There’s been a lot of finger pointing within the global finance industry recently, as banks, governments and the industry’s primary service provider for moving money between financial institutions try to address how three separate banks fell victim to cyberattacks, resulting in the theft of nearly $100 million over the past year. As these entities battle it out in the media, in boardrooms and in court, cyber thieves are becoming more sophisticated and threatening our entire global financial system.
Three Similar Cases
The largest and best-known of these cyberattacks was disclosed in February, when the Central Bank of Bangladesh reported an $81-million heist after discovering the unauthorized transfer of money between the Federal Reserve Bank of New York and accounts in the Philippines, as reported by Fortune in March. Yet, just last week, CNBC and other media outlets reported that Vietnam’s Tien Phong Bank thwarted a similar heist, just as The Wall Street Journal revealed a lawsuit that Ecuador’s Banco del Austro filed in New York federal court this year against Wells Fargo & Co. The suit accuses the San Francisco-based bank of failure to notice a dozen suspicious transfers of about $12 million to banks in Hong Kong over a 10-day period in January 2015.
According to The New York Times, in the most recent attacks in Vietnam, hackers successfully gained access to the banks’ messaging and transfer system, implemented by the Society for Worldwide Interbank Financial Telecommunication, or SWIFT, using valid credentials, possibly obtained from known insiders or from other breaches of the banks’ systems. The thieves then covered up their actions by installing computer malware to erase traces of the fraudulent transfers.
While SWIFT, the backbone of global financial transactions, acknowledged the attempted attack, it quickly pointed out that its core messaging system had not been breached and reiterated that each bank is responsible for maintaining a secure connection to the SWIFT network. At the same time, SWIFT noted that these attacks exhibited a “deep and sophisticated knowledge of specific operational controls” at targeted banks and may have been aided by “malicious insiders or cyberattacks, or a combination of both.”
‘A Very Serious Concern’
These attacks on commercial banks are eye-opening and represent a very serious concern. Not only are we seeing an increase in hackers regularly using CEO email scams on small- to medium-sized companies, but also these attacks are growing larger and more sophisticated, employing criminal networks that are now focusing on our global financial system.
Fortunately, the attack in Vietnam was apparently recognized quickly enough to prevent a huge loss. Nevertheless, it sends a clear warning that these malicious cyberattacks, described by SWIFT as a “highly adaptive campaign targeting banks,” will continue, and the next financial institution to be attacked may not be so lucky.
According to Reuters, SWIFT is not regulated. Led by the National Bank of Belgium and overseen by a group of 10 central banks from developed nations, the network says it requires its members to notify it of problems that can affect the "confidentiality, integrity, or availability of SWIFT service.” However, former SWIFT employees and cybersecurity experts told Reuters that SWIFT has no specific requirements for member banks to report hacking thefts. So, when banks experience a theft and choose not to report it out of fear of exposing vulnerabilities, there’s no real recourse – a fact that is likely to change in light of these thefts.
Regardless of who is to blame, these recent attacks, and others undisclosed or yet to be disclosed, should be a wake-up call to financial institutions and the global financial industry to make cybersecurity a top international priority. By working together to ensure the use of the best deterrence systems available, regular disclosure of attacks and the sharing of information to prevent such attacks, global financial institutions will be better prepared to fight the common enemy – cyberthieves – and prevent the potentially disastrous results of larger, more sophisticated and successful cyberattacks.