Swift is a global messaging network for financial transactions. It was founded in 1973 when a consortium of banks decided to establish common standards and a shared communication system. Today, people at R3 might call this a “blockchain”.
Recently, banks in emerging countries have been hit with dozens of Swift hacks. Or, rather, Swift is doing fine, but hackers are sending fraudulent payment requests from compromised bank computers. The recipients of the messages are larger banks at which the hacked banks hold accounts.
Take the Bangladesh central bank for example. Bangladesh Bank has an account at the New York Federal Reserve. Back in February, a computer at Bangladesh Bank was used to send unauthorized Swift payment messages to the New York Fed, resulting in an $81 million loss. For weeks, the Bangladesh central bank blamed the New York Fed for accepting its fraudulent payment requests.
Dude. The New York Fed processes over a trillion dollars’ worth of payment requests a day. Almost all of these are automatically executed; that’s the only way it can scale.
Swift is threatening to drop some of the banks in emerging countries if they don’t get their opsec act together. Without access to Swift’s messaging system, bank employees would have to pick up the phone and issue payment instructions verbally. That may not be a bad thing. If Bangladesh Bank called up the New York Fed and said, “Hey, please move 81 million dollars from my account to a Philippine casino,” the NY Fed employee might say, “You want…what??”
Except… that’s what banks used to do! The very first case of bank cyber-theft happened in 1988, when two people called up the First National Bank of Chicago, impersonated Merrill Lynch officials, and requested $70 million worth of wire transfers to Vienna. Humans are fallible, and we thought computers might be better.
It took decades for the big US banks to get to the level of threat management they have today. Emerging-market banks have a lot of catching up to do.