Cybergeddon? SWIFT Malware May Put Central Banks at Risk

The scariest bank robbery in history took place recently, and very few people understand the true nature of the crime.

A robber with a gun can empty a bank vault. A mastermind with an understanding of SWIFT can steal a country’s future.

Billion-Dollar Heist Attempt

Central banks and banks alike use the 40-year-old system called SWIFT (Society for Worldwide Interbank Financial Telecommunication) to send messages authorizing fund transfers. Tens of millions of transfers go through the system daily. It is, without hyperbole, the backbone of the international banking system.

At the beginning of March, Bangladesh almost lost a billion dollars, almost 4% of its total foreign currency reserves. Almost. Instead, it only lost $81 million. The tragically absurd reason the bank did not lose more was a chance misspelling.

Malware, Casinos and The New York Fed

Malware in the computers at the Central Bank of Bangladesh nearly allowed hackers to make off with 4% of that country’s total foreign currency reserves.

While an active investigation is ongoing, this much appears clear: Someone was able to furtively install malware in the computers at the Central Bank of Bangladesh. The malware was able to record passwords of central bank employees. Using these passwords, the thieves were able, despite SWIFT’s multilayered security protocols, to send 35 transfer requests to the Federal Reserve Bank of New York. (Bangladesh, like much of the world, retains large portions of its foreign currency reserves with the U.S. central bank.)

Bangladesh maintains $28 billion in foreign currency reserves. The transfer requests were for large transfers to Philippine casinos and to newly opened not-for-profit accounts in Sri Lanka. The Federal Reserve has been largely quiet on the incident other than to say “the payment instructions in question were fully authenticated by the SWIFT messaging system in accordance with standard authentication protocols.”

The $900 Million Typo

While $81 million moved swiftly through the Philippine casinos (which, unlike their U.S. counterparts, have no financial reporting requirements), $20 million was sent to Sri Lanka and delayed before being returned to Bangladesh. While four requests were allowed to go through, one was flagged by a routing bank in Germany because the hackers misspelled “foundation” as “fandation.” That error was brought to the attention of Bangladeshi authorities and the remaining payments were fortunately stopped.

Is this a simple tale of hacking? Using malware to steal accounts? Yes and no. This was not money sitting in your grandparents’ savings and loan. These were central bank reserves held by arguably the most secure financial institution in the world: the Federal Reserve Bank of New York. While the Fed is insisting that it followed all the appropriate protocols (even if that meant sending money to casinos), we must still face the fact that a nation’s wealth has been impacted by a simple piece of malware and some clever, if illiterate, thieves.

Ramifications

This crime highlights that no one, no institution, is beyond the reach of cyber criminals. This crime demonstrates, like none before it, that the keys to the kingdom, the all-powerful SWIFT passcodes, are not inviolate. Nefarious acts of social engineering, malware or potentially more violent acts can provide criminals all they need to move unimaginable sums of money around the world.

While SWIFT appears to have performed the way it was designed, the reality is that this crime will highlight the need for improvements in our global money transfer system. Will foreign nations continue to trust their wealth to an American central bank that can be accessed by passcodes? Passcodes that we now know are virtually impossible to fully safeguard in this day and age?

While authorities search for the criminals, financial institutions will be searching for long-term solutions to the problem. Biometric locks and better cryptography may be the solution; cold-storage techniques for data, like those being practiced by certain Bitcoin companies, may hold promise.

With the reserves of entire nations at stake, it’s clear that all solutions will be considered. In the short run, financial institutions must fight to protect against malware and do a better job of protecting their passcodes, especially their SWIFT codes.

About Richard Magrann-Wells

Richard is an Executive Vice President with Willis Towers Watson’s Financial Institutions Group based in Los Angel…