Financial fraud expert Avivah Litan, a Gartner analyst, says the SWIFT-related heists, which have defrauded banks out of millions of dollars in recent weeks, are not cause for "the sky is falling" alarm (see Report: Bangladesh Probes 2013 Bank Hack via SWIFT).
"When I read the reports and the reactions to those transactions from some of our politicians, I was pretty amazed at that strong reaction that they had that our financial system could be in jeopardy, that there's frailness in the worldwide financial system," Litan says during this interview with Information Security Media Group. "The sky isn't falling. We have technology and measures that could be put in place to prevent what happened at SWIFT."
Nevertheless, Litan says that SWIFT, an interbank messaging system for payments, "didn't seem to have some of the very basic fraud-detection controls that could have stopped the heists - looking for abnormal payees, looking for remote account takeover, looking for abnormal access. These are all fraud-detection measures that the U.S. regulators have mandated that U.S. banks put in. So it was pretty shocking to me that SWIFT did not have these measures, apparently, and relied so heavily on authentication instead."
Stronger Controls Needed
Litan, who recently blogged about the lessons the SWIFT-related heists should teach U.S. banks about authentication weaknesses and lacking security controls, says banks need to implement the same controls for interbank transactions that they have in place for customer-to-bank payments.
Fraud detection and risk mitigation are a shared responsibility, she adds. "We read a lot in the media about finger pointing, where SWIFT was saying it was the banks' responsibility and the banks were saying it was SWIFT's responsibility," Litan says. "Everyone needs to wake up and realize this is a shared responsibility."
During this interview, Litan also discusses:
- A five-layered security approach to prevent heists like the ones that compromised SWIFT transactions. "You have to assume the criminals can beat one layer, and maybe even two. But it's highly unlikely that they'll beat all five."
- Why bank-to-bank transactions should follow the same guidelines for ACH and wire payment security outlined by the Federal Financial Institutions Examination Council for customer-to-bank transactions;
- How the SWIFT attack reveals security concerns for real-time payments; and
- The need for transaction authentication and verification across numerous links in the payments chain.
Litan, a vice president at Gartner Research, is a recognized authority on financial fraud. She has more than 30 years of experience in the IT industry. Her areas of expertise include financial fraud; authentication; access management; identity proofing; identity theft; fraud detection and prevention applications; and other areas of information security and risk. She also covers security issues related to payment systems and PCI compliance.