Swift is only as safe as its poorest members

[NEW YORK] Swift, the financial messaging system used by 11,000 banks throughout the world, admitted this week that it's vulnerable to hackers if they penetrate its member financial institutions.

It shouldn't be major news: Thieves go where the money is, and more than half of the 25.8 million messages a day the network carried in March were meant to transfer money. Yet Swift's hacker problem is a great illustration of how globalized finance can get out of hand.

Swift's warning, sent to members over its secure network, tells them about "a number of recent cyber incidents in which malicious insiders or external attackers have managed to submit Swift messages from financial institutions' back offices, PCs or workstations connected to their local interface to the Swift network."

Of these incidents, only one is well-known - February's Bangladesh Bank heist, which could easily provide the plot for a cyberpunk novel. On Monday, UK-based BAE Systems' cybersecurity division provided the technical details of how the hack probably worked, having found malware that was likely used for the hack on an online malware repository.

The perpetrators tried to transfer US$951 million to the Philippines and Sri Lanka from the account Bangladesh's central bank holds with the New York Federal Reserve. The Philippine bit worked without a hitch: US$81 million went to accounts at the Rizal Commercial Banking Corp, set up in the names of two Chinese businessmen (who deny they had anything to do with it), then passed through several local casinos which are exempt from money-laundering regulations and left the Philippines in an unknown direction. 

The Sri Lanka bit was a failure. Bangladesh Bank recovered the US$20 million transferred to that country and stopped further transactions after a typo in one of the messages led a routing bank to start asking questions. The hackers slipped up stupidly: They misspelled "foundation" as "fandation" in the name of a Sri Lankan non-governmental organization they were using for their transfer.

The hackers gained access to Bangladesh Bank's local network, which wasn't too hard since the bank was using second- hand US$10 switches. They found that the Swift servers were on that network, not separated from it by any kind of firewall. They then ran a program designed to cheat Swift's Alliance Access software, which interacts with the Oracle-built database in which transaction data is stored. The malware searched Swift messages to extract addresses and transfer references. As the hackers generated and sent money transfer messages based on that data (exactly how they did that is not clear to BAE Systems based on the available data), they also patched Alliance Access to allow these transactions, so they looked as if they had been properly checked by the system. That's why, at the New York Fed's end, the messages looked perfectly legit. The hackers also knew that all Swift messages are automatically sent to be printed, and they used a bit of malware to cheat the printers so they only spewed out evidence of properly approved transactions.

"The tool was custom made for this job, and shows a significant level of knowledge of Swift Alliance Access software as well as good malware coding skills," BAE Systems praised the attackers. Apparently, they knew Bangladesh Bank pretty well, too: The printer-cheating software was specifically written for a particular model of HP printer used at the bank.

They also must have been knowledgeable about international banking regulations and loopholes in countries financial systems, such as the one that allowed them to launder the loot as gambling proceeds in the Philippines. And they may have subverted a number of bank employees. A Rizal Commercial Banking Corp. branch manager, who withdrew part of the money in cash to move it, is under investigation.

It was a big, sophisticated  operation, and it paid off for those who launched it. There will undoubtedly be more like them because people with the technical expertise are not the ones with the money - bankers are.  Far be it from me to praise the perpetrators as Robin Hoods: They robbed one of the poorest nations in the world. Even using purchasing power parity, Bangladesh is, according to the International Monetary Fund, the 139th of 185 nations in terms of per capital economic output. The average disposable monthly wage there is US$324, lower than, for example, in Zimbabwe or El Salvador. Its international reserves - US$27 billion, part of which the hackers stole - are smaller than tiny Hungary's, though Bangladesh has a bigger population than Russia.

And yet Bangladesh in on the electronic systems that move billions of dollars per second - money that belong to governments, corporations and wealthy individuals. As far as that money is concerned, this is one world. Yet it's not in real life. Bangladesh Bank has assets of US$29 billion, compared with US$2.7 trillion for the New York Fed. It cannot afford to spend as much on cybersecurity as its US counterparty in the fraudulent deals. Nor can many central banks and financial institutions around the world.

Networks such as Swift aren't vulnerable because they underspend on security. Swift takes it seriously: The latest warning came with a mandatory security update. Yet a global system is only as safe as its most unsafe parts. In a way, the Bangladesh heist is part of the same problem as Europe's refugee crisis: The West would like to be complacent about its relative wealth and security, but it can't be, because in a world made smaller by technological advances, poverty and need are knocking more and more persistently at its doors. To keep the world as conveniently small as it's getting - with fast, affordable travel, instant money transfers and the other 21st century perks - it's time to strive for a more uniform distribution of wealth.

BLOOMBERG