In a little-noticed event, U.S. banks started originating real time ACH payments as part of a widespread U.S. move to real time banking payments that should be largely in place by the end of this year. (For more information, refer to the NACHA, The Clearing House, and Federal Reserve Faster Payments websites.)
But is the U.S. really ready for Faster Payments? The recent news on the SWIFT Heists strongly suggests the answer is NO. According to industry sources, a few banks started opening their faster payment systems up to their customers, but adoption was slow – except among the criminals!
Mary Ann Miller, a payments expert and an executive fraud advisor working for Nice Actimize, a fraud detection vendor, finds that about 20% to as much as 50% of faster payment requests on an average day can be fraudulent attempts. That’s a staggering rate, especially when you consider that normal confirmed fraud rates are well below a half percent. Interestingly, adoption by customers has been slow but fraudsters proved they are ready to pounce on the new real time rails.
Irrevocable real time payments are fraught with risk. There is no time for bankers’ fraud staff to manually review transactions, and there is no time to retrieve a fraudulent payment on its way to an unknown bank account far from the reach of U.S. banks and authorities.
Lessons from the SWIFT Heist
Before it is too late, U.S. banks and processors should take a hard look at their internal processes and fraud detection systems so that they too don’t fall prey to scams like the ones we saw executed against the SWIFT payment system. What did we learn from that?
- Stopping fraud is a collective responsibility between the banks and the processors.
Banks that originate payment requests must do their part to strongly authenticate users who access the payment system, and must put in place control processes – such as dual authorization – to help ensure only authenticated and authorized users are able to request payments.
But all of us should know by now that strong authentication and authorization processes have their limitations. Smart, knowledgeable criminals have been beating these measures for years (see our 2012 research “When Strong Authentication Fails and What to Do About it”), so payment participants must use a layered fraud detection approach to reduce the chances of fraud. (See our 2011 research on “The Five Layers of Fraud Prevention, and Using them to Beat Malware”.)
The originating banks are not custodians of the centralized payment applications, like SWIFT today and Real Time ACH payments in the U.S. in the future. They must rely on the payment processors who move requested payments from Point A to Point B to institute layered fraud detection that looks for anomalies in payment requests and destination accounts.
For example, using gesture analytics that measure user gestures, keystrokes and mouse movements has helped major global banks identify criminals trying to hijack legitimate customer accounts. Combined with other layered fraud detection measures, this passive biometric measure offered by vendors like BioCatch, NuData Security and BehavioSec would likely have been instrumental in stopping the SWIFT hackers.
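The layering described above (strong authentication, dual authorization, then anomaly checks on the payment request and the destination account) can be expressed as a decision taken before an irrevocable payment is released. This is an added example, not code from Gartner or from any vendor named here; the field names, the constructed sample data and the 5x-median amount threshold are assumptions.

```python
from dataclasses import dataclass
from statistics import median
from typing import Optional

AMOUNT_MULTIPLE = 5  # assumed threshold: flag amounts over 5x the account's median

@dataclass
class PaymentRequest:
    origin_account: str
    dest_account: str
    amount: float
    requested_by: str
    approved_by: Optional[str]    # second authorizer, None if absent
    strongly_authenticated: bool  # outcome of the originating bank's login step

def evaluate(req, history):
    """Return (decision, reasons); decision is 'release', 'hold' or 'block'.

    history maps origin account -> list of (dest_account, amount) already paid.
    """
    hard, soft = [], []
    # Layer 1: user authentication at the originating bank.
    if not req.strongly_authenticated:
        hard.append("requester not strongly authenticated")
    # Layer 2: dual authorization by a second, different user.
    if req.approved_by is None:
        hard.append("no second authorizer")
    elif req.approved_by == req.requested_by:
        hard.append("requester approved own payment")
    # Layer 3: anomalies in the request and in the destination account.
    past = history.get(req.origin_account, [])
    if req.dest_account not in {dest for dest, _ in past}:
        soft.append("destination account never paid before")
    if past and req.amount > AMOUNT_MULTIPLE * median(a for _, a in past):
        soft.append("amount far above the account's usual payments")
    if hard:
        return "block", hard + soft
    # Payments are irrevocable, so an anomaly holds the payment before release.
    return ("hold", soft) if soft else ("release", [])

# Constructed sample data, not taken from any real payment system.
HISTORY = {"ACME-OPS": [("SUPPLIER-1", 1200.0), ("SUPPLIER-2", 900.0),
                        ("SUPPLIER-1", 1500.0)]}
REQUESTS = [
    PaymentRequest("ACME-OPS", "SUPPLIER-1", 1300.0, "alice", "bob", True),
    PaymentRequest("ACME-OPS", "UNKNOWN-99", 48000.0, "alice", "bob", True),
    PaymentRequest("ACME-OPS", "UNKNOWN-99", 48000.0, "alice", "alice", True),
]

if __name__ == "__main__":
    for r in REQUESTS:
        print(r.dest_account, r.amount, *evaluate(r, HISTORY))
```

The second request passes authentication and dual authorization and is still held, which is the case the layered approach exists for: valid credentials used for an unusual payment.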
- Insider Threats are becoming a major issue for banks
While evidence is still inconclusive, it looks like insiders at the SWIFT user banks were instrumental in making the heist possible. Insiders are being actively recruited by criminals on Dark Web forums in order to give criminals detailed information on how their employers’ systems work.
Gartner clients tell us that disgruntled employees who wish to cause harm to their employer are becoming a major threat to their organizations. Now, with the advent of active criminal forums on the Dark Web, these disaffected employees have an easy way to sell their knowledge, services and employer data. Gartner clients tell us that this theft of assets is a much bigger insider threat than is theft of money. Indeed, Gartner has received many more calls on insider threats in the past year than it ever did before that.
We are soon publishing some research on best practices for detecting insider threats. In the meantime, we also plan to present on insider threat detection at the June Gartner Security Summit in Washington. We will be joined by a guest speaker, Richard Malewicz, CIO for Livingston County, Michigan, who will present a live case study on this subject as well.