back to article Inter-bank system SWIFT on security? User manual needs 'revamp’

Inter-banking messaging systems SWIFT’s security guidelines are "outdated and incomplete". The criticism from security vendor Skyport Systems comes days after SWIFT revealed that a second bank had fallen victim to credential theft fraud, creating yet further concern already fuelled by February’s $81m Bangladesh reserve bank …

  1. m0rt

    Obviously El Reg is a hallowed place, being a bastion of upright technology reporting and keeping itself relevant in this day and age.

    This should also extend to the icons for commentards. Since you do tend to use rather a lot of 'Swift' imagery, surely there should be an icon for Swift to represent, well whatever it is she represents. Usually herself. Since she is as big a phenomenon as our previous incumbent - Paris.

    My last request, a 42 icon to represent things that reflect a philosophical bent (though it could be argued the Beer icon does that very well), was ignored, I would like to think that my comments do sometimes get read by the El Reg keepers of the flame and considered. Not just for moderation, either.

    1. m0rt

      I should add, in a spirit of honesty, I didn't read the article yet. I just saw the image and how it related to the subheading.

      I should do that now...

    2. Brewster's Angle Grinder Silver badge
      Alert

      As I've said before, we really need an icon for "We need an icon for..."

  2. Anonymous Coward
    Anonymous Coward

    ~8 months ago, I interviewed with SWIFT. . . .

    . . . .and my impression was that it was an Old Boys Club, you got in if you were the right group, and not, if you weren't.

    Now I'm glad I wasn't. . .

    1. HmmmYes

      Re: ~8 months ago, I interviewed with SWIFT. . . .

      Ah ... what could go wrong with an organisation where, over time, the management start recruiting to top up heir rugby or golf club membership with other, non-skilled, minor public school boys.

    2. Danny 2 Silver badge

      Re: ~8 months ago, I interviewed with SWIFT. . . .

      Your impression was incorrect. I'm working class, never went to Uni, and many of my colleagues were the same. It's probably the most meritocratic employer I've worked for, far better than any British employer. Only four seniority levels from bottom to top. There were a lot of white males, but no more so than other European IT organisations.

      If you were competent for the role then you were maybe deemed a security risk, their background checking is a lot more in-depth than they you'd know.

      1. Keith Glass

        Re: ~8 months ago, I interviewed with SWIFT. . . .

        I should have been more specific. By "old-boys-club", I meant a particular in-group. One that .us IT people are, alas, all to familiar with.

  3. Erik4872

    Purpose-built systems are never secure

    I work for a company that's similar to SWIFT and maintains a very critical set of systems worldwide that perform...a useful function, let's call it. To say I'm not shocked that SWIFT is vulnerable is an understatement.

    Truth is, any vertical, "closed" purpose built system built before the late 2000s isn't secure, and I'll bet a lot after that aren't either. Computers connected to systems like this are considered unreachable even in cases where the machine also has Internet access, for example. Until a few years ago, that was a safe assumption. Systems in networks like these are trusted, their requests aren't validated because it's assumed that there's no way to generate the appropriate messages in a non-official manner.

    It's very interesting that international wire transfer is such a trusting system. You send a wire request, and it's just like handing a bag of cash over to the other party with very few checks in place. Attacks on systems like this are going to gain in popularity, simply because they're easy lucrative targets.

    1. Chris G Silver badge

      Re: Purpose-built systems are never secure

      SWIFT arguably hasn't been secure since just after 9/11 when Bush gave the NSA acess to SWIFT transactions in order to keep track of Terrist's international dealings.

      How do you trust members of an organisation that lies, cheats and breaks it's own National laws?

      1. Danny 2 Silver badge

        Re: Purpose-built systems are never secure

        SWIFT originally refused to cut-off Iranian banks so the US threatened to arrest all it's employees and management. SWIFT complained to the Belgian government who shrugged. So how can an organisation follow Belgian national laws without the support of the Belgian government?

        As for monitoring terrorist funding, can you name one organisation with an operations centre in the US that doesn't comply with a legal request from US authorities to track terrorists?

    2. Anonymous Coward
      Anonymous Coward

      Re: Purpose-built systems are never secure

      The core SWIFT system remains pretty secure providing an infrastructure that enables mutual authentication and encryption of messages between two financial institutions. Banking is based on mutual trust between the institutions with the SWIFT communications giving sound verification using crypto Message Authentication Codes that the messages are coming from the other parties SWIFT terminal with an authorized User smart card plugged in.

      After that all bets are off. Anyone who can gain access to the banks system that is pushing the messages into the SWIFT system and put their own correctly formatted ones in will see them delivered as trusted SWIFT messages and acted on by the other bank. The hard bit is catching the confirmations that come back alerting the bank that something is afoot and rolling the payment back before they can access it. If you succeed with that you have a little time before its going to be spotted for a number of other reasons.

  4. Anonymous Coward
    Anonymous Coward

    the real scandal

    The scandal with SWIFT is not about how poorly some 4th world countries use it but how a certain superpower abuses it's control over the whole system.

  5. Anonymous Coward
    FAIL

    SWIFT is outdated and incomplete?

    "In both cases, the working theory is that hackers managed to get their hands on access credentials needed to send messages on the SWIFT secure financial messaging system after either successfully infecting terminals on the network of the targeted bank"

    What was the names of these nameless infected terminals?

    types of attacks that were prevalent a decade ago

    No, attacks on SWIFT weren't prevalent a decade ago and your SkySecure is only as secure as the underlying OS. See Doug Gourlay discuss contemporary security practices, which sounds remarkably like the old stuff; vpns, virtual machines, firewalls, active directory, forests, virtualized operating systems etc ...

  6. Gecko

    I'm surprised that banks are still capturing messages directly on SWIFT terminals. I'd expect they'd have all moved to STP (straight through processing) by now. Using this, the core banking app will validate all components of a transaction and it will be consistently reported and reconciled. Using a dual capture channel for messaging will always be a security risk as there's too many places to hide things. SWIFT's network is pretty robust, but at some point there is human input and banks should assume responsibility for guarding those points. Disclaimer - I built STP functionality between SWIFT systems and banking apps for a 3rd world bank 20 years ago, so this is not something new.

  7. RobertD

    As the chap says...

    If people are compromised, then all the technical controls in the world won't prevent fraud. Detection is where we need to spend a LOT more effort.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020