SWIFT admits to more cyber attacks on banks' payment systems

"The threat is persistent, adaptive and sophisticated - and it is here to stay," warns SWIFT

The banking payments infrastructure provider SWIFT has admitted to even more attacks and attempted hacks on banks' payment systems in a letter to members. And many of those attacks have been successful, it also admitted.

"Customers' environments have been compromised, and subsequent attempts (were) made to send fraudulent payment instructions," according to a copy of the letter leaked to newswire Reuters. "The threat is persistent, adaptive and sophisticated - and it is here to stay," it added.

The letter follows a series of attacks on banks' payments systems since news of a February attack on the central bank of Bangladesh was disclosed in April. Bangladesh Bank lost $81m in the cyber heist, but the attack could have cost it as much as $951m if it weren't for a typographical error that alerted clerks to a potential fraud, stopping the series of transactions before they could all be executed.

Other banks known to have been attacked include Ecuador's Banco del Austro, Vietnam's Tien Phong Bank and a so-far unnamed bank in the Philippines. In total as many as 11 hacks have been linked with attacks on banks' SWIFT payment messaging systems.

While the banks concerned have been blamed for weak internal security controls - Bangladesh Bank barely firewalled its payments system terminals from the rest of its network - SWIFT has also been accused of not taking the threat to its infrastructure seriously enough. Until now, that is.

SWIFT is now getting tough on banks. It has given them a deadline of 19 November to implement the latest version of SWIFT's software, which incorporates new security features that supposedly should prevent a recurrence of the recent attacks.

Those features include stronger authentication protocols, better rules for password management and new tools to alert banks of attempted attacks on their SWIFT systems.

On top of that, SWIFT has threatened to name-and-shame banks that fail to take security seriously enough and, should that not be enough, to expel banks from its network, preventing them from making international payments via the de facto standard payments system.