back to article SWIFT finally pushes two-factor auth in banks – it only took several multimillion-dollar thefts

The international financial network SWIFT has said it will "expand" its use of two-factor authentication when banks shift funds. The belated decision comes following a turbulent few weeks in which a series of multi-million dollar thefts carried out through the SWIFT system came to light. Bangladesh's central bank lost $81m, …

  1. Paratrooping Parrot
    Mushroom

    I am sure that if the United States or any of the "Western" countries had lost that money, then SWIFT would have acted a LOT sooner.

    So, what will happen to those banks that have lost a great deal of money? Bangladesh isn't a particularly rich country. That amount of money leaves a huge dent in their purse.

    1. robidy

      Of course the western banks will have better internal risk and control frameworks that have actually been implemented.

      Swift is appaullingly lax however the banks that lost the money are hardly coming out of this smelling of roses!

    2. Goopy

      "acted sooner" as in SWIFT out.

  2. Ian Ringrose

    Given that this is often a inside job

    As this is often a inside job, the issue then becomes how to protect the "two factors" from the people that need to access it to do their job.

    1. Robert Helpmann?? Silver badge
      Childcatcher

      Re: Given that this is often a inside job

      It seems unlikely that more than one bank would be hit by insider attacks so close together. There even sems to be some evidence that the Norks are to blame, for whatever that's worth.

  3. Keef
    Coat

    Protecting the bonus culture...

    is all that matters,

    You can't have modern society without banks, the morons in suits and skirts think they are indispensable.

    Sadly they are.

    What they don't don't know is most of their jobs could be done at minimum wage by people with more honesty and integrity than they would ever recognise even if shoved up their nostrils in a rolled up 50 pound note.

    Yes, you need some big brains around the shop, but most of these people are the equivalent of Simon Lazenby standing with his legs spread pushing his groin at the camera.

    Okay, I'll come clean, this post was more about what a massive wanker Simon Lazenby is than the inadequacies of bankers.

    Coat time...

  4. Pseu Donyme

    How can this happen?

    What I find puzzling is that substantial amounts of money can be stolen with fraudulent bank transfers. Or not that so much, actually, but that it can remain missing with the perps uncaught.

    1. lglethal Silver badge
      Unhappy

      Re: How can this happen?

      I have to agree. Surely Swift can check there records to see where the money was transferred to and where subsequent transfers from that account went. The only way it leaves there system is if someone actually pulls the cash out in person (and you don't exactly walk out of a bank with $81 million, without raising a few flags).

      Sure with an insider or two's help at the receiving bank you could pull some tricks like transferring the money to other internal accounts and then sending it out, but that should still leave a trail.

      I'm constantly surprised that with the amount of records and electronic trails in the baking world, that money can just go missing like this...

    2. Anonymous Coward
      Anonymous Coward

      Re: How can this happen?

      Yep and records show it was transferred to the bank account of a 91 year old named Sheila grandsworth, who promptly transferred it in iterations to well known bitcoin sellers, western union and moneygram transfers... the latest being to a person named Olga Zsergraba based in the Ukraine.... not a problem - I'm sure if we just contact the Ukrainian police they'll promptly arrest her......

      1. lglethal Silver badge
        Go

        Re: How can this happen?

        Well from my one experience with Western Union I had to show full ID (i.e. my passport), and the details of which were recorded. Now unless the rules are different in different countries, then that should mean details of those receiving the money should be available. I would assume MoneyGram would be the same.

        Admittedly, this assumes you can get the co-operation of the receiving country, but you would think a bit of pressure could be brought to bear here...

        1. Anonymous Coward
          Anonymous Coward

          Re: How can this happen?

          We are talking about laundering millions of $ here.

          With that sort of money floating around, I'm sure it won't take much effort to bribe someone at some point. Either to get the receiving bank to set up an account using a fake ID for a 'cut', or perhaps they know someone in the local passport office who can make them fake IDs, that look real enough for a bank .

  5. Paul Crawford Silver badge

    And these would be the same banks that want to push liability for fraud on to the customers?

    Can we please have a full public audit of how this happened first? You know, to check if any banks are running systems that are anything other than state-of-the-art in terms of security, say no IE version below 11, no comms protocols with known vulnerabilities, all machines' user-writeable areas set to no-execute, etc, etc.

    1. Anonymous Coward
      Anonymous Coward

      How to make it state of the art?

      When is depends on the people involved? Those are the ones usually at fault.

      I've seen stores repeatedly, with big messages, meetings and demonstrations in front of the entire lot of staff state "if someone phones saying they are from the bank, do not put digits into the credit card machines!!!"

      Next week we got another reminder of "those who are still making the same mistakes". Let's just say the other companies I've worked for never got to the first hurdle with the scammers. Why? Because the staff knew already, before they were recruited, not to be suckers.

      1. Paul Crawford Silver badge

        Re: How to make it state of the art?

        Yes, people often are the weakest link in security but that is the very reason you need systems designed to make stupid less of a risk. That of course has a cost in training and monitoring of behaviour, but a proper audit will show if those sort of risks are being managed well enough.

        2FA is a good example as it helps avoid the need for the human to understand if the https link is in use and if the certificate is the correct one.

    2. Goopy

      no IE version.

  6. Anonymous Coward
    Anonymous Coward

    Horse. Stable door. Bolted.

    See title.

    It's about bloody time.

  7. Slx

    Knowing the banks they probably send the money by Fax or something.

    They're not known for their rapid adoption of modern technology.

    1. Goopy

      Banks never send money via fax. Ironically, fax is more secure.

  8. a_yank_lurker Silver badge

    Only a decade behind now

    SWIFT is moving from 30 years behind to 10 years behind. Most of the stuff mentioned competent people having been doing for years now; audits - a must, 2FA - been done by many. The question is will they continue or call this good.

    1. Anonymous Coward
      Anonymous Coward

      Re: Only a decade behind now

      SWIFT is taking action..... 2 insider authentication sounds like a good plan..... sleep on.

  9. Jeffrey Nonken Silver badge

    I remember my father working on SWIFT when I was a kid. He's retired now. I'm sure he'll be gratified to know the development work he put in place then is still working now, unaltered, four-plus decades later.

    It brings a tear to one's eye.

  10. Will Godfrey Silver badge
    Happy

    swift?

    Presumably this is a meme for how quickly you can be defrauded

  11. Aodhhan Bronze badge

    Of course they can track where the money went...

    right to a bank where the laws protect banks from having to release any detailed information about the account holder. Oh, c'mon... you know where I'm talking about.

  12. Anonymous Coward
    Anonymous Coward

    Most of SWIFT's problems have nothing to do with SWIFT itself.

    2FA can not and will not fix the rest of the shitty software running inside banks.

    On many institution's networks, network access alone will do.

    There are open FTP servers and SMB shares on those networks into which you can drop files containing fraudulent, but correctly formatted MT1xx/MT2xx messages with no authentication required.

    The bank's various pieces of poorly written middleware will then dutifully pick up those messages and push them out across the SWIFT gateway and into the network.

    AC for obvious reasons.

  13. panyusg

    Did the bank officials in Bangladesh sold their identities and passwords? Who knows...it is mega sums. And the money got transferred to a bank in Manila and a banker there, took it to the casino. A few days later it came out in clean cash, got on a chartered plane to Macau.

    SWIFT denies wrongdoing and any faults. It is more like CYA...who will admit their systems have flaws.

    I simply cannot trust SWIFT 100% but have no choice. They have the monopoly on global funds transfer. And cyber thieves...including possibly even insiders in SWIFT could have sold secrets to cyber criminals. This is the world of big fraud and money can buy insider knowledge.

    Biometrics using multiple checks... DNA, fingerprint, IRIS scan and facial scan are needed. And where there mega sums transferred on bank holidays and week-ends, such transfers have to be suspended until someone in NY can verify. Or that there is bank auditor who can verify etc.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019