It has been an interesting news cycle in Fintech. First we had Lending Marketplace Meltdown Week. The takeaway: “all this new fangled stuff is messed up and its time to go back to the tried and the true”. Then we had the news that SWIFT, the venerable cross border payment system got hacked again, for the second time in weeks. The takeaway: “the old tried and true is broken, its time to accelerate plans to bring in the new fangled stuff we have been brewing in our labs”.
Our mantra is “once means nothing, twice is coincidence and three times is a trend”. So the second SWIFT hack prompted a deeper look into what went wrong and to assess the likely second order impact.
Reactions from experts
First, here is the official SWIFT security announcement on 13 May after the second attack.
Daily Fintech asked some experts in FX and cross border payments for their reactions.
Alan Scott, a serial entrepreneur with deep experience of FX, cross border payments and blockchain technology focussed on the inherent weaknesses of closed systems:
“SWIFT derives most of its security from being a closed system operated by and for trusted parties. Block chain as originally envisioned is an open system operated by trust less parties. This hack really demonstrates the weakness of the first system, once in the hacker is protected by the system as by definition everyone in the system is trusted. Once discovered, the owners of the system have a problem larger than the financial impact of the hack, that is do they inform the world that their system of trust has been broken? Or can they just quietly fix the problem and inform only those on a needs to know basis? In an open system system like block chain attempted hacks are visible, defences can be built and the issue of trust is owned by the entire community (distributed versus central). In this way the technology evolves in a more organic manner, adapting when and where it needs to. This ability to evolve is its competitive strength and why it will over time in my opinion prove to be superior.”
Howard Tolman, a serial entrepreneur with deep experience of FX, cross border payments and security technology focussed on the difficulty of bolting stable doors after the horse has gone:
“Any dangerous malicious attack on a major financial institution will not only attract a lot of attention but will also get people running up and down trying to find immediate solutions which quite frequently are just not attainable. Swift probably knew about the fact that there was a potential problem through Application Security Testing either static, dynamic or interactive and network scanning applications would mean that they were also probably aware that they had applications running that had been updated to remove security flaws. The problem that large integrated organisations have is that installing a patch on a production application might in some cases do more commercial damage in the short term than the results of hacking. I would say that large numbers of institutions have reports on their desks saying that they have massive vulnerabilities but they just can’t solve them quickly for various reasons. So they hope for lady luck to help them out.
In the Java space the only real way to solve things quickly is to eliminate the problem at the virtualisation layer through implementation at the JVM. This means that the application itself does not have to be changed but the problem from a practical standpoint is removed. This is the concept of RASP.
Of the cuff I would say that the real big problems come about by systematic malicious attacks over a long period of time without discovery. Blockchain type technology has as its core complete transparency which almost by definition would mean malicious attacks would be recognised promptly. I am not an expert on specific security features in blockchain but what I describe in the previous sentence is certainly important. There seems to be tremendous momentum for those organisations with products that require distribution of transactional data to multiple parties towards Blockchain type applications. The SWIFT hacking can only exacerbate that migration process.”
Basic Phishing Does Work
In my spam filter I recently an email telling me “We have sent the payment to your account as instructed by our customer. Kindly check the attached Swift copy of your confirmation.” Clearly some people do fall for this. Hackers only need one open door.
The weakest link in a chain
Hackers got hold of access credentials to send messages on SWIFT. As of publish date, it is not publicly known whether this was via internal collusion or via a phishing attack. The SWIFT statement has something about a PDF reader but that is the only clue. The earlier posted guidelines issued by SWIFT show the kind of best practices that consumers are told to do in order to avoid getting hacked. One might assume that banks operate to higher standards. The problem is that while that is true for 99.99% of banks, hackers only need to find one door to enter and then, as Alan puts it, “once in the hacker is protected by the system as by definition everyone in the system is trusted.”
As SWIFT Gets Bigger, Blockchain Maybe the answer
SWIFT is already far and away the biggest global payment system. Any bank that wants to send/receive payments internationally is a member. Corporates are also members. With great skill, one can build very large enterprise scale systems. SWIFT is an example. It is very, very big and has mostly worked very well. Now we are in an era when we need to build on an even bigger scale to allow more people to transact cross border and do it faster and at less cost. The most resilient massive system is the Internet – a truly decentralised system. Decentralized scales better than centralised. And a decentralised Blockchain based system can offer real time payments. SWIFT already has a Blockchain initiative. SWIFT has the perfect corporate structure to implement a Blockchain based cross border payment system on a global basis for banks because it is a cooperative owned by the member banks. SWIFT has the trust of Banks and an annual gathering of the tribes at SIBOS where personal relationships are renewed. If anybody can implement Blockchain based global payments on a mass scale it is SWIFT. We suspect that the SWIFT Blockchain team won’t lack for budget after these recent hacks.
Permissioned or Permissionless – the inclusion question
SWIFT can replace the 1970s based system with a 21st century Blockchain system. That is the easy bit. It is like a core banking system overhaul for a massive global bank. It takes a long time and costs a lot of money and requires a good team, but with all those ingredients, it is a very achievable. That SWIFT Blockchain upgrade can be done with a permissioned Blockchain system for the existing approx 8,000 current members of SWIFT. It would be much faster and much lower cost. Problem solved? Not entirely. This still puts Banks as the intermediaries to do cross border payments. A truly inclusive peer to peer network would be permissionless – everybody can transact cross border directly. This could be done in such a way that Banks are “in the loop” to offer loans and other value added services. This would be a bolder move by SWIFT. It will be interesting to see what they do.
Daily Fintech Advisers provide strategic consulting to organizations with business and investment interests in Fintech. Bernard Lunn is a Fintech thought-leader.