Questions about the risks facing banks connected to the SWIFT network have arisen following a series of cyberattacks, which all started with the $81 million hack of Bangladesh’s New York Fed bank account.
What has exposed the potential risks in how banks are connected to SWIFT’s interbank messaging system, however, is a failed attempt to hack a smaller Vietnamese bank, which announced earlier this week that it had stopped a fraudulent attack last year that was worth more than $1 million. Tien Phong Commercial Joint Stock Bank (TPBank) announced that the hacking attack came via a third-party service that attempted to use SWIFT’s interbank network to break into the system.
There were no losses in the incident, according to the bank, but regulators are still investigating it. What the Vietnam bank hacking attempt revealed, though, is what was to come in the Bangladesh cyberheist.
“What cyber criminals have been trying to do is focus on banks that might be using outdated versions of SWIFT or third-party vendor software,” Kenneth Wong, cybersecurity leader of PricewaterhouseCoopers China and Hong Kong, told Bloomberg. “There’s always a race between software companies and hackers.”
And that’s where the conversations have continued on this issue.
“The Vietnam case shows that the global banking system is vulnerable to cyberattacks, and we should make a global effort to prevent these attacks,” Bangladesh Bank spokesman Subhankar Saha told Bloomberg on Monday (May 16).
But that also means ensuring policies and procedures are in place to prevent these attacks, and that’s why SWIFT’s payment system has continually come into the conversation, along with how its operational risks are managed.
SWIFT, which moves hundreds of billions of dollars across its system daily, has noted that it is aware of other cases like this. It reported last week that the Bangladesh hack occurred after malware infecting a PDF reader was used to breach customer data.
And, even more recently, a link was drawn suggesting that the 2014 Sony Pictures attack could be connected to both the Bangladesh and Vietnam cases. Bryce Boland, chief technology officer for the Asia-Pacific region at FireEye, told Bloomberg that banks in some Asian markets are more vulnerable to attacks because they don’t always have the necessary resources to prevent them.
Even so, SWIFT has recently stated formally that it is not responsible for banks failing to take proper precautions to safeguard their systems.
“SWIFT is not, and cannot, be responsible for your decision to select, implement [and maintain] firewalls, nor the proper segregation of your internal networks,” SWIFT wrote in a letter to its customers. “As a SWIFT user, you are responsible for the security of your own systems interfacing with the SWIFT network and your related environments. We urge you to take all precautions.”