The news that SWIFT messages have been used to steal from banks has added to companies' cyber concerns recently. For businesses that use the financial messaging network, those worries may make connecting to SWIFT via a service bureau, already the route for many companies, a more popular option.

“Corporates are very concerned about what's happening in this current environment,” said Matteo Monaco, vice president of payment solutions at FIS, the banking and payments technology company that purchased SunGard last year.

The bank heists that were perpetrated using SWIFT messages have involved large sums. Most notably, in February cyber criminals stole $81 million from the central bank of Bangladesh's account at the New York Fed. Since then, there have been reports of similar incidents, successful or attempted, at other overseas banks.

Experts emphasize that it was the banks that fell prey to cyber criminals, not SWIFT.

“SWIFT was not hacked,” said Mark Webster, a partner at consulting firm Treasury Alliance Group. “A number of banks were hacked, and once they got into those banks, the hackers then used SWIFT messages.” Webster noted that the cybercriminals who hacked into the central bank of Bangladesh were using “fairly sophisticated malware.”

The cybersecurity of the banks that were robbed in some cases seems to have been substandard. For example, Bangladesh's central bank reportedly lacked a firewall and was relying on a cheap router.

“You're only as strong as your weakest link,” Webster said, adding that even corporates with strong cybersecurity could have holes, “which is why we recommend that people do a security review periodically.”

SWIFT Response

In the wake of the bank hacks, SWIFT announced a customer security program to define security standards for organizations using its network and to enhance its services to bolster protections for those customers. The program it outlined includes improving the sharing of information about cyber incidents; developing audit processes and certification standards for customers' cybersecurity around SWIFT messages; bolstering transaction pattern detection; and enhancing the support provided by third parties.

Among the enhancements of its own tools, SWIFT mentioned the use of two-factor authentication.

Ed Adshead-Grant, general director of payments and cash management at Bottomline Technologies, which operates a SWIFT service bureau and also provides access to SWIFT through its Universal Aggregator payments service, said he had seen “a lot more interest in the uptake” of two-factor authentication for SWIFT messages in the wake of the bank hacks. “And there's been a strong communication campaign on that in terms of adding extra to the users' security levels,” he said.

Earlier this week, SWIFT also announced that it was hiring two cybersecurity companies, BAE Systems and Fox-IT, and creating a customer security intelligence team that would investigate hacks of the environments of SWIFT users.

Service Bureaus vs. Alliance Lite2

The SWIFT network, which is owned by the banks, reaches more than 10,800 banks around the world. According to a recent SWIFT press release, more than 1,500 corporates use SWIFT to communicate with their banks. There are three ways that companies can connect to SWIFT: by installing their own interface—an expensive and infrequently used option; by employing a service bureau; or by using SWIFT's cloud solution, Alliance Lite2. A SWIFT spokesman said the organization does not disclose what portion of companies use the various methods.

FIS operates a service bureau, and Monaco cited corporate interest in using service bureaus as a way to access SWIFT. Companies that connect to SWIFT via the cloud with Alliance Lite2 have to take the responsibility for the security around their SWIFT messages, he said. “You need to ensure that you have the proper processes, protection, encryption. If you cannot handle it as an organization, if you do not have the proper tech expertise, it is then best to vend that out.

“That's where I think you see the trend toward looking at service bureaus,” said Monaco. “Why do I want to take the management and responsibility to protect this environment when there are organizations out there that have it encapsulated and protected, and monitor the environment for things like malware and fraud?”

Adshead-Grant also argued that the current environment is one in which companies may welcome working with someone with expertise in cybersecurity. “If you have an outsource partner, you can focus on your own business instead of worrying when these things come up,” he said. “We'll make sure your particular area is secure.”

Webster said that using Alliance Lite2 requires technology savvy that some companies lack. “You need a security officer, you need to go through training,” he said. “If you're using one of the better service bureaus and have really done your due diligence on whether they've done their security stuff, my take is that you're a little more secure going that way.

“We've done some work with major international companies where they ended up, after initially saying, 'We're going to manage the whole thing,' saying, 'Maybe we should go through a service bureau just to leverage the knowledge base,'” Webster added.

A service bureau also can help companies deal with differences in the way various banks use SWIFT messages, he said.

One of the arguments against using a service bureau is that it costs more than Alliance Lite2. But Webster said that while the fees for a service bureau are higher than fees for Alliance Lite2, companies have to consider all the costs involved in using Alliance Lite2, including training and staffing.

“The majority of companies that I'm aware of are using service bureaus at this point,” he said. “If it were way more expensive, people wouldn't be doing it that way.”

SWIFT's Technology

Enrico Camerinelli, a senior analyst at technology consulting company Aite Group, said the cyber heists indicate that SWIFT needs to upgrade its technology.

While the banks that were hacked may not have been taking all the necessary precautions, “if you want to be a universal system that all the banks use, you have to take that into account,” he said.

Camerinelli suggested the incidents will push SWIFT to invest more in cybersecurity, including the use of crypto-based algorithms.

Given “the capabilities of people working in software today to make systems more secure, maybe now is the time for SWIFT to start changing the system and adopting safer software,” he said, adding that given the technological capabilities of the hackers, “I'm afraid placing controls over controls will just make the system heavier and more difficult to use.”

Securing Payments

Of course, companies were thinking about the security of their payments even before the cyber heists. Monaco noted that a recent FIS survey of finance executives at more than 170 corporations worldwide found that more than half (52%) were very concerned about fraud stemming from payments and connectivity, while 59% cited improving controls as a key target of their payments projects.

Companies are tackling payment problems by centralizing processes and standardizing controls within their divisions, he said, and they are looking at using a payment factory or hub to give the corporate the visibility of payments being released globally within their organization. “By centralizing my process, I can more easily put security in place that can alert my organization of any suspicious behavior and stop potentially fraudulent payments prior to being sent to my bank,” Monaco said.


Susan Kelly

Susan Kelly is a business journalist who has written for Treasury & Risk, FierceCFO, Global Finance, Financial Week, Bridge News and The Bond Buyer.