Cyber attacks on banks from Bangladesh to Ecuador are raising questions about the security of the global payment system and one of its key components, the SWIFT messaging network.
Following is a basic explanation of how bank payments work in the euro zone:
WHAT HAPPENS WHEN I MAKE A PAYMENT?
Most bank payments in the euro zone are settled via the Target 2 payment system, owned and managed by the European Central bank and the national central banks (NCBs) of euro zone countries.
Target 2 is used by around 1,800 banks in 25 European countries to make payments on their own account or on behalf of their customers, according to ECB data.
When a bank makes a payment to another bank via Target 2, the account of the paying bank at its NCB is debited and the account of the recipient bank at its own NCB is credited.
Each payment corresponds to an electronic message between the payer and the recipient. Target 2 relies on SWIFT, a cooperative owned and governed by the banks it serves, for the exchange of these payment messages.
A key part of SWIFT’s job is to authenticate these messages, encrypt them and ensure they remain confidential and safe until they are delivered.
Target 2 participants must install their own SWIFT infrastructure to be able to send and receive payment messages.
HOW DOES SWIFT WORK?
To generate a payment message, the payer uses its SWIFT credentials to sign and encrypt the message, which is then sent to the SWIFT network.
After performing security and format checks, SWIFT forwards the message to the Target 2 platform.
The payment has to pass through several other controls (including of the message’s syntax, the participant’s status and the availability of funds) before it is debited on the account of the sender and credited on that of the recipient.
If the message passes these checks, a settlement confirmation is generated in Target 2 and sent to SWIFT, which forwards it to the recipient.
WHAT HAPPENED DURING THE RECENT CYBER ATTACKS?
As part of its messaging system, SWIFT provides software such as Alliance Access that links banks’ internal IT systems to the SWIFT network.
Researchers at British defence contractor BAE Systems said Alliance Access was probably manipulated by hackers who stole $81 million dollars from a U.S. account of Bangladesh’s central bank earlier this year, in a bid to help hide their traces.
SWIFT, whose network is used by about 11,000 banks around the world and helps move billion of dollars every day, released a mandatory security update to the software earlier this month.
Hackers also managed to transfer $12 million from the Wells Fargo account of an Ecuadorian lender to bank accounts in Hong Kong over the SWIFT network.
SWIFT spokeswoman Natasha Deteran told Reuters that the common point in these cases was that internal or external attackers compromised the banks’ own environments to obtain valid operator credentials.
Cyber-criminals also unsuccessfully tried to send money using the SWIFT network from a Vietnamese bank to a Slovenian one in December.
A top Vietnamese central bank official said TPBank was hit because a third-party vendor it had used to connect to the SWIFT money transfer system was likely infected with malware.
WHOSE JOB IS IT TO OVERSEE TARGET 2?
The Eurosystem, which includes the ECB and the euro zone’s national central banks, is responsible for the smooth functioning of the area’s payment systems.
Their oversight duties include not only collecting and assessing information but also introducing change when it is necessary.
The ECB has yet to comment on its response to growing concerns about cyber attacks on banks.
ECB Governing Council member and Lithuanian central bank governor Vitas Vasiliauskas told Reuters his bank was working daily to improve its own and banks’ ability to prevent cyber attacks, but he saw no need to make changes.
WHO USES TARGET 2?
Taking into account branches and subsidiaries, more than 55,000 banks across the world can be reached via Target 2. Foreign payment systems and firms which settle financial transactions also have access to Target 2.
On the average day in 2015, Target 2 handled 343,729 payments, worth some 1.8 trillion euros ($2.02 trillion).
Around 55 percent of payments were between bank customers, 30 percent between banks themselves and the remainder were so-called ‘ancillary system payments’, such as transactions relating to financial securities.
While the average transaction was worth 5.3 million euros, more than two-thirds of all Target 2 payments had a value of less than 50,000 euros.
In total, 99.9 percent of Target 2 payments were processed in less than five minutes. ($1 = 0.8921 euros)