SWIFT Discloses More Cyber Thefts, Pressures Banks On Security

Jim Finkle, reporting for Reuters:SWIFT, the global financial messaging system, on Tuesday disclosed new hacking attacks on its member banks as it pressured them to comply with security procedures instituted after February's high-profile $81 million heist at Bangladesh Bank. In a private letter to clients, SWIFT said that new cyber-theft attempts -- some of them successful -- have surfaced since June, when it last updated customers on a string of attacks discovered after the attack on the Bangladesh central bank. "Customers' environments have been compromised, and subsequent attempts (were) made to send fraudulent payment instructions," according to a copy of the letter reviewed by Reuters. "The threat is persistent, adaptive and sophisticated - and it is here to stay." The disclosure suggests that cyber thieves may have ramped up their efforts following the Bangladesh Bank heist, and that they specifically targeted banks with lax security procedures for SWIFT-enabled transfers. The Brussels-based firm, a member-owned cooperative, indicated in Tuesday's letter that some victims in the new attacks lost money, but did not say how much was taken or how many of the attempted hacks succeeded.

the...

[fyngyrz]

Wait, the VICTIMS lost money? Because the BANK'S security was compromised???

WTF do you keep your money in a bank for if they're not making certain it's safe???

JFC, time to go back to buried coffee cans. It's not like you can earn interest worth a shit anymore in a bank account anyway.

Re:the...

As of 1 Oct. 2015, the liability for fraudulent use of an EMV enabled card in the U.S. falls to whichever of the merchant or the bank are the least EMV compliant, not the customer whose card was fraudulently used.

Re:the...

[SuricouRaven]

C&P does have some exploitable vulnerabilities, certainly, but it's a lot better than magstripe. Any idiot with $20 worth of readily available commodity hardware can duplicate one of those in seconds. C&P fraud at least takes a level of organised crime and some equipment you have to know the right people to buy.

Re:the...

[guruevi]

The "victims" here would be the banks. Swift is a consortium of banks that facilitates international (or at least EU) bank-to-bank transfers. It's basically the routing number banks use for international transfers. From what I remember from using it, the transfer itself does not contain account numbers. If the swift network is what is compromised, the hackers could initiate fraudulent no-origin transfers.

Re:the...

[parkinglot777]

Wait, the VICTIMS lost money? Because the BANK'S security was compromised???

Read TFA again? Who is the "victim" here again? Swift's clients... Who are they? I am sure you are not Swift's client but may rather be Swift's client's client...

Re:the...

[bn-7bc]

SWIFT is global you are probably thinking of SEPA transfers (transfers within EU done in €)

Re:the...

[slashrio]

There is a severe misconceptions showing in your post.
As soon as the customer gives his money to the bank, it's not his money anymore.
When the bank goes bankrupt the customer will be the last in line to receive 'his' money back.
It's a loan you extend to the bank, you're not putting it there 'in storage'.

Re:the...

[slashrio]

That's not true. As a private person, since the Greece banking problems, the EU has adopted a new 'blue print' in which the customers will have to 'bail-in' the banks.
In other words, they lose (part of) their money to the creditors of the bank.
And you know what some prime minister once said about 'guarantees'? "Guarantees are for vacuum cleaners."
Try for instance to imagine who is going to pay every 'customer' (=idiot who gave his money away) his 100.000 Euros when all banks have gone belly up... There is no insurance that will be able to pay those amounts.

Let me get this straight...

The bank here is not taking responsibility for the funds in the accounts for which it is responsible for securing? If infrastructure was compromised and it was not a user-issue (meaning that the account holder didn't enable access via having had malware or similar) then the bank should take responsibility as a good business practice.

Re:Not so SWIFT afterall

[jellomizer]

It is nice that you feel a cool and confidant as wherever you work hasn't been hacked yet.

Security problem is across all sectors Government, Non-Profit, corporate...
Why? Well IT Security is a relatively new problem. As we are hooking many systems together. However organizations are still not thinking in terms of IT Security. And also the Buzzword friendly "Agile/Nimble..." organization has no time for such security problems as Good IT people are Expensive, and this Security Work isn't directly affecting the bottom line.

She's getting brutal

[bluefoxlucid]

Looks like someone has had enough with these banking breaches.

victims [Re:the...]

[XXongo]

Wait, the VICTIMS lost money?

That's the definition of "victim", isn't it?

If they were unaffected, they're not victims.

Banks Beg To Be Robbed

[JimSadler]

If banks wanted security the first thing that should be allowed is long or complex passwords. Yet many banks have severe restrictions on what characters can be used in passwords as well as insisting upon short passwords. So just why would financial institutions not have software that allowed characters as well as long passwords to be used? Imagine trying to crack }}}}}}}philandbillwentupthehill4444times.

Two Bytes to $951M ..

[khz6955]

'The malware enumerates all processes, and if a process has the module liboradb.dll loaded in it, it will patch 2 bytes in its memory at a specific offset. The patch will replace 2 bytes 0x75 and 0x04 with the bytes 0x90 and 0x90.'