Cyber thieves exploit banks' faith in SWIFT transfer network

The SWIFT logo is pictured in this photo illustration taken April 26, 2016. (Reuters)

Shortly after 7 p.m. on January 12, 2015, a message from a secure computer terminal at Banco del Austro (BDA) in Ecuador instructed San Francisco-based Wells Fargo to transfer money to bank accounts in Hong Kong.

Wells Fargo complied. Over 10 days, Wells approved a total of at least 12 transfers of BDA funds requested over the secure SWIFT system.

The SWIFT network - which allows banks to process billions of dollars in transfers each day - is considered the backbone of international banking. In all, Wells Fargo transferred $12 million of BDA's money to accounts across the globe.

Both banks now believe those funds were stolen by unidentified hackers, according to documents in a BDA lawsuit filed against Wells Fargo in New York this year. The two banks declined requests for comment from Reuters.

BDA is suing Wells Fargo on the basis that the U.S. bank should have flagged the transactions as suspicious.

Wells Fargo has countered that security lapses in BDA’s own operations caused the Ecuadorean bank’s losses. Hackers had secured a BDA employee’s SWIFT logon credentials, Wells Fargo said in a February court filing.

SWIFT, an acronym for the Society for Worldwide Interbank Financial Telecommunication, is not a party to the lawsuit.

Neither bank reported the theft to SWIFT, which said it first learned about the cyber attack from a Reuters inquiry.

"We were not aware,” SWIFT said in a statement responding to Reuters inquiries. “We need to be informed by customers of such frauds if they relate to our products and services, so that we can inform and support the wider community. We have been in touch with the bank concerned to get more information, and are reminding customers of their obligations to share such information with us."

SWIFT says it requires customer to notify SWIFT of problems that can affect the "confidentiality, integrity, or availability of SWIFT service.”

SWIFT, however, has no rule specifically requiring client banks to report hacking thefts. Banks often do not report such attacks out of concern they make the institution appear vulnerable, former SWIFT employees and cyber security experts told Reuters.

Last Update: Wednesday, 20 May 2020 KSA 12:04 - GMT 09:04