Swift measures highlight external bank cyber vulnerabilities
Swift has launched a raft of new security measures for users to protect against further fraudulent attempts to access the messaging network. Outside of this, banks still need to further invest in their own safeguards.
The Bangladesh Bank security breach last year, although not due to a vulnerability on the Swift network itself, resulted in questions about how the network could assist its customers to be better protected.
Banco del Austro in Ecuador, meanwhile, has also reported a loss of funds after fraudulent messages were sent via the Swift network. Further attempted attacks on Tien Phong Bank in Vietnam were intercepted before the funds could be taken.
Swift has responded by launching new products to help its customers to bulk up their security systems, and protect the operating environment. It has released a payments control service and a security framework aimed at increasing security within banks and in payments transactions.
Customer security controls (CSC) consists of 16 mandatory and 11 voluntary controls. All customers have to implement the mandatory controls by December. Separately, the payment controls service (PCS) is an opt-in service, allowing banks to screen their transactions for signs of fraud.
Ed Adshead-Grant, general manager, payments at Bottomline Technologies, says the move to introduce further layers of protection has been met positively.
“Swift adding on controls is welcomed by the industry,” he says. “It is a good start, but the cyber threat will continue to evolve. It is a good baseline of protection.”
The decision to create additional layers of checks followed requests for the service from users.
Tony Wicks, head of anti-money laundering initiatives at Swift, says: “Given recent events, cyber security is a heightened area of focus for all financial services firms. The PCS has been created in direct response to our community’s request for additional services to complement and strengthen their existing fraud controls.”
The system is designed to be easy to use and works from the institution's existing payments data.
Wicks says: “The new PCS uses machine learning to understand the pattern of each subscribing institution's message characteristics. The service is pre-provisioned, so it is instant switch-on.
“In addition, it also continues to learn over time as the using institution’s behaviours change. This allows the service to understand the institution’s changing business patterns, determine uncharacteristic payment instructions and to spot anomalies. Importantly, the customer is the one that is in control. They select their own policy settings and tailor the system to their own requirements.”
The PCS has been developed more for the customers that might not have the time or financial resources available to create a comprehensive platform themselves.
Wicks says: “We are initially targeting the service at smaller-volume customers. These customers are not well served by other vendor solutions and can benefit most from the utility-based approach. This model gets customers up and running quickly, and frees them of costly system deployment, management or maintenance work.”
Wicks says Swift has a basic level of advisory in place, but it is up to the banks themselves to make the decisions on the level of protections they want in place.
“The service adapts to changing behaviours by learning each using institution’s activity over time,” he says. “The rate of learning will depend on the nature and frequency of each institution’s usage and messaging activity – it could take less than a month, or more than six months, depending on the institution’s activity.”
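The article describes the PCS only in outline: learn an institution's normal payment pattern, let the customer set the policy, and flag instructions that fall outside it. The following is an added illustration of that idea, not Swift's code; the history, the placeholder bank codes and the policy thresholds are constructed, and the model is a deliberately simple baseline rather than the machine learning the service uses.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed history of one institution's outbound instructions:
# (beneficiary bank code, amount, hour of day). Codes are placeholders, not real BICs.
HISTORY = [
    ("TESTDE01XXX", 120_000.0, 9), ("TESTDE01XXX", 95_000.0, 10),
    ("TESTGB02XXX", 200_000.0, 11), ("TESTGB02XXX", 180_000.0, 14),
    ("TESTUS03XXX", 150_000.0, 15), ("TESTDE01XXX", 110_000.0, 9),
    ("TESTGB02XXX", 210_000.0, 13), ("TESTUS03XXX", 140_000.0, 16),
]

# Policy settings the subscribing institution would choose for itself (assumed values).
POLICY = {"max_amount_sigma": 3.0, "business_hours": range(7, 19), "min_seen": 2}


def learn_baseline(history):
    """Summarise 'normal': counterparties seen and the mean/spread of amounts."""
    amounts = [amount for _, amount, _ in history]
    return {
        "counterparties": Counter(bic for bic, _, _ in history),
        "amount_mean": mean(amounts),
        "amount_sd": pstdev(amounts),
    }


def score_instruction(baseline, policy, instruction):
    """Return the policy rules an instruction breaches; an empty list means in-pattern."""
    bic, amount, hour = instruction
    flags = []
    if baseline["counterparties"][bic] < policy["min_seen"]:
        flags.append("new-or-rare-beneficiary")
    spread = baseline["amount_sd"] or 1.0  # avoid division by zero on a flat history
    if abs(amount - baseline["amount_mean"]) / spread > policy["max_amount_sigma"]:
        flags.append("amount-out-of-pattern")
    if hour not in policy["business_hours"]:
        flags.append("outside-business-hours")
    return flags


def screen(history, policy, instructions):
    """Screen instructions in order, relearning only from those that passed, so a
    flagged instruction cannot teach the baseline that its behaviour is normal."""
    history = list(history)
    results = []
    for instruction in instructions:
        flags = score_instruction(learn_baseline(history), policy, instruction)
        results.append((instruction, flags))
        if not flags:
            history.append(instruction)
    return results
```

The `screen` loop is the continuous-learning step the article mentions; holding flagged instructions out of the baseline is the caveat a real deployment needs so that an attacker cannot normalise their own traffic.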
Growing demand for transparency
Wicks says: “Correspondents may either require their respondents to have some fraud-prevention controls in place, or they may charge more for the services they provide to counterparts that do not.
“To manage their exposure, institutions are seeking additional transparency. They want to understand the risks of doing business with individual counterparts and to know whether those counterparts are managing their own risk with appropriate cyber-controls and fraud prevention.”
While Swift can implement controls, it cannot police the protections used by each institution on its network, or force them to have better levels of monitoring.
Says Wicks: “This service will bolster our customers’ own fraud and cyber-crime controls, but it does not remove the obligation customers have to protect their own environment.”
The view is backed up by the responses in the 2017 Treasury Fraud & Controls Survey report, compiled by Bottomline and consultancy group Strategic Treasurer.
The survey found that only 77% of banks already have the ability to monitor suspicious user behaviour within their systems. The share of fraud attempts coming from outside a company has increased dramatically, to 81% of cases compared with 59% in 2016. Some banks are leaving themselves vulnerable to attack.
Talking specifically about the CSC, Bottomline's Adshead-Grant says there is capacity for Swift to be working as an advisory function.
“The kernel of Swift’s offering is very good, but where the user has bad practice, this is something that Swift cannot control,” he says. “It can instead offer to recommend and re-educate its users on bad practice to prevent fraudulent messages from getting into the messaging system.”
Adshead-Grant says one flaw is that the Swift protections only apply to the Swift network. Although widely used, it is not the only messaging platform banks use. If Swift’s platform becomes too difficult for hackers to infiltrate, they might start looking to other platforms.
Bottomline offers its own multi-channel system.
Adshead-Grant says: “The Bottomline platform is not just monitoring the messages but also the user behaviour. It picks up on anything out of the ordinary, which is scored, and the user is alerted if it needs action. The network is also monitored, so if it is detected that malware blockers have been removed, this will be identified as well.”
Bottomline still advocates that users be up to date with the Swift standards, and Swift itself sees the benefit of multiple services being used in conjunction.
Swift's Wicks says: “Customers are free to choose to use the service or not. Some may choose to use other platforms or services – but even some of these users may still choose to use the service as a secondary layer of control.”
Commenting on the developments by Swift, one banker says they are a welcome move to provide an additional layer of security to using the messaging channels.
However, the banker cautions that the main issues are coming from the banking sector, which is slow to react to change and needs to make considerable investments in keeping its software up to date.
“As well as looking at Swift, banks also need to rely on the quality of their own security,” the banker says. “It is their responsibility to protect their customers’ assets. It is up to them what they are prepared to spend and what they put in place.
“While there is a focus on the need to satisfy the regulators, there needs to be a realization that primarily they have to protect their customers and their own infrastructure.”