SWIFT discloses more cyber thefts, pressures banks on security
This article by Jim Finkle for Reuters may be of interest to subscribers. Here is a section:
A SWIFT spokeswoman declined to elaborate on the recently uncovered incidents or the security issues detailed in the letter, saying the firm does not discuss affairs of specific customers.
All the victims shared one thing in common: Weaknesses in local security that attackers exploited to compromise local networks and send fraudulent messages requesting money transfers, according to the letter.
Accounts of the attack on Bangladesh Bank suggest that weak security procedures there made it easier to hack into computers used to send SWIFT messages requesting large money transfers. The bank lacked a firewall and used second-hand, $10 electronic switches to network those computers, according to the Bangladesh police.
SWIFT has repeatedly pushed banks to implement new security measures rolled out after the Bangladesh heist, including stronger systems for authenticating users and updates to its software for sending and receiving messages. But it has been difficult for SWIFT to force banks to comply because the nonprofit cooperative lacks regulatory authority over its members.
SWIFT told banks Tuesday that it might report them to regulators and banking partners if they failed to meet a November 19 deadline for installing the latest version of its software, which includes new security features designed to thwart the type of attacks described in its letter.
The security features include technology for verifying credentials of people accessing a bank's SWIFT system; stronger rules for password management; and better tools for identifying attempts to hack the software.
The vulnerability of central banks and financial institutions to cybercrime is truly worrying, and the fact that the Bangladesh central bank didn’t have so much as a firewall exemplifies just how big the problem is. SWIFT is a global network with huge vulnerabilities. The problem is that the penalty for laxity is so low that governments have been slow to act. It is questionable whether anyone will even lose their job because of the Bangladesh scandal.
The penalty for not being careful enough to avoid a breach is still too low. For many companies it is simply cheaper to tolerate a given level of cybercrime than to invest in the constant monitoring and network upgrades that would enhance security. That has so far represented a challenge for the cybersecurity sector, but the growth of the threat and the size of the losses are quickly approaching the point where all businesses will have little choice but to invest.
The Purefunds CyberSecurity ETF has rallied persistently for two months and is now testing the highs reached in late 2015. Some consolidation of recent gains is looking more likely than not, but a sustained move below the trend mean would be required to question the medium-term upward bias.