- Details
- Category: Security News
Fraud, Payments, Payments Fraud
SWIFT-Related Bank Heists Raise Questions About Outdated Authentication Practices
Before moving to faster payments, U.S. banks should scrutinize the security gaps exploited in the SWIFT-related bank heists and build effective risk-mitigation strategies that include stronger layers of authentication, financial fraud experts say.
After an $81 million SWIFT-related theft from the central bank of Bangladesh in February, SWIFT warned that a "wider and highly adaptive campaign" was underway. Investigators now suspect that a dozen or more banks may have been targeted by a group of attackers - possibly with ties to North Korea - who have been using fraudulent SWIFT messages to transfer millions into attacker-owned accounts, aided by customized malware that's designed to trick SWIFT's client software (see Bangladesh Eyes Insider Angle for SWIFT Bank Attack).
The bank-to-bank messaging system maintained by SWIFT - formally known as the Society for Worldwide Interbank Financial Telecommunication - is designed to guarantee that money-moving messages between banks are authentic. In markets where real-time payments have been adopted, SWIFT facilitates those payments.
But the reliability of the system, which is used by more than 11,000 member institutions throughout the world, has been called into question following revelations that SWIFT-using banks were falling victim to malware-wielding attackers (see Another SWIFT Hack Stole $12 Million).
The SWIFT-related heists have exposed weaknesses in the authentication and transaction verification practices now in place for rapid bank-to-bank transactions, says financial fraud expert Avivah Litan, an analyst at Gartner.
"In the U.S., we've got very good guidance from the regulators explaining what the customer's responsible for and what the banks are responsible for," says Litan, who blogged about the lessons the SWIFT-related heists should teach U.S. banks about authentication weaknesses and lacking security controls. "We don't see that same kind of guidance or rules applying to bank-to-bank transactions. The assumption is that by the time the instruction gets to the bank to actually execute the payment, everything has been cleared and authorized, and the bank can just execute the transaction without doing too much review, which is what happened here in the SWIFT heist. The rules that we've seen imposed on customer-to-bank transactions need to be imposed on bank-to-bank, especially in the era of real-time payments."
As the SWIFT-related heists prove, payments must be verified and re-authenticated as they move along from one bank to the next, she says. Relying on transactions to only be authenticated when a payment is initiated is risky; that's ultimately what caused the losses in recent SWIFT transactions, Litan contends.
"In the era of real-time payments, you don't have time to review payments," Litan says. "In the old world, the correspondent bank could still get money back once fraud was detected. But now that time window goes away, so it's even more important that we have good controls."
'Wake-Up Call' for the Fed
The Federal Reserve, which is now accepting proposals for technologies and solutions that could be used to facilitate faster payments in the U.S., should learn from the mistakes made by SWIFT and its member banks, Litan says.
In the current payment system, Litan notes, "the banks have had a few minutes, sometimes up to an hour, to review a payment even when it's a wire payment. If it's ACH, there's a day or more to review it. So the banks are all used to having the review period of the suspect transactions - that goes away in a real-time payment, and even furthers the imperative for bank-to-bank fraud controls, because there's no time to get the money back once it moves from one bank to another."
The SWIFT-related bank heists should be a "wake-up call" for the Fed, says financial fraud consultant Richard A. Parry, who previously served in IT and cybersecurity roles for Visa, JPMorgan Chase and others. He contends that banks shouldn't blame SWIFT for fraud that could have been prevented by numerous links in the transactional chain.
"Taking pot-shots at SWIFT is easy, but they are an association," he says. "They have just had a spectacular wake-up call that should make them revisit their operating model as it pertains to risk and accountability. But their members [the banks] are not blameless, either. ... Hopefully, the Fed, like SWIFT, has had a wake-up call also."
Authentication in a Real-Time World
Before moving to faster payments, U.S. banking institutions must first evaluate how they authenticate, verify and approve wire, ACH and online payments today, Parry says.
"Online banking has been an instruction medium, not a payment medium," he says. "With faster payments, be it ACH or online, the control framework is fundamentally changed. We must focus on the control and speed of payments concurrently. The reputation of ACH will depend on it."
To move to faster payments, banking institutions, payments providers and processors will have to enhance their authentication practices, ensuring that transactions are re-evaluated at different points throughout the chain, Parry adds.
"Authentication is a very complex area, and in some contexts, where machines and tokens are being authenticated, rather than carbon-based life forms at the controls, there is vulnerability," he says. "When an authorized user is successfully impersonated, internal controls like tokenized authentication and encryption are moot. This is why post-initial-authentication layers of control are so critical. You shouldn't bet the farm, or in this case bank, on no one getting in along the way. Assume they will."
New Vulnerabilities
Anti-money-laundering expert Mary Ann Miller, who serves as senior director and executive fraud adviser at NICE Actimize, says too many U.S. banks still fail to recognize the security vulnerabilities faster payments can pose.
"Real-time payments will change every aspect and cadence of your authentication, fraud management, customer experience and operational approach," she says. "So a program approach needs to be taken to prepare the bank to support the products and services that real-time payments will enable. Managing your authentication and fraud strategy requires an organizational view and alignment that will enable layered security to work. However, the cross-channel functions are often not aligned or talking to each other. We know now that authentication and fraud strategies need to be coordinated from a policy, strategy and technology execution point of view. I believe that current events will bring more attention and focus to make this discussion as a priority."
Most of the payment systems and capabilities available in the U.S. today were not built with security in mind, notes Ben Knieff, an analyst at consultancy Aite.
"Security has often been bolted on over time," Knieff says. "Institutions are not operationally ready for real-time payments. The operational demands for managing real-time payments are quite a bit different than what most financial institutions are accustomed to. It can be easy to embrace new technology conceptually, but actually operationalizing it is a whole different task."
- Details
- Category: Security News
Anti-Malware, Data Breach, Fraud
Will SWIFT's Forthcoming Security Improvements Blunt Hack-Attack Spree?
Officials at SWIFT have announced a range of new security proposals designed to better secure - and restore confidence in - the global money-transfer network as news of yet another suspected attack against the network has come to light, this time in the Philippines.
The messaging system maintained by SWIFT - formally known as the Society for Worldwide Interbank Financial Telecommunication - is designed to guarantee that money-moving messages between banks are authentic. But the reliability of the system, which is used by more than 11,000 institutions, has been called into question following revelations that SWIFT-using banks were falling victim to malware-wielding attackers (see Another SWIFT Hack Stole $12 Million).
Following the $81 million theft from the central bank of Bangladesh in February, SWIFT warned that a "wider and highly adaptive campaign" was underway. Investigators now suspect that a dozen or more banks may have been targeted by a group of attackers - possibly with ties to North Korea - who have been using fraudulent SWIFT messages to transfer millions into attacker-owned accounts, aided by customized malware that's designed to trick SWIFT's client software.
Bangladesh Suspects Insider Help
The head of a government-appointed panel investigating the Bangladesh Bank attack - the largest cyber heist in history - reportedly now suspects that one or more insiders may have aided attackers.
"Earlier we thought no one from Bangladesh Bank was involved, but now there is a small change," Mohammed Farashuddin, a former governor of the Bangladesh central bank, told reporters on May 30, without elaborating as to the precise nature of the change, Reuters reported.
The results of the new investigation will be made public in the next 15 to 20 days, Bangladesh Finance Minister Abul Maal Abdul Muhith told Reuters.
Previously, Bangladesh officials had blamed both SWIFT and the Federal Reserve Bank of New York for failing to spot and block the four fraudulent money-transfer messages that were processed. SWIFT, however, dismissed those claims, blaming the bank's poor security instead. But earlier this month, all three organizations met and pledged to work more closely together.
Bangladesh Bank spokesman Subhankar Saha couldn't be immediately reached for comment about the report's findings. But Saha told Reuters that the central bank had yet to see a copy of the report. "The Bangladesh Bank management will follow all instructions given by the government," he said. "Actions will be taken as per instruction by the government if any central bank officials were found guilty."
Security researchers now suspect that the same group of attackers may have targeted at least five different banks: Sonali Bank in 2013; an as-yet-unnamed bank in the Philippines in October 2015; Vietnam's Tien Phong Bank in December 2015; Ecuador's Banco del Austro the following month; and Bangladesh Bank in February.
Last week, incident response firm FireEye told Bloomberg that it was investigating eight more suspected incidents involving banks in Asia - including the Philippines - as well as New Zealand. FireEye declined to comment on that report.
Report: Philippines Bank Attacked
Now, Symantec says it has identified three more pieces of "backdoor" malware - named Fimlis, Fimlis.B and Contopee - designed to give attackers remote access to systems. Symantec says these malware strains share significant code commonalities with the malware used against Bangladesh Bank and TPBank, which researchers have tied to the Lazarus Group, which was previously tied to the 2014 Sony Pictures Entertainment hack. The U.S. government controversially attributed the Sony attack to "North Korea actors" (see FBI Attributes Sony Hack to North Korea).
"Symantec believes distinctive code shared between families and the fact that [Contopee] was being used in limited targeted attacks against financial institutions in the region, means these tools can be attributed to the same group," Symantec says in a blog post.
Symantec said it recovered the malware from an October 2015 attack against a Philippines bank which - as noted above - it has declined to name.
Nestor Espenilla, the deputy governor of the Philippines' central bank, told Reuters that being attacked was not the same as being hacked and losing money. "We are checking if there are similar attacks on Philippine banks," Espenilla said. "However, no reported losses so far."
SWIFT Will 'Expand' Two-Factor Authentication
On May 27, SWIFT announced that it would be launching a set of five security changes to help better secure and authenticate SWIFT messages, including helping banks to better trade threat intelligence as well as detect related fraud. The measures were previewed last week by SWIFT CEO Gottfried Leibbrandt (see SWIFT Promises Security Overhaul, Fraud Detection).
SWIFT says the effort will commence with "cooperation with and facilitation of information sharing among overseers, banks, law enforcement and cybersecurity firms," and in the event of an attack include digital forensic analysis "on products and services related to SWIFT connectivity at affected banks, so that other users can protect themselves."
SWIFT has also promised to beef up the security of the software that it offers customers. "For example, our interface products support two-factor authentication, but we will further expand this and add additional tools," according to SWIFT's security announcement (see Gartner's Litan Analyzes SWIFT-Related Bank Heists). "We will also increase remote monitoring capabilities of customer environments."
Weakest Link Warning
But the five security improvements being proposed by SWIFT won't be a "silver bullet" that suddenly stops related attacks, says Ricardo Villadiego, CEO of anti-fraud firm Easy Solutions. "Those five points look to me more like a recipe for damage control than really going deeper into the problem," he says.
What's required, he contends, is not just mandatory use of multi-factor authentication, but a much more layered system of security defenses. "The system is only as secure as the weakest link," he says, and right now that weak link appears to be so many SWIFT-using banks.
- Details
- Category: Security News
Don't blame a lack of information security standards, security products or cybersecurity competence for the failure of breach defenses. In many cases, the culprit is design and implementation flaws in IT products, Robert Bigman, former CIO at the CIA, contends.
In an interview with Information Security Media Group following his presentation at the recent ISMG Fraud and Breach Prevention Summit in Washington, Bigman contends existing collections of commercial hardware, firmware and software aren't consistently reliable - what he characterizes as "trustability."
In the interview, Bigman:
- Explains what organizations get wrong about trustability;
- Discusses how enterprises can boost trustability of their systems as technologies rapidly evolve; and
- Addresses the cost to enterprises to ensure their systems are trustable.
"Trustability is the capability to ensure that those security mechanisms work in a computer system ... as they're intended by the vendor and by you - via your security policy - and can't be modified or changed to do something they're not allowed to do," Bigman says. "And, if they're changed, you'll see it, as part of the trustability matrix."
In his presentation at the recent summit, Bigman explained that zero-day exploits are being written and tested as enterprises add millions of lines of poorly secured code to their base of vulnerable applications and operating systems. "What sophisticated hackers understand - and many IT security practitioners don't - is that regardless of the amount of security products and services deployed, internet-connected systems remain vulnerable to exploitation," Bigman said.
The only solution to this dilemma, Bigman says, is to raise the trustability of computer systems high enough that even sophisticated hacking becomes riskier for the attacker and easier to detect.
Bigman founded the IT security consultancy 2BSecure after retiring from the CIA in 2012, where he spent 15 of his 25 years overseeing information security. While at the CIA, Bigman contributed to many intelligence community and federal government information security policies. He frequently briefed congressional committees and advised presidential commissions.
- Details
- Category: Security News
ISMG editors, in a special report that leads this ISMG Security Report, examine the status of data breach notification laws in a number of regions, including the European Union, where the General Data Protection Regulation entered into force this past week, although its rules won't apply for another two years.
This report features:
- ISMG Data Breach Editor Mathew Schwartz and program host Eric Chabrow discussing the challenges faced in adopting consistent data breach notification laws, including in the EU, United States, India, Australia and New Zealand, based on reporting conducted by Schwartz, Chabrow and ISMG editors Geetha Nandikotkur and Jeremy Kirk.
- Kirk's examination of the continuing battle e-commerce sites face in defending against account takeovers.
- A senior U.S. congressman, Rep. Elijah Cummings, repudiating earlier reports that a vendor demonstrating a product to the Office of Personnel Management discovered the OPM breach that exposed the personal information of some 21.5 million individuals. In a letter, Cummings contends a contractor working for OPM uncovered the breach five or six days before the product demonstration.
Information Security Media Group debuted on May 24 the ISMG Security Report, a concise, on-demand audio report in which ISMG editors and other experts analyze the latest IT security news.
The ISMG Security Report will be posted on this and other ISMG websites on Tuesdays and Fridays, with each episode running about 10 minutes.
Please check out our May 24 and May 27 reports. The next ISMG Security Report will be posted Friday, June 3.
ISMG Security Report's theme music is by Ithaca Audio.
- Details
- Category: Security News
Financial fraud expert Avivah Litan, a Gartner analyst, says the SWIFT-related heists, which have defrauded banks out of millions of dollars in recent weeks, are not cause for "the sky is falling" alarm (see Report: Bangladesh Probes 2013 Bank Hack via SWIFT).
"When I read the reports and the reactions to those transactions from some of our politicians, I was pretty amazed at that strong reaction that they had that our financial system could be in jeopardy, that there's frailness in the worldwide financial system," Litan says during this interview with Information Security Media Group. "The sky isn't falling. We have technology and measures that could be put in place to prevent what happened at SWIFT."
Nevertheless, Litan says that SWIFT, an interbank messaging system for payments, "didn't seem to have some of the very basic fraud-detection controls that could have stopped the heists - looking for abnormal payees, looking for remote account takeover, looking for abnormal access. These are all fraud-detection measures that the U.S. regulators have mandated that U.S. banks put in. So it was pretty shocking to me that SWIFT did not have these measures, apparently, and relied so heavily on authentication instead."
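The controls Litan lists (abnormal payees, remote account takeover, abnormal access), and the point made earlier on this page that an instruction should be re-checked at each bank it passes through rather than trusted because it authenticated at origin, are easier to reason about as code. The following is an added example, not SWIFT, bank or vendor code: each check is an independent layer applied by the receiving bank after the message has already passed authentication, and a payment is held when two or more layers fire. The message fields, the per-account history, the thresholds and the three instructions are all constructed for the illustration; a real correspondent bank would feed them from its own records and tune them per counterparty.

```python
"""Layered post-authentication checks on interbank payment instructions.

Added illustration only: not SWIFT, bank or vendor code. Message fields, thresholds
and the per-account history are constructed for the example; a real correspondent
bank would tune them per counterparty and feed them from its own records.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from statistics import median


@dataclass
class Instruction:
    """One payment instruction as the receiving bank sees it (constructed fields)."""
    msg_id: str
    ordering_account: str
    beneficiary: str        # beneficiary account at the receiving bank
    amount_usd: float
    created_at: datetime    # UTC timestamp of submission at the ordering bank
    session_origin: str     # "onsite" or "remote"
    operator: str           # operator ID that submitted the instruction


@dataclass
class Baseline:
    """History the receiving bank keeps for one ordering account (constructed)."""
    known_beneficiaries: set
    past_amounts_usd: list
    business_hours_utc: tuple   # (start_hour, end_hour), half-open
    known_operators: set


# Each layer is independent of the others: defeating the message authentication
# does not help an attacker against any of them.
def abnormal_payee(ins, base):
    return ins.beneficiary not in base.known_beneficiaries


def abnormal_amount(ins, base, factor=5.0):
    # Compare against the median, not the maximum, so that one earlier large
    # payment cannot quietly raise the ceiling for later ones.
    if not base.past_amounts_usd:
        return True  # no history at all is itself abnormal
    return ins.amount_usd > factor * median(base.past_amounts_usd)


def abnormal_access(ins, base):
    # Off-hours or weekend submission at the ordering bank, or an operator never
    # seen on this account before.
    start, end = base.business_hours_utc
    off_hours = not (start <= ins.created_at.hour < end) or ins.created_at.weekday() >= 5
    return off_hours or ins.operator not in base.known_operators


def remote_takeover(ins, base):
    # Remote session combined with an unknown operator: the pattern of a
    # compromised workstation or stolen credentials rather than a desk operator.
    return ins.session_origin == "remote" and ins.operator not in base.known_operators


LAYERS = [
    ("payee", abnormal_payee),
    ("amount", abnormal_amount),
    ("access", abnormal_access),
    ("takeover", remote_takeover),
]


def evaluate(ins, base, hold_at=2):
    """Return ("hold" | "release", [names of the layers that fired]).

    hold_at=2 encodes the working assumption that an attacker may beat one layer;
    two or more independent signals are enough to hold the payment for review.
    """
    fired = [name for name, check in LAYERS if check(ins, base)]
    return ("hold" if len(fired) >= hold_at else "release"), fired


def evaluate_batch(instructions, baselines):
    """Evaluate every instruction against the baseline for its ordering account."""
    return {ins.msg_id: evaluate(ins, baselines[ins.ordering_account]) for ins in instructions}


def build_sample():
    """Constructed history and three instructions for one ordering account."""
    utc = timezone.utc
    baselines = {
        "ORD-ACCT-01": Baseline(
            known_beneficiaries={"BEN-TRADE-SG", "BEN-PORT-CTG"},
            past_amounts_usd=[1.2e6, 0.8e6, 2.1e6, 1.5e6],   # median 1.35e6
            business_hours_utc=(3, 12),                       # 09:00-18:00 at UTC+6
            known_operators={"op-a", "op-b"},
        )
    }
    instructions = [
        # Routine payment: known payee, normal amount, business hours, known operator.
        Instruction("MSG-001", "ORD-ACCT-01", "BEN-TRADE-SG", 1.4e6,
                    datetime(2016, 2, 3, 5, 30, tzinfo=utc), "onsite", "op-a"),
        # Fraud pattern: new payee, outsized amount, night-time, remote, unknown operator.
        Instruction("MSG-002", "ORD-ACCT-01", "BEN-SHELL-MNL", 2.0e7,
                    datetime(2016, 2, 4, 21, 5, tzinfo=utc), "remote", "op-x"),
        # Known payee and operator working a Saturday: one layer fires, payment released.
        Instruction("MSG-003", "ORD-ACCT-01", "BEN-PORT-CTG", 1.0e6,
                    datetime(2016, 2, 6, 6, 0, tzinfo=utc), "onsite", "op-b"),
    ]
    return baselines, instructions


if __name__ == "__main__":
    bl, ins = build_sample()
    for msg_id, (decision, fired) in evaluate_batch(ins, bl).items():
        print(f"{msg_id}: {decision:7s} layers fired: {fired or '-'}")
```

The point of the structure is that none of the four checks depends on whether the message was correctly signed or came over an authenticated session; an attacker who has fully impersonated an authorized operator still trips the payee, amount and access layers. The `hold_at` threshold is the tuning knob: lowering it to 1 would have held the Saturday payment as well, at the cost of more manual review, which is the trade-off the real-time payment discussion on this page is about.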
Stronger Controls Needed
Litan, who recently blogged about the lessons the SWIFT-related heists should teach U.S. banks about authentication weaknesses and lacking security controls, says banks need to implement the same controls for interbank transactions that they have in place for customer-to-bank payments.
Fraud detection and risk mitigation is a shared responsibility, she adds. "We read a lot in the media about finger pointing, where SWIFT was saying it was the banks' responsibility and the banks were saying it was SWIFT's responsibility," Litan says. "Everyone needs to wake up and realize this is a shared responsibility."
During this interview, Litan also discusses:
- A five-layered security approach to prevent heists like the ones that compromised SWIFT transactions. "You have to assume the criminals can beat one layer, and maybe even two. But it's highly unlikely that they'll beat all five."
- Why bank-to-bank transactions should follow the same guidelines for ACH and wire payment security outlined by the Federal Financial Institutions Examination Council for customer-to-bank transactions;
- How the SWIFT attack reveals security concerns for real-time payments; and
- The need for transaction authentication and verification across numerous links in the payments chain.
Litan, a vice president at Gartner Research, is a recognized authority on financial fraud. She has more than 30 years of experience in the IT industry. Her areas of expertise include financial fraud; authentication; access management; identity proofing; identity theft; fraud detection and prevention applications; and other areas of information security and risk. She also covers security issues related to payment systems and PCI compliance.