Security is a lower priority than the director's bonuses, fancy offices or new car.
Banking system SWIFT was anything but on security, ex-boss claims
You'd think, with the amount of money the SWIFT inter-bank payment system transfers every day, that the group would be strong on security. Not so, says a former head of the organization. The SWIFT organization has been trying to up its security game after a string of high-profile hacking attacks that siphoned off millions from …
COMMENTS
-
Friday 19th August 2016 06:56 GMT david 12
There was an assumption that the new customers would be capable of looking after their own money, like the traditional customers. That turned out to be false. The new customers are Lusers, and need to have their hands held, their noses wiped, and their nappies changed.
That's a problem for management.
But it doesn't indicate that management were more interested in bonuses than security. It indicates that management failed to appreciate changes in their security environment.
-
Friday 19th August 2016 07:48 GMT Warm Braw
Having worked for SWIFT as a contractor - over a couple of decades ago - I can attest that the offices were very fancy indeed (including specially-commissioned light fittings and carpets) and that the staff canteen provided exceptionally good food at a heavily-subsidised price.
There were also an awful lot of contractors working there. I never really found out what I was supposed to be doing - apart from showing up and taking the money - and, presumably, serving as an indicator of some manager's growing empire.
However, having worked in and around other financial institutions, they all seemed to be basically the same: lots of contractors with a vested interest in prolonging their gigs and managers who were acquiring bodies in order to impress their next employer with the size of their present team - none of them having any real interest in their supposed deliverables.
And whereas banks don't have the money to slosh around that they once did, I suspect that has only made things worse, as the few permanent staff who actually knew what they were doing are likely to have been shown the door.
I'm astounded that financial IT systems don't exhibit more problems than they do.
-
Friday 19th August 2016 09:05 GMT Danny 2
I'm guessing you were working at the Belgian HQ. In the ops centres there aren't any contractors and the canteen food is, well, not exceptionally good. Security though is tighter than anywhere else I've ever seen, certainly far, far tighter than banks, which just aren't comparable. I take it you were a developer; you wouldn't have got within sniffing distance of the actual networks.
As 2nd line support (only four managerial levels lower than Schrank since they only have four levels) I wasn't allowed to touch the active machines I was supporting. I'd have to talk an operator in a secure area through it.
-
Friday 19th August 2016 00:13 GMT Anonymous Coward
Re: "we adapt as the threat changes"
~ What's worse, a lot of these smaller banks and emerging markets outfits don't even know how the system works. For example Intermediary bank charges and circumstances where Swift transfers get returned.
~ Added to which, Swift offer zero options for consumer contact, there's not even a FAQ!
~ How much work would it have been to have a more layered system to accommodate frontier banks that are less sophisticated in their controls and are at a higher risk regarding fraud...
~ Face it! You just wanted to grow the business aggressively without dealing with any of the associated costs of security, which you viewed as other people's problems! Which is why you-like-so-many-other-cheap-outsourcing-corporations right now are getting humiliated...
-
Friday 19th August 2016 08:12 GMT allthecoolshortnamesweretaken
Technically, SWIFT doesn't handle any money but acts as a messenger. SWIFT does not facilitate funds transfer: rather, it sends payment orders, which must be settled by correspondent accounts that the institutions have with each other. Each financial institution, to exchange banking transactions, must have a banking relationship by either being a bank or affiliating itself with one (or more) so as to enjoy those particular business features.
That being said, SWIFT's job is to provide secure communications for its users.
Which is tricky at best; but they should at least try to lock out common criminals.
-
Friday 19th August 2016 12:36 GMT Danny 2
Half the money that passes hands each day is transferred across the SWIFT network. You are quite correct that actual money doesn't travel across their network, only messages, but duh! A physical £50 note is only a message too.
SWIFT do provide secure communications to their users, in the same way the Bank of England, Bank of Scotland, RBS and Clydesdale Bank provide secure £50 notes to their users. If you get mugged walking down the street or accept obviously fake £50 notes then you can't blame the currency. The weak point is the banks, aka between the chair and the keyboard.
-
Friday 19th August 2016 09:10 GMT Danny 2
Re: Lack of trust
First, neither Linux nor Windows is used on the main network.
Second, why on earth is SWIFT's self-signed root PKI cert a 'dodgy security practice'? It's entirely their network, so outsourcing trust would be a vulnerability. Banks trust SWIFT for a good reason: they are unhackable. Other root certifiers are not.
-
Friday 19th August 2016 11:17 GMT Gordon 10
Re: I interviewed there last year. . .
I'm interested in knowing how you assumed they were all Hindus? Did you ask them all their religion? Or was this a veiled reference to the colour of their skin?
Quote from wiki "Traditionally, Hindu men wear a dhoti kurta and women wear a sari. The clothing of Hindu people varies depending on the time of year and the area in which they live."
So how exactly did you tell?
-
Friday 19th August 2016 13:42 GMT Danny 2
Re: I interviewed there last year. . .
Culpepper. Aye, and I had a Virginian boss in the Netherlands who never liked the locals, and who in turn wasn't liked. That made him a bit paranoid too. I never met a single Indian there but I met many, many nationalities among my colleagues. Mostly western, mostly white, mostly male.
-
Thursday 22nd September 2016 09:52 GMT Anonymous Coward
Re: I interviewed there last year. . .
So their religion would have been 'none', 'Jainism' or the large number of other religions within India?
You're a xenophobic moron, likely a racist too. Travel the world a bit, you idiot - it can only be valuable development for a person like you.
Having an accent is ok these days. In fact most professionals I work with in IT do have an accent non-native to the city they are working in, because highly intelligent professionals are very often mobile, particularly contractors.
You are harking back to the day when white people from your dull white town were the only people to work in high ranking institutions. Those days are (thankfully) gone - welcome to 2016, moron.
-
Friday 19th August 2016 11:17 GMT Anonymous Coward
swift .... really archaic
I used to work at a bank; multiplatform apps (from UnixWare to CTOS, even Novell NetWare there) produced interbank orders to the SWIFT department via... 5.25" floppy disks! The guys there had to check the orders manually one by one, with crypto keys in books (something like the Yellow Pages); mistakes happened on a daily basis. I remember once I made a mistake in a PIC value of a COBOL app, and one amount went to SWIFT as millions instead of thousands, luckily spotted ASAP.
-
Friday 19th August 2016 12:01 GMT Anonymous Coward
In a previous SWIFT hack story I wrote "Semantics. The SWIFT system arguably extends to the terminal devices, networks and personnel authorised to use it. Without these SWIFT still exists as a central service but no money gets transferred. I don't know for sure but I'd expect the people who run SWIFT have the will and clout to ensure that these additional 'components' are up to scratch through compliance, due diligence and training and therefore if they aren't up to scratch SWIFT themselves may well have some responsibility."
I guess I was wrong but as an infosec professional and not a senior manager or board member it's understandable.
-
Friday 19th August 2016 14:53 GMT Sproggit
Bunkum
This is some aspirational PR fluff from a former SWIFT employee who left their role as CEO 9 years ago. A lot happens in 9 years...
It used to be that connections to SWIFT were only granted to major banks, via dedicated leased lines and wrapped in security. Now, SWIFT themselves will give direct access to large companies, using a VPN solution and Microsoft Windows based software...
SWIFT were greedily eyeing the income that banks were making from handling high-value international trade payments between large companies and figured they wanted some of that for themselves, so they tried to cut the banks out of the loop and go direct.
Oh, and the CEO thinks that there were security issues connecting "smaller banks" ???
Yeah, right!!!!!!!!
Why do I get the impression that there's a dirty little story waiting in the wings to come out, and this is a pre-emptive PR strike?