$81m cyber heist highlights gap between attacker and defenders, says Swift

Secure messaging service Swift was surprised by the gaps in banks’ cyber security practices highlighted by the mega cyber heist, says CISO Alain Desausoi

The theft of $81m from an account belonging to the Bangladesh central bank in February 2016 was a watershed event, according to Alain Desausoi, CISO at financial messaging service Swift.

“We were surprised by the gap between the skills of the attackers and the cyber security practices in the banking industry,” he told the FT Cyber Security Summit in London.

The heist was part of a wider campaign that would have netted the cyber thieves almost $1bn if a typo had not alerted bank officials, who managed to block a further fraudulent transaction of $870m.

Swift subsequently acknowledged that the heist involved altering Swift software to hide evidence of fraudulent transfers, but it said its core messaging system was not harmed.

Desausoi said it also involved the theft of Bangladesh central bank credentials that enabled the attackers to impersonate authorised users to initiate transactions.

“Think of Swift as a secure mail system, but banks have their own software and systems that they manage that send messages to us,” he said.

One of the biggest problems, said Desausoi, is that while the threat is the same worldwide, the skills necessary to manage it are not the same in all countries.

Subsequent to the heist, Swift took steps to help the banking community fill the gaps that had been exposed, which included releasing software to help banks detect anomalous activity.

Swift also developed a customer security strategy to address the risk, which is made up of five components.

These are improved information sharing, more resilient software, improved security practices, traffic pattern detection to identify anomalies, and ensuring banks have the right security partners.

“Information sharing can be difficult to get going, but it is essential so that banks are better able to spot malicious activity in future,” said Desausoi.

As part of Swift’s customer security intelligence programme, the organisation is now making indicators of compromise (IOCs) available to customers.

“Customer feedback about IOCs has been positive, with many telling us that it has been very helpful in planning and improving cyber defences,” said Desausoi.

He said Swift has a well-established cyber security programme, but it is continually seeking to raise the bar by introducing things such as penetration testing, security operations centres and proactive hunting for attackers.

Looking beyond technology

Desausoi said that while technology has a role to play in cyber security, banks need to understand that no single technology will solve the problem. They need to look beyond technology to examine their processes and ensure their employees have the training and support they need.

“The best way to find attackers is to look for abnormal activity, although defining ‘normal’ activity is a never-ending quest,” he said.

Swift plans to continue to support customers by helping them acquire and develop as many detection capabilities as possible.

“We want banks to take ownership of the challenge and to engage with law enforcement at their own pace [in terms of attribution and prosecution],” said Desausoi.