ARtICLE

SWIFT - In the era of Cyber “in” Security

*Ms.Namrata Kamat and Mr. Debjyoti Roy

The information and communications technology
(ICT) industry has evolved greatly over the last half
century. Over the past several years, experts and
policy makers have expressed increasing concern
about protecting ICT systems from cyber-attacks,
which many believe could increase in frequency
and severity over the next several years.
Cyber Security is an important tool in protecting
privacy and preventing unauthorized surveillance
and information sharing and intelligence
gathering. Most cyber-attacks have limited impact,
but a successful attack on some components of
critical infrastructure could have significant effects
on national security, the economy and the
livelihood and safety of individual citizens.
It is essential that in every IT based initiative,
security is addressed as a vital component. Cyber-
attacks are becoming highly sophisticated, use
specialized analytical techniques and exploit
minute vulnerabilities which hitherto have gone
unnoticed. Continued vigilance and concerted
proactive protective actions are warranted. IT
systems of banks are the prime target for cyber
crimes and if one were to judge by the volume and
The Unraveling of the Bangladesh heist
The daring online heist at the central bank of
Bangladesh appears straight out of a cyber-spy
thriller. The Bangladesh Bank heist, which took
place in February 2016, was incredibly simple and
complex at the same time to execute. It was not
simply enormous in size, but ambitious in its
selection of target: the SWIFT system, the backbone
of international finance. The methods deployed
were highly sophisticated, involving a combination
of technical prowess and intimate knowledge of
how Bangladesh Bank interfaced with SWIFT. The
act unravelled in the following manner: It was the
start of a weekend in Bangladesh when an official at
the country's central bank checked a printer in a
server room. The tray was empty, which was
strange. There should have been a sheaf of reports
confirming payment instructions sent through the
SWIFT system. The printer glitch was no accident,
but a deliberate strategy by criminals to hide their
tracks. A day earlier, cyber thieves had issued
instructions to transfer US$951million out of
Bangladesh Bank's account at the New York Federal
Reserve. This was possible as the hackers gained

Monthly Newsletter December 2016

access to the SWIFT network by hacking into the
value of incidents, the menace is steadily growing.
bank's local network and then released malicious
SWIFT, the globally used telecommunication
software into the network which could read SWIFT
network with its strong, secure built in safeguards
codes and release it into the SWIFT network as the
has also been breached. The daring heist at the
bank's own. However, the authorities were able to
central bank of Bangladesh in February 2016,
block a majority of the release codes to various
where cyber criminals transferred funds to a
corporations in Sri Lanka and Philippines. Thus
location in Philippines has brought forth that no
most were declined, but $81-million was
system or network is impenetrable or inviolable for
transferred to a bank in the Philippines, never to be
the new breed of cyber criminals.
seen again. Gottfried Leibbrandt, chief executive of
CCIL

* Ms. Namrata Kamat is Sr. Manager, Forex Settlement Dept. and

Mr. Debjyoti Roy is Sr. Executive Officer, Economic Research and Surveillance Dept. at
Clearing Corporation of India Limited

7
 Article
Belgium-based SWIFT, called the Bangladesh cyber-
attack “a watershed” for the banking industry.
“There will be a before and an after Bangladesh.”
Systems are at the mercy of the people connecting
to them and are only strong as the weakest link.
Investigations in the Bangladesh Bank heist
showed that the bank did not have a firewall
installed to prevent incoming unsolicited traffic
over the network, and it had cheap second hand
routers in place connecting the local network at the
bank to the SWIFT network.
The SWIFT Network
SWIFT stands for 'Society for Worldwide Interbank
Financial Telecommunication', a Belgium-based
financial transaction enabling authority, through
which banks and financial institutions worldwide
can transfer funds to each other by means of
standardised messaging service. It is a cooperative
society, founded by 239 banks from 15 countries, in
1973.Currently the number of member institutions
at SWIFT stand at over 11,000, with over 29 million
messages exchanged using its network each day.
The dependency on the SWIFT network is such that
standardised messages, formatted to SWIFT can be
read by any financial processing software, even if
the messages are not delivered via the SWIFT
network. SWIFT assigns each of its member
Monthly Newsletter December 2016
institution- a unique identification code that has
either eight characters or eleven characters. It is
known as the SWIFT code, or the bank identifier
code (BIC), or alternatively, even ISO 9362 code.
Prior to the advent of SWIFT, banks used to
transfer funds with the help of TELEX network,
which was a teleprinter based network, used to
sending text messages. Unlike SWIFT, there was no
unique coding system to describe branches and
transactions-the messaging was in free form. This
CCIL
was both time-consuming and prone to human
8
errors. The advantage of the SWIFT mechanism lies
in the fact that it issues a unique code for each
transaction over a secure network, and the
transaction data is backed up in server-based data
centres situated in US and Europe, each separated
from the transaction of the other, location wise.
Cyber Security Controls
This incident strongly reinforced the fact that no
system is insulated from hackers and cyber-attacks
in this era of an inter-linked and digital world. The
Reserve Bank of India has recognized this risk and
has come out with timely guidelines on “Cyber
Security Framework”. It exhorts banks to put in
place a board approved, documented “Cyber
Security Policy” with a clear strategy and approach
to combat cyber threats based on the complexity
level of its business and acceptable levels of risk.
The cyber security policy of banks must be distinct
and separate from their broader IT policy or IS
security policy so that it can highlight risks from
cyber threats and the measures to address and
mitigate these risks. A Security Operations Centre
(SOC) has to be set up which will be responsible for
continuous surveillance and testing for
vulnerabilities at reasonable intervals.
Some highlights of the RBI's cyber security
framework are:
i. Banks must address network and database
security comprehensively.
ii. Banks must ensure Confidentiality, Integrity
and Availability of data/information.
iii. A Cyber Crisis Management Plan (CCMP)
should be immediately evolved and be a part
of the overall Board approved strategy. It
should address four issues: detection,
Recovery, Response and Containment. Banks
are expected to be well prepared to face

emerging cyber-threats such as 'zero-day'
attacks, remote access threats, and targeted
attacks.
iv. Bank must assess the adequacy of and
adherence to cyber resilience framework and
measure through development of indicators
to assess the level of risk/preparedness.
v. All cyber security incidents must be reported
to RBI within 2 to 6 hours. The incident
reporting format is defined in the guidelines.
The fact that the most daring attack was perpetrated
on SWIFT which has hitherto been considered an
impenetrable system has highlighted the need for
vigil over the sensitive systems like remittances.
Banks need to put in place preventive measures
such as appropriate controls framework around the
SWIFT and other messaging systems,
reconciliation of transactions in on real / near real
time basis, controls over the message creation and
transmission, applying timely security patches to
the interfaces, if any, close monitoring of
transactions and disabling USB, and Internet
ARtICLE
access on the connected nodes. Equally important
are the timely detective measures. The RBI
Guidelines related to Cyber Security framework
will enable banks to formalize and adopt cyber
security policy and cyber crisis management plan.
The requirement to share information on cyber
security incidents with RBI will also help structure
proactive threat identification and mitigation.
Cyber-attacks are growing in number and
sophistication and attackers are focusing more
deeply on critical financial institutions. The
current cyber threat environment makes it clear
that both SWIFT and its customers must remain
vigilant and proactive over the long term. While
customers are responsible for protecting their own
environments, SWIFT's Customer Security
Programme has been established to support
customers in the fight against cyber fraud.
Mandatory Security controls establish a security
baseline for the entire community and must be
implemented by all customers on their locally
hosted SWIFT Infrastructure.
Monthly Newsletter December 2016
CCIL