SWIFT Hack: Lessons for India
How Indian Banks Must Respond to Recent SWIFT Attack
SWIFT's recent acknowledgement that it was aware of "a number of recent cyber incidents" in which attackers sent fraudulent payment messages over its network should serve as a wake-up call for Indian banks.
The SWIFT messaging platform, whose local interface at Bangladesh Bank was compromised in the recent heist, has been used by most Indian banks for international financial transactions since 1991. Apart from transactions settled by check, which are comparatively few, SWIFT is the predominant channel Indian banks use for foreign transactions (see: Bangladesh Bank Attackers Hacked SWIFT Software).
The attackers who stole $81 million from Bangladesh Bank used malware that let them manipulate the bank's SWIFT software to send transfers and to hide their tracks. The heist was not an isolated incident, SWIFT said in its April 25 customer alert (see: SWIFT Confirms Repeat Hack Attacks).
SWIFT is a Belgium-based cooperative of 3,000 organizations that maintains a messaging platform that banks use to move money internationally.
Caveat for Indian Banks
Indian banks that rely on the SWIFT messaging platform need to be more vigilant, say banking sector security experts. There are currently 117 financial institutions in India that are connected with SWIFT. The users of the network in India are the RBI and all major banks, including the newly established private sector banks, branches of foreign banks and major financial institutions.
"Though the malware that targeted the Bangladesh bank was written bespoke for attacking a specific victim infrastructure, the general tools, techniques and procedures used in the attack may allow the gang to strike again," according to technology consultancy BAE Systems Applied Intelligence. "All financial institutions who run SWIFT Alliance Access and similar systems should be seriously reviewing their security now to make sure they too are not exposed."
It is not yet clear whether any Indian bank has been directly affected by the SWIFT-related attacks, but experts think it is only a matter of time. The nation's top four banks did not immediately reply to Information Security Media Group's request for further details (see: SWIFT to Banks: Get Your Security Act Together).
But Dr. Onkar Nath, a security strategist who is ex-CISO of Central Bank of India, says that banks may have to face multiple areas of concern. "The intranet of the bank, which is connected to the internet, typically hosts other fund transfer systems like RTGS and NEFT. So if something goes wrong in the SWIFT system, it could have impact on the other systems as well," he says.
It is also evident that the Bangladesh Bank attackers had thoroughly studied not just the bank's local environment but the SWIFT Alliance software itself, which allowed them to tamper with the local records of the fraudulent transfers and conceal the evidence. The same approach could be used against any bank whose SWIFT environment is similarly exposed.
Domestic transactions are monitored and controlled to some extent by the RBI, but once a foreign transfer leaves the bank's own systems, the bank has no further control over it. This poses a distinct challenge for Indian banks when it comes to SWIFT transactions, industry experts say.
"APT attacks mostly happen using custom spyware directly delivered to end desktop machines," says Bangalore-based J. Prasanna, director and founder of Cyber Security and Privacy Foundation. "Most branches have email IDs or foreign cells which handle SWIFT and other transactions. These end machines don't have protection more than anti-virus, and the staff are not trained to see social engineering/sophisticated spyware."
The Loopholed System
How vulnerable are Indian banks? Probably as vulnerable as Bangladesh Bank, say security experts who closely observe the BFSI sector in the country. Today, the ability of most Indian banks to detect and respond to advanced attacks lags that of their peers in other countries, says Bryce Boland, APAC chief technology officer at FireEye. "For example, most banks in India lack an enterprise-grade security operations center," he says. "They might have a network operation center, but the tooling, capabilities and expertise are very different."
Outsourcing and remote access by third parties is another challenge for Indian banks, according to experts. "The huge volume of transactions created on a daily basis by the banks is usually handled by subcontracted agencies, who have access to the bank's system and network," Nath says. "Worse still, some of the banks do not have an alert or clearance system for high-value or high-risk transactions." Banks usually do not implement business best practices to identify and isolate such transactions, he adds.
However, some experts also argue that such attacks can succeed regardless of whether the right tools and technologies are in place. "There has been a lot of discussion about cheap firewall use by banks because of which APT attacks happen," Prasanna says. "But I would say this is because of the lack of complete understanding about APT attacks. We have analyzed APT attacks in systems that have multiple monitoring and detection tools in place."
Security Best Practices
Banks have long neglected a range of security technologies and tools. The experts recommend that banks invest in a SOC, a SIEM and application-level controls, along with effective perimeter security systems.
That said, technology alone is not the solution to tackle the increasing number of sophisticated attacks. "No bank can prevent advanced cyberattacks, but banks can ensure they are able to quickly detect these attacks and effectively respond to contain breaches," says Boland of FireEye. "There's no silver bullet. It takes a combination of technology, threat intelligence and expertise."
Recommendations shared by industry experts combine technology, regulation and strategy to reduce the risk. They include:
- Encrypt consumer data in the database and keep the key with the application, not the database;
- Have the business review its controls for foreign transactions; isolate those transactions from other systems and deploy high-risk controls, an alert system or a dashboard to review them;
- Report to regulators and central bodies in the event of an attack instead of silently fixing vulnerabilities;
- The BFSI sector should conduct vulnerability assessments and penetration tests for real security, not merely for compliance.
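As an added illustration of the alert system for high-value or high-risk foreign transactions that Nath describes (this is example code written for this page, not code from the article, from SWIFT, or from any of the quoted experts), the Python below parses a few constructed MT103 customer credit transfer messages and queues alerts on three assumed rules: a per-currency single-payment limit that requires manual clearance, a beneficiary account with no prior history at the bank, and a daily cumulative cap per beneficiary and currency. The sample messages, the limits and the known-beneficiary list are all constructed for the example; a real deployment would read the outbound message queue and draw the limits and history from the bank's own records.

```python
"""Rule-based review queue for outbound SWIFT MT103 messages (illustrative)."""
import re
from collections import defaultdict
from datetime import date

# Constructed sample messages in MT103 text-block style (not real traffic).
# :20: reference, :32A: value date + currency + amount (comma decimal),
# :50K: ordering customer, :59: beneficiary account and name, :70: remittance.
SAMPLE_MT103 = [
    """:20:TRN0001
:32A:160426USD950000,00
:50K:/0011223344
EXAMPLE BANK INDIA
:59:/9876543210
ACME TRADING LTD
:70:INVOICE 4412""",
    """:20:TRN0002
:32A:160426USD3000000,00
:50K:/0011223344
EXAMPLE BANK INDIA
:59:/5555001122
NEWLY SEEN HOLDINGS
:70:PROJECT FUNDING""",
    """:20:TRN0003
:32A:160426EUR12500,50
:50K:/0011223344
EXAMPLE BANK INDIA
:59:/9876543210
ACME TRADING LTD
:70:INVOICE 4413""",
    """:20:TRN0004
:32A:160426USD2500000,00
:50K:/0011223344
EXAMPLE BANK INDIA
:59:/5555001122
NEWLY SEEN HOLDINGS
:70:PROJECT FUNDING 2""",
]

# Assumed policy values for the example.
SINGLE_LIMIT = {"USD": 1_000_000.0, "EUR": 1_000_000.0}  # manual clearance above this
DAILY_BENEFICIARY_CAP = 5_000_000.0                        # per beneficiary, per currency, per day
KNOWN_BENEFICIARIES = {"9876543210"}                       # accounts with prior clean history

TAG_RE = re.compile(r"^:(\d{2}[A-Z]?):(.*)$", re.M)
F32A_RE = re.compile(r"^(\d{6})([A-Z]{3})([\d,]+)$")


def parse_mt103(text):
    """Extract the fields the review needs; multi-line fields keep their continuation lines."""
    fields = {}
    matches = list(TAG_RE.finditer(text))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        fields[m.group(1)] = text[m.start(2):end].strip()
    d, ccy, amt = F32A_RE.match(fields["32A"]).groups()
    value_date = date(2000 + int(d[:2]), int(d[2:4]), int(d[4:6]))
    amount = float(amt.replace(",", "."))  # SWIFT writes the decimal mark as a comma
    bene_lines = fields["59"].splitlines()
    return {
        "ref": fields["20"],
        "value_date": value_date,
        "currency": ccy,
        "amount": amount,
        "beneficiary_account": bene_lines[0].lstrip("/"),
        "beneficiary_name": " ".join(bene_lines[1:]),
    }


def review_queue(messages):
    """Run the rules over one batch of outbound messages; return (ref, rule, detail) alerts."""
    alerts = []
    per_bene_day = defaultdict(float)
    for raw in messages:
        msg = parse_mt103(raw)
        ref, acct, ccy = msg["ref"], msg["beneficiary_account"], msg["currency"]
        limit = SINGLE_LIMIT.get(ccy)
        if limit is None:
            alerts.append((ref, "UNKNOWN_CURRENCY", ccy))
        elif msg["amount"] >= limit:
            alerts.append((ref, "HIGH_VALUE", f"{ccy} {msg['amount']:,.2f}"))
        if acct not in KNOWN_BENEFICIARIES:
            alerts.append((ref, "NEW_BENEFICIARY", f"{acct} {msg['beneficiary_name']}"))
        key = (acct, ccy, msg["value_date"])
        before = per_bene_day[key]
        per_bene_day[key] += msg["amount"]
        # Alert once, on the message that pushes the day's total over the cap.
        if before < DAILY_BENEFICIARY_CAP <= per_bene_day[key]:
            alerts.append((ref, "DAILY_CAP", f"{acct} {ccy} cumulative {per_bene_day[key]:,.2f}"))
    return alerts


if __name__ == "__main__":
    for ref, rule, detail in review_queue(SAMPLE_MT103):
        print(f"{ref}\t{rule}\t{detail}")
```

On the sample batch, TRN0001 and TRN0003 pass silently, TRN0002 is flagged as high value and as a first-seen beneficiary, and TRN0004 additionally trips the daily cap because it pushes that beneficiary's USD total for the day past the limit. Splitting a large transfer into several smaller ones to stay under the single-payment limit is exactly what the cumulative rule is there to catch.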
Although SWIFT confirmed multiple fraudulent-message incidents at its customers and alerted the rest of its membership, it could have gone further, according to Nath. "SWIFT has to provide security guidelines not just for its own network, but also for the end points/banks and review the status periodically so as to penalize or de-member the banks who are not adhering to it. Security has to be integrated right from the bank to the SWIFT central server," he adds.
"The only solution is that regulators should have independent cyber security penetration testing where any gap or vulnerability in the BFSI sector should be seriously taken and then prosecuted," concludes Prasanna.