Christian Walter ist Geschäftsführer und Redaktionsleiter von swiss made software. Bis Ende 2010 arbeitete er als Fachjournalist für das ICT-Magazin Netzwoche, publizierte zuletzt aber auch im Swiss IT Magazin, der Computerworld sowie inside-it.
In 2016, hackers attempted to steal more than 950 million dollars from accounts held at Bangladesh’s central bank, Bangladesh Bank. While automated systems managed to stop the transfers at 81 million, this was still an impressive demonstration of the vulnerability of the SWIFT system.
The SWIFT network handles messaging and transactions for more than 11,000 banks worldwide. But the SWIFT software that grants access has been hacked on more than just this one occasion. In at least two other cases, hackers were able to successfully penetrate the systems of other institutions.
SWIFT did enact countermeasures, but whether these have been effective across all levels remains unclear. This has created market opportunities for third parties, including the Swiss financial messaging specialists, Incentage. The company’s solution, known as FDPS (fraud detection and prevention solution), has been on the market since 2008. The latest version offers an extensive set of tools to manage the risks in the SWIFT environment. The focus is on situations whereby significant sums are exchanged in a relatively small number of high-value transactions. “Conventional solutions are mostly focused on a larger scale, rather than on individual transactions worth 500 million dollars,” says Incentage CEO Felix Huber.
FDPS comprises four different detection vectors, allowing customers to compile the options that are relevant for them. The attack on the Bangladesh Bank can serve as a case study to illustrate how it works (see image): In the SWIFT system, international transactions pass through four levels. At the top is the banks’ application level. This is where payments are generated. These are then sent to the messaging level, where they are ‘packed’ as messages. Then they are signed in the gateway and fed into the autonomous SWIFT network. They then go through the same process in reverse on the recipient’s side.
Gateway for hackers
In the case of the Bangladesh Bank, the attackers inserted fake messages before the gateway level. These were then officially signed and sent to the receiving system via the SWIFT network. A confirmation receipt is usually used to check whether the payment instructions match the sender’s records. But in this case, the confirmation receipts were intercepted, and so were never able to trigger any security alerts.
FDPS prevents this with its four vectors. Vector one is the bilateral challenge, and is most comparable to two-factor authentication. Here, the customer receives a text message that is sent via a different channel to the login information, i.e. by text message (SMS) rather than via the internet. In the case of FDPS, a hash is generated that is transferred either via point-to-point or blockchain technology. The recipient can then check whether the payment instruction that has just arrived from the SWIFT system matches the original payment instructions generated by the sender’s application.
Vector two is a three-part multi-layer filter. At the Profiling stage, the customer defines a set of rules via a GUI. For example, transactions in US dollars can only by carried out on Fridays between 10 a.m. and 12 p.m., or a ban on all transactions in rubles. The Context Assessment is based on the bank’s policies and blocks any instructions that violate these. The Fraud Detection Rules applied here are based on content analysis.
The third vector integrates external service providers such as sanctions scanners, which check transactions for suspected money laundering or financing of terrorism. The solution is so intelligent that it does not give a simple yes or no answer, rather, the transactions are weighted – for example, a transaction might have an 84 percent probability of being money laundering.
The fourth vector is based on historical behavior and applies statistical methods. To what extent may a payment in Swiss francs to the German Bundesbank deviate from the average, as a percentage? A separate risk profile is created for every transaction partner.
Respond quickly to threats
All this information is combined in a clearly arranged dashboard that provides customers with information on the potential risk present in current payment transactions. There is a prominent ‘nuclear button’ here which can be used to immediately stop all transactions. “This feature was developed explicitly in response to customer requests,” Huber explains. Drill-down options are central to this, because a stop must not take more than 30 minutes. Otherwise, substantial financial losses or reputational damage may result.
In order to be able to react as quickly as possible, FDPS enables filtering of transactions by various criteria, for example, to isolate all transactions relating to particular institutions. This is important, because an individual transaction can often involve several banks. In these cases, the suspect company could be the first, second, or third party in the transaction. A full-text search is also integrated into the system. FDPS stores customer-specific transaction data for entire markets: “One individual market such as the Johannesburg Stock Exchange can easily be associated with more than half a billion transactions in the system. Our solution can search through this volume in just three seconds, even when there are more than a million hits – and based on a full-text search,” says Huber.
Thus, the solution offered by Incentage actively addresses the threats latent in international payment transactions from multiple angles.