International financial messaging service SWIFT told clients on Friday to share information on attacks on the system to help prevent hacking, after criminals used SWIFT messages to steal $81 million from the Bangladesh central bank.
Earlier on Friday, Reuters reported that Wells Fargo, Ecuador's Banco del Austro (“BDA”) and Citibank, whose managing director, Franchise Risk & Strategy, Yawar Shah, is SWIFT's chairman, did not inform SWIFT of an attack last year in which more than $12 million was stolen from BDA.
The banks and Shah all declined to comment on why they did not inform SWIFT.
Banks use secure SWIFT messages for issuing payment instructions to each other. The network is considered the backbone of international finance but faith in its security has been rocked by the theft from Bank Bangladesh's account at the Federal Reserve Bank of New York.
SWIFT said in a communication to users on Friday that they should "immediately inform SWIFT of any suspected fraudulent use of their institution's SWIFT connectivity or related to SWIFT products and services."
SWIFT spokeswoman Natasha de Teran said banks whose SWIFT systems had been hacked should inform SWIFT. She said she was unable to say whether banks, such as Wells Fargo, that received messages they later discovered were fraudulent, should inform SWIFT.
SWIFT has a role to play in educating its members about cyber threats, said Doug Johnson, senior risk adviser at the American Bankers Association, noting there were disparate levels of security across financial institutions globally. The ABA is a powerful lobby group for the U.S. banking industry.
“This is a teachable moment for everybody who uses the SWIFT system to recognize that there is an effort by criminals underway to compromise the end points of companies using that system,” Johnson said in a statement to Reuters after SWIFT communicated to its users on Friday.
SWIFT is especially concerned about the use of malware to access interfaces with the SWIFT network. The Belgium-based co-operative, which is owned by its user banks, said it needed technical information from systems which have been compromised with malware to better understand the risks of attack.
Malware was used in the hacks on Bank Bangladesh in February and in the BDA case in January 2015.
"It is essential that you share critical security information related to SWIFT with us, "SWIFT said.
SWIFT told clients it would notify them as soon as possible of cases where malware had been used to attack systems "so that you can better target your preventative and detective efforts".
SWIFT did not inform clients about the BDA theft because it was unaware of it, a spokeswoman told Reuters.