Will SWIFT-Related Heists Trigger More Regulatory Oversight?
FFIEC, FBI Issue Alerts About Interbank Messaging Risks
Now that both the FBI and the Federal Financial Institutions Examination Council have issued alerts calling attention to the risks associated with interbank messaging and wholesale payments, U.S. banks and credit unions should brace themselves for more regulatory scrutiny of bank-to-bank payments, financial fraud experts say.
"Regulators will take these issues very seriously and will begin looking for weaknesses during exams," says Shirley Inscoe, an analyst at the consultancy Aite.
"While the largest banks may be targeted the most initially, since it is normal for them to move very large amounts of money daily, smaller institutions should not think they are immune to this risk," Inscoe adds. "As with other types of fraud, as larger banks shore up defenses, and it becomes more difficult to defraud them, attacks will move downstream to smaller banks."
But mitigating the risks by conducting a gap analysis and taking corrective action takes time, she acknowledges. "Even if an FI [financial institution] gets all the way through the process, it doesn't mean dedicated hackers won't be successful. There is so much money at stake, this game will continue with both sides constantly trying to outwit one another."
Two Alerts Issued
The FBI recently issued a private Flash Alert to U.S. banks, offering them technical information about the attacks that compromised transactions worth millions of dollars routed through interbank messaging provided by SWIFT, including the $81 million heist from Bangladesh Bank, according to a report by Reuters.
"The actors have exploited vulnerabilities in the internal environments of the banks and initiated unauthorized monetary transfers over an international payment messaging system," the FBI alert said, according to Reuters.
On June 7, the FFIEC issued a similar alert, reiterating the need for U.S. banks and credit unions to review their risk management practices and processes related to interbank messaging and wholesale payments.
The vulnerabilities that allowed the SWIFT-related heists to be successful were simply not, until recently, a major concern to the banking community, says Tom Kellermann, CEO of Strategic Cyber Ventures, a cybersecurity technologies investment firm.
"They have slipped through the cracks due to a systemic underestimation of the financial acumen of the cybercriminals, coupled with a lack of appreciation for the modern day kill chain, which is laser-focused on compromising credentials and private keys," he says.
"This migration to straight-through processing has allowed for the manifested opening of Pandora's Box. Organized hacking rings are now aware that straight-through processing allows for the immediate distribution of wire transfers, without the ability to unwind transactions if not discerned in real time. As SWIFT is over-reliant on PKI [public key infrastructure] to defend its ecosystem, cybercriminals are compromising the private keys, and thus, conducting wire-fraud conspiracies."
Controls for Interbank Payments
In its statement, the FFIEC specifically calls out the need for banks to review controls and processes used for interbank transaction authentication, authorization, fraud detection and response management systems.
"The FFIEC members emphasize that participants in interbank messaging and wholesale payment networks should conduct ongoing assessments of their ability to mitigate risks related to information security, business continuity, and third-party provider management," the FFIEC states. "This statement does not contain new regulatory expectations. It is intended to alert financial institutions to specific risk mitigation techniques related to cyberattacks exploiting vulnerabilities and unauthorized entry through trusted client terminals running messaging and payment networks."
To ensure regulatory compliance, the FFIEC says institutions should review their interbank messaging and payments processes by:
- Conducting ongoing risk assessments;
- Performing security monitoring, prevention and risk mitigation to protect against intrusion and ensure detection when intrusions occur;
- Limiting the number of credentials that are issued for elevated privileges to access accounts and systems and periodically reviewing access rights;
- Conducting regular audits to review employees' and contractors' access and permission levels to critical systems;
- Changing default passwords and settings for system-based credentials;
- Preventing unpatched systems, such as home computers and personal mobile devices, from connecting to internal-facing systems;
- Using monitoring controls to detect when unauthorized devices are connected to internal-facing systems; and
- Ensuring only secured connections are used for remote access through virtual private networks.
The FFIEC also recommends that banks and credit unions refer to the FFIEC IT Examination Handbook to ensure they are meeting regulatory expectations for adequate IT risk management. "Financial institutions should also review and adhere to the technical guidance issued by payments and settlement networks for managing and controlling risks to critical systems," the council says.
Financial fraud expert Avivah Litan, an analyst at Gartner, noted in a recent interview that bank-to-bank transactions are often more vulnerable to fraud than customer-to-bank transactions because of the poor authentication practices used. She contends that basic security controls could have prevented the SWIFT-related heists.
The controls needed are "nothing new," says Amy McHugh, an attorney and former IT examination analyst with the FDIC who now works as a banking consultant for CliftonLarsonAllen.
"User-access reviews, activity reviews, dual control to initiate/validate/send funds, etc. - these recommended practices should have been reviewed all along by the regulators and internal/external auditors," she contends. The SWIFT-related heists "will probably lead to an increase in regulator focus on these types of transfers and FIs using SWIFT, at least in the short term."
Until the SWIFT-related incidents grabbed headlines, U.S. regulators focused primarily on domestic payments, McHugh adds. The FFIEC alert aims to remind banks and credit unions that international payments need just as much scrutiny, she says.
"All institutions performing funds transfers via the internet are vulnerable," McHugh says.
But the SWIFT-related heists suggest that attackers are going after larger institutions to get "more bang for their buck" and by taking advantage of institutions in nations with less stringent security controls, she says.
"These institutions dealing with interbank transfers may also believe they are less vulnerable, as there is no external customer introducing vulnerabilities into their systems," McHugh adds. "The problem is that the system consists of a patchwork of laws and regulatory oversight, and the focus, at least in the U.S., has been on domestic institutions and their interaction with customers in the U.S."
What the Attacks Revealed
In its statement, the FFIEC stresses that it's not offering new guidance but rather providing a reminder about why controls along certain points of interbank messaging are necessary. The FFIEC notes that recent attacks reveal fraudsters can successfully:
- Compromise a financial institution's payment origination environment by bypassing information security controls;
- Obtain and use valid operator credentials with the authority to create, approve and submit interbank messages;
- Employ sophisticated understanding of funds transfer operations and operational controls;
- Use highly customized malware to disable security logging and reporting, as well as other methods to conceal and delay the detection of fraudulent transactions; and
- Transfer stolen funds across multiple jurisdictions quickly or in real time to prevent institutions from recovering the funds.
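The dual-control, access-review and logging-silence points raised in the controls list and in the FFIEC's summary of the attacks, as an added Python example that is not part of the FFIEC statement or this article: it runs a few defender-side checks over a constructed operator log from a payment-origination workstation. The log format, the operator names, the entitlement table and the one-hour silence threshold are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample operator log for a payment-origination workstation. The
# format is assumed for this example: "<ISO timestamp> <message id> <operator> <action>"
SAMPLE_LOG = """\
2016-06-07T09:00:00 MSG-001 alice create
2016-06-07T09:05:00 MSG-001 bob approve
2016-06-07T09:06:00 MSG-001 bob submit
2016-06-07T09:10:00 MSG-002 carol create
2016-06-07T09:11:00 MSG-002 carol approve
2016-06-07T09:12:00 MSG-002 carol submit
2016-06-07T13:30:00 MSG-003 alice create
2016-06-07T13:31:00 MSG-003 dave approve
2016-06-07T13:32:00 MSG-003 dave submit
2016-06-07T13:40:00 MSG-004 alice create
2016-06-07T13:41:00 MSG-004 alice submit
"""

# Constructed entitlement table: which workflow actions each operator may perform.
ENTITLEMENTS = {
    "alice": {"create"},
    "bob": {"approve", "submit"},
    "carol": {"create", "approve", "submit"},  # holds every step: an elevated-privilege account
    "dave": {"create"},
}

WORKFLOW_ACTIONS = {"create", "approve", "submit"}


def parse_log(text):
    """Parse log lines into dicts with a datetime timestamp, oldest first; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, msg_id, operator, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "msg_id": msg_id,
                       "operator": operator, "action": action})
    return sorted(events, key=lambda e: e["ts"])


def dual_control_violations(events):
    """Flag messages where one operator both created and approved, or that were
    submitted with no approval on record."""
    per_msg = {}
    for e in events:
        per_msg.setdefault(e["msg_id"], []).append(e)
    findings = []
    for msg_id, evs in sorted(per_msg.items()):
        creators = {e["operator"] for e in evs if e["action"] == "create"}
        approvers = {e["operator"] for e in evs if e["action"] == "approve"}
        if creators & approvers:
            findings.append((msg_id, "same operator created and approved"))
        if any(e["action"] == "submit" for e in evs) and not approvers:
            findings.append((msg_id, "submitted without approval"))
    return findings


def entitlement_violations(events, entitlements):
    """Flag actions performed by operators who are not entitled to them (an access-review check)."""
    return [(e["msg_id"], e["operator"], e["action"]) for e in events
            if e["action"] not in entitlements.get(e["operator"], set())]


def over_privileged_operators(entitlements):
    """Operators entitled to every workflow step, i.e. able to move funds without a second person."""
    return sorted(op for op, acts in entitlements.items() if acts >= WORKFLOW_ACTIONS)


def logging_gaps(events, max_gap=timedelta(hours=1)):
    """Return (start, end) pairs where the log is silent for longer than max_gap.
    Silence on an otherwise busy terminal is a cue to check whether logging was disabled."""
    gaps = []
    for prev, cur in zip(events, events[1:]):
        if cur["ts"] - prev["ts"] > max_gap:
            gaps.append((prev["ts"].isoformat(), cur["ts"].isoformat()))
    return gaps


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("dual control:", dual_control_violations(evs))
    print("entitlements:", entitlement_violations(evs, ENTITLEMENTS))
    print("over-privileged:", over_privileged_operators(ENTITLEMENTS))
    print("logging gaps:", logging_gaps(evs))
```

A silence in the log is only a cue, not evidence on its own: the threshold should reflect the terminal's normal activity pattern, and a flagged gap is worth correlating with the host's own audit trail before concluding that logging was tampered with.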