In February 2016, Bangladesh Bank was the victim of a widely publicised cyber attack on its infrastructure which was connected to SWIFT. Following the attack, SWIFT launched its Customer Security Programme to drive collaboration in the industry against cyber threats. Three years on, how has it fared? Patrick Brusnahan writes
The quest for collaboration in cyber security continues. At the start of 2018, SWIFT aimed to increase its collaboration with industry experts, such as anti-virus vendors and incident response teams.
SWIFT claims that these efforts resulted in the quick identification of financial institutions targeted by cyber criminals. Furthermore, it managed to do this before fraudulent transactions were sent.
In SWIFT’s report, Three years on from Bangladesh: Tackling the adversaries, the firm examined the trends observed between 2018 and 2019. These included telltale signs and how they become crucial in detecting and responding to attempted attacks.
Dries Watteyne, head of the cyber security incident response team at SWIFT, said: “SWIFT’s threat intelligence sharing has highlighted the changes to cyber criminals’ tactics, techniques and procedures used in attempted attacks, enabling industry participants to understand, and respond to, the increasingly sophisticated nature of cyber threats.
“It is encouraging that detection rates of attempted attacks are increasing, but we need to be mindful that malicious actors adapt rapidly. The industry must continuously strengthen and diversify its defences, investigate incidents and share information.”
Brett Lancaster, head of customer security at SWIFT, said: “These cases show how SWIFT solutions including our Daily Validation Reports tool, our Payment Controls Service and the gpi Stop and Recall facility can all have real, positive impact. They also evidence the importance of implementing security controls and of understanding and mitigating against cyber risks presented by counterparties. This is why more and more customers are turning to SWIFT’s KYC-Security Attestation utility to consume that information.”
SWIFT does not reveal who the main targets of cyber attacks are, but has narrowed them down to a few themes.
In most cases, financial institutions targeted are based in countries with a very high risk level on the Basel AML Country Corruption List. Over the last fifteen months, a large chunk of the attacks targeted firms in Africa, Central Asia, South East Asia, and Latin America.
However, in every case, the targets were smaller banks in terms of cross-border transactions per day.
In the vast majority of cases investigated, the interface GUI was used to insert the fraudulent transaction. As a result, the instructions would not have been present in payment back office applications. The fraud would therefore have been detectable through verification of end-of-day/start-of-day statement reconciliation messages.
Fraudsters are constantly playing a balancing game. The larger the fraudulent transaction attempted, the greater the reward, but also the greater the chance that detection systems are triggered.
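The reconciliation check described above can be sketched as follows. This is an added example, not code from SWIFT or its report: the record layout of (reference, currency, amount) tuples, the sample values and the function name are assumptions made for illustration, and a real deployment would read these fields from the bank's statement messages and back office system.

```python
from collections import Counter
from decimal import Decimal

# Constructed sample data: (reference, currency, amount) tuples.
BACK_OFFICE = [
    ("PAY-1001", "USD", "125000.00"),
    ("PAY-1002", "EUR", "48000.50"),
]
STATEMENT_DEBITS = [
    ("PAY-1001", "USD", "125000.00"),   # matches back office
    ("PAY-1002", "EUR", "84000.50"),    # reference known, amount altered
    ("GUI-7781", "USD", "1900000.00"),  # never instructed by back office
    ("PAY-1001", "USD", "125000.00"),   # second copy of a matched debit
]

def reconcile(statement_debits, back_office_payments):
    """Return statement debits with no matching back-office instruction."""
    expected = Counter((r, c, Decimal(a)) for r, c, a in back_office_payments)
    known_refs = {ref for ref, _, _ in back_office_payments}
    exceptions = []
    for ref, ccy, amount in statement_debits:
        key = (ref, ccy, Decimal(amount))
        if expected[key] > 0:
            expected[key] -= 1  # consume one instruction per matched debit
            continue
        if key in expected:
            reason = "duplicate of an already matched instruction"
        elif ref in known_refs:
            reason = "amount or currency differs from back office"
        else:
            reason = "no back-office instruction"
        exceptions.append({"reference": ref, "currency": ccy,
                           "amount": Decimal(amount), "reason": reason})
    return exceptions

if __name__ == "__main__":
    for item in reconcile(STATEMENT_DEBITS, BACK_OFFICE):
        print(f"{item['reference']} {item['currency']} "
              f"{item['amount']}: {item['reason']}")
```

Matching is done per instruction rather than per reference, so a debit that repeats an already matched payment is reported instead of being silently accepted.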
Since the incident with Bangladesh Bank, SWIFT believes the amounts sent in individual fraudulent transactions have “evolved”.
The report states: “Up until early 2018, we typically saw per transaction amounts of ten or tens of millions USD, however since then attackers have significantly reduced average per transaction amounts to between $0.25m and $2m – presumably to help avoid detection.”
However, fraudulent transaction amounts tended to be significantly higher than the “average” amounts sent over them in the prior 24 months.
Dollars account for the majority of cross-border traffic and, as a result, were the currency most used in investigated incidents. They accounted for close to 70% of fraudulent messages created since the Bangladesh Bank attack.
However, since the incident, there has been an increased usage of European currencies, such as GBP and EUR. In addition, a small number of Asia Pacific currencies, mainly HKD, AUD and JPY, made up around 5%.
Most of the beneficiaries of these attacks were based in Asia Pacific, 83% of them according to SWIFT. The remaining 17% was split across Europe, the Middle East and North America.
The report concludes: “The industry should continuously increase the strength and diversity of its defences and ensure it understands the nature of the changing threat. This means being proactive in limiting criminal opportunities linked to systems and business practices, it means ensuring proper preparedness and understanding counterparty cyber risk.”