…The Word “Foolish” Is Spelled “SWIFT” [Two-Factor Authentication As Improvement. Really?]

Apparently The Word “Foolish” Is Spelled “SWIFT” by Paul Rosenzweig.

Paul welcomes SWIFT to the modern world by its “expanded support” for two-factor authentication.

Two-factor authentication has a legitimate role, for Amazon, Twitter, perhaps Facebook accounts, but for un-monitored transfers of $millions?

In a very crude sense, two-factor authentication is an “improvement” over the present SWIFT protocols, but only just.

Five attacks on two-factor authentication systems come to mind:

  1. Key logging and redirection. Not only software, USB drives but USB chargers too. (Think about the highly paid and respected cleaning staffs at banks.)
  2. Man-in-the-middle attacks. Man-in-the-Middle Tutorial
  3. Man-in-the-browser attacks. How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication, by Radhesh Krishnan Konoth, Victor van der Veen, and Herbert Bos.
  4. Account recovery. Good old social engineering. What makes you think SWIFT isn’t vulnerable to this?
  5. Third parties. Hacking the origin of the second factor. Isn’t that like breaking Enigma? You want to use the results but preserve your source?

I didn’t remember these off the top of my head. I did look at: Five Most Common Security Attacks on Two-Factor Authentication, but I would avoid that site because every page displays a new ad pop-up. Quite annoying.

I reproduced the list, sans their annotations and gave you some useful links on each possible attack.

Two-factor authentication is an improvement over current SWIFT security, when it is used, but that hardly qualifies for a welcome into ranks of modern cybersecurity. Or as Paul puts it:


Apparently, however, SWIFT was not so swift. Only now, after the Bangladeshi attack (and others on banks in the Phillipines and Vietnam) will the bank move to expand its use of two-factor authentication. I would have assumed that for an organization like SWIFT, where security was a critical component of the business model, two-factor authentication would have been implemented long ago. That it has not been until now is simply incredible and says something very bad about SWIFT — for the failure is not just a lapse of technical implementation. The gap suggests very large failures of risk management and organizational governance — and that is not a good thing in an institution that is at the core of the world’s financial system.

I take that to mean there are technical, management and organizational vulnerabilities awaiting discovery and exploitation in SWIFT.

Take heart hackers of the world! Perhaps reporting a vulnerability will get you a new toaster.

(Non-Americans, the “toaster with a new bank account” isn’t a myth. According to Eddy Elfenbein, banks gave away toasters to pass cost savings onto depositors. How’s that for banking trivia?)

Comments are closed.