THE STATE BANK OF VIETNAM
THE INFORMATION TECHNOLOGY DEPARTMENT
Official Dispatch No. 758/CNTH8 dated June 10, 2016 of the State Bank of Vietnam on strengthening and ensuring information security of SWIFT system
To:
- Credit institutions;
- Branches of foreign banks.
In the past period, cybercrime offenders have attacked banks' financial systems, especially the SWIFT international payment system (hereinafter referred to as the SWIFT system), in an increasingly sophisticated manner, causing adverse impacts on the operations of the banking system.
The Information Technology Department of the State Bank of Vietnam, following inspection and assessment, finds that the management, operation and use of the SWIFT System are exposed to certain risks. To be specific:
- Risks in SWIFT payment operation processes: the processes for the relevant operations in the SWIFT System have either not been formulated or, where they exist, are not strictly enforced and compliance with them is not supervised. Examples include: lending of user accounts; a SWIFT member buying only one concurrent user license, or failing to arrange personnel appropriately, so that the separation between the personnel who create messages and those who verify them is not ensured; irregular comparison and control of messages, or failure to control them carefully, etc.
- Risks in integration and development of the SWIFT System:
+ A number of institutions enter into lease contracts with SWIFT payment service providers but fail to take measures to manage and supervise the safety and security of such services.
+ A number of institutions integrate other systems (such as the core banking system) with the SWIFT System using connectivity solutions that cannot ensure authentication, so that fraudulent messages can be sent over the SWIFT System from malware or from another operational computer.
- Risks in configuration of SWIFT System:
+ There is no limit on the number of host computers that can connect to the SWIFT network (SWIFTNet).
+ Prior authorization is not set up before messages are sent over SWIFTNet.
+ Financial institutions still maintain Relationship Management Application (RMA) relationships with institutions that are no longer their counterparties (counterparty's BIC).
- Authentication of login to the SWIFT system and prior authorization of messages: Presently, almost all users log in to the SWIFT system using a private username and corresponding password. Therefore, if an institution fails to set a strong password for a user account or application privileged account, it cannot manage and control the operating system and database of the SWIFT System appropriately; account information may be leaked, and hackers may take advantage of this to access the SWIFT system to conduct fraudulent transactions, alter the database, delete and/or remove transactions from the hacked account's history, install illegal software, change the system configuration, etc.
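As an added example (not part of the dispatch, and not SWIFT's own tooling) of how the process and configuration controls listed above can be checked, the following Python script audits constructed operator activity records for three of the listed risks: a message verified by the same user who created it, a message sent without prior authorization, and a message addressed to a counterparty whose RMA is no longer active. The log format, field names, user names and BICs are assumptions made for illustration.

```python
"""Added example (not part of the dispatch): audit checks for the SWIFT
operational risks listed above, run over constructed operator activity
records. Record format and field names are assumptions for illustration."""
from collections import defaultdict

# Constructed sample log: one event per line,
# "event_type,message_id,user,counterparty_bic"
ACTIVITY_LOG = """\
create,MSG001,alice,DEUTDEFF
verify,MSG001,bob,DEUTDEFF
send,MSG001,bob,DEUTDEFF
create,MSG002,carol,BNPAFRPP
verify,MSG002,carol,BNPAFRPP
send,MSG002,carol,BNPAFRPP
create,MSG003,alice,OLDBANK1
send,MSG003,alice,OLDBANK1
"""

# Constructed set of counterparty BICs whose RMA exchange is still current.
ACTIVE_RMA = {"DEUTDEFF", "BNPAFRPP"}


def parse_log(text):
    """Group events by message id, keeping (event_type, user, bic) in order."""
    events = defaultdict(list)
    for line in text.strip().splitlines():
        event_type, msg_id, user, bic = line.split(",")
        events[msg_id].append((event_type, user, bic))
    return events


def audit(text, active_rma):
    """Return (message_id, finding) pairs for messages that violate the
    separation-of-duties, prior-authorization or RMA-hygiene controls."""
    findings = []
    for msg_id, evs in parse_log(text).items():
        by_type = {t: u for t, u, _ in evs}   # last user per event type
        bic = evs[0][2]
        creator, verifier = by_type.get("create"), by_type.get("verify")
        if verifier is None and "send" in by_type:
            findings.append((msg_id, "sent without prior authorization"))
        elif creator is not None and creator == verifier:
            findings.append((msg_id, "creator and verifier are the same user"))
        if bic not in active_rma:
            findings.append((msg_id, f"counterparty {bic} has no active RMA"))
    return findings


if __name__ == "__main__":
    for msg_id, finding in audit(ACTIVITY_LOG, ACTIVE_RMA):
        print(f"{msg_id}: {finding}")
```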