Special Report: Not so SWIFT - Bank messaging system slow to address weak points
By Tom Bergin
LA HULPE, Belgium (Reuters) - More than a dozen current and former board directors and senior managers of SWIFT, the bank messaging system that helps transmit billions of dollars around the world every day, have told Reuters the organization for years suspected there were weaknesses in the way smaller banks used its messaging terminals – but did not address such vulnerabilities.
The sources said that until February, when hackers tried to steal nearly $1 billion dollars by breaking into the messaging system at Bangladesh's central bank, SWIFT had not regarded the security of customer terminals as a priority. Top executives either did not receive information from member banks about specific attempts to hack the messaging network, or failed to spot those attempts themselves, the managers said.
In SWIFT's annual reports and strategy plans from the past 17 years Reuters could find only one reference to SWIFT helping its users to secure their systems. That reference – to helping "our community to strengthen their own infrastructure" – was in the 2015 annual report published in June this year, months after the Bangladesh heist, in which the fraudsters ended up making off with $81 million.
"The board took their eye off the ball," said Leonard Schrank, who was chief executive of SWIFT from 1992 to 2007.
"They were focusing on other things, and not about the fundamental, sacred role of SWIFT, which is the security and reliability of the system."
Schrank said he was broadly aware that users' terminals were a weak link in SWIFT's overall security, but paid too little attention to it. "So I am partially responsible," he said.
The messaging business failed to act in part because the risks were not properly appreciated, the former directors and managers said.
SWIFT did not comprehensively track security incidents or monitor the extent of sloppy security practices among users. It saw smaller banks as a potential – but not immediate – threat to the security of the network, according to the former managers and directors. Continued...