By Parth Desai
The observation that “generals always plan to fight the last war” is an often-repeated criticism of a lack of military foresight. Economists have likewise faced repeated charges of “planning to fight the last depression”. In today’s environment of increased cyber-attacks and payments fraud, there is perhaps a similar temptation to focus on protecting global financial flows from the most recent fraud or hack. We increase the defences, but the enemy has moved on.
The reported cases of payments fraud do of course provide some indication of specific challenges we face – but above all else they confirm the highly sophisticated tools and versatile methods used by criminals to commit fraud. Our response as a global payments community to this fluid risk environment needs to be equal to these ever-evolving threats – and there are some essential lessons to learn in order that we do not repeat the mistake of preparing to fight yesterday’s battles.
Threats from multiple sources
The widely-publicised hacking of Bangladesh Bank’s SWIFT gateway in February 2016, resulting in the theft of $81m, shows the potential vulnerabilities of international high-value wire transfers. The Bangladesh Bank example demonstrated a highly complex technical deployment of malware to circumvent the bank’s local security systems to send fraudulent SWIFT messages.
The simplistic threat profile of the ‘external hacker’ is incomplete however. Yes, there have been Instances involving malware fraud and external intrusion protection should be an essential requirement for all organisations. In other reported cases of payments fraud, the SWIFT credentials of employees have been ‘compromised’ by unknown methods. The Association of Certified Fraud Examiners (ACFE) found that 78% of overall fraud losses stem from actions committed internally by employees. Fraud counter-measures that only guard against ‘external’ intrusion provide no protection from unauthorised activity from within an organisation.
Going beyond validation
The fraud experienced last year by Ecuadorian Bank Banco del Austro (BDA), where criminals issued at least a dozen fraudulent SWIFT messages transferring around $12m to bank accounts in Hong Kong, Los Angeles and Dubai, highlights a specific challenge to ensuring the continued integrity and security of global payments.
Despite these transfers being made outside of normal office hours for unusually large amounts to unusual account numbers, the counterparties accepted the transactions as they were all “authenticated SWIFT messages” – and as such do not require further validation.
Any unauthorized access to global payment infrastructures, from whatever source, can issue technically valid and ‘authenticated’ payment instructions to global counterparties. Securing the integrity of your ‘own’ network, whilst important for all institutions, is no guarantee that your organisation will not receive ‘authenticated’ fraudulent payments instructions from different organisations. These may be processed in good faith, but nevertheless could result in financial and reputational damage to your organisation if created by criminal entities which have gained access to a bank’s credentials.
With over 11,000 banking, securities and corporate customers in over 200 countries connecting to the SWIFT network alone, it would be foolhardy to assume that every participant operates to the same high level of security. This raises the necessity of going beyond standard technical authentication of wire transfers to counter criminals targeting financial payments.
Fighting Tomorrow’s Battles
The National Crime Agency in the UK has warned of a cyber technology arms race where “criminal cyber capability currently outpaces the UK’s collective response to cyber crime”. SWIFT itself echoes the warning that global financial networks face criminals that are “sophisticated, use advanced tools and technologies and invest heavily in their fraudulent activities”.
This ‘cyber arms race’ requires solutions that do not merely respond to past patterns of attack, but deploy highly advanced predictive and anomaly aware technology – detecting and preventing fraudulent payment patterns in real-time. Fortunately, such technology is available and already being deployed by some of the most innovative institutions and companies.
The deployment of Machine Learning and other Artificial Intelligence disciplines are proven and powerful fraud prevention tools that payments professionals can deploy, providing real-time secondary authentication, regardless of the apparently valid credential of wire payment instructions received. The adoption of such technology can provide a robust and reliable approach to secondary payment validation – analysing a wide spectrum of data to give assurance and validation for each financial message. It works in real time, ensuring the uninterrupted flow for the several millions of valid payments each day. With such additional scrutiny, the fraud suffered by Bangladesh Bank and BDA would likely have been identified as anomalous and prevented.
Such advanced AI fraud prevention systems are being used today by some leading banks and organisations. This is an approach that deserves wider exploration and adoption to ensure global financial infrastructures remain secure. Criminal gangs will continue to invest in new ways and new technologies to commit fraud. With the right approach, and the right flexible and agile tools, we can ensure the payments community is prepared to win today’s, and tomorrow’s, battles against the fraudsters.
About Parth Desai
Parth Desai graduated from Georgia Tech with a Master's Degree in Artificial Intelligence and was quickly hired to work with one of the most celebrated global pioneers of Artificial Intelligence, Roger Schank. Parth rapidly built a deep expertise in AI and Natural Language Processing (NLP) that has drive his own ability to innovate over the past two decades. During that time, Parth built a global team and nurtured their collective AI expertise. Working collaboratively with the Banking. Financial Services and Insurance domain for Banks and Corporates, PArth has built a thorough understanding of Payments, Securities, Anti Money Laundering and Risk Management from both the business and technology viewpoints. As Founder and CEO of Pelican, which provides banks and corporates with solutions that enhance, streamline and secure the payments lifecycle, Parth works closely with his global team to deliver consistent innovation and client value.
