• The opening case, Hackers Attack the SWIFT Global Banking Network, discusses breaches in the system of several banks that are a part of the SWIFT network. The case is an example of the importance of information system controls. Explain some of the security risks associated with information systems as well as some security and control measures that can be implemented to protect against these security risks.

SWIFT, which stands for Society for Worldwide Interbank Financial Telecommunication, is considered the Rolls-Royce of payment networks. It is a system used by more than 11,000 financial institutions worldwide to authorize payments from one account to another. SWIFTs secure messaging system sends about 25 million messages on a typical day, including orders and confirmations for payments, securities settlements, and currency exchanges. Obviously, this is a very important system for global finance. If you receive a message from SWIFT, you can be sure its legitimate and move the money as expected. SWIFT is a highly secure system, but apparently not secure enough. In early 2016 revelations surfaced about multiple attempts to use SWIFT messaging to rob financial institutions. Bangladeshs central bank disclosed that in February 2016 it had lost $81 million to hackers who breached its security, accessed SWIFT, and tricked the Federal Reserve Bank of New York into sending funds it held for the bank to hacker-controlled accounts in the Philippines. Each bank in the SWIFT network is identified by a set of codes. Hackers somehow managed to steal the Bangladesh banks credentials to transmit the messages and used malware targeting a PDF reader for checking statements. SWIFTs core messaging system was not compromised. Security breaches occurred in the computers of individual institutions that interact with the system, and these computers remain the responsibility of individual SWIFT members. The hackers had access only to the compromised banks funds but not to the funds of the thousands of other institutions that use SWIFT. However, investigators have identified breaches at 12 other banks, including Vietnams Tien Phong Commercial Joint Stock Bank and Ecuadors Banco del Austro. Brian Jackson/123RF How could this have happened? SWIFT isnt regulated like a bank because it doesnt hold funds or manage accounts. Its overseen by the National Bank of Belgium and representatives from the U.S. Federal Reserve, the Bank of England, the European Central Bank, the Bank of Japan, and other major banks. Experts point out that the SWIFT system is based on flexibility and trust. A bank can choose to let employees open SWIFTs main interface right from their desktop browser. That same feature that makes SWIFT easy to use also makes the system susceptible to hacking. Hackers apparently were able to obtain the banks SWIFT access codes, send authenticated but fraudulent requests to transfer funds, and cover their tracks with malware surreptitiously placed onto bank computer systems. These attacks showed a deep and sophisticated knowledge of specific controls at the targeted banks, which may have been acquired from insiders, cyberattacks, or both. Most banks in the United States take special precautions with their SWIFT-linked computers, including multiple firewalls to isolate SWIFT from the banks other networks and even operating the machines in separate locked rooms. Unfortunately some banks in other countries take fewer precautions. The Bangladesh bank may have been especially vulnerable, using $10 routers and no firewalls, according to experts. Security firms and intelligence agencies are still trying to learn who is behind the attacks. Symantec Corp, a leading security company, says the attacks resemble earlier hacking efforts attributed to North Korea. SWIFT plans to toughen software requirements, expand the use of two-factor authentication (which provides additional identity checking), monitor compliance more rigorously, and provide more information about fraud detection. Ultimately, however, SWIFT can only do so much. The real solution must come from the participating banks themselves. And according to SWIFT CEO Gottfried Leibbrandt, fully armoring the networks defenses is likely to take years.

The problems created by the $81 million theft resulting from break-ins to the SWIFT global banking network illustrate some of the reasons businesses need to pay special attention to information system security. The SWIFT system is a critical tool for global business. But from a security standpoint, as this case illustrates, the system was vulnerable to hackers who were able to access supposedly protected user authentication data.

The chapter-opening diagram calls attention to important points raised by this case and this chapter. The SWIFT system is flexible and easy to use and does not require the same high level of security among its participating institutions. Although major banks in the United States using the SWIFT network have strong information system security in place, the security used by other SWIFT network members for protecting global banking transactions was weak. Despite the strong security safeguards of the SWIFT network itself, criminals were able to break into the systems of SWIFT member banks and send false instructions over the SWIFT system to illicitly transfer funds to their accounts. SWIFT is now working with member institutions to upgrade their security, but it will take years before all participants in the network are fully protected.