Fraud hits U.S. real time payments; SWIFT heists repeated?

By Avivah Litan | May 19, 2016

In a little-noticed event, U.S. banks started originating real-time ACH payments as part of a widespread U.S. move to real-time banking payments that should be largely in place by the end of this year. (For more information, refer to the NACHA, The Clearing House, and Federal Reserve Faster Payments websites.)

But is the U.S. really ready for Faster Payments? The recent news on the SWIFT Heists strongly suggests the answer is NO. According to industry sources, a few banks started opening their faster payment systems up to their customers, but adoption was slow – except among the criminals!

Mary Ann Miller, a payments expert and an executive fraud advisor working for Nice Actimize, a fraud detection vendor, finds that about 20% to as much as 50% of faster payment requests on an average day can be fraudulent attempts. That’s a staggering rate, especially when you consider that normal confirmed fraud rates are well below a half percent. Interestingly, adoption by customers has been slow, but fraudsters have proved they are ready to pounce on the new real-time rails.

Irrevocable real-time payments are fraught with risk. There is no time for bankers’ fraud staff to manually review transactions, and there is no time to retrieve a fraudulent payment on its way to an unknown bank account far from the reach of U.S. banks and authorities.

Lessons from the SWIFT Heist

Before it is too late, U.S. banks and processors should take a hard look at their internal processes and fraud detection systems so that they too don’t fall prey to scams such as those we saw executed against the SWIFT payment system. What did we learn from that?

  • Stopping fraud is a collective responsibility between the banks and the processors.

Banks that originate payment requests must do their part to strongly authenticate users who access the payment system, and must put in place control processes – such as dual authorization – to help ensure only authenticated and authorized users are able to request payments.

But all of us should know by now that strong authentication and authorization processes have their limitations. Smart, knowledgeable criminals have been beating these measures for years (see our 2012 research “When Strong Authentication Fails and What to Do About it”), so payment participants must use a layered fraud detection approach to reduce the chances of fraud. (See our 2011 research on “The Five Layers of Fraud Prevention, and Using them to Beat Malware”.)

The originating banks are not custodians of the centralized payment applications, like SWIFT today and Real Time ACH payments in the U.S. in the future.  They must rely on the payment processors who move requested payments from Point A to Point B to institute layered fraud detection that looks for anomalies in payment requests and destination accounts.

For example, gesture analytics that measure user gestures, keystrokes and mouse movements have helped major global banks identify criminals trying to hijack legitimate customer accounts. Combined with other layered fraud detection measures, this passive biometric measure, offered by vendors like BioCatch, NuData Security and BehavioSec, would likely have been instrumental in stopping the SWIFT hackers.

  • Insider Threats are becoming a major issue for banks

While evidence is still inconclusive, it looks like insiders at the SWIFT user banks were instrumental in making the heist possible. Insiders are being actively recruited by criminals on Dark Web forums in order to give criminals detailed information on how their employers’ systems work.

Gartner clients tell us that disgruntled employees who wish to cause harm to their employer are becoming a major threat to their organizations. Now, with the advent of active criminal forums on the Dark Web, these disaffected employees have an easy way to sell their knowledge, services and employer data. Gartner clients tell us that this theft of assets is a much bigger insider threat than is theft of money. Indeed, Gartner has received many more calls on insider threats in the past year than it ever did before that.

We are soon publishing some research on best practices for detecting insider threats. In the meantime, we also plan to present on insider threat detection at the June Gartner Security Summit in Washington. We will be joined by a guest speaker, Richard Malewicz, CIO for Livingston County, Michigan, who will present a live case study on this subject as well.




  • Anat Hovav, PhD says:

    What is so pathetic about this story/blog is that we in academia started talking about the “insiders’ problem” almost 15 years ago (I myself published several papers on the topic starting 2003). Yet, industry ignored us, as they think that academicians know nothing about the real world. And now suddenly all these supposedly smart people get together to pat themselves on the back for identifying a problem we have known, researched and written about for a while.

    Maybe rather than a CIO with a narrow view of things, Gartner should involve academia, which has a much more holistic view of the problem.

  • Syed Amir says:

    The whole story looks like marketing stuff. The SWIFT system lacks basic controls. The system does not have a built-in two-factor authentication mechanism. The system does not have a basic fraud detection mechanism like stopping suspicious transactions…
