The banking world has been rocked in recent years by revelations of several major fraud events, each of whichnetted perpetrators from $2 million to more than a billion dollars. In every case, the bad actors used the rails of the SWIFT payment transfer system. SWIFT, which stands for Society for Worldwide Interbank Financial Telecommunications, is used by more than 11,000 banks worldwide to facilitate cross-border financial transactions.
The SWIFT system itself wasn’t breached; it was merely the instrument that carried out the bankers’ instructions. In the case of one national bank, malicious insiders orchestrated the fraud scheme that unfolded over the span of seven years. The investigation highlighted three process failures that facilitated the fraud:
* Bank employees shared their SWIFT password with an outsider, thus enabling fraudulent authorization of numerous SWIFT transactions.
* The mandatory reporting of SWIFT transactions didn’t happen, so the actions went unnoticed.
* Checks and balances procedures were ignored when only two people rather than the required three were able to authorize the transactions.
Clearly, the lengthy duration of the overall scheme indicates the bank was lacking the necessary measures to bring the fraud to light as soon as it began.
Cybersecurity breaches lead to fraud
In the same timeframe, several other banks suffered losses tied to abuses of the SWIFT system due to their own cybersecurity breaches that allowed account takeovers. Attackers obtained and used the credentials of bank employees who had legitimate authority to initiate and approve the payment transfer transactions. To SWIFT, the instructions appeared to be normal because, for all intents and purposes, they came from authorized user accounts.
The common theme among these attacks is the lack or failure of measures that could detect the account takeovers that eventually enabled the payment transfers.In all these cases of the SWIFT system abuse, if an advanced fraud analytics platform with user and entity behavioral analytics (UEBA) capabilities had been in place, the fraud could have been prevented.
Behavior analytics can help prevent the SWIFT abuses
Enterprise fraud management platforms have been around for years, but many legacy platforms lack the capabilities to make critical data associations and identify anomalous behaviors of user accounts. However, recent advancements in a range of technologies from Big Data to machine learning have coalesced to help build a new kind of advanced fraud analytics platform.
This type of solution can use machine learning to analyze millions of data points from a variety of siloed, cross-channel sources, such as a core banking system (CBS) and the SWIFT system.By linking data from these disparate systems in a Big Data system, anomalous behavior can be identified quickly. For example, in the national bank’s case, the fact that payments were made from the CBS but there were no
corresponding activities reported as required by SWIFT is not normal procedure. This mismatch of activities would raise a high priority alert to prompt immediate investigation by the bank.
Now consider the instances where malicious actors gained access to legitimate credentials. It might not seem possible to detect that the payment instructions aren’t being directed by the authorized employee, but this is where behavioral analytics come into play. Behavioral analytics look at everything about a specific user identity, including what his network and application permissions are, when and where he typically performs his work activities, what device he commonly uses, and so on. While it’s possible for a hacker to gain access to a worker’s login credentials – and thus assume his permissions and privileges – it’s not possible to mimic everything else about the worker’s behavior. A hacker wouldn’t use the worker’s computer and his IP address, or have the same work schedule and the same geo-location. Those variations in behavior would raise an alert, and the bank could activate an immediate mitigation such as dropping the person’s access to the payment transfer system.
The fraud detection measures are completely unobtrusive to workers performing their legitimate duties. Yet the speed and accuracy of identifying, prioritizing and alerting on high-risk activity can drive corrective or response actions in other systems based on the value of the risk score. Such actions can be automated to take place in real time or near real time; for example, to put a hold on the SWIFT funds transfer until the alert details can be investigated.
Banks are highly regulated financial institutions. They all have a fiduciary responsibility to protect their depositors’ and investors’ interests and assets. An advanced fraud analytics platform is a necessity to accurately detect fraud in real time and to have the opportunity to disrupt the scheme and prevent the loss.