SWIFT Announces Fraud Pattern Detection Controls

Anti-Fraud , Fraud , Risk Management

'Daily Validation Reports' Will Provide Out-of-Band View of Messages SWIFT Announces Fraud Pattern Detection Controls

To help financial institutions better spot attempted fraud, the SWIFT interbank messaging network plans to begin offering voluntary "daily validation reports" to customers in December.

See Also: How to Mitigate Credential Theft by Securing Active Directory

The move is designed to provide an "out of band" view of an institution's messages to help anti-fraud teams better spot unauthorized attempts to move money via SWIFT, the organization says in a statement.

"A key step in the modus operandi in recent wire fraud cases at customer firms involves the attackers concealing their fraudulent messaging activity on customers' local systems," says Stephen Gilderdale, who heads SWIFT's customer security program, in a statement. "Daily validation reports will provide a reliable and independent source of information, providing such institutions with an activity lens to help them quickly detect fraud - whether perpetrated by external attackers or by malicious insiders."

Formally known as the Society for Worldwide Interbank Financial Telecommunication, SWIFT is a member-owned, Brussels-based collective. About 11,000 institutions in more than 200 countries use SWIFT's interbank messaging software and network.

The pending anti-fraud feature follows the February theft of $81 million from the central bank of Bangladesh's account at the Federal Reserve Bank of New York via fraudulent SWIFT messages. As part of the Bangladesh theft, attackers employed malware that prevented details of the transactions from being printed out on the bank's printer, thus delaying the bank's discovery of the fraud.

Research conducted by British defense and security firm BAE Systems found that as part of the attack, hackers gained access to a Bangladesh Bank PC that connected to the SWIFT network. BAE Systems security researchers Sergei Shevchenko and Adrian Nish reported that attackers then injected fraudulent money-moving messages into the SWIFT network and replaced the bank's PDF reader with a Trojanized version that removed traces of the fraudulent messages.

SWIFT has warned customers that the Bangladesh Bank hack was part of a wider attack campaign that has targeted multiple banks, including Vietnam's Tien Phong Bank in late 2015. Some security researchers say that the malware used in the attacks ties to the attack code used against Sony Pictures Entertainment in 2014, and that the attack campaign appears to have been carried out at the behest of North Korea.

Following the Bangladesh Bank hack, and facing criticism that SWIFT should be doing more to help customers stay secure, SWIFT CEO Gottfried Leibbrandt in May announced the launch of a new customer security program. In July, SWIFT also announced that it had assembled an internal intelligence team and tapped BAE Systems and cybersecurity firm Fox-IT to serve as a digital forensics investigation team for assisting any customers whose systems get hacked. SWIFT has not publicly disclosed pricing for that service.

Daily Out-of-Band Validation

SWIFT says the new daily validation reports are part of a new "transaction pattern detection stream" launched as part of the customer security program. The reports, it says, will comprise two parts:

Activity reports: Financial institutions can see "aggregate daily activity across currencies, countries and counterparties" and review it for unusual patterns. Risk Reports: These will flag "large or unusual payment flows and new combinations of payment parties" to help anti-fraud teams more quickly identify "unusual senders, destinations and patterns."

Smaller financial firms should especially benefit from the new reports, SWIFT says. "Smaller institutions, in particular, are currently dependent on the accuracy of the data on their own systems, but in the event of a security breach, their locally stored payment and reconciliation data may be altered or unavailable," Gilderdale says.

Of course, savvy attackers could also target the PCs receiving these daily validation reports in an attempt to suppress them.

Voluntary Program

Signing up for the daily validation reports will be voluntary, and SWIFT has yet to finalize pricing, spokeswoman Natasha de Teran tells The Wall Street Journal. "Our focus is to improve security, not to derive profit," she said.

The introduction of the reports is good news for banks and shows SWIFT reacting to the Bangladesh Bank hack. It follows SWIFT launching an awareness campaign relating to its relationship management application, which it describes as a filter that customers can use "to select and limit the correspondents from whom they wish to receive messages, as well as to restrict the type of messages that they receive." SWIFT portrays it as a first line of defense against fraudulent messages.

But if previous cybercrime campaigns are any measure, then attackers will have also been continuing to refine their efforts - and with a head start.

Independent financial fraud consultant William Murray - who says that banks, not SWIFT, are responsible for ensuring the authenticity of SWIFT messages they send or receive - warns that whoever hacked Bangladesh Bank likely remains active. "The more we learn, the more resourceful these attacks appear to be," Murray said. "[Attackers] are now well funded and we must expect them to be active until we hear of arrests."