By Parth Desai
The almost unceasing reports of major cyber hacks should be incentive enough to ensure that financial institutions reassess existing fraud protection for their payments systems. Recent official warnings could scarcely be starker, with Prof Richard Benham, chairman of the National Cyber Management Centre, predicting that “a major bank will fail as a result of a cyber-attack in 2017”.
A dire prediction indeed. So how do these threats affect us as a global payments community? The recent well-publicised cases of payments fraud provide an indication of some of the specific challenges we face. The hacking of Bangladesh Bank’s gateway to the SWIFT network in February last year, resulting in theft of $81m from its account at the Federal Reserve Bank of New York, has been followed by further revelations of global payments fraud.
While the modus operandi of these cases may vary, collectively they demonstrate an increased focus by highly sophisticated criminal entities upon the global financial payments system. As a response to this heightened threat, there are several important lessons that we should learn, and act upon, to ensure the continued integrity of global payments infrastructures.
The Weakest Link
The fraud experienced by Ecuadorian bank Banco del Austro (BDA), with criminals making off with around $12m, highlights the necessity of going beyond standard authentication of wire transfers to counter criminals targeting financial payments.
At least a dozen SWIFT messages originating from BDA and transferring $12m to bank accounts in Hong Kong, Los Angeles and Dubai were fraudulent. The bank has enquired why these were not identified as suspicious by counterparties as they were made outside of normal office hours for unusually large amounts to unusual account numbers. The counterparty rejoinder that the “authenticated SWIFT messages” did not require further validation raises some important issues for the payments community.
Without making any judgment on this particular case, it demonstrates that the security and integrity of global payment systems are potentially as vulnerable as their weakest link – any unauthorized access, from whatever source, is capable of issuing technically valid and ‘authenticated’ payment instructions to global counterparties, including to you.
Numerous such cases of payments fraud, however different in origin, commonly exploit the traditional readiness of banks to approve ‘authenticated’ SWIFT messages at face value – without a requirement to conduct the additional checks that would be considered best practice outside a secure and closed network. It is clearly now debatable whether such an assumption of authenticity, without secondary validation, should be prudently made as standard.
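The secondary validation discussed above can be sketched as follows. This is an added example, not code from the article or from any SWIFT product, and it is a simple statistical baseline rather than a machine-learning system: it checks an already-authenticated instruction against the sender's own history using the three signals named in the BDA case. The record fields, thresholds and sample data are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

@dataclass(frozen=True)
class Payment:               # hypothetical simplified record, not a SWIFT MT format
    sender: str
    beneficiary_account: str
    amount: float
    sent_at: datetime        # sender's local time

OFFICE_HOURS = range(8, 18)  # assumed 08:00-17:59 local, Monday to Friday
Z_LIMIT = 3.0                # assumed: flag amounts > 3 std devs above sender's mean

def secondary_checks(p: Payment, history: list[Payment]) -> list[str]:
    """Return the reasons an authenticated instruction should be held for review."""
    past = [h for h in history if h.sender == p.sender]
    reasons = []
    if p.sent_at.weekday() >= 5 or p.sent_at.hour not in OFFICE_HOURS:
        reasons.append("outside_office_hours")
    if not past:
        return reasons + ["no_history_for_sender"]
    amounts = [h.amount for h in past]
    mu, sigma = mean(amounts), pstdev(amounts)
    # With zero variance in the history, any amount above the mean is unusual.
    if (sigma == 0 and p.amount > mu) or (sigma > 0 and (p.amount - mu) / sigma > Z_LIMIT):
        reasons.append("unusually_large_amount")
    if p.beneficiary_account not in {h.beneficiary_account for h in past}:
        reasons.append("unseen_beneficiary_account")
    return reasons

def decide(p: Payment, history: list[Payment]):
    """Release only when no signal fires; authentication alone is not enough."""
    reasons = secondary_checks(p, history)
    return ("HOLD" if reasons else "RELEASE", reasons)

# Constructed sample data: routine weekday payments from one sender.
HISTORY = [
    Payment("BANK-A", "ACC-1001", amt, datetime(2017, 3, day, 11, 0))
    for day, amt in [(1, 40_000), (2, 55_000), (3, 48_000), (6, 52_000), (7, 45_000)]
]
ROUTINE = Payment("BANK-A", "ACC-1001", 50_000, datetime(2017, 3, 8, 10, 30))
# Constructed: Saturday 02:15, large amount, beneficiary never seen before.
SUSPECT = Payment("BANK-A", "ACC-9999", 1_000_000, datetime(2017, 3, 11, 2, 15))

if __name__ == "__main__":
    for p in (ROUTINE, SUSPECT):
        print(p.beneficiary_account, decide(p, HISTORY))
```

A held instruction would go to manual callback or confirmation with the sender rather than being rejected outright, so valid traffic is delayed only when a signal fires.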
Understanding Payments Vulnerabilities
On the surface, the recently reported cases of payments fraud seemingly illustrate a common source of specific vulnerabilities – the external gateway hacker. A common perception of cyber criminals utilizing malware to circumvent the local security systems of a bank, thereby gaining access to payments messaging networks to send ‘fraudulent’ messages to initiate fund transfers, is a simple, yet incomplete picture.
Some instances, such as the headline Bangladesh case, demonstrate highly sophisticated malware fraud. In other reported cases, an employee’s SWIFT credentials have been ‘compromised’ by unknown methods.
While external intrusion protection should be an essential requirement for all organizations, a sole narrow focus upon the ‘external’ hacker threat is misplaced for two principal reasons. Firstly, recent investigations by the Association of Certified Fraud Examiners (ACFE) reveal that 78% of overall fraud losses stem from actions committed internally by employees. Fraud counter-measures that only guard against ‘external’ intrusion provide no protection from unauthorized activity from within an organization.
Secondly, as I have already emphasized, with globalised payments infrastructures such as SWIFT, each ‘legitimate’ member is potentially as vulnerable as the weakest participant – securing the integrity of your ‘own’ network, whilst important, is no guarantee that your organization will not receive ‘authenticated’ fraudulent payments instructions – which you may process in good faith, but nevertheless could result in financial and reputational damage to your organisation. With over 11,000 banking, securities and corporate customers in over 200 countries connecting to the SWIFT network, it would be foolhardy to assume that every participant operates to the same high level of security.
Lines of Defence
SWIFT’s Chief Information Security Officer Alain Desausoi has described the fraud threat we face as “persistent, adaptive and sophisticated”, and one that is “here to stay”. Given this reality, how can we collectively best approach these dangers?
SWIFT itself has introduced several new counter fraud measures over the past twelve months, recently introducing its Daily Validation Reports service that enables members to verify the previous day’s messaging activity against payment norms. SWIFT sees the scheme as enhancing banks’ ability “to identify possible fraud attempts” and where possible to attempt cancellation and recovery if fraudulent transactions are detected.
Such initiatives are to be welcomed and can potentially help to identify payments fraud in a timely manner - in the Ecuadorian case there was a 10-day delay between the first fraudulent payment and its discovery by the bank. Whilst speedy detection is obviously beneficial, it does not represent a comprehensive preventative counter fraud solution.
Race We Can Win
The National Crime Agency in the UK has warned of a cyber technology arms race where “criminal cyber capability currently outpaces the UK’s collective response to cyber crime”. SWIFT itself echoes the warning that global financial networks face criminals that are “sophisticated, use advanced tools and technologies and invest heavily in their fraudulent activities”.
We can, as a payments community, utilise tools that are effective in combating an international threat to the continued integrity of the global financial system. This ‘cyber arms race’ requires solutions that do not merely respond to past patterns of attack, but ones that deploy highly advanced predictive and anomaly-aware technology – detecting and preventing fraudulent payment patterns in real-time. Machine learning and other Artificial Intelligence disciplines are proven and powerful fraud prevention tools that payments participants can deploy to provide real-time secondary validation and authentication, regardless of the apparent bona fides of the wire payment instruction received.
The adoption of such technology is no panacea, but it can provide a robust and reliable approach to secondary payment validation - whilst still ensuring the uninterrupted flow of 26 million valid messages sent each day across the SWIFT network. With such additional scrutiny, the fraud suffered by Bangladesh Bank and BDA would likely have been identified as anomalous and prevented.
Such advanced AI Fraud Prevention systems are being utilised today by individual banks and payments participants – it is an approach that deserves wider scrutiny to ensure our global financial infrastructures remain secure. Criminal gangs will continue to invest in new ways and new technologies to commit fraud. With the right approach, and the right tools, this is a challenge the payments community can rise to and win.