Apparently The Word “Foolish” Is Spelled “SWIFT” by Paul Rosenzweig.
Paul welcomes SWIFT to the modern world on the strength of its “expanded support” for two-factor authentication.
Two-factor authentication has a legitimate role for Amazon, Twitter, perhaps Facebook accounts, but for unmonitored transfers of millions of dollars?
In a very crude sense, two-factor authentication is an “improvement” over the present SWIFT protocols, but only just.
Five attacks on two-factor authentication systems come to mind:
- Key logging and redirection. Not only software and USB drives, but USB chargers too. (Think about the highly paid and respected cleaning staffs at banks.)
- Man-in-the-middle attacks. Man-in-the-Middle Tutorial
- Man-in-the-browser attacks. How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication, by Radhesh Krishnan Konoth, Victor van der Veen, and Herbert Bos.
- Account recovery. Good old social engineering. What makes you think SWIFT isn’t vulnerable to this?
- Third parties. Hacking the origin of the second factor. Isn’t that like breaking Enigma? You want to use the results but preserve your source?
I didn’t remember these off the top of my head. I did look at: Five Most Common Security Attacks on Two-Factor Authentication, but I would avoid that site because every page displays a new ad pop-up. Quite annoying.
I reproduced the list, sans their annotations, and gave you some useful links on each possible attack.
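The man-in-the-middle entry in the list above is worth seeing in code, because it shows why a one-time code on its own is weak protection for a money transfer. The following is an added example, not code from this post, from Paul Rosenzweig, or from SWIFT: a standard RFC 6238 TOTP verifier, and beside it a simplified transaction-bound code (an HMAC over the amount and destination, in the spirit of transaction signing, not any actual SWIFT mechanism). The seed, account identifiers and amounts are constructed placeholders. A relay that forwards the user's fresh TOTP code is accepted for any transfer; the transaction-bound code is rejected the moment the attacker substitutes their own details.

```python
import hashlib
import hmac
import struct

# Constructed demo seed; a real TOTP seed is per-user and never hard-coded.
SECRET = b"demo-seed-not-for-real-use"


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, t: int) -> bool:
    """Accepts the code if it matches the current time step (no window, for clarity)."""
    return hmac.compare_digest(totp(secret, t), code)


def transaction_code(secret: bytes, amount: int, dest: str, t: int,
                     step: int = 30, digits: int = 8) -> str:
    """Second factor bound to what is being authorised: the code commits to
    the amount and destination as well as the time step, so a code computed
    for one transfer does not verify for a different one."""
    msg = f"{t // step}|{amount}|{dest}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % (10 ** digits)).zfill(digits)


def verify_transaction_code(secret: bytes, code: str, amount: int,
                            dest: str, t: int) -> bool:
    return hmac.compare_digest(transaction_code(secret, amount, dest, t), code)


def simulate_relay(t: int) -> tuple:
    """Model of the man-in-the-middle case: the attacker sits between user and
    bank, forwards the code the user just typed, and swaps in their own
    transfer details. Returns (plain TOTP accepted, bound code accepted)."""
    user_amount, user_dest = 100, "ACCT-LEGIT"            # constructed values
    attacker_amount, attacker_dest = 5_000_000, "ACCT-ATTACKER"

    # Plain TOTP: the code proves possession of the seed at this moment and
    # nothing else, so the relayed request with attacker details is accepted.
    user_code = totp(SECRET, t)
    plain_accepted = verify_totp(SECRET, user_code, t)

    # Transaction-bound: the user's device computed the code over the intended
    # amount and destination; presented with the attacker's details it fails.
    bound_code = transaction_code(SECRET, user_amount, user_dest, t)
    bound_accepted = verify_transaction_code(
        SECRET, bound_code, attacker_amount, attacker_dest, t)

    return plain_accepted, bound_accepted


if __name__ == "__main__":
    plain, bound = simulate_relay(1_700_000_000)
    print(f"relayed TOTP accepted: {plain}; relayed bound code accepted: {bound}")
```

The TOTP function is checked against the RFC 6238 test vector (seed `12345678901234567890`, time 59, eight digits gives `94287082`), so the "accepted" result is not an artefact of a broken verifier. The point for a defender is that the binding has to be done on the user's own device, with the amount and destination shown to the user before the code is produced; a code generated from whatever the browser sends gains nothing against a man-in-the-browser.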
Two-factor authentication is an improvement over current SWIFT security, when it is used, but that hardly qualifies for a welcome into the ranks of modern cybersecurity. Or as Paul puts it:
…
Apparently, however, SWIFT was not so swift. Only now, after the Bangladeshi attack (and others on banks in the Philippines and Vietnam) will the bank move to expand its use of two-factor authentication. I would have assumed that for an organization like SWIFT, where security was a critical component of the business model, two-factor authentication would have been implemented long ago. That it has not been until now is simply incredible and says something very bad about SWIFT — for the failure is not just a lapse of technical implementation. The gap suggests very large failures of risk management and organizational governance — and that is not a good thing in an institution that is at the core of the world’s financial system.
I take that to mean there are technical, management and organizational vulnerabilities awaiting discovery and exploitation in SWIFT.
Take heart, hackers of the world! Perhaps reporting a vulnerability will get you a new toaster.
(Non-Americans, the “toaster with a new bank account” isn’t a myth. According to Eddy Elfenbein, banks gave away toasters to pass cost savings onto depositors. How’s that for banking trivia?)