Lessons from a Bank Heist

Posted on May 30, 2016


The Society for Worldwide Interbank Financial Telecommunication, an organization that enables money transfers worldwide, has come under fire after a rash of bank hackings -- some of which bear fingerprints of nation-states including North Korea. In response, it announced this week a series of new measures aimed at protecting the global financial system from cybercrime.

These steps can’t hurt. They’ll probably help. But the more urgent security problem rests with the banks, not with the messaging system they use.

The story began in February, when Bangladesh’s central bank fell victim to an $81-million heist. Hackers used the Swift network to access the bank’s account at the Federal Reserve Bank of New York and transfer funds to accounts in the Philippines, from which they vanished. Similar breaches have happened at banks in Vietnam and Ecuador, and possibly elsewhere.

Troubling as the heists may be, it’s important to put a few things in perspective. While $81 million is nothing to sniff at, it’s small in comparison to the hundreds of billions of dollars in transfers that the system facilitates every day. What’s more, Swift itself did not fail, any more than a telephone fails if somebody uses it to commit fraud. The network passes messages among banks, which then move money on their own. Hackers were able to impersonate the banks thanks to weaknesses in the systems they used to connect to Swift. This gave the hackers access only to the compromised banks’ funds, not to the funds of the thousands of other institutions that use Swift.

Nevertheless, the breaches are a big deal for an organization founded on trust: For the system to work smoothly, banks must be able to assume that the messages they receive are legitimate. To that end, Swift has wisely offered to take on more responsibility for the security practices of its members. It plans, for example, to toughen software requirements, expand the use of two-factor authentication (which provides an added identity check), monitor compliance more rigorously, and facilitate sharing of fraud-detection know-how.

Ultimately, though, Swift can only do so much. The network is fast and efficient because it’s neutral and passive -- a feature that any major effort to police some 11,000 member institutions could impair. The real solution must come where the failure happened: at the banks. If institutions in developing nations somehow prove unable to defend against state-sponsored attacks, some assistance from the developed world might be in order. That said, keeping their money safe is something banks themselves should have the resources and expertise to do.