Bolstering the Banks for the Better

Editorial

Several central banks have admitted suffering from cyber attacks, meaning that new measures need to be taken to strengthen them

In February earlier this year, the central bank of Bangladesh lost $81 million due to the malicious work of cybercriminals. Since then, numerous other banks, notably in SouthEast Asia, have admitted to suffering from similar breaches, with millions of dollars being lost in each case.

Some security experts have pinned the blame on North Korea, as the US government did with the Sony attacks from a while back. The FBI suspect that insider help may have played a crucial role in the success of the heist. The bureau has found evidence during its investigation that at least one bank employee may have assisted the hackers in accessing the Bangladeshi Bank’s computer systems.

The hackers of the heist were able to obtain these lucrative sums by exploiting the loopholes of the messaging system used for cross-border transfers of money known as the Society for Worldwide Interbank Financial Telecommunication (Swift).

This non-profit organisation was established in the 1970s to make it easier to communicate with banks across the world to transfer money. Today around 10,000 banks worldwide utilise its services and has around 2,400 employees operating those services. Swift replaced the telex machines which were previously used by banks to communicate with each other. It was meant to be more secure, using exclusive protocols to allow banks anywhere in the world to be able to comprehend and use the messaging system.

This system is not a platform to transfer actual money between banks. It is simply a messaging system through which banks exchanging money can communicate how much needs to be sent and to which account. The breach suffered by the Bangladeshi central bank was due to cybercriminals getting access to their computer networks to fraudulently send money to any other institutions they desired. The injection of malware allowed the hackers to collect keystrokes and subsequently allowed them to obtain the codes and numbers needed to conduct the transactions. The hackers would request billions of dollars to be sent from the central bank’s account at the Federal Reserve Bank of New York to accounts in the Philippines and Sri Lanka. Many of the transactions were flagged by the Reserve to ensure that they complied with certain rules and protocols, but a few still managed to get through. In addition, they were also able to prevent the list of transactions from being printed out to avoid detection.

Team Work Makes the Dream Work

Many banks and other financial sector institutions have reacted accordingly. JP Morgan has reduced the number of people with access to Swift, and the Bank of England has advised other institutions to improve their security. Although these particular institutions were not victims of this particular cyber attack, they recognise that there is the potential for an attack in the future.

But this does not make the financial sector completely immune to devastating cyber heists in the future. In the context of cyber, essentially nothing will. One reason for why that is points to the weaknesses in the Swift system itself, which causes a danger to the thousands who use it. When communicating with other banks through the messaging system, there is no way to guarantee that the party on the other side is the intended recipient. This reflects a wider overall problem with the internet, which is that hackers can disguise themselves as others quite convincingly and therefore their suspicious activity is not detected until it is too late.

In order to better defend against such attacks, a collective effort by all financial institutions that use Swift need to bolster their security. The cyber defences of banks in developed economies in recent years has improved, with few reports of successful attacks being declared out of the thousands of attempts against Wall Street firms. But this is no good with banks in developing economies that are lagging behind, with insubstantial firewalls and other lacking security measures . Even if the likes of the UK or the US are encouraging private sector banks to take cyber threats more seriously, the lack of concern in developing economies makes those efforts nugatory. A chain is only as strong as its weakest link, after all.

This latest hack also brings into question Swift’s ability to cope with the realities of cyberspace.

Alternative messaging systems are being proposed and the use of blockchain technology has even been suggested. But even if banks move to a safer system, given the pernicious environment that cyberspace is, it will inevitably be breached. Blockchain, too, has had its problems with fraud. For now, Swift is considering implementing stronger measures of its own, such as software that tracks behavioural patterns to identify suspicious activity. But a better international effort is also needed. Nobody can be too safe.