Vietnam success foiling hack shows risk of Swift connection

[HANOI] A foiled hacking attack on a small Vietnamese bank may have been a practice run for an US$81 million cyber assault on Bangladesh's account at the Federal Reserve Bank of New York, and points to vulnerabilities in how banks connect to the Swift interbank messaging system.

Vietnam's Tien Phong Commercial Joint Stock Bank, known as TPBank, informed the country's regulators on Monday that it had fended off a fraudulent transfer request late last year for more than 1 million euros (S$1.55 million). The request came through a third-party service that the bank used to connect to the Swift interbank messaging system, the Hanoi-based lender told the central State Bank of Vietnam. The regulator said it's investigating, though the incident didn't result in any losses.

"What cyber criminals have been trying to do is focus on banks that might be using outdated versions of Swift or third-party vendor software," said Kenneth Wong, cyber security leader of PricewaterhouseCoopers China and Hong Kong, calling the Vietnam attack "most likely" a warm-up for the Bangladesh incident.

"There's always a race between software companies and hackers."

Banks are also vulnerable if workers simply click on a suspicious link that places malware on workstations used to make monetary transfers, he said.

"The Swift payment system is only as strong as the operational controls built and enforced around it," said Mark Williams, a lecturer at Boston University and author of Uncontrolled Risk on the rise and fall of Lehman Brothers.

He blamed "a lack of strong policies and procedures" for increased vulnerabilities.

In February, Bangladesh lost US$81 million after its central bank was infected with malware, according to Mohammed Farashuddin, chief of the government panel on the Bangladesh Bank heist.

He pointed the finger at Swift and also said the Federal Reserve Bank of New York didn't conduct enough due diligence.

"The Vietnam case shows that the global banking system is vulnerable to cyber attacks, and we should make a global effort to prevent these attacks," Bangladesh Bank spokesman Subhankar Saha said Monday.

Swift has warned users that it was aware of several similar cases, and last week it said that the Bangladesh heist was carried out by malware infecting a PDF reader used by a customer to check statements.

In its warning Friday, Swift said customers using PDF reader applications to check confirmation messages should take particular care. Hundreds of billions of dollars are moved internationally through the Swift system every day.

UK-based security firm BAE Systems Plc said in a blog post that malware samples uploaded from Bangladesh and Vietnam are a match, and that the hacks also match a third breach, the 2014 attack on Sony Pictures.

"Looking at it broad base, the Vietnam attack, Bangladesh attack, and going back to Sony, there could be indicators telling us that it's a very syndicated and sophisticated attack," said Bill Taylor-Mountford, vice president for the Asia-Pacific region at LogRhythm Inc, a security intelligence company.

"The malware looks very similar."

Banks in developing countries such as Vietnam are prime candidates for such attacks and are vulnerable because they often lack the resources to build technological firewalls against hackers, said Alan Pham, chief economist at VinaCapital Group in Ho Chi Minh City.

"When I look at banks across Asia, most of them are unprepared for these types of attacks," said Bryce Boland, chief technology officer for the Asia-Pacific region at FireEye Inc, a malware and network-threat protection system, which has a team hired to conduct a forensics investigation into the Bangladesh heist.

Yet TPBank, a closely held bank with assets of just US$3.4 billion at the end of 2015, managed to thwart the hacker's assault during the fourth quarter of last year, the bank said in an e-mailed statement.

Hackers may have installed malware into the third-party software the bank used to use to connect to the Swift system, it said, citing information from Swift. The bank has stopped using the third-party vendor's service and now deploys its own technology with stronger security to connect directly with Swift, it said, without identifying the vendor.

TPBank was deemed to have the Best Internet Banking Product in the country in the annual Asian Banker awards this year.

"Tien Phong is a small bank but equipped with techniques that are modern and sophisticated enough to foil the hacking attempt, successfully preventing the bank from losing money," said Le Manh Hung, Vietnam central bank's head of banking technology department.

Vietnam's central bank alerted the country's lenders to increase surveillance, Hung said.

"The tide has changed and systemic risk issues are rapidly being redefined to include infrastructure," said Peter Hahn, banking professor at London's Institute of Financial Services at IFS University College.

"Slowly but surely, the world is coming to realize that the back office of banks and central banks is now part of the front office." Vietnam's regulators will face more pressure to increase Internet financial security as the country becomes more integrated into the global economy, said Trinh Nguyen, a Hong Kong-based senior economist for emerging Asia at Natixis SA.

"As hackers become more sophisticated," she said, "more talent is also needed from a regulatory point of view to deter losses."

BLOOMBERG