Bank Heister Returns - Cyber, SWIFT tricker


Oct 06, 2016 posted by Mayur Dave, Independent telecom research professional

DOI: 10.13052/popcas011

Years ago we had incidents of bank robberies, and in recent months we still do. Back then it was an act of physically storming the bank premises: masked gangs and the ensuing crime. Now there are sophisticated means to rob a bank from a remote location via computer systems!

The context I want to bring out is the recent string of bank heists, all executed in a common pattern: identity theft used to gain access to a centralised system. From those keywords you will surely have guessed that this blog is about the bank heists executed via the SWIFT system. For a quick reference, SWIFT is a global member-owned cooperative provider of secure financial messaging services, whose products and services connect more than 11,000 banking and securities organisations, market infrastructures and corporate customers in more than 200 countries and territories [1]. It is an abbreviation for 'Society for Worldwide Interbank Financial Telecommunication' [2].

There have been at least six bank heists, recently discovered and reported, that are suspected to follow a similar plot:

  • SONALI BANK: The Bangladeshi bank lost $250,000 to attackers in 2013 [3]. The case is being re-examined after the February 2016 attack on the Central Bank of Bangladesh [4].
  • BANCO DEL AUSTRO: $12 million was stolen from the Ecuadorian bank in January 2015 [3].
  • BANK IN THE PHILIPPINES: As yet unnamed, this bank was attacked in October 2015, according to security firm Symantec [3].
  • TIENPHONG (TP) BANK: The Vietnamese bank blocked an attempted theft of more than $1 million in December 2015 [3].
  • BANGLADESH BANK: The Central Bank of Bangladesh lost $81 million to attackers, who attempted to steal nearly $1 billion in their February heist [3].
  • UKRAINIAN BANK: The warning, issued on April 28 (by Ukraine's central bank), did not identify the bank or say if the cyber-attack had been successful, but said it had been similar to the theft in February of $81 million from Bangladesh's central bank [5].

Widely highlighted is the SWIFT system, which is confirmed to have been 'accessed' in most of the above heists. Reading each case and comparing the details, I find that it was the other mechanisms and systems around the SWIFT system that were compromised or defrauded; the SWIFT systems/networks merely validated the identity of the money-transfer initiator.

In the Sonali Bank heist case, hackers installed keylogger software on a computer to obtain passwords to other systems, and then sent fraudulent transfer requests over SWIFT, said a senior bank official who is part of the bank's IT operations [6].

In the TP Bank heist case, the cause was a "third-party vendor" the bank had used to connect to the SWIFT system, which was likely infected with malware. The vendor's internet servers were based in Singapore; however, the bank claimed not to know the identity of the vendor [7].

With the Central Bank of Bangladesh, it was locally developed malware designed not just to alter SWIFT transactions but also to hide the alterations, since all transfers are sent by SWIFT's software to a printer [8].
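The Bangladesh case above is a reminder that the printed confirmation is produced by the same host that sends the message, so it cannot be the only record a bank checks. The following is an added illustration, not code from the blog post or from SWIFT, of the kind of independent reconciliation a defender would run: the core-banking ledger of approved instructions, the messaging interface's outbound log, and the confirmation-printer log are compared against each other, and any transfer that was sent without approval, sent with different details than approved, or printed differently from what was sent is flagged. The record format (`ref|beneficiary|amount|currency`) and all sample rows are constructed for the example.

```python
"""Reconcile outbound payment instructions against two independent records.

Constructed example: the pipe-separated record layout and the sample rows
are invented for this illustration and do not represent SWIFT message
formats or any bank's real data.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Payment:
    ref: str          # bank's own transaction reference (constructed)
    beneficiary: str  # beneficiary account identifier (constructed)
    amount: Decimal
    currency: str

    def details(self):
        return (self.beneficiary, self.amount, self.currency)


def parse_records(text):
    """Parse constructed 'ref|beneficiary|amount|currency' lines into a dict keyed by ref."""
    records = {}
    for line in text.strip().splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ref, beneficiary, amount, currency = [f.strip() for f in line.split("|")]
        records[ref] = Payment(ref, beneficiary, Decimal(amount), currency)
    return records


def reconcile(approved, sent, printed):
    """Compare what the messaging interface actually sent against the approved
    ledger and the printed confirmations. Returns sorted (ref, finding) tuples.

    Run this on a host the messaging interface cannot write to; if the
    comparison runs on the compromised box, the malware can hide from it too.
    """
    findings = []
    for ref, msg in sent.items():
        approved_msg = approved.get(ref)
        if approved_msg is None:
            findings.append((ref, "sent but never approved in the ledger"))
        elif approved_msg.details() != msg.details():
            findings.append((ref, "sent message differs from approved instruction: "
                                  f"approved {approved_msg.amount} {approved_msg.currency} "
                                  f"to {approved_msg.beneficiary}, sent {msg.amount} "
                                  f"{msg.currency} to {msg.beneficiary}"))
        printed_msg = printed.get(ref)
        if printed_msg is None:
            findings.append((ref, "sent but missing from the printed confirmation log"))
        elif printed_msg.details() != msg.details():
            findings.append((ref, "printed confirmation differs from what was sent"))
    return sorted(findings)


# Constructed sample data for the three views.
APPROVED_LEDGER = """
# instructions approved in core banking
TX1001 | ACC-111 | 100000.00   | USD
TX1002 | ACC-222 | 250000.00   | USD
"""

OUTBOUND_LOG = """
# what the messaging interface actually transmitted
TX1001 | ACC-111 | 100000.00   | USD
TX1002 | ACC-999 | 250000.00   | USD
TX1003 | ACC-999 | 81000000.00 | USD
"""

PRINTED_CONFIRMATIONS = """
# what the confirmation printer shows; TX1002 looks untouched and TX1003 is absent
TX1001 | ACC-111 | 100000.00   | USD
TX1002 | ACC-222 | 250000.00   | USD
"""


def run_demo():
    """Reconcile the constructed sample data and return the findings."""
    return reconcile(parse_records(APPROVED_LEDGER),
                     parse_records(OUTBOUND_LOG),
                     parse_records(PRINTED_CONFIRMATIONS))


if __name__ == "__main__":
    for ref, finding in run_demo():
        print(f"{ref}: {finding}")
```

On the sample data TX1001 reconciles cleanly, TX1002 is flagged twice (beneficiary changed between approval and transmission, and the printout does not match what went out) and TX1003 is flagged twice (never approved, never printed). The design point is that no single view is trusted: the outbound log proves what left the bank, the ledger proves what was authorised, and a discrepancy in either direction is a detection, whatever the printer says.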

While SWIFT has its own stand on the above cases and has committed to enhancements and detailed guides for future use [8], it is up to the banks that connect to SWIFT to maintain security policies as well, and to ensure those policies are implemented and adhered to, because there will still be a good number of banks employing the SWIFT system that may be on the radar of such attackers. How scary does it get if you had large financial engagements with a bank that was cyber-attacked, after which the Managing Director publicly admits, "We could not find out what happened" [6]? It sounds like something I heard in my childhood days when the not-so-sophisticated piggy bank was found broken!

References:
[1] About SWIFT messaging: https://www.swift.com/about-us
[2] SWIFT stands for: https://www.swift.com/about-us/history
[3] 5 Cyber Heist Investigations, bankinfosecurity.in: http://www.bankinfosecurity.in/5-swift-cyber-heist-investigations-a-9160
[4] Fresh probe on 2013 Sonali Bank heist: http://www.databreachtoday.com/report-bangladesh-probes-2013-bank-hack-via-swift-a-9143
[5] Ukrainian bank cyber heist: http://www.reuters.com/article/us-cyber-heist-ukraine-idUSKCN0ZG2P1
[6] The Sonali Bank heist, re-examined: http://www.reuters.com/article/us-cyber-heist-bangladesh-idUSKCN0YG2UT
[7] TP Bank heist case: http://www.ibtimes.co.uk/vietnam-cyberheist-hackers-tried-transfer-funds-slovenian-bank-1560525
[8] Central Bank of Bangladesh heist case: http://www.databreachtoday.com/bangladesh-bank-attackers-hacked-swift-software-a-9061