Banks vulnerable to hackers without online interface between CBS, SWIFT


SWIFT, a banking technology for worldwide financial transactions, was allegedly misused by some employees of Punjab National Bank (PNB), ending in a $1.77 billion fraud. Photo: Mint

Mumbai: Banks have spent thousands of crores of rupees over the last decade to purchase and strengthen their core banking solution (CBS), but a failure to create an online interface between CBS and SWIFT, a worldwide inter-bank communication system, renders them vulnerable to hackers and individuals who can bypass the system with manual entries.

SWIFT stands for the Society for Worldwide Interbank Financial Telecommunication. The system was allegedly misused by some employees of Punjab National Bank, ending in a $1.77 billion fraud.

Even as the Indian government wants to increase the size of India’s digital sector to $1 trillion in the next five years, hackers are spoiling the party by increasingly targeting banks not only in India but across the world by exploiting the SWIFT system.

On 16 February, Reuters reported that hackers stole 339.5 million roubles (about $6 million) from a Russian bank last year in an attack using SWIFT.

Two days later, City Union Bank in India admitted to Reuters that “cyber criminals” had siphoned off nearly $2 million to lenders overseas, again using SWIFT.

In other cases, hackers exploit the SWIFT system by phishing—an attempt to obtain sensitive information such as user names, passwords and other financial details by pretending to be a trustworthy entity. Gullible employees respond by clicking on the malware and infecting the system from the inside. If not detected in time, it could result in huge losses.

In July 2016, hackers cheated Union Bank of India of $171 million, though the money was fully recovered the next day. Similarly, in February 2017, $81 million was stolen from the Central Bank of Bangladesh using similar methods.

In some cases, hackers could collude with internal employees to perform the online heist. In PNB’s case, bank employees allegedly colluded with a firm to send unauthorized and fraudulent messages.

Approximately 11,000 institutions enjoy access to SWIFT. “Previously, accessing the SWIFT network required being physically present at a dedicated terminal…Banks now leverage multiple applications, resident on various user endpoints, to interface with the SWIFT network. Each connected endpoint presents an avenue of attack for threat actors to fraudulently create and send financial messages,” notes a January report titled Cybersecurity in ASEAN: An Urgent Call to Action, by global management consulting firm, A.T. Kearney, and commissioned by technology company, Cisco Inc.

“The CBS has not changed much over the last decade. The software upgrades that many public sector banks are doing is like applying lipstick on a pig,” said the technology head of a public sector bank who did not wish to be named because of the sensitivity of the subject. He pointed out that the SWIFT system can accommodate both manual and straight through processing (STP) requests. STP is used by financial companies to optimize the speed at which they process transactions.

“However, such should be the case only in exceptional cases. In all other instances, all the requests must be processed through an online interface between the CBS and SWIFT. However, many banks are yet to do this, which defeats the purpose of a risk management system,” the person explained.

“In early 2004-2007, due to pressure from RBI, all PSU banks implemented CBS software on a centralised architecture, spending collectively over Rs6,500 crore on this IT upgrade,” corroborated Hanuman Tripathi, a top management executive in the banking technology industry for over two decades.

“All these solutions–whether in retail or trade finance–are expected to be interfaced with the SWIFT gateway. This was a major focus area between 2007 and 2014 when RBI and FATF (Financial Action Task Force) guidelines insisted on making SWIFT an online interface on banking systems to ensure no KYC (Know Your Customer) failure,” he added. Frauds cannot happen until someone has bypassed the technology systems by “sending manual letters and not creating contingent liability in the bank accounts of the customer”, he insisted.

That the SWIFT system can be manipulated was also pointed out by former RBI deputy governor S.S. Mundra in a speech on 7 September 2016.

Among other things, he said, “We have also come across instances of fraudulent messages confirming documentary credits being transmitted using SWIFT infrastructure. Although, the latter incidents were mainly a result of failure of internal controls and non-adherence to ‘four eyes principles’, it is also on account of reliance on disparate systems whereby SWIFT transactions could be done without originating a corresponding transaction in the CBS.”
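The two control gaps named in the speech, SWIFT messages with no originating CBS transaction and non-adherence to the four-eyes principle, can be checked with a daily reconciliation of the outbound message log against the CBS ledger. The sketch below is an added example, not code from any bank or from SWIFT; the record layouts, field names, references and user IDs are constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class SwiftMsg:            # assumed, simplified row from an outbound message log
    ref: str               # transaction reference shared with the CBS
    mt: str                # message type label
    currency: str
    amount: Decimal
    maker: str             # user who created the message
    checker: str           # user who authorised it

@dataclass(frozen=True)
class CbsEntry:            # assumed row from the CBS ledger / contingent liabilities
    ref: str
    currency: str
    amount: Decimal

def reconcile(messages, cbs_entries):
    """Return {ref: [findings]} for outbound messages that fail either control."""
    ledger = {e.ref: e for e in cbs_entries}
    findings = {}
    for m in messages:
        issues = []
        entry = ledger.get(m.ref)
        if entry is None:
            issues.append("NO_CBS_ENTRY")          # message sent outside the CBS
        elif (entry.currency, entry.amount) != (m.currency, m.amount):
            issues.append("CBS_MISMATCH")          # booked value differs from message
        if not m.checker or m.checker == m.maker:
            issues.append("FOUR_EYES_VIOLATION")   # no independent authoriser
        if issues:
            findings[m.ref] = issues
    return findings

# Constructed sample data, for illustration only.
SWIFT_LOG = [
    SwiftMsg("REF0001", "MT103", "USD", Decimal("25000.00"), "u101", "u202"),
    SwiftMsg("REF0002", "MT700", "USD", Decimal("900000.00"), "u101", "u101"),
    SwiftMsg("REF0003", "MT103", "EUR", Decimal("5000.00"), "u303", "u404"),
    SwiftMsg("REF0004", "MT799", "USD", Decimal("750000.00"), "u101", "u505"),
]
CBS_LEDGER = [
    CbsEntry("REF0001", "USD", Decimal("25000.00")),
    CbsEntry("REF0003", "EUR", Decimal("500.00")),
]

if __name__ == "__main__":
    for ref, issues in reconcile(SWIFT_LOG, CBS_LEDGER).items():
        print(ref, ", ".join(issues))
```

REF0004 passes the maker/checker test yet has no CBS entry, which is why the ledger match is needed as a control independent of the two users: colluding employees can satisfy four-eyes between themselves.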


Written by Loknath Das