By Tom Bergin
LA HULPE, Belgium (Reuters) - More than a dozen current and former board directors and senior managers of SWIFT, the bank messaging system that helps transmit billions of dollars around the world every day, have told Reuters the organization for years suspected there were weaknesses in the way smaller banks used its messaging terminals – but did not address such vulnerabilities.
The sources said that until February, when hackers tried to steal nearly $1 billion dollars by breaking into the messaging system at Bangladesh's central bank, SWIFT had not regarded the security of customer terminals as a priority. Top executives either did not receive information from member banks about specific attempts to hack the messaging network, or failed to spot those attempts themselves, the managers said.
In SWIFT's annual reports and strategy plans from the past 17 years Reuters could find only one reference to SWIFT helping its users to secure their systems. That reference – to helping "our community to strengthen their own infrastructure" – was in the 2015 annual report published in June this year, months after the Bangladesh heist, in which the fraudsters ended up making off with $81 million.
"The board took their eye off the ball," said Leonard Schrank, who was chief executive of SWIFT from 1992 to 2007.
"They were focusing on other things, and not about the fundamental, sacred role of SWIFT, which is the security and reliability of the system."
Schrank said he was broadly aware that users' terminals were a weak link in SWIFT's overall security, but paid too little attention to it. "So I am partially responsible," he said.
The messaging business failed to act in part because the risks were not properly appreciated, the former directors and managers said.
SWIFT did not comprehensively track security incidents or monitor the extent of sloppy security practices among users. It saw smaller banks as a potential – but not immediate – threat to the security of the network, according to the former managers and directors.
SWIFT never acted, former board member Arthur Cousins said, because the organization believed bank regulators – rather than SWIFT – were responsible for ensuring smaller banks' security procedures were robust enough to repel hackers.
A spokeswoman for SWIFT, a cooperative owned by banks, defended the organization. "SWIFT and its Board have prioritized security, continually monitoring the landscape and responding by adapting the specific security focuses as threats have evolved. Today's security threats are not the same threats the industry faced five or ten years ago – or even a year ago – and like any other responsible organization we adapt as the threat changes."
SWIFT was, and still is, dominated by large Western banks, including Citibank, JP MORGAN, Deutsche Bank and BNP Paribas, that built the network decades ago. That contributed to the lack of concern over security, said the former directors, because the larger banks tend to have sufficient defenses to prevent criminals from hacking into their SWIFT systems. But since the 1990s, many smaller banks in emerging markets have joined SWIFT, and some may have weaker computer security. In all, more than 10,000 institutions are now connected to SWIFT.
Gottfried Leibbrandt, CEO since 2012, said it was only with the benefit of "hindsight" that one could see that SWIFT needed to put more focus on security at customer terminals. "Hindsight is always a wonderful thing," he said. "Sometimes it takes a crisis to change things."
RISE IN SMALL USERS
In the Bangaldesh heist, hackers broke into a computer interface called Alliance Access, a piece of software sold by SWIFT for accessing its central network. It is still unclear exactly how the thieves gained entry. Bank Bangladesh has alleged that a botched upgrade of its system left vulnerabilities in it. SWIFT has rejected any responsibility for the way Bangladesh Bank upgraded its systems.
Whatever specific weakness the thieves in the Bangladesh case exploited, former SWIFT directors and managers said the system became more vulnerable as it got bigger.
Alessandro Lanteri, a former executive with Italian bank Unicredit who served on SWIFT's board between 1995 and 2000, said security challenges increased when smaller banks in emerging markets joined the SWIFT network. "The difficulty is always to keep the security system very effective when you deal with little banks and emerging countries," he said. "There, it is very difficult to be sure that all the procedures of security are managed in the correct way."
The number of countries and territories covered by SWIFT swelled from 126 in 1994 to 200 in 2003 and 212 now.
Bigger western banks considered SWIFT more cost effective and secure than alternative means of communication, Cousins said, and encouraged smaller banks to become members.
But despite the rise in the number of smaller institutions as members, the big banks continued to dominate SWIFT. The organization's revenues, which hit 710 million euros last year, are driven by a concentrated number of large western correspondent banks like Citigroup and HSBC, former SWIFT staff said.
Traditionally, 90 percent of messaging revenue comes from banks in just 25 countries – almost all developed nations – data in the decade to 2011, the last year for which SWIFT published a breakdown, shows.
Some people working at the coalface spotted evidence of deteriorating security well before this year's Bangladesh case.
Two years ago, Martin Ullman, a Prague-based SWIFT consultant, was browsing a LinkedIn forum for SWIFT users when he saw a posting from a recently-appointed technician at the Central Bank of Solomon Islands (CBSI). The technician needed to install an upgrade to the bank's SWIFT messaging system but didn't know how. He wanted advice.
Ullman emailed the man and told him that raising such issues in a public forum could endanger security and advised him to seek expert help. The technician said the bank couldn't afford it, and said he finally managed to install the system himself. CBSI declined to comment. Reuters was unable to contact the technician to confirm the incident.
Yet security was vital: Six former directors of SWIFT said any breach of the broader system could put the bedrock of SWIFT – the willingness of banks to accept messages at face value – at risk.
TRAIL OF INCIDENTS
Hugh Cumberland, a former SWIFT executive who now advises banks on payments technologies, said he first saw security risks in 1993. He told Reuters that, when he was working as a technology contractor with BZW, an arm of BARCLAYS, in London. Cumberland arrived for work one day to be met by policemen carrying Heckler & Koch submachine guns. Two staff members had been arrested for attempting to use their access to a SWIFT terminal to send 10 million pounds of "unnamed client money" to accounts controlled by them. Cumberland did not know the outcome of the case. Both SWIFT and Barclays declined to comment.
Another incident occurred in 1995, when officials at Dubai Islamic Bank (DIB) began sending fraudulent payment instructions to Citibank, telling it to pay money from DIB's account at the U.S. bank into the account of a fraudster, according to a lawsuit DIB filed against Citibank in New York in 1999. More than $150 million was allegedly stolen by DIB executives in collaboration with Foutanga Dit Babani Sissoko, a West African businessman previously jailed for trying to bribe U.S. customs officials. Sissoko was deported from the United State before the DIB allegations were made in court. Reuters could not contact him.
A lawyer involved in the case confirmed the messages were sent via SWIFT, which has a near monopoly on such international payment instructions. The court dismissed the claim of negligence against Citibank. The banks declined to comment on the case. (Swift was not involved in the legal proceedings.)
More recently, thieves exploiting SWIFT systems stole $250,000 from Bangladesh's Sonali bank in 2013 and more than $12 million from Ecuador's Banco del Austro in 2015. Later in 2015, Vietnam's Tien Phong Bank foiled an attempt to steal money via SWIFT, which was reported by Reuters in May. SWIFT officials said the banks involved in these three cases did not immediately inform it of the incidents, though the banks did confirm them later.
The senior management at SWIFT appears to have been unaware of the events. Leibbrandt told Reuters in May that, before the Bangladesh heist in February, he had not been told of any successful or unsuccessful attempt to steal money using SWIFT.
Asked why SWIFT had not logged the incidents described above, a spokeswoman said: "SWIFT has always maintained an uncompromising focus on security as evidenced by our track record."
Some former SWIFT executives and directors said the failure to spot the security risks around user terminals reflects weaknesses in SWIFT's board. Schrank, the chief executive from 1992 to 2007, said some directors lacked the experience needed to help steer such a big and important enterprise.
"Generally the SWIFT board, with very few exceptions, are back-office payments people, middle to senior management," he said.
Of 48 current and former non-executive SWIFT directors for whom Reuters could find career histories, only two sat on their employer's management board. Only one sat on the board of a listed company other than their employer.
Fritz Klein, a former Credit Suisse banker who served on SWIFT's board from 1998 to 2002, said an even greater concern was the length of tenure of some members, which he said did not encourage fresh thinking. At any time, a third of members had been there for "very long, perhaps too long," he said.
A spokeswoman for SWIFT said: "SWIFT's large and diverse group of Board members have decades of experience in operations, management, IT, risk assessment, and various other disciplines. SWIFT's Board composition includes long-standing members with a deep understanding of how SWIFT works, as well as newer members who contribute with a fresh outside view."
The board is dominated by larger banks: the six countries which have the greatest messaging volume have the right to appoint two directors each. The next 10 largest user countries can appoint one each.
Lanteri, the former Unicredit banker who used to be a SWIFT director, said: "When I was on the board I had no direct contact with the little countries." Board members came from all over the world, he said, but "from the most important banks."
The Bangladesh heist has changed attitudes. In May, SWIFT published a new "customer security plan," promising to strengthen security on software tools such as Alliance Access; to develop new tools to spot when an account has been compromised and when a payment instruction deviates from normal patterns; and to allow banks to issue "stop payment" orders quickly.
In July, SWIFT announced the creation of a "Forensics and Customer Security Intelligence team," in conjunction with cyber security firms BAE Systems1 and Fox- IT2. The team will gather information on any attempts to commit thefts through SWIFT, analyze the risks these attacks highlight and share the lessons with the wider SWIFT community.
(Additional reporting by Andrew MacAskill in London; Edited by Richard Woods and Alessandra Galloni)