Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Incident Response

FFIEC Issues Security Statement on SWIFT-based Attacks

The FFIEC has issued a statement alerting US financial institutions (FIs) to the interbank transfer threat following the recent spate of SWIFT-based attacks and thefts.

The FFIEC has issued a statement alerting US financial institutions (FIs) to the interbank transfer threat following the recent spate of SWIFT-based attacks and thefts. Five such attacks are currently known, two of which successfully stole $12 million from the the Wells Fargo account of an Ecuadorian bank, and $81 million dollars from the Bangladesh Central Bank account with the New York Fed.

The FFIEC is an interagency body comprising representation from the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB). FFIEC security regulations provide the primary information security framework for US financial institutions.

The FFIEC does not directly enforce the security framework. This is done by the authority responsible for each type of financial institution.

The statement, issued on Tuesday, warns that financial institutions “need to actively manage the risks associated with interbank messaging and wholesale payment networks.” It explains that the recent attacks have demonstrated hackers’ ability compromise origination environments, use valid operator credentials, understand the funds transfer operations, use customizable malware that can delay detection of fraud, and employ rapid transfer of stolen funds across multiple jurisdictions to avoid recovery.

It warns, “Unauthorized transactions involving interbank messaging and wholesale payment networks may subject the originating bank to financial loss and compliance risk.” All of the originating banks in the SWIFT attacks have been foreign; but the statement makes it clear that the US banks have to be ready to detect fraudulent transfers that the foreign banks miss.

The statement also makes it clear that it “does not contain new regulatory expectations. It is intended to alert financial institutions to specific risk mitigation techniques related to cyber attacks exploiting vulnerabilities and unauthorized entry through trusted client terminals running messaging and payment networks.” The implication, then, is that the existing regulatory framework is considered sufficient to mitigate against these threats.

The reality, however, is that in recent months this has failed at least twice to serious effect.

One of the risk management procedures included in the statement and ‘in accordance with regulatory requirements and FFIEC guidance’ is: “Establish a baseline environment to enable the ability to detect anomalous behavior.” This is an important statement in view of the two successful SWIFT frauds. In both cases the originating bank has claimed that the relevant US bank failed to detect and act on red flags that arose during the fraud.

Advertisement. Scroll to continue reading.

The Ecuadorean bank has even started a court action against Wells Fargo on that basis. The Bangladeshi bank has made several accusations that the New York Fed similarly missed red flags. Although, at the time of writing, it doesn’t seem that Bangladesh has commenced legal action against the New York Fed, it is known that all 35 fraudulent transactions were initially blocked, before four were honored on a second submission. Furthermore, it is suggested that the same names appeared in some of both the honored and the blocked transactions, and that the transfer destinations were unusual.

This further implies that Wells Fargo and the New York Fed were not strictly abiding by the requirements of the FFIEC security framework; that is, to be able to detect anomalous behavior. If any court action finds in favor of the originating bank it would effectively be a de facto statement of non-compliance with FFIEC regulations. That in itself could result in further sanctions from the US regulatory body concerned.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...