U.S. federal and financial regulators recently advised banks nationwide to assess the strength of their safeguards against cyber fraud. The warning comes after a string of cyber heists and attempted heists against banks around the world, including the $81 million theft from the Bangladesh central bank.
These crimes have opened the financial industry’s eyes to a new kind of attack. Instead of solely looking to break in from the outside and steal customers’ personal information to sell on the black market, criminals are now infiltrating accounts so they can pose as legitimate insiders. Those insiders include bank officials, third-party vendors, or any other employee who has access to the bank’s network. The criminals then spend time getting to know the bank’s network, manipulating systems to fraudulently move money, and hiding the evidence.
In the Bangladesh case, the attackers compromised a legitimate bank user’s account and put in money wire orders through the SWIFT platform, which is used by banks around the world to transfer money.
Although the Federal Reserve Bank of New York blocked the majority of those requests, it let some transactions go through, causing the Bangladesh central bank to lose $81 million. The case is alarming because the only breach that took place was the initial hack into the Bangladesh bank user’s account.
Neither SWIFT nor the Federal Reserve Bank of New York was compromised. However, the theft eroded confidence in the SWIFT system, making the Federal Reserve question the legitimacy of orders coming through in the future.
The case shows that banks not only need to worry about their own cyber security, but everyone else’s too. The method of attack exposes the entire banking ecosystem to harm. It proves that the historical method of implementing strong perimeter protection is no longer enough.
Perimeter protection is like the front desk of an office building. There’s a security guard to check badges and make sure only those individuals who should be entering the building are doing so. However, once they are inside, the guard can no longer see where they are going, and what files or valuables they can steal. Cyber criminals have realized that if they breach just one bank employee who connects to a shared platform like SWIFT, they can submit a seemingly legitimate money transfer order and steal money.
The attack method for these high-tech bank heists is similar to credit card fraud. A criminal steals an individual’s credit card information and then buys something online, appearing to be the true cardholder. However, the credit card industry has become very effective at stopping such fraud in its tracks.
I recently received a text from my credit card company asking if I had made a purchase in Guatemala. I said, “No,” and they shut down my card immediately. Credit card companies understand the importance of enlisting the credit card holder as an active participant in thwarting fraud. They detect unusual behavior—like a New Yorker shopping in Guatemala—and contact the card’s owner. If the cardholder denies making the purchase, they shut down the transaction and the card.
The result of the Bangladesh case is similar to a credit card company saying, “Your purchase was a legitimate order so we paid them. Shame on you, Mr. Cardholder, for not doing more to prevent your credit card from getting stolen.” The financial industry as a whole needs to do better.
SWIFT should have cyber security measures in place to detect unusual patterns in money transfer requests. The clues are in the message itself. On the other end, if the Federal Reserve receives a transaction request that’s flagged as unusual, it must demand verification from the asset owner, the authorized bank official who put in the order, that the individual did indeed make the request. If the bank official says, “No, we didn’t make that request,” then SWIFT should temporarily suspend all messages from the bank that’s under attack.
In the Bangladesh case, the onus was more on SWIFT and the Federal Reserve to stop the transactions from going through. But banks overall must do a better job of detecting and reacting to unusual behaviors. If a bank flags unusual activity against an asset, the bank’s incident responders should contact the authorized bank official who governs that asset and ask whether the activity is indeed suspicious. And if so, the bank should shut down the system that is under attack, whether that’s an application, database, or network.
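The detect-verify-suspend loop described above, as an added illustration in Python (not code from the article, SWIFT or any bank): each order is compared with the originator's own history, a flagged order is held until a `verify` callback standing in for the out-of-band call to the authorized official answers, and one denial suspends every later order from that originator. The bank code, countries, amounts and the two-times-maximum threshold are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class WireOrder:
    order_id: str
    originator: str  # sending bank, constructed BIC-style code
    beneficiary_country: str
    amount_usd: float

def build_baseline(history):
    """Per originator: beneficiary countries and largest amount seen before."""
    base = defaultdict(lambda: {"countries": set(), "max_amount": 0.0})
    for o in history:
        base[o.originator]["countries"].add(o.beneficiary_country)
        base[o.originator]["max_amount"] = max(base[o.originator]["max_amount"], o.amount_usd)
    return base

def anomaly_reasons(order, baseline):
    """The clues are in the message: compare it with the originator's own history."""
    b = baseline.get(order.originator)
    if b is None:
        return ["no history for originator"]
    reasons = []
    if order.beneficiary_country not in b["countries"]:
        reasons.append(f"new beneficiary country {order.beneficiary_country}")
    if order.amount_usd > 2 * b["max_amount"]:  # assumed threshold
        reasons.append("amount more than twice the historical maximum")
    return reasons

def process_orders(orders, history, verify):
    """verify(order, reasons) stands in for the out-of-band call to the
    authorized official. One denial suspends every later order from that bank."""
    baseline = build_baseline(history)
    suspended, decisions = set(), {}
    for o in orders:
        if o.originator in suspended:
            decisions[o.order_id] = "held: originator suspended"
        elif not (reasons := anomaly_reasons(o, baseline)):
            decisions[o.order_id] = "released"
        elif verify(o, reasons):
            decisions[o.order_id] = "released after verification"
        else:
            suspended.add(o.originator)
            decisions[o.order_id] = "rejected; originator suspended"
    return decisions

# Constructed sample data: BANKAAXX normally pays modest sums to DE and GB.
HISTORY = [WireOrder("h1", "BANKAAXX", "DE", 250_000), WireOrder("h2", "BANKAAXX", "GB", 400_000)]
ORDERS = [WireOrder("o1", "BANKAAXX", "DE", 300_000), WireOrder("o2", "BANKAAXX", "MX", 20_000_000), WireOrder("o3", "BANKAAXX", "GB", 100_000)]
DECISIONS = process_orders(ORDERS, HISTORY, verify=lambda o, r: False)  # the official denies o2
```

With the official denying the flagged order, o1 is released, o2 is rejected and o3, although unremarkable on its own, is held because its originator is now suspended.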
Criminals can steal someone’s shoes but they cannot duplicate how they walk in those shoes. If SWIFT and/or banks, which include the Federal Reserve, see shoes walking in an unusual way, they need to stop them. That entails identifying unusual behavior, contacting someone who can verify that it is indeed suspicious, and temporarily shutting down the system under attack. Once the financial industry can get to that level of maturity, this new kind of attack will be stopped.