Why swift action is needed to protect the banking system

Trusted money-transfer system SWIFT must rely on client banks to keep it updated on breaches

Tom Bergin and Nathan Layne

Shortly after 7pm on January 12, 2015, a message from a secure computer terminal at Banco del Austro (BDA) in Ecuador instructed San Francisco-based Wells Fargo to transfer money to bank accounts in Hong Kong.

Wells Fargo complied. Over 10 days, Wells approved a total of at least 12 transfers of BDA funds requested over the secure SWIFT system.

The SWIFT network - which allows banks to process billions of dollars in transfers each day - is considered the backbone of international banking. In all, Wells Fargo transferred $12m of BDA's money to accounts across the globe.

Both banks now believe those funds were stolen by hackers, according to documents in a BDA lawsuit filed against Wells Fargo in New York this year. The two banks declined to comment.

BDA is suing Wells Fargo on the basis that the US bank should have flagged the transactions as suspicious. Wells Fargo has countered that security lapses in BDA's own operations caused the Ecuadorean bank's losses. Hackers had secured a BDA employee's SWIFT logon credentials, Wells Fargo said in a court filing.

SWIFT - the Society for Worldwide Interbank Financial Telecommunication - is not a party to the lawsuit. Neither bank reported the theft to SWIFT, which said it first learned about the cyber-attack from a Reuters inquiry. "We were not aware," SWIFT said. "We need to be informed by customers of such frauds if they relate to our products and services, so that we can inform and support the wider community. We have been in touch with the bank concerned to get more information, and are reminding customers of their obligations to share such information with us."

SWIFT says it requires customers to notify it of problems that can affect the "confidentiality, integrity, or availability of SWIFT service".

But SWIFT has no rule specifically requiring client banks to report hacking thefts. Banks often do not report such attacks out of concern they make the institution appear vulnerable, former SWIFT employees and cyber security experts said.

The Ecuador case illuminates a central problem with preventing such fraudulent transfers: Neither SWIFT nor its client banks have a full picture of the frequency or the details of cyber-thefts made through the network, according to over a dozen former SWIFT executives, users and cyber security experts interviewed by Reuters.

The case - details of which have not been previously reported - raises new questions about the oversight of the SWIFT network and its communications with member banks about cyber-thefts and risks. The network has faced intense scrutiny since cyber-thieves stole $81m in February from a Bangladesh central bank account at the Federal Reserve Bank of New York.

It's unclear what SWIFT tells its member banks when it does find out about cyber-thefts, which are typically first discovered by the bank that has been defrauded. SWIFT spokeswoman Natasha de Terán said the organisation "was transparent with its users" but declined to elaborate.

Reuters was unable to determine the number of cyber-attacks involving the SWIFT system, or how often the banks report them to SWIFT officials. Lack of disclosure may foster overconfidence in SWIFT network security by banks, which routinely approve transfer requests made through the messaging network without additional verification, experts said.

The criminals behind such heists are exploiting banks' willingness to approve SWIFT requests at face value, rather than making additional checks, said John Doyle, who held a variety of senior roles at SWIFT between 1980 and 2005. "SWIFT doesn't replace prudent banking practice," he said, noting that banks should verify the authenticity of withdrawal or transfer requests, as they would for transfers outside the SWIFT system.

SWIFT commits to checking the codes on messages sent into its system, to ensure the message has originated from a client's terminal, and to send it to the intended recipient quickly and securely, former SWIFT executives and experts said. But once cyber-thieves obtain legitimate codes and credentials, they said, SWIFT has no way of knowing they are not the true account holders.

The Bank for International Settlements, a trade body for central banks, said in a report that increased information sharing on cyber-attacks is crucial to helping institutions manage the risk.

"The more they share the better," said Leo Taddeo, a former special agent in charge with the FBI's cyber crime division in New York.

SWIFT, a cooperative owned and governed by representatives of the banks it serves, was founded in 1973 and operates a secure messaging network that has been considered reliable for four decades. But recent attacks involving the Belgium-based cooperative have underscored how its central role in global finance also presents systemic risk. SWIFT is not regulated, but a group of ten central banks from developed nations, led by the National Bank of Belgium, oversee it. Among its stated guidelines is a requirement to provide clients with enough information to enable them "to manage adequately the risks related to their use of SWIFT".

However, some former SWIFT employees said the cooperative struggles to keep banks informed on risks of cyber-fraud because of a lack of cooperation from the banks themselves. SWIFT's 25-member board of directors is filled with representatives of larger banks. "The banks are not going to tell us too much," said Doyle, the former SWIFT executive. "They wouldn't like to destabilise confidence in their institution."

Banks also fear notifying SWIFT or law enforcement of breaches because that could lead to regulatory investigations that highlight failures of risk management or compliance that could embarrass top managers, said Hugh Cumberland, a former SWIFT executive who is now a senior associate with cyber-security firm Post-Quantum.

Theoretically, SWIFT could require its customers, mainly banks, to inform it of any attacks - given that no bank could risk the threat of exclusion from the network, said Lieven Lambrecht, the head of human resources at SWIFT for a year-and-a-half through May 2015. But such a rule would require the agreement of its board, which is mainly made up of senior executives from the back office divisions of the largest western banks.

This week, Vietnam's Tien Phong Bank said its SWIFT account was used in an attempted hack last year. That effort failed, but it is another sign that cyber-criminals are targeting the network.

In the Ecuadorean case, Wells Fargo denies any liability and said in court records that it did not verify the authenticity of the BDA transfer requests because they came through SWIFT, which Wells called "among the most widely used and secure" systems for money transfers.

BDA is seeking recovery of the money, plus interest. Wells Fargo is attempting to have the case thrown out. New York-based Citibank also transferred $1.8m in response to fraudulent requests made through BDA's SWIFT terminal, according to the BDA lawsuit against Wells Fargo.

Citibank repaid the $1.8m to BDA, according to a BDA court filing in April. Citibank did not respond to a request for comment.

Wells Fargo refunded to BDA $958,700 out of the $1,486,230 it transferred to an account in the name of a Jose Mariano Castillo at Wells Fargo in LA, according to the lawsuit.

"This image of the SWIFT network and the surrounding ecosystem being secure and impenetrable has encouraged complacency," Hugh Cumberland said. (Reuters)