Following the news about the SWIFT network attacks, Igor Baikalov, Chief Scientist at Securonix commented below.

Igor Baikalov, Chief Scientist at Securonix:

“I find it highly amusing that there’s even a discussion of who is responsible for the security of a SWIFT terminal – SWIFT itself, the financial institution, or the local banking regulator? It seems like something that should have been resolved well before the largest global payments network, connecting 10,000 banks, was established.

And banks have long been aware that third-party security is their problem, not that of the third party. That must have been one of the founding principles behind SWIFT – to create a cooperative that takes care of this problem for its members. Economy of scale, so to speak.

According to recent admissions by several senior SWIFT officials, that was not the case. SWIFT’s priorities were placed elsewhere. Perhaps, in signing up thousands of banks in emerging economies, with little or no support for investigating and prosecuting cyber crimes?

And while blaming North Korea became a default excuse for lax security practices, the terminal’s security is not the only problem here. Try to submit an online request with your bank to transfer a couple of thousand dollars to a new recipient. What do you get? A text message or a phone call asking for confirmation, called out-of-band verification. (If you don’t get it, switch your bank immediately!)

Then why, when the bank receives a SWIFT request to transfer a billion dollars, is there no verification at all?

SWIFT failed to protect the integrity of its messaging network, allowing attackers to inject malicious messages, and its overall approach to the security of transactions is (like many other things in Brussels) in need of a major overhaul.”

Information Security Buzz