Cybercrime continues to be an unending problem for banks. While attempts and attacks until recently tended to focus on banks’ customers (via compromised card and account details), of late fraudsters have become more sophisticated and have raised the stakes.
They have shifted their focus and are now directly targeting banks. They have begun deploying increasingly sophisticated methods of circumventing individual controls in the banks’ local environments and have probed deeper into systems to execute well-planned and finely orchestrated attacks.
One area where fraudsters have increased malicious attacks is Correspondent Banking, especially via SWIFT.
SWIFT was developed at a time when the primary focus was on interconnectivity and security was not a central concern. However, with increased adoption of the SWIFT network, security lapses and gaps across the entire value chain, especially at its weaker links, have started to be exposed.
Fraudsters have discovered that they can leverage vulnerabilities in SWIFT’s member banks’ processes and procedures, particularly in countries where regulatory and security controls are less robust.
Here are a few instances –
Bangladesh Central Bank
The February 2016 SWIFT heist was a watershed moment for the payments industry. Though not the first case of fraud against a bank’s payment endpoint, it was the sheer scale and sophistication of the attack which shook up the global financial community.
The fraudsters used the following process to decamp with $81 million –
- Compromising the customer’s environment – by introducing malware using techniques such as phishing or email compromise scams.
- Capturing valid operator credentials – typically through access to password files or by putting key-loggers in place to capture password details, and thereby gaining an understanding of the payment environment and associated behaviors.
- Hiding the transaction activity – by removing payment information from local databases, modifying incoming statement information or rendering the local environment inoperable, thereby delaying the discovery of the attack and increasing the chance that the funds settle.
A similar modus operandi was seen in the incidents at several other banks as well – Vietnam’s Tien Phong Bank, Ecuador’s Banco del Austro and recently in an Indian private bank.
Indian Private Sector Bank
In this case the modus operandi for the SWIFT attack was along these lines –
- The fraudsters got hold of the operators’ credentials and also quite possibly of the bank’s SWIFT system approvers (probably by planting malware via emails).
- Day 1, approx. 18:00 hours – the fraudsters initiated the SWIFT instructions from the hacked accounts.
- The transactions were made to 3 different beneficiaries in different geographies – Turkey, China and the UAE – to avoid detection. Interestingly, 3 different Correspondent Banks were used for the transactions.
- The fraudsters disabled the printer connected to the SWIFT platform, preventing the bank from receiving acknowledgement messages for the fraudulent payment instructions.
- This was a delaying tactic: it ensured that the bank’s staff would not be able to detect the remittances before the next morning.
- Day 2, morning – the unauthorized remittances were discovered during reconciliation. Approx. $1.8 million was gone.
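The timeline above has three observable signals on the bank’s side before reconciliation: instructions released after hours, a fan-out to several countries via several correspondents from one operator within minutes, and acknowledgements that simply never arrive. The following is an added example, not code from the original article or from any bank or SWIFT product, showing how a monitoring job could raise those three signals the same evening. The business-hours window, the acknowledgement deadline, the burst window, the record layout and the sample instructions are all assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Instruction:
    ref: str                  # bank's own transaction reference (constructed)
    sent_at: datetime         # local time the operator released the instruction
    operator: str
    amount_usd: float
    beneficiary_country: str  # ISO 3166 country code
    correspondent: str        # correspondent bank used for the leg


@dataclass(frozen=True)
class Ack:
    ref: str
    received_at: datetime


# Thresholds are assumptions chosen for the example, not SWIFT or bank policy values.
BUSINESS_HOURS = (9, 18)              # instructions normally released 09:00-17:59 local
ACK_DEADLINE = timedelta(minutes=30)  # acknowledgement expected within 30 minutes
SPREAD_WINDOW = timedelta(hours=1)    # burst window for the geography check
SPREAD_MIN_COUNTRIES = 3


def is_after_hours(ts):
    start, end = BUSINESS_HOURS
    return not (start <= ts.hour < end)


def missing_acks(instructions, acks, now):
    """Instructions whose acknowledgement has not arrived by ACK_DEADLINE. A silent
    acknowledgement channel is itself a signal, whatever the cause."""
    acked = {a.ref for a in acks}
    return [i for i in instructions if i.ref not in acked and now - i.sent_at >= ACK_DEADLINE]


def geography_spread(instructions):
    """Per operator, find a burst within SPREAD_WINDOW fanning out to at least
    SPREAD_MIN_COUNTRIES destinations, and report the correspondents used."""
    by_op = defaultdict(list)
    for i in instructions:
        by_op[i.operator].append(i)
    findings = []
    for op, items in by_op.items():
        items.sort(key=lambda x: x.sent_at)
        for idx, first in enumerate(items):
            burst = [x for x in items[idx:] if x.sent_at - first.sent_at <= SPREAD_WINDOW]
            countries = {x.beneficiary_country for x in burst}
            if len(countries) >= SPREAD_MIN_COUNTRIES:
                findings.append({"operator": op,
                                 "refs": [x.ref for x in burst],
                                 "countries": sorted(countries),
                                 "correspondents": sorted({x.correspondent for x in burst})})
                break   # one finding per operator is enough to open a case
    return findings


def assess(instructions, acks, now):
    """Return (rule, subject) pairs for everything an analyst should look at now."""
    alerts = [("after_hours", i.ref) for i in instructions if is_after_hours(i.sent_at)]
    alerts += [("no_ack", i.ref) for i in missing_acks(instructions, acks, now)]
    alerts += [("geography_spread", f["operator"]) for f in geography_spread(instructions)]
    return alerts


# Constructed sample resembling the timeline in the text: one routine daytime payment
# that was acknowledged, then three evening payments from one operator to three
# countries via three correspondents, none acknowledged.
DAY1 = datetime(2024, 1, 15)
SAMPLE_INSTRUCTIONS = [
    Instruction("TXN-0001", DAY1.replace(hour=11, minute=0), "op17", 25_000.0, "GB", "CORR-A"),
    Instruction("TXN-0002", DAY1.replace(hour=18, minute=2), "op42", 600_000.0, "TR", "CORR-A"),
    Instruction("TXN-0003", DAY1.replace(hour=18, minute=9), "op42", 650_000.0, "CN", "CORR-B"),
    Instruction("TXN-0004", DAY1.replace(hour=18, minute=14), "op42", 550_000.0, "AE", "CORR-C"),
]
SAMPLE_ACKS = [Ack("TXN-0001", DAY1.replace(hour=11, minute=4))]
NOW = DAY1.replace(hour=19, minute=0)

if __name__ == "__main__":
    for rule, subject in assess(SAMPLE_INSTRUCTIONS, SAMPLE_ACKS, NOW):
        print(f"{rule:18} {subject}")
```

Run at 19:00 on day 1, the job raises an after-hours and a no-acknowledgement alert for each of the three evening instructions and one geography-spread finding for operator op42, while the daytime payment produces nothing. The point of the no-acknowledgement rule is that it keys off the absence of an expected message rather than the presence of a printout, so disabling a printer does not silence it.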
The root cause
Even though in both cases not all of the money made its way into the fraudsters’ hands, these remain alarming examples of how systems can be duped.
The success of these frauds is an outcome of a combination of factors –
- Exploiting weaknesses in the cyber, fraud, and possibly staff monitoring controls
- Deep, exhaustive and practical knowledge of how banks interact with funds transfer systems
- Sophisticated malware tailored to the target
- Access to the detection and response mechanisms, not just the funds transfer systems
Banks must counter this combination in a holistic rather than a piecemeal fashion to gain the upper hand over the fraudsters. They must rally efforts on better coordinating their cyber-security, anti-fraud, and staff risk management programs.
SWIFT meanwhile has initiated a Customer Security Programme (CSP), which provides detailed security controls. However, banks should put additional transaction monitoring checks in place using intelligent fraud detection and prevention systems. These should catch fraudulent transactions in cases where the cyber-security systems have already failed, as they did in the incidents above.
How a smart enterprise-wide fraud management system helps
A good enterprise fraud management system has the capability to solve most problems in the fund transfer process and prevent big-ticket frauds. Some of the highlights of a multi-centric approach of a smart fraud management system are –
- Cross-channel Platform – Banks must remove silos in their IT ecosystem to allow generating the centralized, cross-channel intelligence required to fight multi-faceted frauds. An intelligent, real-time enterprise-wide fraud management system unifies the bank’s CRM, core banking system and remittance processing systems at a single centralized point to generate cross-channel intelligence. It provides a real-time remittance transaction surveillance capability to block suspicious transactions based on centralized fraud intelligence.
- Transaction Monitoring – Real-time remittance transaction monitoring can go an extra mile to reduce instances of cyber fraud. Banks can validate remittance transaction parameters against third-party watch lists and custom lists of high-risk countries and beneficiaries. Banks can apply transaction velocity or cumulative value-based checks on outward remittances from multiple perspectives, viz. sender, beneficiary, correspondent bank, user, etc. Cross-pollination of remittance instruction data with data from CRM, core banking and other systems provides multi-channel intelligence to counter fraud.
- Limits Monitoring – Banks should implement limits monitoring and control policies at various levels in the fund transfer process (originator, beneficiary, correspondent bank, beneficiary bank, destination country, etc.).
- Staff Fraud Management – Operating procedures and processes should limit and protect administrator and system privileges. Banks must implement staff-specific remittance transaction checks and controls. The system should check for users who abuse or exceed their access, identify anomalies in credentials or access to fund transfer systems (e.g. excessive logins, logins at unusual times) and raise red flags.
- Centralized Case Management System – to enable following up on the red flags raised and to plug loopholes. A Centralized Case Management System groups inter-linked suspicious activities together for easier and faster investigation.
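The Transaction Monitoring, Limits Monitoring, Staff Fraud Management and Case Management points above describe one rule engine seen from four angles: static screening of each instruction, count and cumulative-value limits evaluated per dimension (user, beneficiary, correspondent, destination country), login-behaviour anomalies on the operators, and a case view that links every alert on the same person. The following is an added example, not code from the original article or from any vendor’s product, that implements all four over a constructed batch of outward remittances and operator logins. The watch list, the high-risk country list, every threshold and window length, the record layout and the sample data are assumptions made for the example; the same loop evaluates each limit for every dimension listed in LIMITS, so adding a level such as beneficiary bank is a one-line change.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed reference data; these lists, thresholds and window lengths are
# assumptions for the example, not any vendor's, regulator's or bank's figures.
WATCHLIST = {"ACME SHELL TRADING FZE"}
HIGH_RISK_COUNTRIES = {"KP", "IR"}
WINDOW = timedelta(hours=24)
# Per-dimension limits: max instruction count and max cumulative USD within WINDOW.
LIMITS = {
    "user":                {"count": 5,  "value": 1_000_000},
    "beneficiary":         {"count": 2,  "value":   500_000},
    "correspondent":       {"count": 20, "value": 5_000_000},
    "beneficiary_country": {"count": 10, "value": 2_000_000},
}
MAX_LOGINS_PER_HOUR = 5
NORMAL_LOGIN_HOURS = range(7, 20)   # 07:00-19:59 local


def alert(ref, user, rule, dimension, detail):
    return {"ref": ref, "user": user, "rule": rule, "dimension": dimension, "detail": detail}


def screen_static(r):
    """Watch-list and high-risk-country checks on a single instruction."""
    found = []
    if r["beneficiary"].upper() in WATCHLIST:
        found.append(alert(r["ref"], r["user"], "watchlist_hit", "beneficiary", r["beneficiary"]))
    if r["beneficiary_country"] in HIGH_RISK_COUNTRIES:
        found.append(alert(r["ref"], r["user"], "high_risk_country", "beneficiary_country",
                           r["beneficiary_country"]))
    return found


def screen_velocity(r, history):
    """Count and cumulative-value limits, evaluated once per dimension in LIMITS."""
    found = []
    recent = [h for h in history if timedelta(0) <= r["ts"] - h["ts"] <= WINDOW] + [r]
    for dim, lim in LIMITS.items():
        same = [h for h in recent if h[dim] == r[dim]]
        count, value = len(same), sum(h["amount_usd"] for h in same)
        if count > lim["count"]:
            found.append(alert(r["ref"], r["user"], "velocity_count", dim, f"{count} > {lim['count']}"))
        if value > lim["value"]:
            found.append(alert(r["ref"], r["user"], "cumulative_value", dim, f"{value} > {lim['value']}"))
    return found


def screen_logins(logins):
    """Flag logins outside normal hours and bursts above MAX_LOGINS_PER_HOUR."""
    found = []
    ordered = sorted(logins, key=lambda l: l["ts"])
    for i, l in enumerate(ordered):
        ref = f"login@{l['ts'].isoformat()}"
        if l["ts"].hour not in NORMAL_LOGIN_HOURS:
            found.append(alert(ref, l["user"], "unusual_hour_login", "user", l["ts"].strftime("%H:%M")))
        in_hour = [x for x in ordered[: i + 1]
                   if x["user"] == l["user"] and l["ts"] - x["ts"] < timedelta(hours=1)]
        if len(in_hour) == MAX_LOGINS_PER_HOUR + 1:   # fire once, when the limit is first crossed
            found.append(alert(ref, l["user"], "excessive_logins", "user", f"{len(in_hour)} in 1h"))
    return found


def evaluate(remittances, logins):
    """Run all screens in time order; the history is what has been seen so far."""
    found, history = [], []
    for r in sorted(remittances, key=lambda x: x["ts"]):
        found += screen_static(r) + screen_velocity(r, history)
        history.append(r)
    return found + screen_logins(logins)


def build_cases(alerts):
    """Centralized case view: one case per user, linking every alert raised on that user."""
    cases = defaultdict(lambda: {"rules": set(), "refs": set()})
    for a in alerts:
        cases[a["user"]]["rules"].add(a["rule"])
        cases[a["user"]]["refs"].add(a["ref"])
    return {u: {"rules": sorted(c["rules"]), "refs": sorted(c["refs"])} for u, c in cases.items()}


T0 = datetime(2024, 3, 4, 10, 0)
def _r(ref, hours, user, beneficiary, country, corr, amount):
    return {"ref": ref, "ts": T0 + timedelta(hours=hours), "user": user, "beneficiary": beneficiary,
            "beneficiary_country": country, "correspondent": corr, "amount_usd": amount}

SAMPLE_REMITTANCES = [  # constructed sample, not real instructions
    _r("R1", 0, "op07", "GLOBAL PARTS LTD", "DE", "CORR-A", 120_000),
    _r("R2", 1, "op07", "Acme Shell Trading FZE", "AE", "CORR-B", 300_000),  # watch-list hit
    _r("R3", 2, "op07", "GLOBAL PARTS LTD", "DE", "CORR-A", 450_000),        # beneficiary 570k > 500k
    _r("R4", 3, "op07", "NORTH TRADE CO", "KP", "CORR-C", 50_000),           # high-risk country
    _r("R5", 4, "op07", "EASTERN FOODS AS", "TR", "CORR-A", 200_000),        # user 1.12M > 1M
]
SAMPLE_LOGINS = [{"user": "op07", "ts": T0.replace(hour=3, minute=10)}] + [
    {"user": "op07", "ts": T0.replace(hour=9, minute=m)} for m in (0, 5, 10, 20, 30, 40)
] + [{"user": "op12", "ts": T0}]

if __name__ == "__main__":
    found = evaluate(SAMPLE_REMITTANCES, SAMPLE_LOGINS)
    for a in found:
        print(a)
    print(build_cases(found))
```

On the sample batch the engine raises six alerts: a watch-list hit on R2, a high-risk-country hit on R4, a cumulative-value breach on the beneficiary dimension at R3 and on the user dimension at R5, an unusual-hour login and an excessive-login burst for op07. None of the six is conclusive alone, and that is the case-management argument: grouped by user they form one case against op07 with six linked references, which an analyst can review as a single story rather than as scattered red flags in different systems.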
With cybercriminals continuing to attempt to penetrate traditional strongholds, it is imperative that financial institutions take the necessary steps to secure their environments. Enterprise-wide fraud management is one of the approaches that can enable financial institutions to prevent such attacks, as well as increase the likelihood of an attack being detected in time.