Fraudulent SWIFT Transfers: Congress Queries New York FedSecurity Defenses Probed After Massive Bangladesh Bank Heist
A House committee is seeking answers from the Federal Reserve Bank of New York about the recent $81 million SWIFT-related theft from the central bank of Bangladesh and its implications for U.S. financial services firms.
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
The House Committee on Science, Space and Technology launched its probe after warnings from SWIFT that the heist from Bangladesh Bank's New York Fed account and related malware attacks were "part of a wider and highly adaptive campaign targeting banks," which may have targeted a dozen or more institutions (see 5 SWIFT Cyber Heist Investigations).
"This is deeply troubling and it is Congress' responsibility to ensure, through its oversight, that the NY Fed is taking all precautions to protect American finances and aggressively execute its own role as overseer of SWIFT," reads a May 31 letter to William C. Dudley, president of the New York Fed Reserve, signed by Lamar Smith, R-Texas, committee chairman, as well as committee member Barry Loudermilk, R-Ga.
SWIFT, formally known as the Society for Worldwide Interbank Financial Telecommunication, is a cooperative owned by 3,000 banks that bills itself as "the world's leading provider of secure financial messaging services." It's now used by 11,000 banks globally to daily process 25 million communications that collectively account for billions of dollars' worth of transfers.
But the security of that messaging system has been called into question following a series of reports that malware-using attackers have been injecting fraudulent messages into the SWIFT network as part of a campaign that may stretch back to at least 2013.
"We are writing to request a briefing and information related to the February incident as well as information related to the NY Fed's role in overseeing ... SWIFT," the House committee's letter reads. The deadline for the Fed to respond and brief the committee is June 14.
As the letter suggests, the central banks of the 11 countries that comprise the G10 - Belgium, Canada, France, Germany, Italy, Japan, the Netherlands, Sweden, Switzerland, the United Kingdom and the United States - together oversee SWIFT, with the National Bank of Belgium taking the lead role.
Probing SWIFT-Related Weaknesses
Other legislators and regulators also have been asking SWIFT-related questions.
On March 22, Rep. Carolyn B. Maloney, D-N.Y., wrote to the New York Fed seeking further details on the Bangladesh Bank heist, to which the Fed responded on April 14.
Also in April, Britain's central bank, the Bank of England, wrote to all U.K. banks seeking details of how they were responding to risks related to the SWIFT network.
On May 19, Sen. Tom Carper, D-Del., the ranking Democrat on the Senate Homeland Security and Governmental Affairs Committee, also wrote to Dudley at the New York Fed, asking how the Fed was responding to the bank heists.
On May 23, meanwhile, Maloney wrote to Fed Chair Janet Yellen, Comptroller of the Currency Thomas Curry and Federal Deposit Insurance Corp. Chairman Martin Gruenberg, asking if they planned to follow the Bank of England's lead and order all U.S. banks to conduct a full cybersecurity review.
War of Words
The Bangladesh Bank heist, which came to light in March, initially triggered a war of words, with Bangladeshi officials accusing SWIFT and the New York Fed of sharing in the blame for the heist by failing to spot and stop the fraudulent transfers. But the New York Fed fired back, saying that the transfer requests had been valid, and so they had been honored, per existing agreements. SWIFT, meanwhile, accused Bangladesh Bank of having substandard security practices, including weak passwords and nonexistent firewalls on systems that it used to interface with the SWIFT network (see SWIFT to Banks: Get Your Security Act Together).
On May 10, officials from Bangladesh Bank, SWIFT and the New York Fed met and then released a joint statement pledging to work more closely together. "The parties also agreed to pursue jointly certain common goals: to recover the entire proceeds of the fraud and bring the perpetrators to justice, and protect the global financial system from these types of attacks," they said.
The House Committee on Science, Space and Technology has also requested an update on the status of those initiatives as well as details of "any remedial steps" that the Fed has taken to address vulnerabilities related to using the SWIFT network.
Meanwhile, after initially blaming the breaches on banks, SWIFT has changed its tune and released a five-point security improvement plan, which includes better support for banks' information sharing and fraud-detection efforts. But no aspect of that plan, or related information sharing, will be mandatory.
SWIFT has also promised to issue more detailed security guidance to users.
Should SWIFT Cover Losses?
Some security experts, however, say SWIFT must do more, such as requiring banks to comply with new industry security regulations and external audits (see Blocking Hack Attacks: SWIFT Must Do More).
In a May 24 speech in Brussels, Gottfried Leibbrandt, SWIFT's CEO, dismissed such proposals: "SWIFT is not all-powerful, we are not a regulator, and we are not a policeman; success here depends on all the stakeholders in and around the industry."
If investigators uncover more hack attacks and fraudulent SWIFT money-moving messages, however, or such attacks worsen, SWIFT may be forced to take stronger steps or risk further damage to its reputation.
Ricardo Villadiego, CEO of anti-fraud firm Easy Solutions, says it's useful to contrast SWIFT's response to hacked customers, versus how banks respond to their hacked customers. "From the SWIFT CEO's point of view, he is accurate when he is saying the SWIFT network wasn't compromised," Villadiego says. "That is true. But now what is also true is that if you compare this with traditional phishing attacks, the banks' systems weren't compromised, but the money was stolen from users."
In such cases, most banks promise to cover customers' losses. For example, Lloyds Bank, a British retail and commercial bank, offers the following online and mobile banking guarantee: "We guarantee to refund your money in the unlikely event you experience fraud with our Internet Banking service - as long as you've been careful, for example, by taking reasonable steps to keep your security information safe."
"It would be nice to see the same reaction from SWIFT here," Villadiego says.