LONDON / Reuters
International financial messaging service SWIFT has directed all its client banks to share information on attacks on the system to help prevent hacking, after criminals recently used SWIFT messages to steal nearly $81 million from the Bangladesh central bank.
It was reported earlier that Wells Fargo , Ecuador’s Banco del Austro (BDA) and Citibank, whose managing director, Franchise Risk & Strategy, Yawar Shah, is SWIFT’s chairman, did not inform SWIFT of an attack last year in which more than $12 million was stolen from BDA.
The banks and Shah all declined to comment on why they did not inform SWIFT in time.
Banks use secure SWIFT messages for issuing payment instructions to each other. The network is considered the backbone of international finance but faith in its security has been rocked by the theft from Bank Bangladesh’s account at the Federal Reserve Bank of New York.
SWIFT said in a communication to users that they should “immediately inform SWIFT of any suspected fraudulent use of their institution’s SWIFT connectivity or related to SWIFT products and services.”
SWIFT spokeswoman Natasha de Teran said banks whose SWIFT systems had been hacked should inform SWIFT.
She ointed out that she was unable to say whether banks, such as Wells Fargo, that received messages they later discovered were fraudulent, should inform SWIFT.
SWIFT has a role to play in educating its members about cyber threats, said Doug Johnson, Senior Risk Adviser at the American Bankers Association (ABA), noting there were disparate levels of security across
financial institutions. ABA is a lobby group for the US banking industry.
“This is a teachable moment for everybody who uses the SWIFT system to recognise that there is an effort by criminals underway to compromise the end points of companies using that system,” Johnson said in a statement released after SWIFT communicated to its users.
SWIFT is especially concerned about the use of malware to access interfaces with the SWIFT network. The Belgium-based co-operative, which is owned by its user banks, said it needed technical information from systems which have been compromised with malware to better understand the risks of attack.
Malware was used in the hacks on Bank Bangladesh in February and in the BDA case in January 2015.
“It is essential that you share critical security information related to SWIFT with us, “SWIFT said.
SWIFT told clients it would notify them as soon as possible of cases where malware had been used to attack systems “so that you can better target your preventative and detective efforts”. SWIFT did not inform clients about the BDA theft because it was unaware of it, a spokeswoman said.
In February 2016, instructions to steal $951 million from Bangladesh Bank were issued via the SWIFT network. Five transactions issued by hackers, worth $101 million and withdrawn from a Bangladesh Bank account at the Fed Reserve, succeeded, with $20 million traced to Sri Lanka and $81million to the Philippines.