The recent news that banks in Bangladesh and Vietnam have been successfully hacked is a concerning fact about the level of IT Security in financial services.
SWIFT has warned its 11,000 members worldwide about the recent incidents, which allowed hackers to transfer more than a million Euros from TPBank in Vietnam. It seems the malware used was the same that hacked the Central Bank of Bangladesh in recent weeks and, surprisingly, a similar piece of software used hacked Banco del Austro in Ecuador a year ago.
In the case of the incident in Vietnam, the hackers sent an infected PDF which in turn, executed code which would exploit the SWIFT network to send multiple fraudulent payments. As a background, SWIFT has evolved from an obscure messaging system used by a dozen countries in their beginnings to be an integral part of the global banking system. There are a few problems with this private banking network:
1. Smaller banks have fewer resources to invest in cyber-security, therefore, the hackers are targeting them. Experts agree that the PDF infected technique wouldn’t work in a major global bank.
2. By exploiting smaller banks, the hackers could potentially escalate their transactions to bigger banks since SWIFT consider all its members secure enough.
The big problem with SWIFT is that the networks assume that the sender and the receiver are trusted parties, members of the global banking system. The fraud protections in SWIFT are not as advanced as the ones used for retail banking transactions, for example. There is even a lawsuit from the Ecuadorian Banco del Austro against the US-based Wells Fargo. The lawsuit focus on the American bank failure to recognise the fraudulent transactions. Wells Fargo, of course, argues that they received a perfectly valid and secure SWIFT instruction and didn’t have reasons to stop it.
It is foreseeable that smaller banks and other emergent financial institutions won’t update quick enough. It seems quite possible that more attacks might be successful in the following months.