SWIFT Too Slow On Security Risks?

Small banks may have proven to be a security risk for SWIFT, but a new report quotes current and former executives who say too little was done too late, despite the warning signs.

The financial messaging service known as SWIFT, which operates as a bank-owned consortium and helps payments in the billions of dollars move globally, has been beset by security flaws, has known about them and has done little to address them.

So reported Reuters on Wednesday (Aug. 17). The newswire said that more than a dozen current and former SWIFT officials maintained that security issues beset the smaller banks among the 10,000 banks that use the service across more than 200 countries, and that those issues were tied to the way those banks used the SWIFT messaging terminals.

Those officials (some unnamed by the newswire and others identified and quoted, all employed at the manager and director level) stated that SWIFT had not been proactive in monitoring or changing “sloppy security practices,” according to Reuters. At the same time, SWIFT recognized that the smaller entities in its network were, in fact, potential threats to the security of the network at large.

One former board member, Arthur Cousins, told Reuters that one reason no action came from SWIFT stemmed from the perception that bank regulators themselves were on the hook for ensuring that the smaller players across the platform had adequate security measures in place. The movement to become a bit more alert to security threats may have been triggered by the Feb. 2016 attempt by hackers to make off with $1 billion from the Bangladesh central bank’s messaging system, as Reuters noted. As has been widely reported, that hack never reached the scale that was attempted, but thieves did indeed make off with $81 million from the Bangladesh account maintained at the Federal Reserve Bank of New York. Funds were subsequently diverted to banks located in the Philippines. Executives said that there had not been communication by member banks about the hacking attempts, and they failed to spot those attempts on their own.

Reuters quoted another former executive, Leonard Schrank, who served as the CEO of SWIFT from 1992 to 2007, as stating: “The board took their eye off the ball. They were focusing on other things and not about the fundamental, sacred role of SWIFT, which is the security and reliability of the system.” Noting that there had been knowledge of those weak links but that inactivity had been a hallmark of the response, the former CEO stated: “I am partially responsible.”

The current CEO, Gottfried Leibbrandt, who has served in that capacity since 2012, has said in the past that SWIFT has been looking to foster better sharing of information among member banks and stronger security via software, among other initiatives.

One issue that has bedeviled the consortium has been growth itself. The number of countries covered by SWIFT blossomed from 126 in 1994 to its current 212. Reuters noted that 90 percent of the messaging revenue for SWIFT (at about €710 million) comes from 25 of those countries, which are among the biggest developed nations.

The aforementioned Bangladesh thievery may have been an impetus for change. Reuters noted that, in May, SWIFT debuted a “customer security plan,” which focused on security software initiatives and on increased scrutiny to find where accounts may have been compromised, along with the ability for banks to set up “stop payment” orders with speed.