October 31, 2016
In light of the recent heist from the Bangladesh Bank account at the New York Federal Reserve, in which cybercriminals made off with $81 million, many in investment banking are questioning whether financial software needs to be reviewed to improve cybersecurity within their institutions.
While the intended transfer of $1 billion from Bangladesh Bank’s account was foiled, the heist still raises concerns as to how and why the fraudulent activity wasn’t detected earlier and how it could be prevented in the future.
The whole premise behind the heist involved using the centrally governed SWIFT (Society for Worldwide Interbank Financial Telecommunication) messaging system that is universally used and trusted by over 11,000 members. The hackers stole the SWIFT credentials and used the system to send 35 fraudulent messages in one day, requesting transfers totaling $1 billion from the Bangladesh Bank to individual accounts. While looking at Bangladesh Bank’s account history should have already indicated something suspicious to the NY Federal Reserve, it didn’t. And it appears that the detection of the fraudulent messages was, in fact, a stroke of luck rather than deliberate detection.
Initially, the 35 messages were rejected by the NY Fed because they were missing vital information, but when the hackers resubmitted them with the correct information supplied, five got through. The others, however, were rejected by chance: the street name for the recipient bank in the Philippines was Jupiter Street, and Jupiter just happens to be the name of an Iranian oil tanker and shipping outfit that is under US sanctions.
The scale of the recent heist has emphasized that despite numerous fortifications against cybercriminals, banking institutions are still vulnerable to tried and trusted methods of sophisticated cyber-theft.
However, financial industry experts such as Samee Zafar, from Edgar Dunn Company, are discussing whether the basic principles of blockchain and distributed ledgers could be a possible solution for protecting the world’s banks.
Blockchain was originally developed for bitcoin, a virtual currency, providing a decentralized system in which a network of different computers writes coded ledgers that create an irrefutable and incorruptible record of past transactions in individual blockchains. These blockchains are shared publicly as part of the decentralized system, meaning no central authority is required to process or record transactions, therefore making interactions safe, secure and trusted. The structure of the blockchain was specifically designed to create ledgers within an automated system, but distributed ledgers can offer a more comprehensive and robust system that can be supported by all types of systems. This would allow banks to implement varying levels of control and permissions within the system for greater flexibility, rather than being autonomous.
At present, other than the SWIFT system, there is not much of a unified approach to risk assessment and management. The responsibility to carry out risk assessments and implement risk management systems currently falls to the individual institutions and happens internally, which has led to differing best practices and procedures across the board. This could make smaller banks with less-sophisticated risk management systems more vulnerable to cyberattacks.
But a distributed ledger system that is fully integrated across all banking systems worldwide could deliver much better cybersecurity. Much of a distributed ledger is automated, and the ledger history is ubiquitous and unchangeable, detailing a linear and chronological blockchain of transaction history. Because it is not possible to delete or alter past transactions, potential high-tech cyberattacks could be prevented before they happen.
With this in mind, it seems that many of the world’s central banks such as Goldman Sachs, JPMorgan, Citigroup, Wells Fargo and Bank of America are already experimenting with blockchain. However, it’s worth noting that at this stage, much of the motivation behind this is economic rather than preventing cyberattacks. It’s thought that blockchain could lead to significant operational savings, which would inevitably be beneficial, and preventing cyber-fraud in the process would be an added bonus.
When it comes to investment banking, guarding against cybercrime is key to protecting capital. Therefore, investing in robust and reliable finance software is essential.