Another SWIFT Hack Stole $12 MillionHeists Highlight Real-Time Payment Risks, Security Experts Warn
(This story has been updated.)
See Also: Taking Advantage of EMV 3DS
Another series of SWIFT-enabled hack attacks against a bank has come to light, following the theft of $81 million from the central bank of Bangladesh, and SWIFT warning that other banks are also being targeted (see Banks, Regulators React to SWIFT Hack).
Security experts say the newly revealed hack attacks, leading to fraudulent SWIFT interbank messages, highlight the dangers facing any financial institutions that attempt to implement real-time payments or automated clearinghouse systems.
The attacks, which occurred on Jan. 21, 2015, resulted in the theft of $12.2 million from Banco del Austro, or BDA, in Ecuador. The theft was revealed via a lawsuit filed by BDA against San Francisco-based Wells Fargo on Jan. 28, as Reuters first reported.
Meanwhile, a Vietnamese bank recently revealed it foiled a plot to transfer $1.36 million out of its accounts - via the interbank SWIFT messaging system - in the fourth quarter of 2015.
In the BDA theft incident, both Wells Fargo and BDA believe the money was indeed transferred by hackers. BDA holds Wells Fargo responsible for not flagging the transactions as being suspicious and has demanded that Wells Fargo return the full amount that was stolen, according to court documents. BDA says that it noticed the fraud the same day that it occurred and "promptly informed its correspondent banks."
Wells Fargo has fired back, however, blaming BDA's information security policies and procedures for the fraud having occurred and noting that it honored a valid request received via the SWIFT messaging system, according to court documents. Wells Fargo successfully recovered and returned to BDA $1.85 million of its stolen funds, court documents show.
In a statement provided to Information Security Media Group, Wells Fargo states: "With respect to the Banco del Austro case, Wells Fargo properly processed the wire instructions received via authenticated SWIFT messages, and Wells Fargo's computer systems were not compromised in any way. Wells Fargo is not responsible for the losses suffered by Banco del Austro and intends to vigorously defend the lawsuit. Wells Fargo continually assesses our SWIFT platform and monitors systems searching for potential threats and takes action as warranted through updates to our security tools and practices."
BDA did not immediately responded to a request for comment.
SWIFT, which stands for the Society for Worldwide Interbank Financial Telecommunication, is a Brussels-based cooperative that maintains a messaging system used by 11,000 banks. Its "secure" messaging system has long been used to handle the majority of the world's money-moving messages, experts say. Not surprisingly, criminals have long attempted to issue real-looking but fake messages to move money from victims' accounts into attacker-controlled ones.
SWIFT says that it is not a party to the BDA lawsuit and that it only just learned of the hack attack.
"We were not aware," spokeswoman Natasha de Teran tells Information Security Media Group. "We need to be informed by customers of such frauds if they relate to our products and services so that we can inform and support the wider community. We have been in touch with the bank concerned to get more information and are reminding customers of their obligations to share such information with us."
It's not clear, however, if banks are obligated to report such attacks to SWIFT, and the cooperative didn't immediately respond to a related query, or questions about whether it tracks fraud that gets committed via the SWIFT network (see Blocking Hack Attacks: SWIFT Must Do More ). According to Reuters, current agreements with members require only that SWIFT be alerted to any problems that impact the "confidentiality, integrity or availability of SWIFT service."
Remote Attacker Hacked Banco del Austro
In the case of the BDA hack, the transfers were made from its HSBC account in San Francisco to HSBC and Hang Seng Bank accounts in Hong Kong, a Wells Fargo account in Los Angeles, a Mashreqbank account in Dubai, and a JPMorgan Chase account in New York, according to court documents. "BDA discovered that for each unauthorized transfer, an unauthorized user remotely accessed BDA's computer system after hours, logged onto the SWIFT network purporting to be BDA, and redirected transactions to new beneficiaries with significant dollar amounts," one court filing reads.
BDA's lawsuit also slams Wells Fargo for failing to spot the fraud. "Each and every one of the unauthorized wire transfers were performed outside normal operating hours of Banco del Austro; it included transactions of significant amounts, which undoubtedly should have triggered an alert at Wells Fargo in their control and verification of the transactions that were being processed," BDA officials wrote in an April 7, 2015, letter to Wells Fargo's financial crime manager that was included in documents filed in support of BDA's lawsuit.
Under the terms of the banks' contractual agreement, "WFB [Wells Fargo Bank] agreed to verify the authenticity of SWIFT payment orders pursuant to the SWIFT authentication procedures in accordance with the SWIFT User Handbook," BDA says in its lawsuit. It adds that the bank also agreed to abide by "general U.S. commercial bank practices" and "follow 'know your customer' and fraud detection policies and procedures designed to detect and deter suspicious activity in the accounts."
BDA adds that attackers also attempted to transfer another $1.4 million from its Citibank accounts to accounts in Dubai and Hong Kong, but those attacks were blocked. "On the same day of January 21, 2015, an unauthorized wire transfer was made from the account that Banco del Austro maintains at Citibank, in identical circumstances; the prompt response and controls of Citibank resulted on (sic) the immediate refund of the funds to our account," BDA says in its April letter to Wells Fargo. BDA also says that those fraudulent wire transfers had attempted to move money to accounts in Dubai and Hong Kong.
Wells Fargo has petitioned the court to dismiss the case, blaming the theft on BDA's information security practices, noting that hackers obtained and successfully stole and used a valid SWIFT logon. "BDA and Wells Fargo agreed that SWIFT authentication was a commercially reasonable security procedure for verifying SWIFT payment orders," Wells Fargo says in a court document.
"BDA ... [discusses] whether Wells Fargo behaved as a prudent bank and followed the USA Patriot Act, the Bank Secrecy Act, and other anti-money laundering and 'Know Your Customer' statues and regulations. BDA speculates that these rules required Wells Fargo to conduct due diligence for BDA's benefit and to stop the transfers at issue. But compliance with these statutes and regulations is irrelevant to Wells Fargo's obligation under [New York Uniform Commercial Code]," Wells Fargo says in a court document.
Banks' Liability Concerns
The BDA lawsuit against Wells Fargo comes as more banks around the world are moving to real-time payment systems. Indeed, a Bangladesh police investigation reportedly concluded that a SWIFT technician left exploitable loopholes after connecting the bank to SWIFT's network to facilitate real-time payments. SWIFT has dismissed that report.
But despite any talk about "know your customer," real-time payment transfers are designed to operate automatically and in real time. So when an institution such as the Federal Reserve Bank of New York - in the case of the Bangladesh Bank hack - receives a valid-looking request via the SWIFT messaging system, "it has controls in place to ensure that it completes the transaction as ordered because it might be liable if it failed," says information assurance consultant William Murray.
"The Fed is a bank, one whose customers are other banks," he says. "If it gets an order from a customer to pay someone, it does it. Like any other bank, it has a responsibility to ensure that the transaction is properly authorized in accordance with its agreement with its customer. While [Bangladesh Bank] might wish that the Fed failed in this case, wishing will not make it so."
No Margin for Error
There is zero margin for error where money-moving systems are concerned, especially with real-time transactions, Gartner analyst Avivah Litan says in a blog.
"Irrevocable real-time payments are fraught with risk," she says. "There is no time for bankers' fraud staff to manually review transactions, and there is no time to retrieve a fraudulent payment on its way to an unknown bank account far from the reach of U.S. banks and authorities."
Litan says SWIFT hacks have repercussions for any institutions that employ real-time payment systems. In the United States, for example, banks hope to have real-time Automated Clearing House - an electronic network for financial transactions in the United States - payments in place soon.
"But is the U.S. really ready for faster payments? The recent news on the SWIFT heists strongly suggests the answer is no," Litan says. "According to industry sources, a few banks started opening their faster payment systems up to their customers, but adoption was slow - except among the criminals."