Gottfried Leibbrandt, CEO of SWIFT, the interbank software and messaging service for bank payments, has announced plans to reinforce its members cyber-security in the wake of February’s $81m theft from the Bangladesh central bank. Thieves used SWIFT instructions to steal the money, and attempted to divert a total of $951m.
“I think it will prove to be a watershed event for the banking industry; there will be a before and an after Bangladesh,” said Leibbrandt, speaking at an industry conference in Brussels. “The Bangladesh fraud is not an isolated incident: we are aware of at least two, but possibly more, other cases where fraudsters used the same modus operandi, albeit without the spectacular amounts.”
Leibbrandt maintained that SWIFT’s network, software and core messaging services “have not been compromised” by those crimes. “In Bangladesh and the other cases, the thieves compromised the IT environment and worked their way to the bank systems where the SWIFT instructions are generated and the confirmations received,” he said.
“While we (and other providers) give tools and software to our customers, our customers run these in their own environment and need to keep them secure. We cannot secure our customers’ environments and cannot assume responsibility for that.”
However, said Leibbrandt, SWIFT is ready to work with its member banks to improve security and he announced a “five point plan” for tackling cyber crime, focused on:
• “Drastically” improving information sharing among the global financial community
• Hardening security requirements for customer-managed software to better protect their local environments
• Supporting banks’ increased use of payment pattern controls to identify suspicious behaviour, and
• Introducing certification requirements for third party providers.
Leibbrandt said that the plan will be fully detailed by SWIFT later this week. The organisation will be demanding more information from its customers, he said, and SWIFT’s ambition is to do on an international scale what banks in several countries are already doing domestically to harden security.
“Banks can learn from one another about the modus operandi [of criminals],” said Leibbrandt. “Entities like SWIFT can serve as the information sharing channel, and we can develop indicators of compromise to help those banks improve their detective capabilities … But information sharing needs to get better, much better.”
