17 May, 2016
Global financial network SWIFT has warned customers over malware that reduces the ability of financial institutions to identify fraudulent transactions.
However, SWIFT stressed in an emailed statement that "this malware has no impact on SWIFT's network or core messaging services" and that in some instances it is financial institutions' own internal vulnerabilities that have been exploited.
SWIFT was responding to reports that attackers have been sending fraudulent messages over its system.
Reuters reported that a message to its customers said that SWIFT was "aware of a number of recent cyber incidents in which malicious insiders or external attackers have managed to submit SWIFT messages from financial institutions' back offices, PCs or workstations connected to their local interface to the SWIFT network".
SWIFT has also acknowledged that hackers altered its software on Bangladesh Central Bank's computers in February, in an $81 million theft from the bank's account at the Federal Reserve Bank of New York, Reuters said.
The thieves transferred the money to casinos in the Philippines, Reuters said. The theft would have been much greater but for a spelling mistake that prompted an intermediary bank to stop a transfer to check it, The Guardian reported at the time.
"We cannot comment on the details of any particular customer or incident, but confirm that the commonality in what we have seen is that internal or external attackers have successfully compromised banks’ own environments and thereby obtained valid operator credentials with the authority to create, approve and submit messages from those entities’ interfaces," SWIFT said.
While the malware in question exists, it "can only be installed on users’ local systems by attackers that have successfully identified and exploited weaknesses in their local security", SWIFT said.
SWIFT has now issued a mandatory software update, it said. This will help financial institutions to "identify situations in which attackers have attempted to hide their traces, whether these actions have been executed manually or through malware, however the overall security measures remain the best defence against fraudulent actions on their local infrastructure," SWIFT said.
Fraud expert Alan Sheeley of Pinsent Masons, the law firm behind Out-Law.com, said: "While SWIFT has released a security update, the focus must remain on the financial institutions that use SWIFT. Fraudsters have been able to submit SWIFT messages as a result of being able to compromise the systems of the relevant financial institutions. More must be done to safeguard networks and security systems to nullify the efforts of fraudsters and to protect the finances of the institutions and their customers."
"Unfortunately, the incidents that have affected the Bangladesh Central Bank are likely to affect other institutions around the world unless steps are taken to increase cyber security awareness and implement proper controls. This will require a comprehensive risk assessment to identify areas of concern. Investment in these issues will come in several forms but appear most necessary in respect of strengthening network infrastructures and educating employees regarding the safeguarding of their credentials and access procedures," Sheeley said.
"The security update issued by SWIFT must be installed without delay by the financial institutions. If customers suffer losses as a result of a failure of a financial institution to implement the software update, it is likely that the financial institution could be the subject of a claim," he said.