It is difficult to shock people these days. Especially in the cybersecurity realm, we have seen so many different foolish ways of being vulnerable that one becomes inured to it. As Kevin Mitnick is reported to have said once: “There is no patch for human stupidity.”
Still, sometimes the mind just boggles. A case in point is this report from The Register. Readers may recall that a month ago, reports surfaced of a theft of more than $81 million from the Bangladeshi central bank. And it seems that but for a small error, the thieves might have gotten away with more than $1 billion. The attack itself came in through the SWIFT system — the Society for Worldwide Interbank Financial Telecommunication, headquartered in Belgium. We were assured, however, that there were no vulnerabilities in the SWIFT system itself. According to SWIFT, the hack must have started in the local banks.
Perhaps so. But today we learn that SWIFT itself has failed to take even the most basic security steps to protect its network. Two-factor authentication is the simple system in which, when you log in, you use a password but then also have to present a second factor to authenticate yourself. Usually this is some sort of random PIN. Or it can be an approval from your mobile device. Everyone uses it these days — it’s how we log in to Google mail, and it’s also how we log in to post on Lawfare.
Apparently, however, SWIFT was not so swift. Only now, after the Bangladeshi attack (and others on banks in the Philippines and Vietnam), will SWIFT move to expand its use of two-factor authentication. I would have assumed that for an organization like SWIFT, where security is a critical component of the business model, two-factor authentication would have been implemented long ago. That it has not been until now is simply incredible and says something very bad about SWIFT — for the failure is not just a lapse of technical implementation. The gap suggests very large failures of risk management and organizational governance — and that is not a good thing in an institution that is at the core of the world’s financial system.
Unhappy thought for a Memorial Day weekend … sorry to be a buzz kill.