Protections Against Digital Bank Robbers
Published by The Lawfare Institute
Bonnie and Clyde are a thing of the past. Bank robberies have declined in the past several years, a function in part of improved security measures. Instead, criminals have turned to robbing banks digitally, resulting in the Federal Reserve and other agencies calling on banks to beef up their cybersecurity.
On October 19th, the Federal Reserve, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency issued a notice of proposed rules that would heighten cybersecurity requirements for large and interconnected entities. Additionally, there is a proposed tiered system that would further enhance the obligations of entities designated as critical to the financial sector. The proposed standards touch five areas of cybersecurity—cyber risk governance; cyber risk management; internal dependency management; external dependency management; and incident response, cyber resilience, and situational awareness. Comments on the proposed rules are due by January 17, 2017.
On the heels of calls to bolster cybersecurity, SWIFT, the Society for Worldwide Interbank Financial Transfers, announced in mid-October that a second hacking group is attempting to rob banks through fraudulent transfers. SWIFT, a non-profit cooperative, operates a global payment network that uses a messaging system through which banks contact one another and exchange payment information.
Last February, the central bank of Bangladesh was hit by hackers who stole the SWIFT codes and successfully transferred $81 million from its account at the Federal Reserve. SWIFT claimed that a group named Lazarus was responsible and indicated that it was likely a state actor. Lazarus has been fingered in other SWIFT member heists in Southeast Asia, as well as in the 2014 Sony hack.
In late August, SWIFT announced that hackers were still targeting member banks. According to the letter sent to its members, those who were successfully hacked "shared one thing in common; they have all had particular weaknesses in their local security."
On October 11th, SWIFT made yet another announcement about recent hacks: a group called Odinaff has infected 10 to 20 of SWIFT’s member organizations with malware. The malware can hide fraudulent SWIFT message requests from the system. According to Symantec researcher Eric Chien, Odinaff appears to be a financially motivated criminal group, rather than a nation-state actor. Based on similar tactics and the same IP addresses, Symantec believes it may be linked to another hacking group that has been targeting banks and point-of-sale systems since 2014. While SWIFT has not identified specific victims, it stated that most of the attacks occurred in the United States, Hong Kong, Australia, the United Kingdom, and Ukraine.
In order to address the continuing security threat, SWIFT has created its own "customer security intelligence team"—which investigates cyber incidents that harm its member organizations, advises the organizations on defending themselves, and informs them about recent threats. Traditionally, SWIFT has not disclosed the victims of cyber attacks in order to protect the member organizations' privacy. However, it has threatened to change that policy if member organizations are not adhering to cybersecurity standards. SWIFT also threatened to report banks to regulators if they do not install the latest version of SWIFT's software by November 19; the new version of the software addresses some of the security issues. In late September, SWIFT also announced mandatory core security requirements for members. That same month, it introduced a new security tool that provides daily activity and risk reports.
However, some financial groups are looking to systems beyond SWIFT to secure their transfers. After 18 months of preliminary work, Visa has invited a small number of European banks to join in a project that uses a blockchain for interbank transfers. A blockchain is a distributed ledger born in the Bitcoin system that allows a network of computers to contribute to it as well as verify it, negating the need for a central authority. Visa's project also uses smart contracts, self-executing computer protocols that carry out or enforce contractual obligations. This combination allows for simultaneous transfers with heightened security.
Rather than creating its own system, J.P. Morgan Chase is using Ethereum, a publicly accessible blockchain-based platform, to develop its own project, Quorum. While running off of a public system, Quorum limits access to transactions to those who need to know the details, an approach known as permissioned blockchain technology.
Four big banks—UBS, BNY Mellon, Santander, and Deutsche Bank—have banded together with ICAP, a broker, and Clearmatics, a London-based blockchain company, to explore blockchain transfers. Rather than using bitcoin, they created their own cryptocurrency, the Utility Settlement Coin (USC), which can be exchanged between banks and is the equivalent of its paired real-world currency. USCs will be backed by cash in a central bank. They have proposed the project to central banks with an expected roll-out date of early 2018.
These financial institutions are not going it alone. In an August 2016 report, the World Economic Forum found that over 90 central banks were involved in blockchain discussions and expected that over 80 percent of banks will initiate blockchain projects by 2018. According to Greenwich Associates, banks will spend over $1 billion this year on blockchain investments. However, these blockchains are not without their own problems. In mid-July, an application running off Ethereum was hacked to the tune of $55 million. However, because of the decentralized and distributed nature of blockchain, the creators of Ethereum were able to do a “hard-fork,” effectively rewinding the ledger to before the hack. Not without its consequences, this split Ethereum into two separate systems: the old system which had not been “reset” and the new one which had.
As blockchains and their cryptocurrencies have gained momentum, they have also gained government attention. Last week, the European Central Bank issued an opinion, per the request of the European Parliament and Council, which strongly discouraged the promotion of cryptocurrency:
The ECB recognises that the technological advances relating to the distributed ledger technology underlying alternative means of payment, such as virtual currencies, may have the potential to increase the efficiency, reach and choice of payment and transfer methods. The Union legislative bodies should, however, take care not to appear to promote the use of privately established digital currencies, as such alternative means of payment are neither legally established as currencies, nor do they constitute legal tender issued by central banks and other public authorities…. Thus, while it is appropriate for the Union legislative bodies, consistent with the FATF’s recommendations, to regulate virtual currencies from the anti-money laundering and counter-terrorist financing perspectives, they should not seek in this particular context to promote a wider use of virtual currencies.
The United States has taken a different approach. While still Assistant Attorney General, John Carlin called for the regulation of cryptocurrencies: “Just as we did with currency ... we put in different regulations and reporting requirements that made it harder for those who would do bad things to take advantage of our financial system ... So, as we move toward some of these new currencies we will need to take similar steps with them.”
In late August, a terrorist group publicly used digital currency for the first time. The Ibn Taymiyya Media Center, an online jihadist propaganda unit based out of the Gaza Strip, added the ability to pay in bitcoin to their fundraising drive, according to Yaya Fanusie, the director of analysis for the Foundation for Defense of Democracies’ Center on Sanctions and Illicit Finance. In January, Europol reported that despite third-party reports, law enforcement had not observed terrorists using bitcoin.
In order to respond to its potential abuse, the National Nuclear Security Administration is developing an analytical tool that will help with the de-anonymization of cryptocurrencies. However, it appears to be in its early stages, as requirements for the tool were announced in late August.
Meanwhile, Bitcoin, the popular cryptocurrency, may have its own internal problems. The blockchain functions by having computers compete to solve complex problems reconciling the blockchain ledger. The greater the processing power, the more likely a computer will be the first to solve the problem. As a result, Bitcoin mine owners chase cheap power around the globe. Because of cheap power and low wages, 70 percent of the processing power behind bitcoin is in China, which has itself forbidden banks from using it.
The choice is not a binary one, as SWIFT itself is looking into using blockchains, albeit not exclusively. Whatever the best path for quick and secure transactions may be, banks will be most secure through collaboration, despite the vulnerability it brings. In early August, eight of the big banks—Wells Fargo, J.P. Morgan, Bank of America, Citigroup, BNY Mellon, State Street, Morgan Stanley, and Goldman Sachs—formed a group to share security threats and intelligence, as well as to run war games. Despite the race to achieve blockchain success being likened to an arms race, this cooperation hints at a collaborative road ahead.
The views expressed in this article are those of the author and do not necessarily reflect the official policy or position of the U.S. Department of Justice or the U.S. Government.