Is the US Ready for Faster Payments?SWIFT-Related Bank Heists Raise Questions About Outdated Authentication Practices
Before moving to faster payments, U.S. banks should scrutinize the security gaps exploited in the SWIFT-related bank heists and build effective risk-mitigation strategies that include stronger layers of authentication, financial fraud experts say.
See Also: Taking Advantage of EMV 3DS
After an $81 million SWIFT-related theft from the central bank of Bangladesh in February, SWIFT warned that a "wider and highly adaptive campaign" was underway. Investigators now suspect that a dozen or more banks may have been targeted by a group of attackers - possibly with ties to North Korea - who have been using fraudulent SWIFT messages to transfer millions into attacker-owned accounts, aided by customized malware that's designed to trick SWIFT's client software (see Bangladesh Eyes Insider Angle for SWIFT Bank Attack).
The bank-to-bank messaging system maintained by SWIFT - formally known as the Society for Worldwide Interbank Financial Telecommunication - is designed to guarantee that money-moving messages between banks are authentic. In markets where real-time payments have been adopted, SWIFT facilitates those payments.
But the reliability of the system, which is used by more than 11,000 member institutions throughout the world, has been called into question following revelations that SWIFT-using banks were falling victim to malware-wielding attackers (see Another SWIFT Hack Stole $12 Million).
The SWIFT-related heists have exposed weaknesses in the authentication and transaction verification practices now in place for rapid bank-to-bank transactions, says financial fraud expert Avivah Litan, an analyst at Gartner.
"In the U.S., we've got very good guidance from the regulators explaining what the customer's responsible for and what the banks are responsible for," says Litan, who blogged about the lessons the SWIFT-related heists should teach U.S. banks about authentication weaknesses and lacking security controls. "We don't see that same kind of guidance or rules applying to bank-to-bank transactions. The assumption is that by the time the instruction gets to the bank to actually execute the payment, everything has been cleared and authorized, and the bank can just execute the transaction without doing too much review, which is what happened here in the SWIFT heist. The rules that we've seen imposed on customer-to-bank transactions need to be imposed on bank-to-bank, especially in the era of real-time payments."
As the SWIFT-related heists prove, payments must be verified and re-authenticated as they move along from one bank to the next, she says. Relying on transactions to only be authenticated when a payment is initiated is risky; that's ultimately what caused the losses in recent SWIFT transactions, Litan contends.
"In the era of real-time payments, you don't have time to review payments," Litan says. "In the old world, the correspondent bank could still get money back once fraud was detected. But now that time window goes away, so it's even more important that we have good controls."
'Wake-Up Call' for the Fed
The Federal Reserve, which is now accepting proposals for technologies and solutions that could be used to facilitate faster payments in the U.S., should learn from the mistakes made by SWIFT and its member banks, Litan says.
In the current payment system, Litan notes, "the banks have had a few minutes, sometimes up to an hour, to review a payment even when it's a wire payment," she says. "If it's ACH, there's a day or more to review it. So the banks are all used to having the review period of the suspect transactions - that goes away in a real-time payment, and even furthers the imperative for bank-to-bank fraud controls, because there's no time to get the money back once it moves from one bank to another."
The SWIFT-related bank heists should be a "wake-up call" for the Fed, says financial fraud consultant Richard A. Parry, who previously served in IT and cybersecurity roles for Visa, JPMorgan Chase and others. He contends that banks shouldn't blame SWIFT for fraud that could have been prevented by numerous links in the transactional chain.
"Taking pot-shots at SWIFT is easy, but they are an association," he says. "They have just had a spectacular wake-up call that should make them revisit their operating model as it pertains to risk and accountability. But their members [the banks] are not blameless, either. ... Hopefully, the Fed, like SWIFT, has had a wake-up call also."
Authentication in a Real-Time World
Before moving to faster payments, U.S. banking institutions must first evaluate how they authenticate, verify and approve wire, ACH and online payments today, Parry says.
"Online banking has been an instruction medium, not a payment medium," he says. "With faster payments, be it ACH or online, the control framework is fundamentally changed. We must focus on the control and speed of payments concurrently. The reputation of ACH will depend on it."
To move to faster payments, banking institutions, payments providers and processors will have to enhance their authentication practices, ensuring that transactions are re-evaluated at different points throughout the chain, Parry adds.
"Authentication is a very complex area, and in some contexts, where machines and tokens are being authenticated, rather than carbon-based life forms at the controls, there is vulnerability," he says. "When an authorized user is successfully impersonated, internal controls like tokenized authentication and encryption are moot. This is why post-initial-authentication layers of control are so critical. You shouldn't bet the farm, or in this case bank, on no one getting in along the way. Assume they will."
Mary Ann Miller, who serves as senior director and executive fraud adviser at NICE Actimize, says too many U.S. banks still fail to recognize the security vulnerabilities faster payments can pose.
"Real-time payments will change every aspect and cadence of your authentication, fraud management, customer experience and operational approach," she says. "So a program approach needs to be taken to prepare the bank to support the products and services that real-time payments will enable. Managing your authentication and fraud strategy requires an organizational view and alignment that will enable layered security to work. However, the cross-channel functions are often not aligned or talking to each other. We know now that authentication and fraud strategies need to be coordinated from a policy, strategy and technology execution point of view. I believe that current events will bring more attention and focus to make this discussion as a priority."
Most of the payment systems and capabilities available in the U.S. today were not built with security in mind, notes Ben Knieff, an analyst at consultancy Aite.
"Security has often been bolted on over time," Knieff says. "Institutions are not operationally ready for real-time payments. The operational demands for managing real-time payments are quite a bit different than what most financial institutions are accustomed to. It can be easy to embrace new technology conceptually, but actually operationalizing it is a whole different task."