Financial transaction network SWIFT called on its customers Friday to help it end a string of high-profile banking frauds perpetrated using its network.
The SWIFT network itself is still secure, it insisted in a letter to banks and financial institutions. However, some of its customers have suffered security breaches in their own infrastructure, allowing attackers to fraudulently authorize transactions and send them over the SWIFT network, it said.
That's the best explanation so far for how authenticated instructions were sent from Bangladesh Bank to the U.S. Federal Reserve Bank of New York over the SWIFT network, ordering the transfer of almost US$1 billion. The Fed transferred around $101 million of that before identifying an anomaly in one of the instructions. Only $20 million of that has so far been recovered.
"While customers are responsible for the security of their own environment, security is our top priority and as an industry-owned cooperative we are committed to helping our customers fight against cyber-attacks," SWIFT said in the letter.
SWIFT wants its customers to come forward with information about other fraudulent transfers made using their SWIFT credentials, to help it build a picture of how the attackers are working.
It's making more than a polite request: It reminded its customers that they have an obligation to provide such information under the terms of their contract, and also to help SWIFT identify, investigate, and resolve problems, including by providing diagnostic information following an incident.
SWIFT promised its customers it would share new information about malware or other indicators of compromised systems. It said it would add such information to a restricted section of its website, tacking it on to knowledge base tip number 5020928, "Modus Operandi related to breaches in customer’s environment."
"All new and relevant information related to cyber incidents at customers’ institutions known to us will be posted," SWIFT said in its Friday letter. But customers would do well to search elsewhere, too, as the company has scattered recent information about hacks across its knowledge base.
Tip 5020930, for instance, explains how to tell whether a system has been compromised by malware that prevents transaction acknowledgements from being stored in their default location on disk. Suppressing those acknowledgements hides the confirmations that operators would normally see for each transfer, which is one of the most likely explanations for how the Bangladesh heist initially escaped detection.
The tip immediately after that, 5020931, describes "indicators of compromise" to help users identify whether they are affected by malware that corrupts the Master Boot Record of the hard disk and then forces a reboot, perhaps offering a hint as to how another recent attack on a SWIFT customer was carried out. "This malware known to SWIFT was designed to destroy the MBR (Master Boot Record) of the disk and reboot the system. After reboot the system does not boot anymore," it says.
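As an added illustration (not SWIFT's own indicators, which sit in the restricted knowledge base tip, and not code from this article), the following Python reads the first sector of a disk or disk image and reports the generic signs of a destroyed MBR: a missing 0x55AA boot signature, a zeroed boot-code region, and an empty partition table. The two sample sectors are constructed inline; the NTFS partition layout in the "healthy" one is an assumption made for the example.

```python
import struct

MBR_SIZE = 512                 # the MBR occupies LBA 0, one 512-byte sector
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511 of a valid MBR
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries follow the boot code
PARTITION_ENTRY_SIZE = 16


def read_mbr(path):
    """Read LBA 0 from a block device or raw disk image (e.g. /dev/sda, needs root)."""
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)


def parse_partitions(mbr):
    """Return the four partition-table entries as dicts.

    Only the fields needed for triage are decoded: status byte (0x80 = bootable),
    partition type byte, and the little-endian 32-bit LBA start and sector count.
    The legacy CHS fields (bytes 1-3 and 5-7) are ignored.
    """
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        entry = mbr[off:off + PARTITION_ENTRY_SIZE]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        entries.append({
            "bootable": entry[0] == 0x80,
            "type": entry[4],
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return entries


def inspect_mbr(mbr):
    """Triage a 512-byte sector and list indicators that the MBR was destroyed.

    Returns {"healthy": bool, "findings": [str], "partitions": [dict]}.
    """
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected exactly %d bytes, got %d" % (MBR_SIZE, len(mbr)))

    findings = []

    # 1. A wiped sector loses the boot signature; BIOS then refuses to boot from it.
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature missing")

    # 2. Boot code overwritten with a constant byte (typical of a wiper).
    code = mbr[:PARTITION_TABLE_OFFSET]
    if len(set(code)) == 1:
        findings.append("boot code region is a single repeated byte 0x%02x" % code[0])

    # 3. No partition entries at all: the OS volume can no longer be located.
    partitions = parse_partitions(mbr)
    if all(p["type"] == 0 for p in partitions):
        findings.append("partition table empty")

    return {"healthy": not findings, "findings": findings, "partitions": partitions}


def build_sample_mbr():
    """Constructed sample of a plausible healthy MBR (assumed layout, not a real disk).

    Boot code is a 'jmp $' stub padded with NOPs; one bootable NTFS (0x07)
    partition starts at LBA 2048 and spans 1,000,000 sectors.
    """
    boot_code = b"\xeb\xfe" + b"\x90" * (PARTITION_TABLE_OFFSET - 2)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1_000_000)
    table = entry + b"\x00" * (PARTITION_ENTRY_SIZE * 3)
    return boot_code + table + BOOT_SIGNATURE


def build_wiped_mbr():
    """Constructed sample of a sector after a wiper zeroed it."""
    return bytes(MBR_SIZE)


if __name__ == "__main__":
    for name, sector in (("healthy", build_sample_mbr()), ("wiped", build_wiped_mbr())):
        result = inspect_mbr(sector)
        print(name, "->", "OK" if result["healthy"] else "; ".join(result["findings"]))
```

On a live host the same check runs against the device node (`inspect_mbr(read_mbr("/dev/sda"))` on Linux, or `\\.\PhysicalDrive0` on Windows) and is most useful before a reboot, since the malware described above only takes effect once the machine restarts. A disk that uses GPT still carries a protective MBR at LBA 0, so the signature and partition-table checks apply there too.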