On Jan. 12, 2015, a message from a secure computer terminal at Banco del Austro (BDA) in Ecuador instructed San Francisco-based Wells Fargo to transfer money to bank accounts in Hong Kong.
Wells Fargo complied. Over 10 days, Wells approved at least 12 transfers of BDA funds over the secure SWIFT system.
The SWIFT network — which allows banks to process billions of dollars in transfers each day — is considered the backbone of international banking.
In all, Wells Fargo transferred $12 million of BDA's money to accounts across the globe.
Both banks now believe those funds were stolen by hackers, according to documents in a BDA lawsuit filed against Wells Fargo in New York this year. BDA is suing on the basis that the U.S. bank should have flagged the transactions as suspicious.
Wells Fargo said Friday that it "properly processed the wire instructions received via authenticated SWIFT messages" and was not responsible for BDA's losses.
Wells Fargo says security lapses in BDA's operations caused its losses. Hackers had secured a BDA employee's SWIFT logon credentials, Wells Fargo said in a February court filing.
Neither bank reported the theft to SWIFT (the Society for Worldwide Interbank Financial Telecommunication), which first learned about it from a Reuters inquiry.
SWIFT requires customers to notify it of problems that can affect the "confidentiality, integrity or availability of SWIFT service."
SWIFT, however, has no rule specifically requiring client banks to report hacking thefts.
No one has full picture
The Ecuador case illuminates a central problem with preventing such fraudulent transfers. Neither SWIFT nor its client banks have a full picture of cyberthefts, according to former SWIFT executives, users and cybersecurity experts.
The case raises new questions about the oversight of the SWIFT network and its communications with member banks about cyberthefts and risks. The network has faced intense scrutiny since cyberthieves stole $81 million in February from a Bangladeshi central bank account at the Federal Reserve Bank of New York.
It is unclear what SWIFT tells member banks about cyberthefts, which are typically first discovered by the bank that has been defrauded.
On Friday, SWIFT urged all of its users to notify it of cyberattacks.
Reuters was unable to determine the number or frequency of attacks involving the SWIFT system, or how often banks report them to SWIFT officials.
The lack of disclosure may foster overconfidence in SWIFT network security by banks, which routinely approve transfer requests made through the messaging network without additional verification.
The criminals behind such heists are exploiting banks' willingness to approve SWIFT requests at face value rather than making additional manual or automated checks, said John Doyle, who held senior roles at SWIFT between 1980 and 2005. "SWIFT doesn't replace prudent banking practice," he said, noting that banks should verify requests, as they would for transfers outside the SWIFT system.
SWIFT checks the codes on messages sent into its system. But once cyberthieves obtain legitimate codes and credentials, SWIFT has no way of knowing they are not the true account holders, former SWIFT executives and cybersecurity experts said.
The Bank for International Settlements, a trade body for central banks, said in a November report that increased sharing of information on cyberattacks is crucial to helping financial institutions manage the risk.
Systemic risk
SWIFT, a cooperative owned and governed by representatives of the banks it serves, was founded in 1973 and operates a secure messaging network that has been considered reliable. But recent attacks involving the Belgium-based cooperative have underscored how the network's central role in global finance also presents systemic risk.
SWIFT is not regulated, but a group of 10 central banks from developed nations oversees the organization. Among its stated guidelines is a requirement to provide clients with enough information to enable them "to manage adequately the risks related to their use of SWIFT."
However, some former SWIFT employees said the cooperative struggles to keep banks informed on risks of fraud because of a lack of cooperation from the banks. SWIFT's 25-member board of directors is filled with representatives of larger banks.
"The banks are not going to tell us too much," said Doyle, the former SWIFT executive. "They wouldn't like to destabilize confidence in their institution."
Banks also fear notifying SWIFT or law enforcement of breaches because that could lead to regulatory investigations that highlight failures, said Hugh Cumberland, a former SWIFT marketing executive who is now with the cybersecurity firm Post-Quantum.
Cases of unauthorized money transfers rarely become public, in part because disagreements are usually settled bilaterally or through arbitration, which is typically private. Salvatore Scanio, a lawyer at the Washington-based firm Ludwig & Robinson, said he had consulted on a dispute involving millions of dollars of stolen funds and the sending of fraudulent SWIFT messages similar to the BDA attack. He declined to provide details.
Vietnam's Tien Phong Bank said last week that its SWIFT account, too, was used in an attempted hack last year. That effort failed, but it is another sign that criminals are increasingly targeting the network.
New York-based Citibank also transferred $1.8 million in response to fraudulent requests made through BDA's SWIFT terminal, according to the BDA lawsuit against Wells Fargo. Citibank repaid the $1.8 million to BDA. Wells Fargo refunded to BDA $958,700 out of the $1,486,230 it transferred to an account in Los Angeles.
Anatomy of a cyberheist
BDA acknowledged in a January court filing that more than a week passed after the first fraudulent transfer request before BDA discovered the missing money.
After obtaining a BDA employee's SWIFT logon, the thieves fished out previously canceled or rejected payment requests that remained in BDA's SWIFT outbox. They then altered the amounts and destinations on the transfer requests and reissued them.
BDA has alleged that Wells could easily have spotted and rejected the transfers, since the payment requests were made outside of normal business hours and involved unusually large amounts.
The BDA theft and others underscore the need for banks on both sides of such transactions — often for massive sums — to rely less on SWIFT for security and strengthen their own verification protocols, Cumberland said.
"This image of the SWIFT network and the surrounding ecosystem being secure and impenetrable has encouraged complacency," he said.