Security for international payments
In 2016, hackers attempted to steal more than 950 million dollars from accounts held at Bangladesh’s central bank, Bangladesh Bank. While automated systems managed to stop the transfers at 81 million, this was still an impressive demonstration of the vulnerability of the SWIFT system.
The SWIFT network handles messaging and transactions for more than 11,000 banks worldwide. But the SWIFT software that grants access has been hacked on more than just this one occasion. In at least two other cases, hackers were able to successfully penetrate the systems of other institutions.
SWIFT did enact countermeasures, but whether these have been effective across all levels remains unclear. This has created market opportunities for third parties, including the Swiss financial messaging specialists, Incentage. The company’s solution, known as FDPS (fraud detection and prevention solution), has been on the market since 2008. The latest version offers an extensive set of tools to manage the risks in the SWIFT environment. The focus is on situations in which significant sums are exchanged in a relatively small number of high-value transactions. “Conventional solutions are mostly focused on a larger scale, rather than on individual transactions worth 500 million dollars,” says Incentage CEO Felix Huber.
FDPS comprises four different detection vectors, allowing customers to select the options that are relevant for them. The attack on the Bangladesh Bank can serve as a case study to illustrate how it works. In the SWIFT system, international transactions pass through four levels. At the top is the banks’ application level. This is where payments are generated. These are then sent to the messaging level, where they are ‘packed’ as messages. Then they are signed in the gateway and fed into the autonomous SWIFT network. They then go through the same process in reverse on the recipient’s side.
Gateway for hackers
In the case of the Bangladesh Bank, the attackers inserted fake messages before the gateway level. These were then officially signed and sent to the receiving system via the SWIFT network. A confirmation receipt is usually used to check whether the payment instructions match the sender’s records. But in this case, the confirmation receipts were intercepted, and so were never able to trigger any security alerts.
FDPS prevents this with its four vectors. Vector one is the bilateral challenge, and is most comparable to two-factor authentication. In two-factor authentication, the customer receives a message over a different channel than the login information, i.e. by text message (SMS) rather than via the internet. In the case of FDPS, a hash is generated that is transferred either via point-to-point or blockchain technology. The recipient can then check whether the payment instruction that has just arrived from the SWIFT system matches the original payment instructions generated by the sender’s application.
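The bilateral challenge described above can be sketched as follows. This is an added example, not Incentage's code: the covered fields, the SHA-256 encoding and the sample instructions are assumptions, and the side channel is assumed to deliver the sender's digests authentically.

```python
import hashlib
import hmac

# Fields covered by the digest: an assumption, the article does not list them.
FIELDS = ("reference", "sender", "receiver", "account", "currency", "amount")

def instruction_digest(instr):
    """SHA-256 over a length-prefixed, normalised encoding of the covered fields."""
    h = hashlib.sha256()
    for name in FIELDS:
        value = str(instr[name]).strip().upper().encode("utf-8")
        h.update(len(value).to_bytes(4, "big") + value)
    return h.hexdigest()

def reconcile(side_channel, arrived):
    """side_channel: reference -> digest sent by the sender's application.
    arrived: instructions delivered through the payment network."""
    result = {"ok": [], "mismatch": [], "unannounced": [], "missing": []}
    seen = set()
    for instr in arrived:
        ref = instr["reference"]
        seen.add(ref)
        expected = side_channel.get(ref)
        if expected is None:
            result["unannounced"].append(ref)  # no application ever created it
        elif hmac.compare_digest(expected, instruction_digest(instr)):
            result["ok"].append(ref)
        else:
            result["mismatch"].append(ref)     # changed below the application level
    result["missing"] = sorted(set(side_channel) - seen)  # announced, never arrived
    return result

def demo():
    """Constructed sample data; all names and values are made up."""
    def instr(ref, account, amount):
        return {"reference": ref, "sender": "BANKAAXX", "receiver": "BANKBBXX",
                "account": account, "currency": "USD", "amount": amount}
    created = [instr("REF-001", "ACC-1111", "1500000.00"),
               instr("REF-002", "ACC-2222", "250000.00"),
               instr("REF-004", "ACC-4444", "90000.00")]
    side_channel = {i["reference"]: instruction_digest(i) for i in created}
    arrived = [created[0],
               instr("REF-002", "ACC-9999", "250000.00"),    # account altered in transit
               instr("REF-003", "ACC-9999", "20000000.00")]  # inserted before the gateway
    return reconcile(side_channel, arrived)

if __name__ == "__main__":
    print(demo())
```

An instruction inserted before the gateway carries a valid network signature but has no digest from the sender's application, so it lands in `unannounced` even when confirmation receipts never reach the sender.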
Vector two is a three-part multi-layer filter. At the Profiling stage, the customer defines a set of rules via a GUI. For example, transactions in US dollars can only be carried out on Fridays between 10 a.m. and 12 p.m., or all transactions in rubles can be banned. The Context Assessment is based on the bank’s policies and blocks any instructions that violate these. The Fraud Detection Rules applied here are based on content analysis.
The third vector integrates external service providers such as sanctions scanners, which check transactions for suspected money laundering or financing of terrorism. The solution is so intelligent that it does not give a simple yes or no answer; rather, the transactions are weighted – for example, a transaction might have an 84 percent probability of being money laundering.
The fourth vector is based on historical behavior and applies statistical methods. To what extent may a payment in Swiss francs to the German Bundesbank deviate from the average, as a percentage? A separate risk profile is created for every transaction partner.
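A per-partner check of this kind could look like the following added example, which is not taken from FDPS. The sample threshold, the tolerance values and the payment history are constructed, and the plain average is used because that is the statistic the text names.

```python
from statistics import mean

MIN_SAMPLES = 5  # assumed threshold: fewer past payments give no usable average

def build_profiles(history):
    """Group past amounts by (partner, currency) and keep count and average."""
    grouped = {}
    for partner, currency, amount in history:
        grouped.setdefault((partner, currency), []).append(amount)
    return {key: {"n": len(v), "avg": mean(v)} for key, v in grouped.items()}

def assess(payment, profiles, tolerance_pct):
    """Return (verdict, deviation in percent) for one payment."""
    partner, currency, amount = payment
    profile = profiles.get((partner, currency))
    if profile is None:
        return ("no_profile", None)    # first payment to this partner in this currency
    if profile["n"] < MIN_SAMPLES or profile["avg"] == 0:
        return ("thin_profile", None)  # an average exists but is not trustworthy
    deviation = (amount - profile["avg"]) / profile["avg"] * 100.0
    limit = tolerance_pct.get((partner, currency), tolerance_pct["default"])
    verdict = "review" if abs(deviation) > limit else "ok"
    return (verdict, round(deviation, 1))

# Constructed history of (partner, currency, amount); names and values are made up.
HISTORY = [("DEUTSCHE BUNDESBANK", "CHF", a) for a in
           (10_000_000, 12_000_000, 11_000_000, 9_000_000, 13_000_000)]
HISTORY += [("BANK B", "USD", 400_000), ("BANK B", "USD", 600_000)]
# Allowed deviation from the average in percent, per partner (assumed values).
TOLERANCE = {"default": 25.0, ("DEUTSCHE BUNDESBANK", "CHF"): 40.0}

def demo():
    profiles = build_profiles(HISTORY)
    payments = [("DEUTSCHE BUNDESBANK", "CHF", 12_100_000),  # close to the average
                ("DEUTSCHE BUNDESBANK", "CHF", 20_000_000),  # far above the average
                ("BANK B", "USD", 5_000_000),                # only two past payments
                ("BANK C", "CHF", 1_000)]                    # never seen before
    return [assess(p, profiles, TOLERANCE) for p in payments]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Partners with no history or too little history get their own verdicts instead of a silent pass, since a missing baseline is itself a signal worth routing to a reviewer.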
Respond quickly to threats
All this information is combined in a clearly arranged dashboard that provides customers with information on the potential risk present in current payment transactions. There is a prominent ‘nuclear button’ here which can be used to immediately stop all transactions. “This feature was developed explicitly in response to customer requests,” Huber explains. Drill-down options are central to this, because a stop must not take more than 30 minutes. Otherwise, substantial financial losses or reputational damage may result.
In order to be able to react as quickly as possible, FDPS enables filtering of transactions by various criteria, for example, to isolate all transactions relating to particular institutions. This is important, because an individual transaction can often involve several banks. In these cases, the suspect company could be the first, second, or third party in the transaction. A full-text search is also integrated into the system. FDPS stores customer-specific transaction data for entire markets: “One individual market such as the Johannesburg Stock Exchange can easily be associated with more than half a billion transactions in the system. Our solution can search through this volume in just three seconds, even when there are more than a million hits – and based on a full-text search,” says Huber.
Thus, the solution offered by Incentage actively addresses the threats latent in international payment transactions from multiple angles.