Banks that exchange payment information using the SWIFT global messaging system have been urged to step up security to protect against ongoing attacks by hackers.
In the months since cybercriminals using a stolen SWIFT code took $80m from a Bangladeshi bank, some organisations in the financial sector still have significant holes in their cybersecurity defences, according to a letter seen by Reuters.
In a notice sent to its clients, the Society for Worldwide Interbank Financial Telecommunication (SWIFT) revealed that new attempts have been made to steal funds from banks and that, despite new security measures being put in place, some of the cyberattacks have been at least partially successful.
"Customers' environments have been compromised, and subsequent attempts [were] made to send fraudulent payment instructions," said the letter seen by Reuters. "The threat is persistent, adaptive and sophisticated -- and it is here to stay."
While SWIFT indicated that some banks have had money stolen as a result of these new attacks, it hasn't disclosed which institutions have been affected, how much has been lost, or how many of the latest hacking attempts have succeeded. However, the group said that various methods were used for accessing SWIFT in efforts to send fraudulent payment instructions.
What the SWIFT notice does reveal is how all of the new victims -- which vary in size and location -- do share one thing in common: all had flaws in their local security that hackers were able to use to compromise networks and send fraudulent messages requesting money transfers.
In the case of February's Bangladeshi bank incident, hackers were ultimately able to take advantage of its almost non-existent security, with no firewalls and the cheap, secondhand networking gear used to connect to SWIFT, in order to infiltrate the bank's systems and make off with millions.
It was only because a spelling mistake in one payment request was spotted by an employee at a US bank that the queued fraudulent transactions were stopped. If that hadn't occurred, the amount stolen could have risen from $80m to hundreds of millions of dollars. The incident cost the head of the Bangladeshi central bank their job.
SWIFT is providing tighter guidelines that auditors and regulators can use to assess whether banks' SWIFT security procedures are good enough to use the system.
The organisation has also warned banks that it might report them to regulators if they don't meet the November deadline for installing the latest version of its software, which contains features designed to prevent the known attacks.
"In a communication to all users, SWIFT has informed its customers about the tangible results already delivered by the Customer Security Programme, urged customers to take appropriate measures and warned on ongoing attacks on customer firms," a SWIFT spokesperson said.
"The letter reassures SWIFT customers that the cooperative has no indication that the SWIFT network and core messaging services have been compromised and sets out the progress SWIFT has made with its Customer Security Programme."