- Swift codes for ICBC, UniCredit said to be in Vietnam malware
- U.S. banks pressing from more action from messaging network
Bank hacks in Vietnam and Bangladesh have sparked concerns within global banks, some of which are privately pressing the Swift interbank network to shore up security at its 11,000 members.
The pressure on Swift comes as new details emerge from the most recently disclosed bank hack. An examination of the malware used in an attack late last year on Vietnam’s Tien Phong Commercial Joint Stock Bank shows that unique Swift codes identifying at least seven additional financial institutions were embedded in the hackers’ work, according to a private report by BAE Systems Plc.
The list includes major banks in Asia and at least one in Europe, including what two people familiar with the list said were banks where the Vietnamese lender had correspondent accounts. The malware wasn’t used to attack those banks, said one person familiar with the situation. Rather, it deleted money-transfer confirmations sent between the Vietnamese bank and its partners that could have alerted bank officials of improper transactions, the person said.
Such revelations -- coming on top of Swift’s warning last week of a “wider and highly adaptive campaign targeting banks” -- show that intruders’ efforts went beyond looking solely at small banks in developing nations. They have raised alarms inside global lenders, said people familiar with several banks in the U.S. and Europe.
In the U.S., those concerns have prompted major banks to push for more action by the messaging network, according to two people familiar with the matter.
The Vietnam malware was “configured to parse transaction messages,” according to the BAE report. It included Swift codes for the New York and Hanoi branches of Industrial & Commercial Bank of China Ltd., the world’s largest bank by assets; Bank of Tokyo Mitsubishi UFJ Ltd., Japan’s largest bank; UniCredit SpA, Italy’s biggest bank; and Australia & New Zealand Banking Group Ltd., among others.
While Swift has for decades made sure its own financial messaging network was secured, less attention was paid to the security surrounding how member banks -- each with their own codes and varying levels of technology -- were connecting. Even today, when it discusses the cyber attacks, Swift emphasizes that its own network wasn’t breached and says its members are responsible for their own system interfaces.
Some U.S. banks are pushing to open discussions with Swift about whether it should have responded more quickly to the breaches and should now help member banks better secure their systems, according to one of the people familiar with the thinking within a large U.S. bank. BITS, the section of the Financial Services Roundtable aimed at combating cyberfraud and other technological issues, could be tapped to broker those discussions, the person said.
More broadly, some U.S. banks expect Swift to come up with a technological solution that could apply to all connected institutions and would help reduce these risks, another person said.
Natasha de Teran, a spokewoman for Swift, declined to comment.
Vietnam’s Tien Phong, known as TPBank, informed the country’s regulators this week that it had fended off a fraudulent transfer request late last year for more than 1 million euros ($1.13 million) that came through a third-party service that the bank used to connect to the Swift system. The report analyzed the malware used in that attack, calling it a less sophisticated “prequel” to a similar attack on the Bangladesh central bank earlier this year.
A BAE spokeswoman and the lead author of the report didn’t respond to requests for comment.
A Beijing-based press officer at Industrial & Commercial Bank of China declined to comment. Kazunobu Takahara, a Mitsubishi UFJ Financial Group spokesman in Tokyo, declined to comment to questions about Bank of Tokyo Mitsubishi. A representative at UniCredit declined to comment.
“While we are aware that the Swift codes of several international banks have been included in the malware, we have strong systems in place to detect and prevent this type of fraud,” Stephen Ries, a Melbourne-based spokesman for Australia & New Zealand Banking Group, said in an e-mail.
Other Swift codes found in the software were those for United Overseas Bank Ltd. of Singapore, South Korea’s Kookmin Bank, and Japan’s Mizuho Bank Ltd., part of Mizuho Financial Group Inc. in Tokyo.
Masako Shiono, a spokeswoman for Mizuho Financial Group, declined to comment.
An official at Kookmin Bank said the company wasn’t hacked and hasn’t had anything stolen by hackers, but has been following up on issues related to the Bangladesh central bank and TPBank hacks.
Susan Hwee, Managing Director and Head of Group Technology and Operations at United Overseas Bank, said “UOB treats the security of our banking systems and network very seriously,” and declined to comment further.
Swift, an acronym for the Society for Worldwide Interbank Financial Telecommunication, has risen over the past four decades from an obscure messaging network backed by banks in 15 countries to become a core part of the world’s financial plumbing. It processes about 25 million messages a day among 200 nations and territories, enabling banks to clear transactions in markets such as currencies and derivatives.
In the Bangladesh attack, the Federal Reserve Bank of New York was tricked by fake Swift messages into wiring more than $80 million held for the impoverished country to hacker-controlled accounts in the Philippines. The Fed’s systems halted an additional $850 million the hackers tried to have transferred.
Last week, Swift asked members to “urgently review” payments and messaging controls. Still, many banks still haven’t put in stronger security standards -- such as an added, independent system to verify that a user really is the person authorized to send messages, which would have thwarted the Bangladesh hack, said Carlo Schupp, chairman of miaa Guard, a Belgium-based cybersecurity company, and a former Swift security executive who spoke without referring to specific banks.
“I’m afraid certain banks won’t update quickly enough,” Schupp said.
The weakest link in the Swift system would be at individual banks’ interface with the network, according to Leonard Schrank, CEO of Swift until 2007, who was speaking generally. “Swift needs to now do more in the realm of tougher interface standards and security to help its members mitigate these new threats,” he said.
Among his suggestions is an “anomaly detector” capability which would flag unusually large or frequent transfer requests in Swift messages.
The practice of using pattern-recognition software to catch cyber crooks is commonplace throughout the financial services industry, from credit card processors to banks themselves. But those are protections for open systems involving inherently untrusted users. Swift is different -- a safe space where both ends of an exchange between banks are assumed to be valid users.
Computer scientists have become exceptionally good at writing programs that sift reams of data to spot out-of-the-ordinary events, so the technology to stop illicit transfers is quite advanced. But the calculus of figuring out the balance of facilitating commerce and reducing fraud is fraught.
The potential financial targets for hackers are enormous. The Bangladesh hack, for example, was just a drop in the daily bucket for the New York Fed, which processes around $80 billion a day through some 2,000 transactions just for foreign governments, central banks and other so-called official account holders.
The New York Fed said it followed standard procedures during the Bangladesh heist. Andrea Priest, a New York Fed spokeswoman, declined to comment on whether the bank had changed any of its procedures in response either to the February heist or to the reports of additional cyber attacks.
The specific means by which hackers carried out the Bangladesh hack and tried to effect the Vietnam hack -- through malware infecting a PDF reader used to check confirmation messages -- wouldn’t work on a major bank, according to two people familiar with the situation. It nevertheless showed that the attackers had learned a great deal about their victims’ systems, prompting consternation at a briefing at a major bank in New York Monday, and the feeling that now Swift needs to respond, one of the people said.