Weak bank messaging system increases security challenges

More than a dozen current and former board directors and senior managers of the Society for Worldwide Interbank Financial Telecommunication (SWIFT) - the bank messaging system that helps transmit billions of dollars around the world every day - have said the organisation for years suspected there were weaknesses in the way smaller banks used its messaging terminals. But they did not address such vulnerabilities. SWIFT did not regard the security of customer terminals as a priority until February 2016 when hackers tried to steal nearly US$1.0 billion  by breaking into the messaging system at Bangladesh Bank (BB). The top executives either did not receive information from member banks about specific attempts to hack the messaging network or failed to spot those attempts themselves. 

 The SWIFT's annual reports and strategy plans from the past 17 years show only one reference to SWIFT helping its users to secure their systems. That reference - to helping "our community to strengthen their own infrastructure" - was in the 2015 annual report published in June 2016, months after the BB heist, in which the fraudsters ended up making off with US$81 million. Leonard Schrank, who was chief executive of SWIFT from 1992 to 2007, said that the board took their eye off the ball. They were focusing on other things, and not about the fundamental, sacred role of SWIFT, which is the security and reliability of the system. Schrank said he was broadly aware that users' terminals were a weak link in SWIFT's overall security, but paid too little attention to it. "So I am partially responsible," he admitted. 

The former directors and managers said the messaging business failed to act in part because the risks were not properly appreciated. The SWIFT did not comprehensively track security incidents or monitor the extent of sloppy security practices among users. According to the former managers and directors it saw smaller banks as a potential - but not immediate - threat to the security of the network. Former board member Arthur Cousins said the SWIFT never acted, because the organisation believed bank regulators - rather than SWIFT - were responsible for ensuring smaller banks' security procedures were robust enough to repel hackers. 

The SWIFT defended itself by saying the organisation and its Board have prioritised security, continually monitoring the landscape and responding by adapting the specific security focuses as threats have evolved. Today's security threats are not the same threats the industry faced five or ten years back - or even a year back - and like any other responsible organisation it adapts as the threat changes. The SWIFT was, and still is, dominated by large Western banks, including Citibank, JP Morgan, Deutsche Bank and BNP Paribas, that built the network decades back. The former directors said that contributed to the lack of concern over security, because the larger banks tend to have sufficient defence to prevent criminals from hacking into their SWIFT systems. 

But since the 1990s, many smaller banks in emerging markets have joined SWIFT, and some may have weaker computer security. In all, more than 10,000 institutions are now connected to SWIFT. Gottfried Leibbrandt, CEO since 2012, said it was only with the benefit of "hindsight" that one could see that SWIFT needed to put more focus on security at customer terminals. 

In the BB heist, hackers broke into a computer interface called Alliance Access, a piece of software sold by SWIFT for accessing its central network. It is still unclear exactly how the thieves gained entry. The BB has alleged that a botched upgrade of its system left vulnerabilities in it. The SWIFT has rejected any responsibility for the way BB upgraded its systems. 

Whatever specific weakness the thieves in the BB case exploited, former SWIFT directors and managers said the system became more vulnerable as it got bigger. Alessandro Lanteri, a former executive with Italian bank Unicredit who served on SWIFT's Board between 1995 and 2000, said security challenges increased when smaller banks in emerging markets joined the SWIFT network. He said that the difficulty is always to keep the security system very effective when one deals with little banks and emerging countries; it is very difficult to be sure that all the procedures of security are managed in the correct way. The number of countries and territories covered by SWIFT swelled from 126 in 1994 to 200 in 2003 and 212 now. 

A former SWIFT staff Cousins said bigger western banks considered SWIFT more cost-effective and secure than alternative means of communication, and encouraged smaller banks to become members. But despite the rise in the number of smaller institutions as members, the big banks continued to dominate SWIFT. The organisation's revenues, which hit 710 million euros in 2015, are driven by a concentrated number of large western correspondent banks like Citigroup and HSBC. Data in the decade to 2011, the last year for which SWIFT published a breakdown, shows 90 per cent of messaging revenue traditionally comes from banks in just 25 countries - almost all developed nations. 

Two years ago, Martin Ullman, a Prague-based SWIFT consultant, was browsing a LinkedIn forum for SWIFT users when he saw a posting from a recently-appointed technician at the Central Bank of Solomon Islands (CBSI). The technician needed to install an upgrade to the bank's SWIFT messaging system but did not know how to do it. He wanted advice. Ullman emailed the man and told him that raising such issues in a public forum could endanger security and advised him to seek expert help. The technician said the bank could not afford it, and said he finally managed to install the system himself. The CBSI declined to comment. But it was not possible to contact the technician to confirm the incident. Yet security was vital: Six former directors of SWIFT said any breach of the broader system could put the bedrock of SWIFT - the willingness of banks to accept messages at face value - at risk. 

A former SWIFT executive Hugh Cumberland, who now advises banks on payments technologies, said he first saw security risks in 1993. He said so, when he was working as a technology contractor with BZW, an arm of Barclays, in London. Cumberland arrived for work one day to be met by policemen carrying Heckler & Koch submachine guns. Two staff members had been arrested for attempting to use their access to a SWIFT terminal to send 10 million pounds of "unnamed client money" to accounts controlled by them. However, Cumberland did not know the outcome of the case. Both SWIFT and Barclays declined to comment. 

According to a lawsuit Dubai Islamic Bank (DIB) filed against Citibank in New York in 1999, another incident occurred in 1995, when officials at DIB began sending fraudulent payment instructions to Citibank, telling it to pay money from DIB's account at the United State (US) bank into the account of a fraudster. More than US$150 million was allegedly stolen by DIB executives in collaboration with Foutanga Dit Babani Sissoko, a West African businessman previously jailed for trying to bribe US customs officials. Sissoko was deported from the US before the DIB allegations were made in court. A lawyer involved in the case confirmed the messages were sent via SWIFT, which has a near monopoly on such international payment instructions. The court dismissed the claim of negligence against Citibank. The banks declined to comment on the case. The SWIFT was not involved in the legal proceedings. 

More recently, thieves exploiting SWIFT systems stole US$250 thousand from Bangladesh's Sonali Bank in 2013 and more than US$12 million from Ecuador's Banco del Austro in 2015. Later in 2015, Vietnam's Tien Phong Bank foiled an attempt to steal money via SWIFT, which was reported in May 2016. The SWIFT officials said the banks involved in these three cases did not immediately inform it of the incidents, though the banks did confirm them later. The senior management at SWIFT appears to have been unaware of the events. Leibbrandt told in May 2016 that, before the BB heist in February 2016, he had not been told of any successful or unsuccessful attempt to steal money using SWIFT. Asked why SWIFT had not logged the incidents described above, the answer was that SWIFT has always maintained an uncompromising focus on security as evidenced by its track record.

Prof. Sarwar Md. Saifullah Khaled is a retired Professor of Economics, BCS General Education Cadre.

[email protected]