It’s been discovered that a second group of hackers – Odinaff – has broken into the SWIFT system, the lynchpin of the global financial system. Odinaff were found to be using the same approach as the those who stole $81m from the Bangladesh bank earlier this year. Kevin Bocek, Chief Cybersecurity Strategist at Venafi commented below.
Kevin Bocek, Chief Cybersecurity Strategist at Venafi:
“The SWIFT system was state-of-the-art when it was created two decades ago, but in cybersecurity and fraud prevention, 20 years might as well be a millennium. A complete rethink of outdated payments architectures, including SWIFT, is long overdue.
These attacks on SWIFT are like old-school bank robberies for a digital age; the hackers are taking money right from the bank’s safe. This is a shift from previous attacks that have been more focused on stealing from banking customers – after the success of the first SWIFT hack, it’s unsurprising to see the headlines doing the rounds again and I’d be shocked if this is the last we see of it.
The fact is, hackers have clocked on to something that organisations still haven’t woken up to: hackers are abusing our systems of authentication, privacy and control – which establish trust on the internet – and essentially turning our defences against us. The perfect disguise for any bank robber is to have a valid security badge and credentials. Criminals want to gain trusted status and go undetected for long periods, they are therefore targeting cryptographic keys and digital certificates as they help them to gain access to even higher value targets than ever before and remain undetected.
A critical step for both SWIFT and banks to mitigate the risk of breaches like these is to make sure they are able to determine who and what can and cannot be trusted. Only by understanding how this system of digital trust that depends on keys and certificates was breached can we hope to secure the global banking system of the future.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.