The point of SWIFT messages is that they are standardised, reliable and secure. Well over 11,000 banks and other financial institutions around the world, including in New Zealand, trust them.
That makes SWIFT a juicy target for hackers. If the bad people can control and subvert trusted SWIFT messages and the other party doesn't pay enough attention to the payment orders issued, lots of money could move around to where it shouldn't be.
There's no need to break SWIFT's own security when it's easier to attack the weakest links instead, like bank systems and staff. It's a classic way to work around security precautions, with potentially devastating effects, as billions of dollars are transferred every day with the help of SWIFT.
The reporting and analysis so far has focused on how the robbery was done, including byte-level analysis of the malware used to attack banks. Missing from the puzzle is where the money was sent, something that was presumably mentioned in the SWIFT messages requesting transfers.
Researchers now believe the attacks go back to at least October 2015, maybe even earlier, given that the Lazarus hacking group allegedly behind the attacks has been active since 2009.
There are no dollar estimates yet on how much money has been spirited away in the SWIFT attacks, and I suspect the story is far from finished unless it gets buried on purpose.
SWIFT has meanwhile finally doubled down on security, hiring more expert staff and focusing hard on the financial messaging network's customers.
Banks and financial institutions will have to meet operational and security baselines for handling SWIFT transactions, and provide more information to the financial network to improve incident notifications and sharing of data.
The lesson here is that while SWIFT undoubtedly worked hard to ensure that it itself is secure and reliable, the messaging network started to fray at the edges as customers didn't pay enough attention to security.
That was all it took for the bad guys to get in, and it's a salutary reminder that security must be an all-encompassing process covering all parts and ends of the network.