Gartner Blog Network


Fraud hits U.S. real time payments; SWIFT heists repeated?

by Avivah Litan  |  May 19, 2016  |  12 Comments

In a little-noticed event, U.S. banks started originating real-time ACH payments as part of a widespread U.S. move to real-time banking payments that should be largely in place by the end of this year. (For more information, refer to the NACHA, The Clearing House, and Federal Reserve Faster Payments websites.)

But is the U.S. really ready for Faster Payments? The recent news on the SWIFT Heists strongly suggests the answer is NO. According to industry sources, a few banks started opening their faster payment systems up to their customers, but adoption was slow – except among the criminals!

Mary Ann Miller, a payments expert and an executive fraud advisor working for Nice Actimize, a fraud detection vendor, finds that about 20% to as much as 50% of faster payment requests on an average day can be fraudulent attempts.  That’s a staggering rate, especially when you consider that normal confirmed fraud rates are well below a half percent. Interestingly, adoption by customers has been slow but fraudsters proved they are ready to pounce on the new real time rails.

Irrevocable real time payments are fraught with risk.  There is no time for bankers’ fraud staff to manually review transactions, and there is no time to retrieve a fraudulent payment on its way to an unknown bank account far from the reach of U.S. banks and authorities.

Lessons from the SWIFT Heist

Before it is too late, U.S. banks and processors should take a hard look at their internal processes and fraud detection systems so that they too don’t fall prey to scams such as we saw executed against the SWIFT payment system.  What did we learn from that?

  • Stopping fraud is a collective responsibility between the banks and the processors.

Banks that originate payment requests must do their part to strongly authenticate users who access the payment system, and must put in place control processes – such as dual authorization – to help ensure only authenticated and authorized users are able to request payments.

But all of us should know by now that strong authentication and authorization processes have their limitations. Smart, knowledgeable criminals have been beating these measures for years (see our 2012 research “When Strong Authentication Fails and What to Do About it”), so payment participants must use a layered fraud detection approach to reduce the chances of fraud. (See our 2011 research on “The Five Layers of Fraud Prevention, and Using them to Beat Malware”.)

The originating banks are not custodians of the centralized payment applications, like SWIFT today and Real Time ACH payments in the U.S. in the future.  They must rely on the payment processors who move requested payments from Point A to Point B to institute layered fraud detection that looks for anomalies in payment requests and destination accounts.

For example, using gesture analytics that measure user gestures, keystrokes and mouse movements has helped major global banks identify criminals trying to hijack legitimate customer accounts. Combined with other layered fraud detection measures, this passive biometric measure, offered by vendors like BioCatch, NuData Security and BehavioSec, would likely have been instrumental in stopping the SWIFT hackers.
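The origination-side control (dual authorization) and the anomaly checks on payment requests and destination accounts discussed above can be combined into one automated pre-release gate, which matters because irrevocable payments leave no time for manual review. This is an added example, not code from the post or from any vendor it names; the field names, decision labels, threshold and sample history are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from statistics import median

@dataclass
class PaymentRequest:
    originator: str                 # account the funds leave
    destination: str                # beneficiary account
    amount: float
    initiated_by: str               # authenticated user who keyed the request
    approved_by: set = field(default_factory=set)  # authenticated approvers

def screen(req, history, amount_factor=5.0):
    """Decide 'release', 'hold' or 'reject' before an irrevocable payment leaves.

    history: (destination, amount) pairs this originator sent previously.
    """
    reasons = []
    # Dual authorization: someone other than the initiator must approve.
    if not (req.approved_by - {req.initiated_by}):
        reasons.append("dual-authorization-missing")
    # Destination anomaly: beneficiary never paid by this originator.
    if req.destination not in {dest for dest, _ in history}:
        reasons.append("new-destination")
    # Request anomaly: amount far above the originator's typical payment.
    amounts = [amt for _, amt in history]
    if amounts and req.amount > amount_factor * median(amounts):
        reasons.append("amount-outlier")

    if "dual-authorization-missing" in reasons:
        return "reject", reasons
    if {"new-destination", "amount-outlier"} <= set(reasons):
        return "hold", reasons      # layered signals agree: stop before release
    return "release", reasons       # single signals are returned for logging

# Constructed sample data (hypothetical accounts and users, not from the post).
HISTORY = [("SUP-1", 1200.0), ("SUP-2", 900.0), ("SUP-1", 1500.0), ("SUP-3", 1100.0)]

def demo():
    routine = PaymentRequest("ACME-001", "SUP-1", 1300.0, "alice", {"bob"})
    self_approved = PaymentRequest("ACME-001", "NEW-9", 48000.0, "alice", {"alice"})
    anomalous = PaymentRequest("ACME-001", "NEW-9", 48000.0, "alice", {"bob"})
    return [screen(r, HISTORY) for r in (routine, self_approved, anomalous)]

if __name__ == "__main__":
    for decision, reasons in demo():
        print(decision, reasons)
```

A request approved only by its own initiator is rejected even when every other signal is clean, which reflects the point that authentication alone is not the last layer.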

  • Insider Threats are becoming a major issue for banks

While evidence is still inconclusive, it looks like insiders at the SWIFT user banks were instrumental in making the heist possible. Insiders are being actively recruited by criminals on Dark Web forums in order to give criminals detailed information on how their employers’ systems work.

Gartner clients tell us that disgruntled employees who wish to cause harm to their employer are becoming a major threat to their organizations. Now, with the advent of active criminal forums on the Dark Web, these disaffected employees have an easy way to sell their knowledge, services and employer data.  Gartner clients tell us that this theft of assets is a much bigger insider threat than is theft of money.  Indeed, Gartner has received many more calls on insider threats in the past year than it ever did before that.

We will soon publish research on best practices for detecting insider threats. In the meantime, we also plan to present on insider threat detection at the June Gartner Security Summit in Washington. We will be joined by a guest speaker, Richard Malewicz, CIO for Livingston County, Michigan, who will present a live case study on this subject as well.

 


Avivah Litan
VP Distinguished Analyst
12 years at Gartner
30 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Her area of expertise includes financial fraud, authentication, access management, identity proofing, identity theft, fraud detection and prevention applications…


Thoughts on Fraud hits U.S. real time payments; SWIFT heists repeated?


  1. […] where money-moving systems are concerned, especially with real-time transactions, Gartner analyst Avivah Litan says in a […]

  2. […] for Avivah Litan, at Gartner, it seems necessary to go even further. The analyst notes that […]

  3. […] who recently blogged about the lessons the SWIFT-related heists should teach U.S. banks about authentication weaknesses […]

  4. […] the customer’s responsible for and what the banks are responsible for,” says Litan, who blogged about the lessons the SWIFT-related heists should teach U.S. banks about authentication weaknesses […]


  6. Anat Hovav, PhD says:

    What is so pathetic about this story/blog is that we in academia started talking about the “insiders’ problem” almost 15 years ago (I myself published several papers on the topic starting 2003). Yet, industry ignored us, as they think that academicians no nothing about the real world. And now suddenly all these supposedly smart people get together to pat themselves on the back for identifying a problem we have known, researched and written about for a while.

    Maybe rather than a CIO with a narrow view of things, Gartner should involve academia, which has a much more holistic view of the problem.

  7. Anat Hovav, PhD says:

    *know


  10. Syed Amir says:

    The whole story looks like marketing stuff. The SWIFT system lacks basic controls. The system does not have a built-in two-factor authentication mechanism. The system does not have a basic fraud detection mechanism like stopping suspicious transactions…

  11. Ralf says:

    Hey there and thank you for your information – I have certainly picked up something new from right here. I did however expertise a few technical points using this site, as I experienced to reload the web site many times previous to I could get it to load correctly. I had been wondering if your hosting is OK? Not that I’m complaining, but slow loading instances times will very frequently affect your placement in google and could damage your quality score if ads and marketing with Adwords. Anyway I’m adding this RSS to my email and can look out for a lot more of your respective exciting content. Ensure that you update this again very soon.

  12. […] While evidence is still inconclusive, it looks like insiders at the SWIFT user banks were instrumental in making the heist possible. Insiders are being actively recruited by criminals on Dark Web forums in order to give criminals detailed information on how their employers’ systems work, (via Gartner). […]


