Banking on VPNs
Almost everyone in business has reason to be grateful for the existence of SWIFT. SWIFT (the Society for Worldwide Interbank Financial Telecommunications system) is the international banking and funds transfer network that allows you to quickly send and receive money to or from any financial institution in the world. The aim of SWIFT is to increase transaction efficiency and, without it, business would return to the painfully slow days when cheques were sent in the mail. Presently, around 10,000 SWIFT member institutions send approximately 24 million messages across the network every day.
VPNs have a crucial role in SWIFT’s security, but following a series of successful attacks over the past 12 months it appears that not all banks – especially ones in less developed economies – have made security their top priority. The answer may lie with regulators insisting that VPNs are used not just in the core of the SWIFT network, but also as part of improvements to security measures at its outer limits.
The SWIFT network has been under pressure recently following a number of high-profile breaches. In February 2016, $81 million was stolen from the account of the central bank of Bangladesh at the Federal Reserve Bank of New York. Elsewhere, Banco del Austro S.A. in Ecuador filed a lawsuit against Wells Fargo & Co. for failing to stop hackers using SWIFT to steal $12 million. Another theft occurred at an unnamed commercial bank, while the Tien Phong Commercial Joint Stock Bank of Vietnam managed to thwart the attempted theft of €1 million in late 2015.
In at least two cases, investigators found cyber criminals had managed to gain entry into the computers of employees with privileged systems access. The intrusions started with a successful spear phishing attack that allowed the attackers to obtain staff credentials, which they used to identify administrators’ computers. By planting malware on these machines, the attackers were able to see everything that happened on the screens of the administrators who serviced the cash transfer systems. In this way, the fraudsters became so familiar with the routine that they were able to remain undetected while they siphoned off money from accounts over many months.
Rules not enforced
In the course of the Bangladesh and Wells Fargo investigations, current and former executives responsible for SWIFT have admitted that priority has been given to convenience rather than security. This is by no means the only example where security is not as robust as it could be within the financial messaging system. VPNs are at the heart of the SWIFT network. To build in some system redundancy, the organisation recommends that its members use a connectivity pack consisting of two VPNs for every branch or office with a connection to SWIFT. But because two connectivity packs per branch add up to twice the investment, many members – especially smaller ones – choose to ignore this rule.
Tighter grip on security needed
The recent attacks on SWIFT show that banks may adhere to compliance and banking regulations but are still vulnerable if not enough attention is given to security. Hackers are targeting the computers of those banking insiders with high-level access privileges. To defend against this, banks’ IT security must be multi-layered, regularly updated and constantly monitored for anomalous behaviour. SWIFT, too, needs to do more. For example, it should enforce rules such as the two VPN connections per branch on those members that send transfers. Ideally, the rules should be expanded to include recipient banks too. Many larger banks send and receive SWIFT payments. But others – often smaller institutions from developing nations – only receive payments. They are not SWIFT members.
Ultimately, banks are responsible for their own risk management. And just like any other industry, some businesses place a higher priority on security than others. Adequate protection for the whole SWIFT network requires regulators to step in and make the security measures highlighted above the absolute minimum standard of compliance for every bank. In summary, there are lessons to be drawn for all parties involved – for SWIFT, for the banks and for the regulators. For a start, existing rules, such as those regarding the use of VPNs, need to be enforced, and new regulations governing improvements in monitoring, stricter management of high-level access privileges and multi-factor authentication need to be introduced. Hackers have caused considerable damage to the reputation of a system that is vital to the global economy. But with improved security measures in place, SWIFT should quickly bounce back to being the network that everyone can bank on.