According to a new SWIFT report (“Three Years On From Bangladesh: Tackling the Adversaries”), international cyber criminals are becoming increasingly sophisticated in the ways that they evade detection when carrying out fraudulent payment transactions. The report, based on 15 months of investigation after the much-heralded cyber attack on the Bank of Bangladesh in 2016, found a constantly evolving landscape of cyber threats to international payment flows.
Trying to avoid another Bangladesh
The primary reason for releasing the report was to help banks and other financial institutions around the world avoid another Bangladesh-style incident. Back in February 2016, sophisticated cyber thieves grabbed more than $100 million from the accounts of the Bangladesh central bank by creating fraudulent payment instructions, making it one of the biggest cyber security news events of the year. A series of 35 fraudulent payment instructions were issued via the SWIFT network, authorizing the Bangladesh central bank to pay out over $1 billion to beneficiary accounts in South East Asia. Only 5 of the 35 fake payment orders were executed – but that was still enough to withdraw $101 million from the bank. Of that $101 million, $20 million ended up in Sri Lanka and another $81 million in the Philippines.
Obviously, then, the SWIFT payment network would like to avoid a similar type of incident. How was it possible that cyber thieves were able to create these fake payment instructions? And how was it possible that banks did not recognize these as fake payments? The basic concept behind the report, then, was to answer these two basic questions and provide insights into the sorts of cyber threats that present heightened cyber security risks to SWIFT users (including both financial institutions and corporations) around the globe. In the wake of the Bangladesh cyber heist, SWIFT created the Customer Security controls framework to make future attacks much more difficult to carry out.
Key findings on the report about cyber threats
The report found that 80 percent of all fraudulent payment transactions involved beneficiary accounts in South East Asia. Moreover, the report found that 70 percent of all attempted thefts were denominated in US dollars (USD), which is perhaps no surprise given the importance of the dollar to the global financial order. Where things get really interesting, though, is when the report delved deep into the methods and tactics that cyber criminals are using to evade detection in order to target the SWIFT customer base.
First and most importantly, the value of each fraudulent transaction is decreasing markedly. At one time, cyber threats involved payment transactions in the tens of millions of dollars. For cyber criminals, the goal was clear: carry out a “smash and grab” operation where you make as much money as possible from a cyber heist at one time. However, banks have become much smarter about detection triggers, and cyber criminals have had to adjust accordingly. As the SWIFT report makes clear, the average value of a transaction has dropped from $10 million to the range of $250,000 to $2 million. In many ways, this is simply a way to help fraudulent transactions “blend in” and not raise any red flags.
Secondly, the SWIFT report found that many cyber threats were being carried out in broad daylight, during normal banking hours. In the case of the Bangladesh central bank heist, the payment instructions were issued outside of normal banking hours, in the hopes of catching a financial institution at its most vulnerable moment. Now, however, cyber criminals are making a much greater effort to blend in with legitimate financial traffic. A huge $10 million transaction might raise eyebrows if carried out at night or over the weekend, but might pass through unimpeded if carried out during the course of a normal banking day.
Thirdly, the SWIFT report detailed new cyber threats resulting from diversification in payment corridors. In this case, a “payment corridor” is the combination of target and beneficiary banks that results in a fraudulent transaction. Just a few years ago, cyber criminals might have found a weak point or two in the SWIFT network, and repeatedly hammered away at that payment corridor. But now they are getting much smarter about diversifying their cyber threats, so as not to call too much attention to their efforts.
And, finally, the SWIFT report highlighted the fact that cyber criminals are becoming much more patient and strategic in how they compromise the payment network. In some cases, they are compromising a system and then waiting for weeks or months to carry out an attack, as they learn more about a target’s vulnerabilities, and how different payment credentials are created in order to exchange financial information securely.
Strengthening SWIFT defenses against cyber threats
Taken together, these key findings from the SWIFT report highlight the evolving cyber threat landscape for the global banking system. As SWIFT notes, it’s a good sign that financial institutions are getting much smarter about detecting potential cyber threats, but there is still a lot more that they can do. They need to be mindful of the fact that malicious cyber actors adapt rapidly. Threats can come from anywhere within Asia. In a worst-case scenario, a rogue state like North Korea might use fraudulent financial transactions to finance its nuclear program.
So what needs to happen next? One important recommendation is that there needs to be closer industry collaboration. This will help financial institutions to make quick identification of cyber threats more likely. Moreover, there needs to be more support of robust cyber standards, such as SWIFT’s Customer Security Programme (CSP). And, finally, there needs to be more cyber intelligence threat sharing about cyber threats involving SWIFT products and services, as well as SWIFT messaging protocols. In other words, beefed-up defensive measures must include a mix of both increased information sharing and greater adherence to robust cyber security standards.
Clearly, cyber criminals are not slowing down. Emboldened by the relative ease of making tens of millions of dollars by exploiting weaknesses in the global payment system, it’s perhaps no surprise that they are constantly looking for new back doors into the system. Against this backdrop, financial institutions must be increasingly vigilant about the evolving cyber threats that they must confront on a daily basis.