SWIFT Security Vulnerabilities: Bank Data Breaches Are the Future of Bank Robberies

In this day and age, if you want to rob a bank, you can dispense with the overcoat, the wig, the cheap sunglasses, and the note slid across the counter to a blanching teller. Bank data breaches, by contrast, yield on average a payout 10,000 times higher than a traditional bank robbery (a paltry $7,500 in the United States). And the risk of getting caught, so far, appears low. (Don’t do this, of course. We don’t condone theft of any kind; we’re just making conversation.)

For example, in February of this year, hackers, possibly acting on behalf of a nation state, infiltrated the SWIFT network and attempted to execute a series of transactions that would have robbed the Bangladesh Central Bank of nearly $1 billion. A typo in their transactions alerted a security officer, and the Federal Reserve Bank of New York was able to block 30 of their transactions, totaling $850 million. Still, the thieves made off with $101 million, of which only $38 million has been recovered. At the time of this posting, the thieves responsible for this devastating bank data breach remain at large.

SWIFT in Name But Not in (Security) Practice

Founded in 1973, the Society for Worldwide Interbank Financial Telecommunication, more commonly known as SWIFT, is a secure international messaging network for conducting financial transactions. Over the past few decades, the network has grown from 239 customer banks to over 11,000 financial institutions across 200 countries. Banks rely on SWIFT to conduct financial transactions, including multi-million dollar exchanges. In 2015, the network transmitted over 6.1 billion messages.

But security is uneven, and in some cases, hopelessly substandard. In the Bangladesh Central Bank heist, the bank was operating without a firewall and using $10 second-hand network switches. Until a few months ago, the network did not require two-factor authentication (2FA) or additional authentication checks for high-value or anomalous transactions. Not surprisingly, SWIFT credentials were easily compromised without detection. Considering the vast wealth that the network ultimately controls, its security standards have been shockingly low.

SWIFT argues that securing clients from a bank data breach is not its responsibility. Although the network advertises itself as “the world’s leading provider of secure financial messaging services,” some SWIFT board members such as Arthur Cousins have maintained that SWIFT is simply a network; it’s SWIFT customers who are responsible for ensuring that security practices and tools are implemented correctly. If institutions fall short, regulators should penalize the institutions, not SWIFT.

Leonard Schrank, CEO of SWIFT from 1992 to 2007, has a different opinion. Schrank believed security was part of SWIFT’s job. He told Reuters: “The board took their eye off the ball. They were focusing on other things, and not [on] the fundamental, sacred role of SWIFT, which is the security and reliability of the system.”

The Bangladesh Central Bank data breach was not an isolated incident. There have been other successful bank data breaches on the SWIFT system in recent years. In January 2015, thieves siphoned $12 million from Ecuador’s Banco del Austro. In December, thieves almost managed to steal $1.4 million from Vietnam’s Tien Phong Bank.

These bank data breaches targeting vulnerabilities in SWIFT should be a wake-up call—not only to the SWIFT management team and the financial institutions that make up SWIFT’s customer base. It should remind providers of critical services in all industries, from financial services to energy to healthcare, that hackers will attack if they perceive value in attacking. Multi-layered security is essential to protect any IT system or resource of value.

Avoid Bank Data Breaches with Secure File Sharing

The biggest threats today don’t come skulking through the front door demanding a teller to empty the cash drawer. Instead, the threat is working around the clock in unknown locations, and will quietly take advantage of the slightest IT oversight to abscond with millions or even hundreds of millions of dollars.

And money isn’t the only valuable commodity moving in and out of banks. Confidential files such as loan applications and account statements filled with personally identifiable information (PII) are frequently transmitted between banks and their customers, as well as between banks with little attention paid to security.

Secure file sharing solutions, like the Kiteworks secure file sharing and governance platform, provide financial services professionals the means to share financial records, customer account statements and other sensitive information with the highest levels of data security and compliance. Now, bankers, insurance agents, and investment advisors securely process loan applications with customers and third parties, collaborate on documents with colleagues in real-time, and improve productivity across all devices.

Helping clients achieve their financial goals is predicated on trust. With secure file sharing, financial services professionals earn — and maintain — their clients’ trust and dramatically mitigate the risk of costly bank data breaches.

Additional Resources

• ArticleRisk And Security Management
• Blog PostAudit Logs
• Blog PostHIPAA Security Breach
• Blog PostHIPAA Security Rule Requirements & Compliance
• GlossaryCyber Security Risk Management