Swift is introducing a new reporting system to help banks identify fraudulent payments made over its financial transfer network — but the reports will arrive up to a day too late to stop them.
Over the last year, cybercriminals have hacked systems at a number of banks, using their credentials to issue fraudulent payment instructions over the Swift network. Swift’s network wasn’t comprimised, but because genuine credentials were used on authorized bank terminals, no alarms were raised until some time after the transfers were made, leaving victims struggling to recover their funds from the destination accounts.
From December, Swift will send banks a Daily Validation Report, summarizing activity across currencies, countries and counterparts (destination banks), and also highlighting large or unusual payments and new combinations of payment parties. Banks can then reconcile details of such payments with their own records of the transfers they intended to make. Any discrepancies would provide warning of fraudulent activity, increasing banks’ chances of cancelling the transfers.
But critics might say the report is just a way to shut the stable door a little sooner after the horse has bolted. Criminals timing their illicit transfers for just after Swift generates its daily reports could have a whole day to empty the destination account and make off with the proceeds.
In the attack on Bangladesh Bank disclosed in February, thieves initially sought to transfer $951 million, and ultimately got away with $81 million of that. The other transfers were blocked or cancelled, or the funds returned.
Swift plans to send the summaries via a different channel to the one used to make payments. That way, if criminals have compromised a bank’s Swift terminal to the point where they can hide locally generated reconciliation records, they will not also be able to intercept and tamper with the validation report.
That, security researchers said in April, was what the Bangladesh Bank attackers tried to do with some custom malware. In May, Swift said attackers had sought to cover up their actions in a similar way at a second of its customers, widely believed to be a commercial bank in Vietnam.