Once upon a time, bank robbers wore balaclavas and dug tunnels. No longer. Three months ago, the world experienced the biggest bank robbery in history when thieves stole $101m from the central bank of Bangladesh.
But these 21st-century fraudsters did not use guns; instead they acquired the access code for the global cross-border bank payment messaging system known as Swift, and used these to persuade the US Federal Reserve to transfer money to their accounts. Then they tampered with the banks’ software to erase their cyber fingerprints.
That is alarming. More worrying still, this is not an isolated heist. This week Swift officials confirmed that a Vietnamese bank suffered a similar attack six months ago when robbers tried (and happily failed) to take more than $1m.
And Swift officials have now told their customers that they are investigating “multiple” cases of seemingly similar attempted breaches, using those access codes and software that erases fingerprints.
Unsurprisingly, this has sent shockwaves around the world and led banks such as JPMorgan to tell its employees that it is limiting access to Swift codes. In a 21st-century version of Bonnie and Clyde, this would be the moment when spooky music starts to play and bankers fear that robbers are in the vaults with a magic key capable of unpicking their locks.
How should the financial world respond? There are at least two clear priorities. First, this saga shows why global regulators and private sector financial officials urgently need to improve their level of cyber defence.
In recent years, cyber defences at most large western banks have improved; indeed, what is striking about the situation on Wall Street, say, is just how few cyber attacks actually succeed, given that the largest financial institutions are now suffering “tens of thousands” of attacks every minute, according to one bank chief executive.
But while the level of security at individual banks is high, cross-border co-operation is often slow and there are some surprising gaps in the system.
This week, for example, insurance industry executives in London alleged that barely a tenth of financial groups have effective insurance against cyber hacking. The legal framework to prosecute hackers is also very patchy and information-sharing between banks is often poor. And while the central banks in the UK and Sweden have demanded that private sector banks now strengthen surveillance of their Swift codes, there has been little public response from governments in emerging markets.
The second, related lesson from these heists is that regulators and investors alike need to pay more attention to the “nodes” of the financial system; after all, a chain is only as strong as its weakest link. And the Swift link is one node that deserves far more scrutiny - and public debate.
The group, officially called the Society for Worldwide Interbank Financial Telecommunication, was set up in 1973, as a non-profit co-operative in Brussels, owned by its 10,000-odd member banks. Until recently, its messaging network seemed so mind-numbingly dull that it rarely attracted attention. But while Swift has just 2,400 employees (and revenues of €650m) it punches way above its size in geopolitical terms: its messages are used to transmit around half of all high-value cross-border payments.
To some observers, this mismatch looks alarming. It raises questions, for example, about whether Swift’s corporate governance structure is sufficiently nimble and well resourced to cope with today’s fast-moving innovation. Little surprise, then, that fintech entrepreneurs argue that it is high time that Swift is replaced with something else, such as blockchain, the technology underlying bitcoin, or other systems being created by Silicon Valley whizz-kids.
But the problem is that these technologies are vulnerable, too; blockchain, say, has suffered its own frauds. And in a world in which US technology companies are sowing as much discord as trust, the fact that this corner of finance is still controlled by a non-American, non-profit utility is, in some senses, cheering; after all, the world needs as many platforms for neutral cross-border collaboration as possible.
Either way, if Swift is to have any future, it must now prove beyond doubt that its codes can be secure - and, above all, persuade its members to install better cyber locks. It is the biggest challenge in Swift’s four-decade history. We had better hope that it can meet it. If it cannot, yet another link in global finance will look alarmingly weak.
