One would need some inside baseball knowledge to effectively hack SWIFT. Not only do you need 1 (or more) BO or Senior BO PINs to verify the send, a hacker also needs to properly format the send without including any details that will tip the recipient off that it is fake.
That said, things are changing significantly with SWIFT gpi payments and the much more automated nature of the new system may actually make techniques such as fake sends more, rather than less, effective until solid mitigation strategies are attached.
That would be easily implementable in a bank's SWIFT gpi software as that system gains traction. Probably doesn't add any value in the current system as the recipient has no way to confirm the challenge-response scheme was actually completed as would be implied (beyond, perhaps, coordination between sending and receiving institutions outside SWIFT proper). Although I could be simply not sufficiently creative enough.
The bigger point I should have made is that most send fraud doesn't actually occur on SWIFT and is conducted using falsified documents to give the impression of a correct send, typically to get funds released before the fraud is revealed. It relies much more on social engineering than any kind of actual systems hacking skill.
Well, no, they are just controlling the whole line of delivery for the data packages; it's not uncommon in critical infrastructure that you have to deploy some special hardware stuff for whatever security reasons.
For sure, the typical HN-mentality is: "there is no security and since this is a dumb bank/financial-service, they are just trolling and they don't know what they are doing" - no, let me tell you that you are wrong with this assumption: SWIFT is pretty secure and there haven't been any larger (successful) attacks on the network itself (hint: Central Bank of Bangladesh losing 90m in a CEO-scam is not a problem of SWIFT, same for similar cases).
IT, even when huge sums are spent on it, is still seen as a cost center (rather than a competitive advantage) at the vast majority of banks.
However, as the other reply said to you... I've really not seen any evidence the SWIFT system isn't decently well constructed. When attacks (such as Bangladesh) have happened it has been due to not following best practices as established by SWIFT and other institutions.
Yes, thank you - I should have been clear that SWIFT terminals are kind of like Bloomberg terms in that they're not going to be easily cloned at home. Better off attempting the social engineering tactic for most criminals.
There is a Darknet Diaries episode about this heist, which is very recommendable, as are most of this podcast's episodes: https://darknetdiaries.com/episode/72/
Yes, although Bangladesh's central bank was notoriously lax in their operation of their SWIFT handling. This was well known and a big reason why some of our clients would not use Bangladeshi recipient banks due to a lack of trust in the central bank.