SWIFT Discloses More Cyber Thefts, Pressures Banks On Security

Jim Finkle, reporting for Reuters:SWIFT, the global financial messaging system, on Tuesday disclosed new hacking attacks on its member banks as it pressured them to comply with security procedures instituted after February's high-profile $81 million heist at Bangladesh Bank. In a private letter to clients, SWIFT said that new cyber-theft attempts -- some of them successful -- have surfaced since June, when it last updated customers on a string of attacks discovered after the attack on the Bangladesh central bank. "Customers' environments have been compromised, and subsequent attempts (were) made to send fraudulent payment instructions," according to a copy of the letter reviewed by Reuters. "The threat is persistent, adaptive and sophisticated - and it is here to stay." The disclosure suggests that cyber thieves may have ramped up their efforts following the Bangladesh Bank heist, and that they specifically targeted banks with lax security procedures for SWIFT-enabled transfers. The Brussels-based firm, a member-owned cooperative, indicated in Tuesday's letter that some victims in the new attacks lost money, but did not say how much was taken or how many of the attempted hacks succeeded.

the...

[fyngyrz]

Wait, the VICTIMS lost money? Because the BANK'S security was compromised???

WTF do you keep your money in a bank for if they're not making certain it's safe???

JFC, time to go back to buried coffee cans. It's not like you can earn interest worth a shit anymore in a bank account anyway.

Re:the...

It's been the ultimate desire of banks and credit companies to shift all liability to the customer. Look into what happens if someone manages to compromise chip & pin card security (spoiler: your bank will blame you even if it's 'their' fault for using an insecure standard. Theirs has a chip, after all! /s).

Wake up, people, and stop supporting predatory and abusive business practices because you're too lazy or whatever to research and move to something better.

Re:the...

As of 1 Oct. 2015, the liability for fraudulent use of an EMV enabled card in the U.S. falls to whichever of the merchant or the bank are the least EMV compliant, not the customer whose card was fraudulently used.

Re:the...

WTF do you keep your money in a bank for if they're not making certain it's safe???

Perhaps you don't know it isn't safe until it's stolen.

Re:the...

[SuricouRaven]

C&P does have some exploitable vulnerabilities, certainly, but it's a lot better than magstripe. Any idiot with $20 worth of readily available commodity hardware can duplicate one of those in seconds. C&P fraud at least takes a level of organised crime and some equipment you have to know the right people to buy.

Re:the...

[guruevi]

The "victims" here would be the banks. Swift is a consortium of banks that facilitates international (or at least EU) bank-to-bank transfers. It's basically the routing number banks use for international transfers. From what I remember from using it, the transfer itself does not contain account numbers. If the swift network is what is compromised, the hackers could initiate fraudulent no-origin transfers.

Re:the...

[parkinglot777]

Wait, the VICTIMS lost money? Because the BANK'S security was compromised???

Read TFA again? Who is the "victim" here again? Swift's clients... Who are they? I am sure you are not Swift's client but may rather be Swift's client's client...

Re:the...

Welcome to England, the land of Bank Barons and Pirates, where the liability lies on the client!

Re:the...

[bn-7bc]

SWIFT is global you are probably thinking of SEPA transfers (transfers within EU done in €)

Re: the...

The banks are the victims.

Re:the...

[slashrio]

There is a severe misconceptions showing in your post.
As soon as the customer gives his money to the bank, it's not his money anymore.
When the bank goes bankrupt the customer will be the last in line to receive 'his' money back.
It's a loan you extend to the bank, you're not putting it there 'in storage'.

Re:the...

Hi,

I work for a non-banking company that is a customer of Swift, although most of their customers are indeed banks.
Swift facilitates money transfers between all their customers.

Although you need to comply with certain security requirements to become a customer (this is verified), most companies, including banks, are not taking them very seriously afterwards and don't even act on the non-mandatory security guidelines swift provides.
Now there is malware specifically targetted at the Swift interface at the customer. This is simlar to malware (Man in the browser) for "normal" webbanking users.

In short: Customers of Swift are bering hacked and infected withouth them knowing in order to do malicious Swift money transfers.
From the side of Swift it just looks like regular transactions.
I'd like to stress this is an interface between banks, so a transfer of several milion Dollars/Euros is a "normal" transaction.

The end users will not lose their money as there is regulation around that in Europe, but the customers of swift loose money as they need to make up for the money that was fraudulently transfered. (They can be insured and off course they will try to retrieve this money if they find out what happened after investigation.)

Hacks of governments, big institutions, etc... are happening from time to time and almost always the perpetrators are organised crime rings and a lot of money is involved.
Because bank robberies, the hijacking planes full of diamonds are "public" actions, they get reported almost all the time they happen, the "non-public" robberies, such as hacks, internal fraud, etc... are wildly underreported as the victims don't want their names in the media.

ICT Security in big companies is never done "because", there is always a risk based approach.
What does the ICT Security control cost, what does insurance cost instead? What is the likelyhood of this going to happen?, Do we need to protect it because of regulations? Etc...

The real news is that these issues are surfacing more and more in the public media.

Having such events in the media with sufficient details is good for ICT Security as it:
* Changes the numbers for the risk managers: "Hmm, the odds of this happening are higher than previously thought, we better invest in Security as it will cost less in the end."
* Adds costs because for victims because of negative image. "Hmm, if we get hacked, we need to do damage control at this cost, so we might want to prevent it from happening as that will be cheaper."
* etc...

Re:the...

In Europe this is regulated.

* As a private person, you are guaranteed to get up to 100.000 Euros back, which is more than most people have in their account.
* If you temporary have more, i.e. you just sold your house, this is guaranteed as well. (I believe "temporary" is defined as up to 3 months.)

The only problem is for companies who have a lot of money in their accounts, they are not guaranteed to get their money back and that is too bad as they though process for business is they need to "spread" their risk accros different banks, or "use" their money to do "economics" as they are required to do.

Re:the...

[slashrio]

That's not true. As a private person, since the Greece banking problems, the EU has adopted a new 'blue print' in which the customers will have to 'bail-in' the banks.
In other words, they lose (part of) their money to the creditors of the bank.
And you know what some prime minister once said about 'guarantees'? "Guarantees are for vacuum cleaners."
Try for instance to imagine who is going to pay every 'customer' (=idiot who gave his money away) his 100.000 Euros when all banks have gone belly up... There is no insurance that will be able to pay those amounts.

Not so SWIFT afterall

Just another day with clueless bankers...

Re:Not so SWIFT afterall

[jellomizer]

It is nice that you feel a cool and confidant as wherever you work hasn't been hacked yet.

Security problem is across all sectors Government, Non-Profit, corporate...
Why? Well IT Security is a relatively new problem. As we are hooking many systems together. However organizations are still not thinking in terms of IT Security. And also the Buzzword friendly "Agile/Nimble..." organization has no time for such security problems as Good IT people are Expensive, and this Security Work isn't directly affecting the bottom line.

Let me get this straight...

The bank here is not taking responsibility for the funds in the accounts for which it is responsible for securing? If infrastructure was compromised and it was not a user-issue (meaning that the account holder didn't enable access via having had malware or similar) then the bank should take responsibility as a good business practice.

Re:Let me get this straight...

Your comments are racist and inappropriate.

Re:Let me get this straight...

They are responsible, that's why they are losing money and the victims: They need to make up for it.

She's getting brutal

[bluefoxlucid]

Looks like someone has had enough with these banking breaches.

victims [Re:the...]

[XXongo]

Wait, the VICTIMS lost money?

That's the definition of "victim", isn't it?

If they were unaffected, they're not victims.

Banks Beg To Be Robbed

[JimSadler]

If banks wanted security the first thing that should be allowed is long or complex passwords. Yet many banks have severe restrictions on what characters can be used in passwords as well as insisting upon short passwords. So just why would financial institutions not have software that allowed characters as well as long passwords to be used? Imagine trying to crack }}}}}}}philandbillwentupthehill4444times.

Blockchain

No one steals from a Blockchain.

Two Bytes to $951M ..

[khz6955]

'The malware enumerates all processes, and if a process has the module liboradb.dll loaded in it, it will patch 2 bytes in its memory at a specific offset. The patch will replace 2 bytes 0x75 and 0x04 with the bytes 0x90 and 0x90.'