The Union Bank of India, a public sector bank, was under attack from cyber criminals who attempted to steal $170 million last July, the Wall Street Journal reports. The attack was initiated after a bank employee opened an email attachment which looked like it was sent by the Reserve Bank of India (RBI).
The malware in the attachment stole Union Bank’s Society for Worldwide Interbank Financial Telecommunication (SWIFT) codes and initiated a transfer of the money to an account in Citigroup in New York. SWIFT is a global network which links financial institutions to send and receive transactions. The report added that Union Bank traced the money and blocked the transaction.
The attack was similar to an earlier successful heist that targeted Bangladesh’s central bank. SWIFT had warned banks across the globe to comply with security procedures following the Bangladesh Bank attack.
According to SWIFT, cyber-theft attempts have increased. Some of these thefts have been successful, although it did not specify how much money was stolen or from which banks. The network mentions that the thieves exploited weaknesses in local security that compromised local networks to send a fraudulent message and request transfers.
Since then there have been continuous attacks across the world:
– An occurred on a commercial bank in Vietnam – where the attack involved a malware and both were similar to a 2013 heist of the Sonali Bank.
– Similarly, thieves send SWIFT messages as Banco del Austro, a bank in Ecuador, to get Wells Fargo to transfer $12 million fraudulently.
– In December 2016, hackers stole 2 billion Rubles from Russia’s central bank. An anonymous Ukrainian bank was also apparently one of the banks to have lost money through compromised networks.
Importance of educating employees
As Vivek Pai noted, most attacks happen through direct access to a bank’s local network or access to important passwords of key members or lax ground level security, rather than being an exploit of the SWIFT network. As such, it is important that banks educate their employees on the importance of online security – for example not sticking a pen drive in work computers or using weak passwords or leaving them written around.