Security Experts:

FFIEC Issues Security Statement on SWIFT-based Attacks

The FFIEC has issued a statement alerting US financial institutions (FIs) to the interbank transfer threat following the recent spate of SWIFT-based attacks and thefts. Five such attacks are currently known, two of which successfully stole $12 million from the the Wells Fargo account of an Ecuadorian bank, and $81 million dollars from the Bangladesh Central Bank account with the New York Fed.

The FFIEC is an interagency body comprising representation from the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB). FFIEC security regulations provide the primary information security framework for US financial institutions.

The FFIEC does not directly enforce the security framework. This is done by the authority responsible for each type of financial institution.

The statement, issued on Tuesday, warns that financial institutions "need to actively manage the risks associated with interbank messaging and wholesale payment networks." It explains that the recent attacks have demonstrated hackers' ability compromise origination environments, use valid operator credentials, understand the funds transfer operations, use customizable malware that can delay detection of fraud, and employ rapid transfer of stolen funds across multiple jurisdictions to avoid recovery.

It warns, "Unauthorized transactions involving interbank messaging and wholesale payment networks may subject the originating bank to financial loss and compliance risk." All of the originating banks in the SWIFT attacks have been foreign; but the statement makes it clear that the US banks have to be ready to detect fraudulent transfers that the foreign banks miss.

The statement also makes it clear that it "does not contain new regulatory expectations. It is intended to alert financial institutions to specific risk mitigation techniques related to cyber attacks exploiting vulnerabilities and unauthorized entry through trusted client terminals running messaging and payment networks." The implication, then, is that the existing regulatory framework is considered sufficient to mitigate against these threats.

The reality, however, is that in recent months this has failed at least twice to serious effect.

One of the risk management procedures included in the statement and 'in accordance with regulatory requirements and FFIEC guidance' is: "Establish a baseline environment to enable the ability to detect anomalous behavior." This is an important statement in view of the two successful SWIFT frauds. In both cases the originating bank has claimed that the relevant US bank failed to detect and act on red flags that arose during the fraud.

The Ecuadorean bank has even started a court action against Wells Fargo on that basis. The Bangladeshi bank has made several accusations that the New York Fed similarly missed red flags. Although, at the time of writing, it doesn't seem that Bangladesh has commenced legal action against the New York Fed, it is known that all 35 fraudulent transactions were initially blocked, before four were honored on a second submission. Furthermore, it is suggested that the same names appeared in some of both the honored and the blocked transactions, and that the transfer destinations were unusual.

This further implies that Wells Fargo and the New York Fed were not strictly abiding by the requirements of the FFIEC security framework; that is, to be able to detect anomalous behavior. If any court action finds in favor of the originating bank it would effectively be a de facto statement of non-compliance with FFIEC regulations. That in itself could result in further sanctions from the US regulatory body concerned.

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.