In February 2016, hackers captured the credentials of Bangladesh Central Bank employees and used them to carry out fraudulent money transfer requests over the Society for Worldwide Interbank Financial Telecommunication (SWIFT) platform. The hackers managed to move $81 million from the Bangladesh Central Bank to a corporation in the Philippines through four different transfer requests.
Following the attack, the FBI issued a warning to banks on May 23 advising them to be aware of potentially fraudulent international transfer requests. Two weeks later, the Federal Financial Institutions Examination Council (FFIEC) issued a statement reminding financial institutions of the need to manage the risks associated with interbank messaging and wholesale payment networks.
Interbank payment networks have not always been a hot topic of discussion among bankers, but the brazen cyberattack on Bangladesh Central Bank and the recent release of information from hackers that could assist criminals in breaking into SWIFT servers have increased concerns about the security of interbank payment networks.
In CSI’s latest Banking Priorities Study, a benchmarking survey in which banking executives from across the country share their thoughts on a range of topics to shed light on their strategies and plans for the coming year, nearly 20 percent of respondents said interbank payment network attacks were their greatest security threat heading into 2017. This marks the first time in the history of the survey that interbank payment network attacks were specifically mentioned as a security concern.
The following tips and tricks will help bankers understand and mitigate this rising threat and stay secure while using interbank payment networks. But first, let’s take a look at what interbank payment networks are and how they are used in the United States and around the world.
A Deep Dive into Interbank Payment Networks
According to the FFIEC, payment and securities settlement systems in the U.S. consist of numerous financial intermediaries, financial services firms and non-bank businesses that create, distribute and process large-value payments.
The lion’s share of these payments are processed electronically and are used to purchase, sell or finance securities transactions; disburse or repay loans; settle real estate transactions; and make such large-value, time-critical payments as those for the settlement of interbank purchases.
There are two primary networks for interbank, domestic funds transfer payment orders:
- Fedwire® Funds Service – This network is operated by the Federal Reserve Banks, and provides interbank payment services for U.S. government and agency securities.
- CHIPS – The Clearing House Interbank Payments System (CHIPS) is a privately operated payments system used for large dollar payments. CHIPS is owned by financial institutions, and any banking organization with a regulated U.S. presence may become an owner and participate in the network.
International funds transfer works differently than domestic large-value funds transfer. The two domestic systems mentioned above carry out the actual moving of the funds, while a network like the SWIFT platform does not actually transfer funds, but instead uses its own system of codes to send payment orders between institutions’ accounts.
SWIFT is an industry-owned cooperative that supplies secure, standardized messaging services and interface software. The SWIFT community comprises a variety of financial services firms, including banks, broker/dealers and investment managers, as well as their market infrastructures in payments, securities, treasury and trade. According to its website, SWIFT began operations in 1973 with 15 countries, and now connects more than 11,000 banking and securities organizations in more than 200 countries and territories.
Recently, SWIFT developed a security framework that contains 16 mandatory controls to which customers must attest. SWIFT will require its customers to provide self-attestation against the mandatory controls by the end of 2017, and on an annual basis thereafter. There is also a set of 11 “advisory” controls that are recommended, but not yet mandatory.
Now that we have examined what interbank payment networks are and how they are used, let’s discuss how to stay secure while using them.
How to Become More “Cyber Resilient”
In my time as a cybersecurity professional, I’ve noticed the mindset regarding security has shifted over the last few years. Organizations used to focus on becoming “hack proof.” But as more and more organizations realized this status was impossible to achieve, the goal evolved into becoming “cyber resilient” instead.
Cyber resiliency is the ability to either withstand an attack or bounce back from one. Here are six tips for increasing your interbank network cyber resilience:
- Employee training and awareness: Many cyber incidents stem from social engineering attacks that target employees to gain network access. Train your employees on security do’s and don’ts, including avoiding websites that are prohibited or questionable, and not clicking on suspicious links in emails.
- Segregate critical workstations: If your institution requires access to interbank payment networks, make sure you access those networks from a machine dedicated solely to that purpose, and not a machine used for everyday functions. This greatly decreases the risk of potential incidents and reduces the collateral damage should an incident occur.
- Control employee privileges: Always err on the side of least privilege. For example, do not allow employees to run as local administrators on their machines. Malware must have local admin privileges in order to attack specific parts of the machine, so limiting privileges will cause the attack vector of the malware to fail.
- Real-time monitoring: If possible, monitor and review in real time any large-volume transactions and anything that allows large sets of data to be transferred. If real-time monitoring is not a possibility, I recommend daily monitoring. Monitoring and reviewing logs on a regular basis is also a must.
- Share information with your peers: Traditionally, the financial industry has not been quick to dispense security-related information, but if the bad guys share information with each other to gain an advantage, why shouldn’t financial institutions? Participation in such forums as the Financial Services Information Sharing and Analysis Center (FS-ISAC) can improve an institution’s ability to identify attack tactics and be more proactive in the fight against malware and other malicious agents. After all, knowledge is power.
- Multi-factor authentication: Multi-factor authentication requires a user to present several pieces of verification in order to access a system. Typically, the user must present something from two of the following three categories:
  - Something they know (e.g., a password or PIN)
  - Something they have (e.g., a security token)
  - Something they are (e.g., retina scans or fingerprint readers)
The tips in this blog post are good suggestions for boosting your organization’s cyber resiliency in the world of interbank payment networks and for increasing your overall cybersecurity posture, as well.
Tyler Leet serves as director of Risk and Compliance Services for CSI’s Regulatory Compliance Group. With more than a decade of experience in the information security, risk and compliance industries, Tyler oversees and participates in the development and maintenance of the risk and compliance-related services conducted for a wide variety of financial institutions and organizations in other vertical markets. He frequently speaks at conferences and seminars and is often cited in industry publications.