By Raz Rafaeli, CEO of Secret Double Octopus
SWIFT, the Society for Worldwide Interbank Financial Telecommunication, is the grease that keeps the wheels of the worldwide economy moving. Some 25 million messages – most of them money transfers – pass through the SWIFT system daily. It’s said that the system transfers some $5 trillion a day – big money any way you look at it. If something were to happen to the SWIFT system, the world economy would grind to a halt.
But it turns out that there are risks with money transfers in the SWIFT system even when it is working properly. That is essentially what happened a little more than a year ago, when hackers heisted $81 million from the Bangladesh Bank, cleverly stealing the money via a SWIFT transfer. Through a series of subterfuges and with the right timing (scheduling the thefts for a weekend, when staff at the Federal Reserve Bank from which the hackers requested the transfer were away from their desks), the hackers were able to fly under the radar, avoiding notice until it was too late.
But all along, the SWIFT system operated properly. To steal the money, the hackers didn’t compromise the system – they used it, by obtaining (possibly in a phishing scam) the credentials of employees of the Bangladesh Bank. Once logged in, the hackers were able to do as they wanted – and had it not been for a typo in one of the transfer requests they filed with the New York Federal Reserve Bank to send money to accounts in the Philippines, Sri Lanka and other parts of Asia, they might have gotten away with stealing the billion dollars they were said to have their eyes on.
In the grand scheme of wire transfer fraud, $81 million isn’t all that much; some $30 to $50 billion is stolen en route from one bank or business to another, according to experts. How much is stolen from the SWIFT network is a closely guarded secret, but it may be substantial, according to the organization itself. SWIFT told clients last November that it was experiencing new threats from hackers who were operating in a more sophisticated manner than in the past.
Speaking to Reuters, a top security official in the SWIFT organization said that the network had been hit with a “meaningful” number of attacks since the Bangladesh hack – about a fifth of them resulting in stolen funds. “The threat is very persistent, adaptive and sophisticated – and it is here to stay,” SWIFT told clients. If those thefts were similar to the Bangladesh hack, then it’s not just the targeted banks that have a problem; anyone using the SWIFT network is at risk, because of the credential-based system the organization uses to transfer funds. One of the results of the Bangladesh hack was the adoption of two-factor authentication by the group.
But the two factors SWIFT is using have proven themselves to be less than secure. Despite SWIFT’s experience with user IDs and passwords – the very credentials that were stolen by hackers in the Bangladesh hack, and probably the other ones SWIFT officials have hinted at – such credentials are still the first step in authorizing a transfer. The second factor – SMS or voice – is not much better, according to NIST, the US National Institute of Standards and Technology. “Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems SHOULD carefully consider alternative authenticators,” NIST says; SMS is now “deprecated” because of the security threat involved. “Out-of-band authentication using the PSTN (SMS or voice) is discouraged and is being considered for removal in future editions of this guideline,” NIST says in the latest draft update of its recommended security guidelines.
Perhaps it’s time for SWIFT to consider something more secure; if there is any financial organization that is “too big to fail” (or suffer a major hack), it’s SWIFT. What are the alternatives? One up-and-coming trend is push authentication, used as a second factor. According to Gartner, 50% of all enterprises using phone authentication will adopt push over other methods, compared to fewer than 10% today – a growth rate of 500%. But while push offers a very convenient alternative to passwords, from a security standpoint it is no more secure than SMS, and has already been compromised by hackers. The push app must be accompanied by strong anti-cloning technology that prevents attackers from authenticating on their own devices. For further security, biometrics – use of a fingerprint, for example – could be used as a second factor to authenticate the user, and organizations can eliminate use of the far weaker username/password method of authentication.
And getting away from password authentication seems as if it should be a priority for SWIFT. According to a Verizon report, two out of every three data breaches are due to stolen passwords or misused credentials – and those odds are far too high for a system handling as much money as SWIFT. It’s time to take authentication to the next level.