Central banks' way of battling cyber heist


Prof. Sarwar Md. Saifullah Khaled | Published: October 08, 2016 00:00:00 | Updated: February 01, 2018 00:00:00


According to two informed sources, the major global central banks have launched a taskforce to consider setting broad rules to protect the vast network of cross-border banking from cyber attacks. This has been done after the theft of US$ 81 million from the Bangladesh Bank (BB) reserve with the New York Fed in a cyber heist early this year. The committee of central banks set up the taskforce this summer as a part of the Bank for International Settlements (BIS) in Basel, Switzerland. The sources, who requested anonymity because the work had just begun, said that the taskforce has begun gathering information from members on their protection against fraud.
The taskforce could ultimately set cyber security standards for inter-bank transfers that may be adopted globally. The new principles or guidance could cover the responsibilities of banks that send and receive money transfers and of networks like the Society for Worldwide Interbank Financial Telecommunication (SWIFT) that transmit payment instructions in correspondent banking. The sources said the taskforce also aims to consider recommending the steps each actor should follow if a central bank falls short of protecting its systems from hackers, what role domestic regulators should play and how to respond if another breach happens. One of the sources said, "It's in its formative stage. It's what needs to happen ... but it's not a fast process".
According to the other source, a focus of the taskforce will be on identifying where the "breakdowns" are hidden in correspondent banking. The BIS oversees the Committee on Payments and Market Infrastructures (CPMI) that launched the effort, but it declined to comment. The sources said the attempted theft of nearly US$ 1.0 billion from the BB's account with the Federal Reserve Bank of New York, in addition to other cyber attacks that have since come to light, helped spur the committee of central banks. In early February 2016, hackers breached the Bangladesh central bank's systems and peppered the Federal Reserve Bank with payment requests via the SWIFT global money-transfer network. Some of the requests were acted upon, and US$ 81 million disappeared, mostly into Philippine casinos.
A Reuters investigation found the theft happened amid missed warning signs and miscommunication between the Federal Reserve Bank of New York and Bangladesh Bank. After months of international finger-pointing, central banks and police investigators now appear to be cooperating to try to find the culprits, recover the funds, and strengthen a banking system found to be vulnerable. US Democratic Senator Gary Peters, who has urged the Group of 20 to prioritise cyber crimes, said in a recent interview that it just showed the vulnerabilities and how a lot of money can be redirected in a very short time. One of the sources has said that the National Bank of Belgium, which directly oversees SWIFT, has a leading role in the taskforce.
The Federal Reserve Bank of New York, which handles some US$ 80 billion in global money transfers each day, is also taking part in the taskforce. It was talking in June 2016 with other central banks about the structure of the global payments and cyber security system. The Federal Reserve Bank of New York, Belgium's central bank and SWIFT each declined to comment. The taskforce would have representatives from some of the most influential 25 central banks that make up the BIS payments committee. Such banks include the Bank of Japan, the European Central Bank, the People's Bank of China and the Federal Reserve System. However, it was unclear who was tapped to serve. The committee, which does not include Bangladesh Bank, promotes the safety and efficiency of bank-to-bank payments and settlements. One of the sources said that it could open consultations with outside entities as early as this year (2016), adding that it could take another couple of years before anything was formalised.
Another report said the global financial messaging system SWIFT disclosed on September 13 new hacking attacks on its member banks as it pressured them to comply with security procedures instituted after the BB's high-profile US$ 81 million heist. SWIFT said in a private letter to clients that new cyber-theft attempts - some of them successful - had surfaced since June 2016, when it last updated customers on a string of attacks discovered after the attack on the Bangladesh central bank. According to a copy of the letter, "Customers' environments have been compromised, and subsequent attempts (were) made to send fraudulent payment instructions. The threat is persistent, adaptive and sophisticated - and it is here to stay". The disclosure suggests that cyber thieves may have ramped up their efforts following the BB heist and that they specifically targeted banks with lax security procedures for SWIFT-enabled transfers.
The Brussels-based firm, a member-owned cooperative, indicated in the September 13, 2016 letter that some victims of the new attacks lost money. But it did not say how much was taken or how many of the attempted hacks succeeded. Without identifying the specific victims, it said the banks varied in size and geography and used different methods for accessing SWIFT. A SWIFT spokeswoman, saying the firm does not discuss the affairs of specific customers, declined to elaborate on the recently uncovered incidents or the security issues detailed in the letter. According to the letter, all the victims shared one thing in common: weaknesses in local security that attackers exploited to compromise local networks and send fraudulent messages requesting money transfers.
Accounts of the attack on BB suggest that weak security procedures there made it easier to hack into the computers used to send SWIFT messages requesting large money transfers. According to the Bangladesh police, the bank lacked a firewall and used second-hand, US$10 electronic switches to network those computers. SWIFT has repeatedly pushed banks to implement new security measures rolled out after the BB heist, including stronger systems for authenticating users and updates to its software for sending and receiving messages. But it has been difficult for SWIFT to force banks to comply, as the non-profit cooperative lacks regulatory authority over its members. SWIFT told banks on September 13, 2016 that it might report them to regulators and banking partners if they failed to meet a November 19, 2016 deadline for installing the latest version of its software. This version includes new security features designed to thwart the type of attacks described in its letter.
The security features include stronger rules for password management, technology for verifying the credentials of people accessing a bank's SWIFT system, and better tools for identifying attempts to hack the software. An independent security consultant, Shane Shook, who advises central banks, said SWIFT was trying to coerce members into prioritising cyber-security by threatening to share confidential information about security lapses that banks want to keep private. Shook has maintained that this type of information sharing is something that no bank likes to see happen without its direct approval and involvement, as it can affect market confidence.
The writer is a retired Professor of Economics, BCS General Education Cadre.
Email: sarwarmdskhaled@gmail.com
