08.07.2017 | Alex Rhomberg
Swift Arms Itself in the Fight against Cyber Attacks
Dr. Rhomberg, it was a hacker attack the likes of which the banking world had never seen before: In February 201, hackers managed to feed fake transfers of more than 950 million US dollars into the SWIFT network at Bank Bangladesh. How could this happen?
It turned out that, on the one hand, the bank concerned had considerable deficiencies in its IT security. Secondly, the attackers were not only very well informed about the software and IT infrastructure used, they also knew exactly where the weak points were and when to launch their attack. In addition to generating the greatest possible profit, the hackers aimed to keep the transfers secret for a long time in order to be able to transfer the money on to the target banks or collect it in cash.
Could this have happened to any other bank?
The attackers are highly professional organizations. They try everywhere and continue where they find the worst protection and see that there is something to be gained.
What consequences did SWIFT, which is responsible for standardizing the messaging and transaction traffic of around 10,000 banks, draw?
The fact is that the attackers have to hack very deeply into the bank’s system before they can access the software. SWIFT pointed out that it had no weak points in the system. Nevertheless, it took action and developed a security program, the Customer Security Controls Framework, which contains comprehensive security recommendations.
How were the new regulations received by the banks?
The first draft contained many measures for smaller SWIFT participants with less developed IT security, which would have applied to everyone. These met with strong resistance from larger Swiss banks. After intensive discussions, a statement was drawn up by the Swiss SWIFT participants. The framework was finally revised. In the published version, it sets control objectives that can be achieved with various implementations.
These security recommendations are strongly supported in the financial sector. What do they contain in detail?
The program includes a set of rules to protect SWIFT systems and a platform through which SWIFT can quickly inform its customers about threats. For example, the regulations are about separating the systems to which the SWIFT network is connected from other systems. In addition, secure user identification is to be provided not only by password, but also by an additional means of identification such as a smart card.
By the end of 2017, all SWIFT customers are to carry out a self-declaration. What does this look like?
In its framework, SWIFT has defined protection goals in 16 mandatory and eleven recommended chapters. The banks have until the end of 2017 to enter on the SWIFT platform whether they meet these targets. This information will then be communicated to the financial market supervisory authorities.
To what extent can TEMET AG assist its customers with self-declaration?
We support the banks in analyzing these requirements with regard to the existing infrastructure and security solutions. We also assess whether a control objective is being achieved and where we recommend improvements to the security environment. Since we know the development process and each version of the framework in detail, we are able to show banks the best way to achieve the control objectives.
How likely is it that, despite various security precautions, hackers will again interfere with these financial processes in the near future?
The new security precautions will make it much more difficult for hackers to intervene in the SWIFT infrastructure of banks. However, it is now up to the financial institutions themselves to think carefully about how such payments can be prevented in general. Because it is also clear that hackers are organizations with detailed knowledge of the computer systems used and are always on the lookout for the weakest link in the chain.
Note: This article was also published in Wirtschaftsguide, a supplement to the Sonntagszeitung.