Cyber bank heists no surprise as the internet was 'never designed to be secure,' according to expert

Criminals take advantage of 'weaknesses which are inherent in this kind of network of networks,' says the Global Commission on Internet Governance's commissioner

PUBLISHED : Monday, 06 June, 2016, 6:40pm
UPDATED : Tuesday, 07 June, 2016, 1:28pm

Cyber bank heists, such as the one that hit a Bangladesh Central Bank account held by the New York Fed, should not come as a surprise and only serve to highlight that the internet is ill-equipped to deal with cybercrime, an expert in internet security says.

Last week, a U.S. congressional committee launched an investigation into the Federal Reserve Bank of New York's handling of the heist of more than US$80 million from accounts it maintains for the central bank of Bangladesh.

The committee told the NY Fed that it wanted to know what oversight the Fed had conducted of the SWIFT system, an international electronic financial messaging system used by banks worldwide to authorise billions of dollars a day in money transfers.

The system, known formally as the Society for Worldwide Interbank Financial Telecommunication, has come under pressure from cyberattacks targeting banks, and one expert says the internet was not built to be as secure as it needed to be for global money transfers.

"The internet was never designed to be secure, its originators thought it was a wonderful global innovation, as it is, but of course the criminals have taken advantage of the weaknesses which are inherent in this kind of network of networks," according to Professor Sir David Omand, Commissioner at the Global Commission on Internet Governance.

"So we've seen malware being introduced into systems that banks have been using and we've seen (criminals) also having help from the inside so it's not just technical, it's human as well. So I'm not surprised that criminals have gone after the SWIFT system because that is where the major money transfers take place."

Omand noted that the criminals involved in the NY Fed fraud were diligent in their preparation for the cyberattack.

"Can you stop all the attempts, can you pick out the one transaction that's flawed in hundreds of millions of transactions – in this case the US$81 million from the Bank of Bangladesh – you can see that that one was very carefully prepared and I've also seen reports that the gang tried out the malware on a Vietnamese bank just to make sure they knew exactly how to insert the malware and carry out their crime."

SWIFT last month launched a new customer security program to "reinforce the security of global banking" but insisted that in recent fraudulent payment cases, its own "network, software and services had not been compromised" and that the security breaches had occurred within its customers' "locally-managed infrastructure."

Omand said that innovative security measures would need to be retro-fitted onto existing systems, such as SWIFT.

"Somehow we've got to add further layers of security and the big lesson is coming towards us which is the Internet of Things (interconnected devices in the home and workplace) so we have to ensure the security is built in from the very start, we can't afford to repeat the history of the internet itself," he said.

-CNBC's Eamon Javers contributed reporting to this story.
