When I first started in cyber security we looked to SWIFT as the gold standard for how to keep a system secure. It had two things going for it (1) Incentive: it was the transfer of money and money was always a target (2) Good Policy: policy that was followed with high standards. Thefts from banks in India, Equador, and Vietnam leave that confidence shaken This is, of course, on top of the $81 million in Bangladesh central bank.
I repeat this comment from my previous post: "A senior Sonali Bank official said the bank had informed Swift about the breach of its system in June 2013. Abu Muhammad Mustafa Kamal, secretary of the Anti-Corruption Commission, which investigated the Sonali Bank theft, said his agency “hadn’t been asked” to share information on the incident. The investigation found that the passwords of the Swift server were hacked, he said." That is not the way SWIFT is supposed to work. It means there are a lot more thefts that have gone undetected, or unreported. Somebody is making billions off of this and it isn't SWIFT.
SWIFT has been slow to clamp down on internal security of banks. It took 4 years to get out the current policies and start to put some teeeth into the policy, going through regulators to do it. It is a huge system, but this is real money here. You would think they could move faster than that.
From the technical side, they are instituting two-factor authentication, which has been around long enough that my wife has figured out how to do it. This is not exactly rocket science, nor state of the art security. It reminds of a class I did for some of the seniors at IRS. I showed them some statistics on virus software for people who never knew they had a virus in their system, and ones that knew they had one. Guess which ones had virus software installed? The enterprise should be installing it for everyone and not allowing it to be a personal decision. One would think SWIFT would be ahead of the curve and not catching up.
No comments:
Post a Comment