Banks tighten SWIFT system security after hacks
Banks are tightening the security of their SWIFT messaging networks – used by the industry to shift trillions of dollars each day – following revelations that hackers are increasingly able to get into this system to steal money.
Bankers at SWIFT’s annual SIBOS conference in Geneva said they were adopting new security tools, reviewing procedures and pressing their counterparties to do the same. Some banks are also looking at alternative technologies for transferring money, such as blockchain-type systems.
They are stepping up their efforts after the theft of $81 million from the Bangladesh central bank in February and revelations of other infiltration of banks’ SWIFT terminals. These hacks have undermined confidence in SWIFT messages, which were previously accepted at face value.
“The attacks will continue and get more sophisticated,” SWIFT Chief Executive Gottfried Leibbrandt warned delegates at the conference organized by SWIFT, which is a global member-owned cooperative.
Benoit Desserre, Global Head of Global Transaction Banking at France’s Societe Generale, said his bank had already undertaken all of SWIFT’s recommended security measures but that the hacks had encouraged it to go one step further.
The bank is introducing a new layer of security whereby the staff who are approved to send SWIFT payment instructions must now sign on with a fingerprint scanner. This is in addition to passwords and a physical computer key.
“It was easier for us to make that investment knowing what has happened,” he told Reuters in an interview. “It suddenly became more important to get something like that.”
In time, SocGen may press its counterparties to use a similar system, only agreeing to fulfill payment instructions which carry a digital fingerprint, Desserre said. But he said cost could slow a broader roll-out of the technology.
In the wake of the hacks, the French bank also went through its SWIFT system to weed out redundant communications channels. SWIFT operates like Facebook in that members can only send messages to confirmed counterparties. But sometimes these links remain open even after business relationships end.
SWIFT’s Chairman Yawar Shah told delegates at the conference that such open channels were a security risk and that all banks should weed out unused channels.
Desserre said Societe Generale had removed thousands.
Cheri McGuire, Chief Information Security Officer at Standard Chartered said her bank was also conducting an internal review around its SWIFT systems.
But banks are not just looking at their own systems.
The Bangladesh Bank heist involved diverting money held at accounts at the Federal Reserve Bank of New York into accounts in the Philippines.
Bankers said to avoid this happening in the future bigger banks needed to ensure the smaller banks they work with have appropriate security procedures.
Sergio Dalla Riva, Head of Product Development, Global Transaction Banking at Intesa Sanpaolo S.p.A. said understanding the security capabilities of your clients was becoming part of customer due diligence.
Lev Khasis, Chief Operating Officer at Sberbank, Russia’s biggest bank by assets, said he expected regulators to tighten oversight of security practices but that peer pressure would also play a role.
“Some big banks will be pushing their smaller counterparties to move in that direction,” he said. Sberbank was already pushing its clients in this way, he said.
The SWIFT hacks are also spurring interest in new technologies.
Lars Sjogren, Global Head of Transaction Banking at Danske Bank said his bank was working with technology companies to develop tools that would spot unusual and potentially fraudulent payment instructions sent via SWIFT.
“Payments of a certain size by a customer to people they normally pay should be green-lighted. But others could be yellow or red-lighted. There is a huge demand from our customers for that kind of service,” he said.
Others are looking at technologies which might one day replace the current SWIFT “FIN” message which banks send to tell another bank to move money around.
Blockchains are the most commonly touted alternative. These involve a publicly accessible ledger, which works as an electronic record-keeping and transaction-processing system and requires no third-party verification. The ledger can be checked at any time, helping to highlight fraudulent transfers.
On Wednesday, Sberbank joined the Hyperledger Project, which was formed by the Linux Foundation, a not for profit technology consortium, to develop new blockchain technologies for businesses. Khasis said such a system might be more secure than sending FIN messages.
SWIFT is also developing blockchain initiatives and its involvement could help to speed up the technology’s adoption, David Treat, Blockchain Lead at consultants Accenture, said. Nonetheless, he said that governance and privacy challenges remained.
Mark Buitenhek, Global Head of Transaction Services at ING, said he was doubtful blockchain or other technologies were a silver bullet.
“Fraud is a constant and fraud will remain there if we move to the next digital generation or not,” he said.
(Reporting by Tom Bergin. Editing by Jane Merriman)