Delinea | Privileged Access Management Blog

SWIFT Controls, Cyber Crime and Privileged Access Management

Written by Delinea Team | Oct 15, 2019 8:00:35 AM

The Society for Worldwide Interbank Financial Telecommunication (SWIFT) provides financial messaging services to banks, financial institutions, and corporations all over the world. The technology is used to exchange sensitive information about financial transactions by more than 11,000 customers in over 200 countries.

Financial institutions: a major target for cyber criminals; a critical subject for security professionals

With so much sensitive data and financial information being transferred over the SWIFT network, it’s become a major target for cyber criminals and a critical subject for security professionals in banking and finance.

There has been a string of high-profile attacks targeting SWIFT systems and extracting cataclysmic volumes of money over the past five years.

  • In January 2015, $12 million was stolen from Ecuadorian bank Banco del Austro using SWIFT.
  • In February 2016, the Central Bank of Bangladesh lost $81 million to attackers who attempted to steal nearly $1 billion.
  • In October 2017, a Taiwanese bank had $60 million pinched. Those funds were recovered, and the attackers were arrested.
  • In August 2018, India’s Cosmos Bank lost $13.5 million in an attack using unauthorized SWIFT transactions.
  • Also in 2018, a gang of North Korean government cyber criminals, known as APT38, waged a sophisticated hacking campaign against banks in Asia and Africa, resulting in the theft of more than $100 million via fraudulent transfers through SWIFT.

It’s undeniable that breaching a SWIFT system remains temptingly lucrative

And this is just a selection of the breaches we know of. A recent SWIFT report, “Three years on from Bangladesh: Tackling the adversaries,” found that cyber criminals are targeting smaller amounts between $250,000 and $2 million to fly under the radar of authorities and information security teams. It’s undeniable that breaching a SWIFT system remains temptingly lucrative.

Here are some security lessons learned from SWIFT breaches over the past decade, including what action can be taken and how to avoid key mistakes while doing so:

1. Protecting SWIFT means securing the privileged attack surface

Forrester reports that 80% of successful breaches leverage a privileged account, making the attainment of privileged credentials a critical strategic objective for cyber criminals. In the case of the many SWIFT breaches, the credentials granting access to the SWIFT terminals have played a consistent role.

In the case of the attack on the Central Bank of Bangladesh, the attackers began by identifying privileged credentials before using these to move laterally through the network until they had attained access to SWIFT.

To help mitigate the risk, SWIFT has a Customer Security Controls Framework (SWIFT CSCF), a comprehensive list of security controls that all SWIFT customers must demonstrate compliance with. It recommends Privileged Access Management (PAM) across privileged accounts (control 1.2), restricting access in accord with a principle of least privilege (control 5.1), implementing multi-factor authentication (control 4.2), and adopting complexity password standards (control 4.1).

Robust Privileged Access Management solutions are critical in achieving these controls in and around the SWIFT network and could have prevented the kind of lateral movement and privilege elevation seen at the Central Bank of Bangladesh.

2. Security machine learning can do the heavy lifting

Even with PAM and other security measures properly deployed, there can still be foul play. The Verizon Data Breach reported that 81% of privilege misuse comes from insiders, and in the case of SWIFT, there is no reason to think otherwise. Top police investigators have pointed to insiders and officials deliberately exposing the network to facilitate successful breaches before. This is why, along with restricting access through PAM controls, SWIFT also recommends that customers “record security events and detect anomalous actions and operations within the local SWIFT environment” (control 6.4).

This means that for SWIFT customers, their PAM solution must not only lock down access but also continually monitor all users and activity to detect suspicious behavior before catastrophe strikes. The solution should leverage sophisticated threat scoring to identify anomalous activity by measuring IP address, time of day, and the kind of activity being performed against a baseline for standard behavior.

At Delinea, we also recommend implementing automated actions that can be triggered based on threat scores. For example, if a SWIFT user is accessing the console in a suspicious context, they should be forced to re-enter their two-factor authentication credentials or request access before they proceed.

3. SWIFT action is not always a given

Lastly, even those spending a lot of money on security may sometimes struggle to achieve their SWIFT objectives. In the case of Deutsche Bank, despite spending €9 million in the past 2 years to improve SWIFT security, they are still reporting “critical failings” in its controls over high-value payments — first identified in 2014 — and its governance and technical security of the cross-border interbank SWIFT payment system.

CSO Online found that financial institutions face around 4 times as many attacks than other verticals

Banking and finance firms attract some of the industry’s best security talent because of the unparalleled threat environment. In 2017, the FCA found that the number of attacks facing financial institutions rose by 80%, and CSO Online found that they face around 4 times as many attacks as other verticals.

With so much at stake, it is critical that those leading SWIFT projects have a chance to test proposed security solutions to determine if they are up to the task of meeting their SWIFT and other compliance requirements.