Mitigating the Insider Threat: Lessons From PNB Fraud CaseAfter PNB Incident, Security Practitioners Discuss Technologies to Mitigate Risks
Now that it's been confirmed that an insider at India's Punjab National Bank paved the way for $1.8 billion in fraudulent transactions, the Reserve Bank of India, the nation's central bank, is reiterating the need to strengthen security measures tied to SWIFT interbank transactions, and security experts are weighing in with risk mitigation advice.
See Also: Threat Briefing: Ransomware
For example, experts say that banks can help fight against insider threats by leveraging proper governance and risk management controls and considering the use of new technologies, such as user and entity behavioral analytics, or UEBA, as well as blockchain.
The fraud apparently began when diamond firms owned by billionaire Nirav Modi (no relation to Indian Prime Minister Narendra Modi) approached PNB to open letters of credit (a letter issued by a bank to another bank, especially one in a different country, to serve as a guarantee for payments) to fund the import of rough stones (see: $1.8 Billion Fraud Case at PNB Raises Security Questions)
Under the terms of the letter of credit, PNB would pay the overseas suppliers on behalf of Nirav Modi's firms within a certain period (typically three months) and recover the money from Modi. This is normally done on the basis of letters of understanding, or LoUs. But in this particular case, PNB employees issued fake LoUs, on the basis of which foreign branches of Axis Bank and Allahabad Bank gave loans to PNB.
Unauthorized Password Access
A deputy manager at PNB, Gokulnath Shetty, has been arrested and has confessed that he had unauthorized access to a Level-5 password to the SWIFT system to authorize issuance of money through Letters of Undertaking (LoUs) and Foreign Letters of Credit (FLCs), according to the Central Bureau of Investigation. A LoU is a widely accepted provision of bank guarantees under which a bank can allow a customer to raise money from another Indian bank's foreign branch. An FLC is a guarantee to a third party or vendor that money for the goods supplied would be paid.
The Level-5 password, which is supposed to be accessible only to higher authorities, enabled Shetty to reach out to several banks to release money to Modi through the SWIFT system, the CBI said.
Shetty also informed the investigators that he shared the password with other individuals, as well as directors of Modi's company, CBI reports.
The Insider Threat
Security incidents involving insiders can have a huge impact, as the PNB case illustrates.
"An insider has adequate access to reach to the right place. It is too difficult to detect since there are no failures happening where detection controls can detect," says a senior practitioner, of an IT services firm.
RBI has repeatedly urged banks to follow proper security mechanisms. A statement released by the RBI on Tuesday said it had alerted banks at least three times since August 2016 on the potential malicious use of the SWIFT infrastructure.
"RBI, as part of its ongoing efforts for strengthening of the supervisory framework in the country, has been issuing necessary instructions to banks from time to time on a variety of issues of prudential supervisory concern, including the management of operational risks inherent in the functioning of banks," RBI says in the statement. "The risks arising from the potential malicious use of the SWIFT infrastructure, created by banks for their genuine business needs, has always been a component of their operational risk profile."
After the PNB episode, the RBI is reminding banks to implement within stipulated deadlines the prescribed measures for strengthening the SWIFT operating environment.
In 2016, after revelations that hackers had infiltrated the Bangladeshi central bank's computer systems to siphon off money, RBI reminded all the country's lenders to ensure their computer networks were properly integrated with SWIFT.
"The biggest thing that didn't happen was the linkage between SWIFT and the bank's back-end software - they didn't talk," says Abizer Diwanji, a financial services partner in India at the accountancy firm EY India, according to the Times of India. "The ball was first dropped" when PNB missed a chance to reconcile the two systems, he contends.
Although the RBI's recommendations to banks are confidential, officials at a few banks tell Information Security Media Group that the main mandate by the central bank has been to link SWIFT with a bank's core banking system, or CBS.
In the case of PNB, the CBS was not aligned to SWIFT for transactions of non-fund based transactions, such as LoUs, while the monetary transaction entry to CBS was done manually, according to news media reports.
"Manual CBS entry is when a bank manually generates a voucher by debiting the concerned account in CBS. After due processing, this goes to a SWIFT cell and the required SWIFT message is sent to correspondent bank," says Rakesh Goyal, managing director at Sysman Computers, an auditing firm. "Post this, the SWIFT system generates a message and a log. At the end of day, all logs will be tallied with corresponding counter entry, mostly in CBS or any other system."
The RBI has asked banks to automate the process of connecting SWIFT with a CBS, says the CISO of a Bengaluru-based bank who did not wish to be named. Goyal says that involves connect SWIFT and CBS using an API.
But some banks find it challenging to comply with RBI's mandates.
"RBI can only give guidelines but banks need to take ownership," says a CISO of a bank in Tamil Nadu who asked not to be named. "There isn't any third party which will take control on behalf of the bank. More often than not, decisions regarding these things get stuck at the board level."
The CISO acknowledges that his bank is in the process of linking its CBS with SWIFT and following other guidelines from RBI.
Commenting on linking a CBS with SWIFT, the CISO of a Bengaluru-based bank, who requested anonymity, says: "The process isn't very difficult as it doesn't involve too much cost. It's probably the lack of willingness of the part of the banks to follow guidelines."
Mitigating Insider Threats
So how can banks battle insider threats?
"When the bad motive is intentional, the only way banks can control these things is by having proper governance and risk management controls," says Anuj Tewari, CISO at HCL, an IT firm. "Audits needs to be done thoroughly as well, but again audits are a once in a year phenomenon. Proper governance is the key."
User and entity behavioral analytics, or UEBA, can help banks in mitigating such risks, some security experts point out. Banks worldwide are considering UEBA tools because their previous breach prevention and detection efforts have fallen short.
"Machine learning is the phase one intelligence which can be built and orchestrated by applying AI engine on top would be a good next step. In that way, UEBA and associate technologies is perfect to detect behavioral patterns and intent of users when they are accessing critical or confidential information," Tewari says. "It monitors different activities of a user. These solutions will also baseline the behavior of a user and see if there are any anomalies."
But UEBA, and all technologies, must be implemented properly to succeed.
"Most banks have in place sophisticated technology solutions, but they fail to implement them properly," says a CISO of a Mumbai-based bank who requested not to be identified. "For instance, machine learning and artificial intelligence will have little relevance if we don't update the machines with new learnings and patterns."
Role of Blockchain
Some practitioners are suggesting banks use blockchain to mitigate risks.
"In the recent public sector bank fraud, issuance of fake LoUs would not have been possible on blockchain as the smart contract would have identified inconsistencies based on automatic reconciliation with core banking system and following the established limits; it would have restricted the payment initiation over SWIFT network," Vikram Pandya, director of FinTech at the SP Jain School of Global Management, tells the Economic Times.
"If the core banking system is integrated with blockchain, willful defaulters and clients breaching individual or group borrowing limits can be immediately identified," Pandya says.