The theft of $81 million from Bangladesh Bank earlier this year highlights the problems that accompany technology’s benefits.
Ask banking CEOs what keeps them awake at night and a cyberattack is likely to figure prominently among the most worrisome threats—to both reputation and revenue. According to PwC’s 2014 Annual Global CEO Survey, more than 70% of banking and capital market CEOs cite cyber-insecurity as a major threat to their growth prospects. Cyberthieves tend to follow the money, which makes financial services one of the most vulnerable industries, and as banking enters a new digital age, exploiting technologies such as blockchain and increasing levels of automation, the cyberthreat increases. “There is an explosion in richness and diversity [of targets] inside of companies, especially banks,” says Dave Palmer, director of technology at cybersecurity firm Darktrace. “The blockchain, new currencies and faster speeds at which money is being transferred around the world are all new avenues of attack.”
Out of all economic crimes, cybercrime is now the second-most-reported crime after asset misappropriation, according to PwC’s Global Economic Crime Survey 2016. The financial losses from cybercrime are substantial. Approximately 50 organizations in PwC’s 2016 survey said they had suffered losses of more than $5 million from cybercrime, with almost a third reporting cybercrime-related losses in excess of $100 million.
High-profile hacks on financial institutions included attacks on US banks’ online banking websites in 2012. In 2014, cyberattackers hacked into JPMorgan Chase servers, gaining access to customers’ personal account details. Outages at the New York Stock Exchange have also been attributed to cyberattacks, and multiple cyberattacks on merchants or retailers such as Target have resulted in theft of millions of personal credit card details, impacting banks indirectly.
Although banking websites and credit card details have been traditional targets, new forms of attack are emerging all the time. For example, ransomware, which encrypts data or restricts access to information on a company’s servers unless it pays a ransom, has been growing in popularity. In 2015, a hacker leaked customer data from a UAE-based bank after it refused to pay a bitcoin ransom of approximately $3 million. Even the most arcane aspects of global financial plumbing are now being targeted. In early February, cyberattackers issued falsified instructions to transfer $951 million of deposits held at the New York Federal Reserve Bank by Bangladesh’s central bank, via the SWIFT network, to accounts in the Philippines and Sri Lanka. Although some of the transactions were blocked, $81 million was stolen.
SWIFT has asked banks to review their controls across messaging, payments and e-banking channels, and says the security and integrity of its messaging services are not in question. It refuted allegations by Bangladesh Bank and police investigators that SWIFT made mistakes in connecting a local network in Dhaka. “As a SWIFT user like any other, Bangladesh Bank is responsible for the security of its own systems interfacing with the SWIFT network—starting with basic password protection practices—in much the same way they are responsible for their other internal security considerations,” SWIFT remarked in a statement.
SWIFT says it is cognizant of malware designed to reduce financial institutions’ ability to spot evidence of fraud on local systems. On May 13, SWIFT acknowledged a second malware incident, which, like the attack on Bangladesh Bank, targeted banks’ secondary controls. But the second attack also targeted a PDF reader used by customers to check statements, thereby delaying victims’ ability to detect the fraud.
Matthias Maier, technical evangelist at Splunk, a San Francisco Big Data specialist, says the recent spate of attacks on banks connected to the SWIFT network is a wake-up call for the financial services industry: “Serious investigations must follow, given the custom-built nature of the malware used in this attack. It appears to have been created by someone with an intimate knowledge of how the SWIFT software works, which is cause for concern.”
Given the sophistication of the attack, some believe it could have been perpetrated by a nation state. “Some are hypothesizing it was the North Koreans,” says Rich Barger, chief intelligence officer at Arlington, Virginia-based ThreatConnect, which provides cyberthreat intelligence. Barger says some of the code used in the attacks on SWIFT member banks had data-wiping functionality similar to that used by North Korean cyberattackers.
“Attacks on underlying mechanisms like SWIFT don’t come as a surprise,” says Palmer at Darktrace. “Someone may have been bribed to give away details.” As cyberattacks drill down to narrower components of the business processes on which the global financial system relies, Palmer says, other areas, such as market-pricing information, may be vulnerable to attack.
SWIFT CEO Gottfried Leibbrandt says cybersecurity is part of SWIFT’s DNA. “After all, we are trusted by our clients to carry billions of high-value payment messages a year,” he notes. “This requires a network that meets the highest standards in terms of confidentiality, integrity and availability.” Leibbrandt stressed the need for the industry to work together to combat growing cyberthreats. “SWIFT is not all-powerful, we are not a regulator, and we are not a policeman,” he says. “Success here depends on all the stakeholders.”
SWIFT has adopted a five-pronged approach to customer security, starting with improved information-sharing among global financial institutions pertaining to new forms of malware identified by customers and best practices for dealing with cyberincidents. “Information-sharing is important,” says Maier, “not just the file name of the malware, but also tactics and how the malware behaves.” The US-based Financial Services Information Sharing and Analysis Center provides anonymous information-sharing for financial services firms globally, as well as alerts pertaining to the latest threats targeting banks.
Natasha Small, policy director in the financial crime department at the British Bankers Association, denies that the recent attacks via SWIFT mean the industry was caught napping. “Banks have been aware of these issues,” she says, “but it has probably brought it to the public’s attention.” She says UK banks are investing in specialists with cybercrime and financial crime expertise, and the Cyber Defence Alliance in the UK is also seeing banks working proactively with the UK’s National Crime Agency to share information regarding cyberthreats.
Maier says some of the security controls banks have put in place, such as anti-virus scanners to defend against computer malware, are no longer working. “In the SWIFT example, there is no virus scanner that could have detected the malware,” he explains. “If you had applied behavior modeling, however, it would have detected there had been several changes on the system, as usually SWIFT does not change that much. It is very stable.”
Instead of studying what cyberattacks looked like in the past, Darktrace, which uses Bayesian mathematics and machine-learning techniques to detect changes in behavior, monitors what is going on in the business, how information flows between people, how they use different devices and interact with people from outside. “If you know what is normal for your business, you can focus on the things that are unusual,” says Palmer.
Although it can be hard to pinpoint who is behind a cyberattack, attackers often make mistakes, according to Barger, and leave clues which can be analyzed. “Just because you’re a victim,” he says, “doesn’t mean you need to adopt a victim mind-set.”
Barger believes it is important to understand the motivations of hackers. Cyberattackers such as nation-states may not be intent on stealing money. For example, cyberattacks on US banks in 2012 were attributed to Iran allegedly retaliating for the Stuxnet attack on its nuclear facilities. The factors that inspire cyberattackers, Barger says, are often overlooked. “How are you going to tackle threats if you’re not considering the geopolitical impact that drives motivation?” he asks.