US banks told to check security before hackers strike
HONG KONG — U.S. regulators have put the country’s banks on notice, warning them to secure vulnerable computer systems before hackers are able to strike.
A group of U.S. regulatory agencies have directed banks to quickly shore up authorization practices and fraud detection in order to guard against hacks through their messaging and payment networks.
The warning from the Federal Financial Institutions Examination Council comes after hackers known as the “Lazarus Group” pulled off at least four high-profile digital bank heists, stealing more than $100 million — and so far, getting away with it.
What the hackers have done is steal a bank’s credentials from SWIFT, the worldwide interbank communication network that settles transactions, in order to make transfers.
The hacks have exposed a flaw in the integrity of the international banking system. That system is based on trust — the understanding is that if a bank approves a transaction, it’s really that bank making the call.
But only the largest banks — typically those in the United States and Europe — are well protected. As the CEO of Mastercard recently put it: Smaller banks are the weak link in the chain.
In January 2015, hackers broke into Ecuador’s Banco del Austro, stealing $12 million in bank funds that were being held by Wells Fargo in the U.S.
Last October, a bank in the Philippines was targeted. Bankers’ desktop computers were infected with computer code that gave hackers control of the system, though it’s unclear if any cash was stolen.
Then, in December, hackers tried to transfer out $1 million from Vietnam’s TPBank, but failed.
The most recent case came earlier this year in February, when the hackers broke into Bangladesh’s central bank and stole $101 million from its account at the New York Federal Reserve.
As a response to these hacks, SWIFT is forcing banks to increase their security. Moving money will require additional steps that prove a real banker is approving a transaction.