Hackers took advantage of gaps in cybersecurity coverage at the periphery of the Society for Worldwide Interbank Financial Telecommunication’s (SWIFT) network — which enables cross-border banking transactions worth trillions for some 10,000 banks that use the service across more than 200 countries — to pull off a series of cyberheists in the past year.
The financial institutions included banks in India, Vietnam, Ecuador and Bangladesh. While not all of the heists were successful, The Wall Street Journal said Bangladesh’s central bank and a commercial bank in Ecuador lost a combined $90 million.
The cybercriminals behind the Bangladesh heist reportedly used malware to steal bank codes and place fake transfer orders. At the time, the central bank was not using two-factor authentication measures.
The controversy over SWIFT’s security flaws, especially those tied to its messaging terminals, has been growing since 2016. A number of officials have spoken out against SWIFT’s lack of action in addressing these flaws and broader security concerns.
SWIFT software, while distributed with two-factor authentication built-in, reportedly allows users to opt-out of the security measure.
“Swift was not watching for the launch of cyberattacks on its customers beyond the core network,” Marcus Treacher, a Swift board member from 2010 to 2016 and now an executive at digital payments startup Ripple, an alternative to Swift, told the Wall Street Journal.
Smaller entities among its network have been known to be potential threats to the overall security of the network at large. The network reportedly released new security standards for its customers in April.
Gottfried Leibbrandt, SWIFT’s chief executive, was quoted in a statement: “While customers remain responsible for securing their own environment, we are dedicating very substantial efforts and resources to our customer security program, which aims to help customers improve their security and prevent these frauds.”
Federal prosecutors are building cases against North Korea that would point toward that nation as being behind the theft at the Bangladesh central bank.