(Bloomberg) – Bank hacks in Vietnam and Bangladesh havesparked concerns within global banks, some of which are privatelypressing the Swift interbanknetwork to shore up security at its 11,000 members.

The pressure on Swift comes as new details emerge from the mostrecently disclosed bank hack. An examination of the malware used in an attack latelast year on Vietnam's Tien Phong Commercial Joint Stock Bank showsthat unique Swift codes identifying at least seven additionalfinancial institutions were embedded in the hackers' work,according to a private report by BAE Systems Plc. 

The list includes major banks in Asia and at least one inEurope, including what two people familiar with the list said werebanks where the Vietnamese lender had correspondent accounts. Themalware wasn't used to attack those banks, said one person familiarwith the situation. Rather, it deleted money-transfer confirmationssent between the Vietnamese bank and its partners that could havealerted bank officials of improper transactions, the personsaid.

Such revelations — coming on top of Swift's warninglast week of a "wider and highly adaptive campaign targeting banks"— show that intruders' efforts went beyond looking solelyat small banks in developing nations. They have raisedalarms inside global lenders, said people familiar with severalbanks in the U.S. and Europe. 

In the U.S., those concerns have prompted major banks to pushfor more action by the messaging network, according to twopeople familiar with the matter. 

The Vietnam malware was "configured to parse transactionmessages," according to the BAE report. It included Swift codes forthe New York and Hanoi branches of Industrial & Commercial Bankof China Ltd., the world's largest bank by assets; Bank of TokyoMitsubishi UFJ Ltd., Japan's largest bank; UniCredit SpA, Italy'sbiggest bank; and Australia & New Zealand BankingGroup Ltd., among others.

Member responsibility

While Swift has for decades made sure its own financialmessaging network was secured, less attention was paid to thesecurity surrounding how member banks — each with theirown codes and varying levels of technology — wereconnecting. Even today, when it discusses the cyberattacks,Swift emphasizes that its own network wasn't breached andsays its members are responsible for their own systeminterfaces.

Some U.S. banks are pushing to open discussions with Swift aboutwhether it should have responded more quickly to the breaches andshould now help member banks better secure their systems, accordingto one of the people familiar with the thinking within a large U.S.bank. BITS, the section of the Financial Services Roundtable aimedat combating cyberfraud and other technological issues, could betapped to broker those discussions, the person said.

More broadly, some U.S. banks expect Swift to come up with atechnological solution that could apply to all connectedinstitutions and would help reduce these risks, another personsaid.

Natasha de Teran, a spokewoman for Swift, declined tocomment.

Continue reading…

In the Bangladesh attack, the Federal Reserve Bank of NewYork was tricked by fake Swift messages into wiring more than $80million held for the impoverished country to hacker-controlledaccounts in the Philippines. (Photo: Thinkstock)

Fraudulent request

Vietnam's Tien Phong, known as TPBank, informed the country'sregulators this week that it had fended off a fraudulent transferrequest late last year for more than 1 million euros ($1.13million) that came through a third-party service that the bank usedto connect to the Swift system. The report analyzed the malwareused in that attack, calling it a less sophisticated "prequel" to asimilar attack on the Bangladesh central bank earlier thisyear.

A BAE spokeswoman and the lead author of the report didn'trespond to requests for comment.

A Beijing-based press officer at Industrial & CommercialBank of China declined to comment. Kazunobu Takahara,a Mitsubishi UFJ Financial Group spokesman in Tokyo,declined to comment to questions about Bank of Tokyo Mitsubishi. Arepresentative at UniCredit declined to comment.

"While we are aware that the Swift codes of severalinternational banks have been included in the malware, we havestrong systems in place to detect and prevent this type of fraud,"Stephen Ries, a Melbourne-based spokesman for Australia & NewZealand Banking Group, said in an e-mail.

Nothing stolen

Other Swift codes found in the software were those for UnitedOverseas Bank Ltd. of Singapore, South Korea's KookminBank, and Japan's Mizuho Bank Ltd., partof Mizuho Financial Group Inc.in Tokyo. 

Masako Shiono, a spokeswoman for Mizuho Financial Group,declined to comment. An official at Kookmin Bank said thecompany wasn't hacked and hasn't had anything stolen byhackers, but has been following up on issues related to theBangladesh central bank and TPBank hacks.

Susan Hwee, Managing Director and Head of Group Technology andOperations at United Overseas Bank, said "UOB treats the securityof our banking systems and network very seriously," and declined tocomment further.

Fake messages

In the Bangladesh attack, the Federal Reserve Bankof New York was tricked by fake Swift messages into wiring morethan $80 million held for the impoverished country tohacker-controlled accounts in the Philippines. The Fed's systemshalted an additional $850 million the hackers tried to havetransferred.

Last week, Swift asked members to "urgently review" payments andmessaging controls. Still, many banks still haven't put in strongersecurity standards — such as an added, independent systemto verify that a user really is the person authorized to sendmessages, which would have thwarted the Bangladesh hack, said CarloSchupp, chairman of miaa Guard, a Belgium-based cybersecuritycompany, and a former Swift security executive who spoke withoutreferring to specific banks.

"I'm afraid certain banks won't update quickly enough," Schuppsaid.

Related: The 10 most expensive data breaches todate

The weakest link in the Swift system would be at individualbanks' interface with the network, according to Leonard Schrank,CEO of Swift until 2007, who was speaking generally. "Swift needsto now do more in the realm of tougher interface standards andsecurity to help its members mitigate these new threats," hesaid.

Among his suggestions is an "anomaly detector" capability whichwould flag unusually large or frequent transfer requests in Swiftmessages.

Pattern recognition

The practice of using pattern-recognition software to catchcyber crooks is commonplace throughout the financial servicesindustry, from credit card processors to banks themselves. Butthose are protections for open systems involving inherentlyuntrusted users. Swift is different — a safe space whereboth ends of an exchange between banks are assumed to be validusers. 

Computer scientists have become exceptionally good at writingprograms that sift reams of data to spot out-of-the-ordinaryevents, so the technology to stop illicit transfers is quiteadvanced. But the calculus of figuring out the balance offacilitating commerce and reducing fraud is fraught.

The potential financial targets for hackers are enormous. TheBangladesh hack, for example, was just a drop in the daily bucketfor the New York Fed, which processes around $80 billion a daythrough some 2,000 transactions just for foreign governments,central banks and other so-called official account holders.

Related: What are the leading causes of data securitybreaches?

The New York Fed said it followed standard procedures during theBangladesh heist. Andrea Priest, a New York Fed spokeswoman,declined to comment on whether the bank had changed any of itsprocedures in response either to the February heist or to thereports of additional cyberattacks.

The specific means by which hackers carried out the Bangladeshhack and tried to effect the Vietnam hack — throughmalware infecting a PDF reader used to check confirmation messages— wouldn't work on a major bank, according to two peoplefamiliar with the situation. It nevertheless showed that theattackers had learned a great deal about their victims' systems,prompting consternation at a briefing at a major bank in New YorkMonday, and the feeling that now Swift needs to respond, one of thepeople said.