“BDA discovered that for each unauthorized transfer, an unauthorized user remotely accessed BDA’s computer system after hours, logged onto the SWIFT network purporting to be BDA, and redirected transactions to new beneficiaries with significant dollar amounts…”
The news relating to the security of the SWIFT messaging system seems to be getting worse as more stories come out about breaches, some successful and some not, at banks around the world. According to this article from DataBreachToday, an attacker was able to access the Banco de Austro (BDA) network and request transfers from multiple banks, undetected in most cases. BDA is suing Wells Fargo for not detecting the fraud (note the irony) and Wells Fargo is standing firm that the root cause of the loss was the poor security at BDA.
What Failed (a short list)
- According to the article, the BDA systems were accessed remotely by unauthorized personnel after hours. Not only were attackers able to gain unauthorized access but they were able to maintain it undetected long enough to make a number of fraudulent transactions.
- Wells Fargo failed to identify the transfers as fraudulent but, when the same attempts were made against Citibank, they were flagged.
Possible solutions (a short list)
- Better access control. If remote access to the bank's system is required, confirming that the entity on the remote end of the connection is who they say they are and that they're doing what they're supposed to be doing is paramount.
- Better authentication of transfers. It's safe to assume that the SWIFT system's security-through-obscurity model is no longer a viable approach. Taking a look at the Bitcoin model may be a good place to start (decentralized ledger with cryptographic confirmation that repeats every x [minutes | hours | days | etc.] before the transaction is confirmed legitimate).
- Better information sharing between SWIFT members on a) the attacks that they are seeing, b) the success and failures they are having against these attacks and c) the processes that they employ (effectively and otherwise) to detect and mitigate the attacks.
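As an added illustration of the detection gap in the "What Failed" list above (not code from the article, BDA, Wells Fargo or SWIFT), the following rule scores each outbound transfer on the indicators the BDA description pairs together: a remote session, after-hours timing, a beneficiary with no prior history, and a significant amount. The log format, business hours, amount threshold and beneficiary list are all hypothetical and chosen for illustration.

```python
from datetime import datetime

# Constructed sample log (not real BDA or Wells Fargo data): one line per
# outbound transfer request, fields: timestamp|session|beneficiary_id|amount_usd
SAMPLE_LOG = [
    "2015-01-12T10:15:00|local|SUPPLIER-001|12000",
    "2015-01-12T23:40:00|remote|NEW-001|1480000",
    "2015-01-13T02:05:00|remote|NEW-001|650000",
    "2015-01-13T11:00:00|local|SUPPLIER-001|9000",
]

# Hypothetical policy values chosen for illustration, not SWIFT or bank defaults.
BUSINESS_HOURS = (8, 18)                 # 08:00-17:59 local time is normal
LARGE_AMOUNT = 500_000                   # at or above this counts as "significant"
KNOWN_BENEFICIARIES = {"SUPPLIER-001"}   # beneficiaries with prior transfer history


def parse(line):
    """Split one log line into (datetime, session, beneficiary_id, amount)."""
    ts, session, bid, amount = line.split("|")
    return datetime.fromisoformat(ts), session, bid, int(amount)


def risk_reasons(when, session, beneficiary_id, amount, known=KNOWN_BENEFICIARIES):
    """List the indicators a transfer trips; an empty list means it looks routine."""
    reasons = []
    if session == "remote":
        reasons.append("remote session")
    if not BUSINESS_HOURS[0] <= when.hour < BUSINESS_HOURS[1]:
        reasons.append("after hours")
    if beneficiary_id not in known:
        reasons.append("new beneficiary")
    if amount >= LARGE_AMOUNT:
        reasons.append("large amount")
    return reasons


def flag_transfers(lines, min_indicators=2):
    """Return (timestamp, amount, reasons) for transfers tripping several indicators.
    Any one indicator alone is often legitimate (a late batch, a new supplier),
    so the rule scores the combination rather than a single signal."""
    flagged = []
    for line in lines:
        when, session, bid, amount = parse(line)
        reasons = risk_reasons(when, session, bid, amount)
        if len(reasons) >= min_indicators:
            flagged.append((when.isoformat(), amount, reasons))
    return flagged
```

Run against the constructed sample, only the two after-hours remote transfers to the unseen beneficiary are flagged; the daytime transfers to the known supplier trip no indicator.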