Hackers’ use of Swift network means banks worldwide need deeper layers of security defense

A number of high-profile – and high-cost – cyber heists that leveraged the international Swift network to execute large-scale fraudulent transfers prove that banks around the world need multiple layers of defense, especially against insider threats and external cybercrime threats.

The Swift network is designed to standardize and secure communication between financial institutions conducting bank transfers. But with the right information in the hands of hackers, Swift can become the highway these robbers use to whisk away the fraudulent loot.

Failure of first layer of defenses
Among numerous global thefts this year, the most dramatic was the illegal transfer of $101 million (USD) from the Bangladesh Central Bank’s holdings at the New York Federal Reserve to accounts in the Philippines. It’s thought to be the biggest cybercrime heist in history. Malware installed within the Bangladesh Bank’s computer system enabled the hackers to gather valuable information about the bank’s international payment and fund transfer operations. The malware was installed from the inside, by staff, intentionally or accidentally. First-layer security measures like anti-virus/anti-malware software and firewalls should have prevented this malware from operating within the bank’s computer network. For whatever reason, this process failed.

The Bangladesh case was the most dramatic, but hardly unique. Other similar cases using the Swift network this year include:

  • Attempted theft from Vietnam’s Tien Phong Bank
  • Theft of about $9 million from Ecuadorian bank Banco del Austro
  • Theft of $10 million from a Ukrainian bank in late June

Smart and daring – covering their tracks and choosing the moment
Some Wild West bank robbers – Jesse James, Butch Cassidy, etc. – gained legendary status with stories of their smart and daring heists. Today’s hackers are faceless, not legends (yet), but the good ones are certainly as smart and daring as their Wild West predecessors. In the Bangladesh Bank case, the hackers manipulated Swift’s Alliance Access server software to cover their tracks, so the banks involved would not immediately spot the issue. The transfers began late on a Thursday (February 4th), meaning they took place over what is effectively a “long” weekend when you combine the Bangladeshi weekend and that of the US, where the Bangladesh Bank’s holdings were placed. On top of that, recipient account banks in the Philippines were closed the following Monday for Chinese New Year. Traditionally, fraud and fraud attempts are mostly executed during holiday seasons.

Too little, too late
In the Bangladesh Bank heist, there were 35 transfers conducted over the long weekend. Of these, 30 were halted, preventing the loss of $851 million. A bit of luck may have helped save another $20 million: the hackers misspelled the word “foundation” as “fandation” while trying to impersonate a Sri Lankan NGO in a transfer to a Sri Lankan bank. This led to queries and the potential to recover these funds. However, this is still a bad news story. Any other measures taken by the banks involved were too little, too late to save $81 million.

Everybody loses
The Bangladesh case helps show just how much these Swift-using banking fraud cases hurt. Nobody comes out a winner, except the fraudsters.

  • Bangladesh Bank: As much as $101 million was stolen, not to mention severe reputation damage, loss of customer confidence, and serious regulatory repercussions
  • Beneficiary banks in the Philippines and Sri Lanka: Reputation and financial losses due to regulatory scrutiny and massive fines and penalties for failed anti-money laundering (AML) practices – this could possibly include bans from commercial relationships with other institutions
  • New York Federal Reserve: Reputation and client confidence are at real risk for the routing bank, since red flags on the large-value irregular transfers should have triggered immediate inquiries and investigation
  • Swift network: Swift also needs to protect its reputation and solidify its own anti-fraud measures following these events
  • Account holders: Ambitious frauds like the Bangladesh case usually target large-balance accounts: central banks, corporate accounts, high net-worth individuals or, sometimes, accounts held by public figures.

The shortcomings of the first layer of defense
Let’s go back to that malware installed on the Bangladesh Bank’s system. We’re all familiar with malware these days; it’s a fact of life. It just took a slightly open door – a complicit or careless employee – and the malware was in, quietly providing the hackers with information critical to their mission of fraud. Can you prevent that door from ever being opened, even for a split second? The fact is, there are thousands upon thousands of transactions conducted every day in a financial institution. And importantly, there are humans behind those transactions. Whether or not you can control technology, you can’t control human behavior. The human behavior that began the Bangladesh heist chain of events happened before the transaction.

Multiple layers of defense: THE critical solution
What do you do if first-layer defenses based on transaction analytics aren’t enough? You complement them with deeper layers of defense based on an understanding of human behavior. User behavior analytics combines pattern-based intelligence, profiling, and predictive analytics to continuously monitor and audit human behavior across entire banking systems, with immediate alerts when control breaches occur.

The Bangladesh case used information gained through employee access, took advantage of an on-leave period, and transferred funds to bogus accounts. Each of these events, by itself, can fly under the radar without the capacity to correlate the actions. This is our specialty at NetGuardians. Our smart behavior analytics software – available as out-of-the-box solutions called Smart Controls Objectives (SCOs) – could prevent events such as these Swift hacking frauds by:

  • Correlating information from multiple sources.
  • Identifying suspicious user behavior in real time with non-intrusive pattern-based intelligence: logins from unusual locations, repeated failed password attempts, activity during vacation time or outside business hours, etc.
  • Spotting unusual account activity such as multiple money transfers to a single location or recipient, transfer amounts that deviate from the user’s habitual pattern, unprecedented payment channels, etc.
  • Providing real-time alerts to the activity.
  • Correlating available audit trails, giving you the relevant information to identify the user who acted maliciously.
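To make the list above concrete, here is an added illustration of how such rules look when run over an audit trail. It is example code written for this page, not NetGuardians’ SCO software and not code from the original post. The operator names, baseline profiles, thresholds and event records are all constructed, and the timestamps merely echo the “late Thursday, start of a long weekend” timing described earlier.

```python
"""Toy user-behavior analytics over a constructed audit trail.

Added example, not NetGuardians' software. Profiles, thresholds, user names
and events are all hypothetical and constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, date, time
from statistics import median

# Constructed baseline per operator. In a real deployment this would be
# learned from months of login and payment history, not hard-coded.
PROFILES = {
    "op_alice": {
        "usual_countries": {"BD"},
        "business_hours": (time(9, 0), time(18, 0)),
        "leave": [(date(2016, 2, 4), date(2016, 2, 8))],   # on leave over the long weekend
        "past_amounts": [12_000, 15_500, 9_800, 14_200, 11_000],
    },
    "op_bob": {
        "usual_countries": {"BD"},
        "business_hours": (time(9, 0), time(18, 0)),
        "leave": [],
        "past_amounts": [13_000, 12_500, 14_000],
    },
}

# Constructed audit-trail events (hypothetical), one dict per event.
EVENTS = [
    {"ts": "2016-02-03T10:15:00", "user": "op_alice", "type": "login", "ok": True, "country": "BD"},
    {"ts": "2016-02-03T11:00:00", "user": "op_bob", "type": "login", "ok": True, "country": "BD"},
    {"ts": "2016-02-03T11:20:00", "user": "op_bob", "type": "transfer", "amount": 13_000, "beneficiary": "ACC-9"},
    {"ts": "2016-02-04T23:02:00", "user": "op_alice", "type": "login", "ok": False, "country": "XX"},
    {"ts": "2016-02-04T23:02:30", "user": "op_alice", "type": "login", "ok": False, "country": "XX"},
    {"ts": "2016-02-04T23:03:00", "user": "op_alice", "type": "login", "ok": False, "country": "XX"},
    {"ts": "2016-02-04T23:03:40", "user": "op_alice", "type": "login", "ok": True, "country": "XX"},
    {"ts": "2016-02-04T23:10:00", "user": "op_alice", "type": "transfer", "amount": 20_000_000, "beneficiary": "ACC-1"},
    {"ts": "2016-02-04T23:12:00", "user": "op_alice", "type": "transfer", "amount": 25_000_000, "beneficiary": "ACC-1"},
    {"ts": "2016-02-04T23:15:00", "user": "op_alice", "type": "transfer", "amount": 30_000_000, "beneficiary": "ACC-1"},
]

FAILED_LOGIN_THRESHOLD = 3        # consecutive failures before a success is suspicious
AMOUNT_RATIO_THRESHOLD = 5.0      # flag transfers above 5x the operator's median amount
SAME_BENEFICIARY_THRESHOLD = 3    # flag the Nth transfer to one beneficiary


def analyze(events, profiles):
    """Run the behavior rules over the event stream; return user -> [(rule, ts, detail)].

    Every weak signal is kept so that correlate() can combine them per user."""
    alerts = defaultdict(list)
    failed = defaultdict(int)                                   # consecutive failed logins
    per_beneficiary = defaultdict(lambda: defaultdict(list))    # user -> beneficiary -> timestamps
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, when, prof = ev["user"], datetime.fromisoformat(ev["ts"]), profiles.get(ev["user"])
        if prof is None:
            alerts[user].append(("unknown_user", ev["ts"], "no baseline profile"))
            continue
        # Time-of-day and leave-period rules apply to every event type.
        start, end = prof["business_hours"]
        if not (start <= when.time() <= end):
            alerts[user].append(("out_of_hours", ev["ts"], ev["type"]))
        if any(a <= when.date() <= b for a, b in prof["leave"]):
            alerts[user].append(("activity_on_leave", ev["ts"], ev["type"]))
        if ev["type"] == "login":
            if ev["country"] not in prof["usual_countries"]:
                alerts[user].append(("unusual_location", ev["ts"], ev["country"]))
            if ev["ok"]:
                if failed[user] >= FAILED_LOGIN_THRESHOLD:
                    alerts[user].append(("login_after_failures", ev["ts"], f"{failed[user]} failures"))
                failed[user] = 0
            else:
                failed[user] += 1
        elif ev["type"] == "transfer":
            typical = median(prof["past_amounts"])
            if ev["amount"] > AMOUNT_RATIO_THRESHOLD * typical:
                alerts[user].append(("amount_deviation", ev["ts"], f"{ev['amount']} vs median {typical}"))
            history = per_beneficiary[user][ev["beneficiary"]]
            history.append(ev["ts"])
            if len(history) == SAME_BENEFICIARY_THRESHOLD:
                alerts[user].append(("repeated_beneficiary", ev["ts"], ev["beneficiary"]))
    return alerts


def correlate(alerts, min_rules=3):
    """Escalate only users for whom several *different* rules fired.

    One out-of-hours login is noise; out-of-hours plus an unusual location plus
    oversized transfers to a single beneficiary is the pattern worth an immediate alert."""
    return {user: sorted({rule for rule, _, _ in items})
            for user, items in alerts.items()
            if len({rule for rule, _, _ in items}) >= min_rules}


if __name__ == "__main__":
    found = analyze(EVENTS, PROFILES)
    for user, rules in correlate(found).items():
        print(f"ESCALATE {user}: {', '.join(rules)}")
        for rule, ts, detail in found[user]:
            print(f"  {ts}  {rule:22s} {detail}")
```

The point of the two-stage design is the one made in the bullets: each rule on its own would drown an analyst in false positives, so the individual hits are retained as an audit trail and an alert is raised only when they correlate for the same operator. In the constructed data, op_bob’s in-hours activity produces nothing, while op_alice trips six distinct rules and is escalated with the evidence attached.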

These multiple layers of defense work together with the first layer of defense to prevent cyber-frauds from occurring. Financial institutions – and their clients – save money, reputation and frustration.

Author
John Kiptum
NetGuardians Risk Consultant