Bankers are under attack around the world. The assault is not being led by masked men with pistols but rather by anonymous cyber-thieves armed with malicious code.
Their vulnerability stems from a historic shift. Before 1973, the world’s banks had a communication problem. Transferring money involved countless phone calls, telex machine messages and frustration. Bankers needed to take control of the process.
The member-owned message system Society for Worldwide Interbank Financial Telecommunication was born.
For more than four decades, the SWIFT system has standardized the global bank message system, allowing institutions to transfer funds, letters of credit and security transactions quickly and securely. In 2015, operating out of data centers in Belgium and the United States, SWIFT counted more than 11,000 member institutions in 200 countries and routed 24 million messages daily using unique 8- or 11-character codes.
Although SWIFT held no member funds, bankers came to rely on the automated message system. It was beyond reproach until details leaked about a cyber-heist at the Bangladesh central bank where thieves had penetrated the SWIFT system and looted member banks.
The Bangladesh heist was a wake-up call to the industry. Another confirmed attack on a Vietnamese bank last week is a clear indication an orchestrated campaign targeting SWIFT member banks is underway. In both cases thieves stole the SWIFT credentials of member banks. When crooks saw money transferred to other banks held in the member account name, they submitted fraudulent messages asking that money be transferred back to one of their own accounts. To cover their tracks, the thieves used malware code. In the case of the Bangladesh robbery the bandits submitted messages asking for more than $1 billion before eventually making off with $81 million.
These cases are not isolated. Russian cybersecurity firm Kaspersky Lab claims Interpol and other agencies estimate that more than $1 billion has been pilfered from 100 financial institutions during the last two years by the Carbanak cybergang located in Russia, Ukraine and China.
The SWIFT weaknesses are fodder for calls to overhaul the banking system with something far more robust, like Blockchain. Ironically, getting there will involve surrendering the control member firms sought when then created SWIFT in Brussels years ago.
Blockchain is the ledger system underlying the crypto-currency Bitcoin. Its key advantages are that it is shared publicly, decentralized, secure, trusted and automated. Blockchains allow everyone to write to a ledger system and those entries are available for all to see. When a transaction is completed, encrypted software creates a block that is added to the ledger system in linear, chronological order. The ledger constantly evolves and because there is no central authority, entries can never be deleted.
Forty-two of the largest banks , including Goldman Sachs (GS), JP Morgan (JPM), Citigroup (C), Wells Fargo (WFC) and Bank of America (BA), have already begun testing Blockchain. The motivation is largely economic. The banks believe Blockchain will lead to annual back office cost savings of $20 billion . Stumping cyber-criminals would be an extra benefit.
When the financial services industry flocked to the SWIFT message system in the 1970s, few could have imaged hackers toting malicious software would use it to rob untold millions. Fewer still would have believed member firms would respond by experimenting with non-proprietary software. It’s a brave new world for criminals and the people trying to stay one step ahead.
You would think there would be a lot of cybersecurity software companies that we could invest in to make some coin of our own off this phenomenon. But the industry is overvalued, and its services are being commoditized, a bad combination. Two of the top names to watch, though, are Fortinet (FTNT) and Palo Alto Networks (PANW)