It’s been more than a year since the famous Bangladesh Bank cyber heist took place. In February 2016, instructions to transfer $951 million from the Central Bank of Bangladesh to several bank accounts in Sri Lanka and the Philippines were issued via the SWIFT network. Media reports showed that attacks on the network continued throughout 2016.
Given the similarities between SWIFT and the money transfer companies, we approached the Chairman of the International Association of Money Transfer Networks (IAMTN), Mr. Mohit Davar, and talked to him about the lessons the members of the IAMTN can learn from the cyber attacks on SWIFT in order to prevent similar occurrences on their systems. First, we asked Mr. Davar for his assessment of the current status of SWIFT security.
“I’m sure every time they go through this they are building more and more controls into their processes and their systems to counteract what has happened”, says Davar. “Of course, that does not prevent something new from happening, and I think the challenge for SWIFT as a messaging service is that ultimately the quality of their system is only as good as the systems of the member banks. So if the attacks continue to happen because XYZ bank in ABC country does not have the appropriate controls, then I think the SWIFT system still remains vulnerable to a great extent, because the gateway is open. That’s a challenge that will take them quite a while to overcome, until all the banks upgrade their systems and make them secure.
That’s a challenge similar to the challenges money transfer companies face, particularly those dealing with agents: they can have the best security in their system, but if the agents’ systems are not secure, then there is still a chance that somebody is going to break through the agent’s gate. That is the risk.”
Norman Frankel: Is there a certain type of attack money transfer operators should be particularly aware of, and to which they should give priority when they assess their cyber security needs?
Mohit Davar: When I was in the Middle East there were a lot of attacks on the agents, and the agents had access to the money transfer systems. The transfer systems would then get hacked because the agents were accessing them through web sites that had no real firewall controls. The hackers would penetrate the money transfer companies’ systems and make fictitious transactions. They would effectively create a transaction, send it, let’s say, from Dubai to Kenya, and the transaction would get cashed out in Kenya. Of course these were fake transactions, but nevertheless the agent and the remittance company would lose the money. That was quite a common thing that was happening, and this was not even digital, this was the traditional agency model.
The money transfer industry has lately been moving very much from the traditional to the digital side. And as you move to the digital side, clearly you are exposing yourself more and more to cyber attacks, and the vulnerability is going to be higher.
Norman Frankel: Are the money transfer companies prepared to deal with this increased vulnerability?
Mohit Davar: My assessment is that the money transfer world in general doesn’t take cyber security as seriously as it should. So I think it’s very much either not an issue, or it’s an issue on the IT departments’ plates and it has not really raised its head to where it should be, that is, seen as a key issue by the CEO and the board.
Norman Frankel: What is your advice on this matter?
Mohit Davar: I think companies have to take cyber security seriously and I believe it needs to be dealt with in the same way they deal with compliance.
If you go back prior to 9/11, compliance was a non-issue. This industry was not really regulated, and it was not high on anybody’s agenda. And then we went through a phase where compliance was a burden and we had to do it, there was no choice. Now we are in a phase where it’s just integrated into your day-to-day business. Actually, the more compliant you are, the more you have a selling point, not only to your customers, but also to your banks and other stakeholders.
I think cyber security has to go through some of the same learning curve. Maybe right now some people have barely thought about this issue, or maybe they are bordering on: “Oh, it’s a pain, but we have to go through it”. That’s not enough.
They have to get to the realization that this is part of the puzzle of our business, and just as a shop carrying a lot of cash would look at physical security, an operator doing online transactions should look at cyber security, right? It’s got to be one of the key risks that is identified and dealt with, and I don’t think that it’s in the firms’ culture yet. The only time it becomes a higher priority is when it strikes and there is an issue, and then of course it’s too late.
Norman Frankel: What practical steps do you recommend to your members – and to the money transfer companies in general – to address this issue?
Mohit Davar: I think this is a real threat to their business, so they are better off not putting it off, but actually getting cyber security up the agenda and making it a priority.
They should either build the security capability in-house – which is what large companies do – or look at outsourcing it to companies such as iCyber-Security Group or others. At the very least they should get the penetration testing done, and have annual health checks in place on their security systems given the rapid evolution of the threats that are in the market.
They should also get contractors to give them the comfort that their systems are secure – or, if they are not secure, they should bring them up to speed with all the controls they need to put in place to prevent cyber attacks from happening. As they are storing customer data they are regulated, so this is quite a big issue if their system is breached.
Norman Frankel: In Europe the data protection rules are changing in May 2018, as the EU General Data Protection Regulation (GDPR) will enter into force, and substantial fines will exist for companies found not to be compliant with these new rules, in particular for not disclosing breaches. Do you think companies will change their attitude regarding disclosures?
Mohit Davar: I think they will do that, that’s not a problem. The challenge is that these will never come into the public domain, because they do not want the consumers to know that something has happened, as they don’t want the consumers to lose trust in their service. So they will make a declaration to the regulator, but that’s not public knowledge. If we start to say that the disclosure should be public – in which case it will affect their reputation, it will affect their volumes – then maybe they will take it more seriously.
I think any Money Transfer Operator in Europe should be looking at these rules and ensuring compliance. But actually these rules may make sense for money transfer operators outside of Europe to take a look at as well, as they are a useful starting reference point for good practice. The USA has also adopted new fines for breaches of data on US citizens that can involve a US$2m fine. Given that so many remittances originate from the USA, this should be another reason for companies in the industry to adopt good working practices.