81M USD missing via SWIFT: How banks can protect payment networks against cybersecurity attacks

SWIFT, the global messaging network used by banks to send payment instructions, was forced to warn its customers last week that “a number of recent cyber incidents” had taken place on its system involving fraudulent messages sent by cyber thieves.  This was prompted by investigations into a cyber attack on the Central Bank of Bangladesh (Bangladesh Bank) in February in which attackers attempted to steal $951m, of which $81m is still missing.  SWIFT, whose customers include about 11,000 banks worldwide, had warned clients that the scheme involved altering SWIFT software on the computers of financial institutions to hide the evidence of false transfers, according to a Reuters report.  SWIFT has since provided customers with a mandatory software update; patches, however, only providing a temporary fix.  This breach has poked a hole in the theory of the supposed security of payments networks, and has left banks asking how irregularities can be identified more promptly in order to increase the likelihood of retrieving or cancelling errant payment messages.

A multi-layered payment chain

A typical workflow of SWIFT payments includes multiple applications, connection points and transformations.  Firstly, payments are generated in a back-office application and go through a validation and approval workflow, then the instructions are transported and potentially transformed on a middleware layer and ultimately submitted onto a SWIFT gateway.  On the SWIFT gateway, messages will get additional checks and can be further transformed.  Finally, these messages are posted to the SWIFT network and released to the counterparty which can sometimes involve multiple correspondent banks.  Banks certainly take security measures along the whole lifecycle to make sure messages are secure, but because there are many points along the payments chain, in reality end-to-end integrity is difficult to ensure.

In the case of the Bangladesh Bank (BB) heist, the attackers sent thirty-five fake payment instructions from BB to the central bank’s account at the New York Federal Reserve via the SWIFT network.  Four batches of transfers were then successfully sent to accounts in the Philippines and Sri Lanka.  The custom malware used in the attack was identified as originating from a user in Bangladesh.  The malware interacted with the local SWIFT Alliance Access software running on BB’s infrastructure, allowing transactions to be deleted and records changed.  

When people think about cybersecurity, most tend to think about preventing external attacks by putting firewalls in place.  But the threat is as large when a person with access to internal systems implants the malware.  The fact of the matter is, regardless of attempts to lock down the underlying components (be it databases, networks or hardware), in the end a certain amount of trust has to be given to staff operating or running the different components of payment-related infrastructure.  And as long as employees have access, a factor of security risk is introduced.

Cyber regulation coming soon

It was not so long ago that anybody interested in speaking to a bank about the risks of payment networks would get referred, not to the compliance department, but to the IT department.  With the creation of the upcoming EU Cybersecurity Directive, otherwise known as the Network and Information Security (NIS) Directive, banks are categorised as critical infrastructures and as such will have to take "appropriate technical and organisational measures to manage the risks posed to the security of the networks and information systems they use and control in their operations."  National authorities would also have the power to ensure banks provide them with information to assess the security of their networks, with "effective, proportionate and dissuasive" sanctions provided for noncompliance.  

It is clear that financial institutions will soon have to elevate the risks associated with payments networks to a higher level within their corporate infrastructures and install adequate integrated surveillance and risk management measures.  

An independent payments message surveillance system

In order to safeguard against potential internal interference on payments networks, an independent end-to-end integrity validation should be put in place through an automated surveillance system.  Because there are so many potential weak links along the payments chain, a preferred approach is to validate output at the end of the process in order to provide indications of potential abuse by identifying the following:

1. Consistency in intention:  Messages between different systems need to be compared between actual output and the initial intention of the output.  Identification should be enabled to alert if anything across the entire chain of events has been changed.

2. Unusual patterns:  Abnormal patterns need to be identified, in order to indicate that some kind of manipulation or intentional fraud has occurred or is about to occur along the chain based on unexpected or unusual values and destinations of the payment messages.

We believe that the case of BB could have been prevented if a comparison of the messages on a post-transaction basis would have been taken against the initial instructions with the discrepancy between the two becoming apparent.  Patterns of deviations would also have become apparent because multiple instructions were all going to one bank.  Because the latency on the SWIFT network is much higher than those of capital markets systems, once the bank would have been alerted to the fact, the likelihood of either retrieving the message from the network or cancelling the payment with the counterparty bank would have been very high.

Customers “protect themselves”

SWIFT spokeswoman Natasha Deteran told Reuters that the commonality across these cyber thefts was the fact that it was the banks’ own environments that were compromised in order to obtain valid operator credentials, advising that, "Customers should do their utmost to protect against this."

What banks now need is an adequate system that can continuously evaluate integrity along the whole payments chain.  Indeed, the new EU Cybersecurity Directive may soon see regulators asking for proof of appropriate technical measures to manage risks associated with payment networks at risk of a fine for non-compliance.  

Independent surveillance systems providing end-to-end integrity validation can be installed in order to identify discrepancies and monitor abnormal patterns indicating potential attacks.  Using a contextual approach and monitoring across the entire payment chain, surveillance systems can spot outlier messages, providing early warnings supported by strong visualisation tools.   

Given the malware is still out there, and the technology in the form of surveillance systems is indeed available for the protection of payments networks, banks would be advised to react swiftly.