By Katy Burne and Robin Sidel
The Society for Worldwide Interbank Financial Telecommunication
has James Bond-level security at the facilities it uses to move
millions of bank-payment orders around the world every day.
Visitors to a Swift operations center in Culpeper, Va., say
their car trunks were inspected upon arrival by armed guards, who
used mirrors to check under the chassis. Security inside included a
fingerprint scan, a test for chemical weapons and an iris scanner
in the most restricted areas.
"It's like Fort Knox," says Mohan Murali, chief executive of
Axletree Solutions Inc., which helps banks and companies connect to
Swift.
That isn't where the thieves hit. In the past year, a spate of
cyberattacks has penetrated banks along Swift's less-defended
perimeter, shaking confidence in the dominant network used by banks
for cross-border transactions. While Swift diligently locked down
that network's core, customers were left mostly responsible for
their own security, creating an opportunity for hackers.
Targets included banks in India, Vietnam, Ecuador and
Bangladesh. Thieves made off with a total of about $90 million from
Bangladesh's central bank and a commercial bank in Ecuador. The
other cyberattacks were unsuccessful.
It was a stunningly simple ruse: The cybercriminals behind the
Bangladesh heist used malware to steal bank codes and place fake
transfer orders, according to people familiar with the
incident.
The attacks also have threatened the trust that banks have had
for decades in Swift, a cooperative that runs the international
messaging service among banks. Banks use the service to instruct
each other what to do, making Swift the lifeblood of the global
banking system, where trillions of dollars flow between banks each
day.
"Swift was not watching for the launch of cyberattacks on its
customers beyond the core network," says Marcus Treacher, a Swift
board member from 2010 to 2016. He now is an executive at
digital-payments startup Ripple, an alternative to Swift.
An examination of Swift's culture and practices, including
interviews with more than a dozen people who have worked for or
closely with Swift, shows it was ill-prepared for some of the
toughest challenges of the cyberattack era.
Security standards for banks using the Swift network were
dictated in what was an eight-gigabyte handbook but rarely
enforced, these people say. That left an opening for thieves to
hack into Bangladesh's computer systems, steal their Swift access
codes and send fraudulent messages seeking nearly $1 billion in
payments across Swift's network. The total for all the cyberattack
attempts in the past year isn't known publicly.
Swift has since toughened its standards, including new rules for
customers that were released in April, but it is too soon to tell
how serious many of Swift's customers are about reducing their
vulnerability to security breaches.
Swift has said it was surprised by the scale of the
cyberattacks, rushed to shore up the system's defenses and remains
confident in its overall security. Swift has said repeatedly that
its core network, including the fortresslike facility in Virginia,
hasn't been breached. It says customers still have the primary
responsibility for their own computer security.
Gottfried Leibbrandt, Swift's chief executive, said in a
statement: "While customers remain responsible for securing their
own environment, we are dedicating very substantial efforts and
resources to our customer security program, which aims to help
customers improve their security and prevent these frauds."
After last year's theft from the Bangladesh central bank's
account at the Federal Reserve Bank of New York, he said in an
interview: "We knew cyberrisk was a big deal for the industry, and
it was only a matter of time before we saw something big happening,
but I had not expected it in this form."
Last summer, a Swift executive told a meeting of the Association
of Banks in Singapore trade group that Swift was investigating 26
attempted cyberattacks on bank customers, according to an attendee.
Swift spokeswoman Natasha de Teran declined to comment on the
remark.
After repeatedly urging customers to follow voluntary
guidelines, Swift has rolled out a series of mandatory security
measures, introduced a new system to help users identify and block
suspicious payments, and is now requiring customers to attest
annually to their own security. Swift also warned banks that they
will be reported to regulators if they don't comply.
Swift tripled the size of its security team and hired a new
chief information security officer from Deutsche Bank AG in
October.
The changes come as cybercriminals take aim at everything from
consumer health-care records to the U.S. power grid. Federal
prosecutors believe that North Korea might have orchestrated the
theft from Bangladesh's account, according to people familiar with
the matter. No charges have been filed. North Korea's permanent
mission to the U.N. didn't respond to requests for comment.
Based in Brussels, Swift has more than 11,000 users, up from
about 500 when its electronic messaging service was launched in
1977.
Belgium's Prince Albert pressed the button to turn on the
service, and it soon rivaled the clunky, error-plagued Telex.
Bessel Kok, one of Swift's founders and a former Swift chief
executive, says it became profitable within a year.
Growth was important to Swift and its bank owners, who were
eager to lower per-message costs by spreading them across a larger
base, people familiar with the matter say. Swift agrees that it
wanted more users but says it wasn't sales-driven or distracted by
expansion.
Swift entered markets from Argentina to Australia. Much of the
extra revenue it earned was distributed to members as rebates.
Swift had revenue of EUR710 million ($773.6 million) and rebates of
more than EUR30 million in 2015, the latest year for which figures
are available. Messaging costs fell to slightly more than 2 euro
cents in 2015, compared with 26 euro cents in 2001.
Employees at Swift's headquarters often work without assigned
offices or desks and are encouraged to take advantage of themed
spaces like the "Vintage Room," with red and cream patterned
wallpaper, and the bamboo-decorated "Zen Room," according to former
employees.
The cafeteria nearly always offers wine with lunch, and
employees have access to a swimming pool next to a 19th-century
château on the property.
Leonard Schrank, another former Swift executive, says top
managers considered an initial public offering during the dot-com
boom of the late 1990s. Technology company values were soaring, but
Swift backed down when member banks asked it to "stick to its
knitting," Mr. Schrank recalls.
As it grew and prospered, Swift spent heavily to secure its
systems. But it saw the challenge largely as making sure intruders
couldn't penetrate crucial facilities and knock the network
offline.
"Security issues were always primarily issues of stability, of
coping with the volume on the network, and not the broader topic of
full end-to-end security," says Itzi Klein, a Swift board member
from 1998 to 2003 who now works as an independent consultant.
Swift's general counsel, Patrick Krekels, responds that Swift
expanded to meet the needs of customers and reduce costs but never
skimped on security.
"We are very much a technology and operationally driven company,
not a sales-driven company," says Mr. Krekels. "We have very
prudently and deliberately moved step by step into adjacent
markets."
Swift has proclaimed the same motto for decades: "Failure is not
an option." If a bank's corporate customer in New York needs to pay
a supplier in Rome, the bank uses Swift to wire the corresponding
bank in Italy to make the payment. Banks trust the authenticity of
Swift's messages so much that they are typically processed
automatically.
Bangladesh joined the Swift network in 1995. Over the next two
decades, some risky practices by Bangladesh's central bank went
undetected.
The central bank never changed its Swift passwords between late
2015 and early February 2016, according to an official at the bank.
During that period, hackers breached the bank's computer systems,
found the credentials to the Swift terminal and ordered the fake
money transfers.
The bank also wasn't using two-factor authentication on the
system it used to access Swift, according to a person familiar with
the bank's procedures. Two-factor authentication is a higher
security standard that requires a second measure of verification in
addition to a password.
Software that Swift provides to customers now has built-in
two-factor authentication, but customers can opt not to use it. At
the time of the Bangladesh cyberattack, two-factor authentication
was merely Swift's preference for local access, according to a copy
of its security guidance reviewed by The Wall Street Journal.
Two people briefed on the theft say two-factor authentication
might not have made the hacks impossible but would have made them
more difficult.
Subhankar Saha, a Bangladesh Bank spokesman, wouldn't comment on
the bank's password procedures or authentication measures. He said
the central bank had firewalls, but they may have been weakened or
not implemented in the right places.
The hackers had sent the New York Fed fake payment orders
requesting nearly $1 billion. The Fed paid out $101 million, of
which $20 million was recovered after a banker in Sri Lanka spotted
a typo. The Fed rejected other orders, some for formatting errors,
and others after they were detected by a sanctions screen.
The Bangladesh attack was even more embarrassing because Swift
officials had been at the central bank in late 2015 to connect its
Swift messaging platform to another system that handled payments
among the country's banks, according to people familiar with the
matter.
The hackers used malicious software to remotely monitor routine
activity at the central bank for weeks before they struck. The
Bangladesh central bank has said it is trying to determine if any
of Swift's work played a role in the attack. Ms. de Teran, the
Swift spokeswoman, said Swift doesn't comment on individual
customers.
At first, Swift called the attack on Bangladesh Bank "an
internal operational issue" at the central bank. When Swift learned
that hackers were using software that disabled customers' ability
to print out logs of their messages, it issued a software patch but
left it up to customers to implement the upgrade.
Last May, the Journal reported that Banco del Austro SA in
Ecuador had suffered a similar attack. Thieves got the Ecuadorean
bank's Swift codes and used them to steal about $9 million with
fake transfer orders.
Within days, Swift rolled out a new customer security program,
hinting that it wouldn't rule out the possibility of kicking
violators out of the network. Swift didn't make the controls
mandatory until September.
The 16 mandatory standards include tighter authentication
controls, such as two-factor authentication, alongside password
security. Swift ordered bank customers to update software,
threatening to report to regulators anyone who doesn't obey.
Regulators have the power to withdraw licenses from banks deemed
insufficiently safe and sound.
Axletree's Mr. Murali says the number of clients he works with
who have requested two-factor authentication for the Swift
messaging system has jumped to about 150 from 10 since last
year.
Swift will likely need more time to fully win back confidence.
The New York Fed stopped making payments on the strength of Swift
messages alone and adopted a policy of double-confirming orders
from Bangladesh by phone.
A New York Fed official complained last June that the
arrangement "is not sustainable," according to a letter reviewed by
the Journal. It isn't clear if the policy is still in effect. The
New York Fed declined to comment.
The Bank of Papua New Guinea uses Swift's messaging service and
has been interested in the cooperative's newer products, including
one that scrapes message traffic for data used in price benchmarks
and business analysis.
"We are concerned about what happened," says Stephen Pouru, a
risk analyst at Papua New Guinea's central bank. "The question
everyone is asking is: What is Swift doing?"
(END) Dow Jones Newswires
April 30, 2017 14:19 ET (18:19 GMT)
Copyright (c) 2017 Dow Jones & Company, Inc.