Anomaly detection in new SWIFT antifraud reports may fall short

The SWIFT messaging system aims to improve the security of supported banks with new antifraud reports, but experts are unsure how useful the anomaly detection will be.

The SWIFT messaging system for banks has been working on improving security after some high-profile thefts, with the newest attempt in the form of antifraud reports to be offered to supported banks. However, experts said this move could be more about shifting responsibility for fraud back to the banks.

SWIFT said the Daily Validation Reports should "supplement customers' existing fraud controls," and provide a summary of transactions to better allow banks to verify activity and identify potential fraud. The Daily Validation Reports will include Activity Reports, which will show aggregate daily activity on the SWIFT messaging system, and Risk Reports, which will show a "review of large or unusual payment flows and new combinations of payment parties."

Stephen Gilderdale, head of SWIFT's Customer Security Programme, said this should disrupt attackers from "concealing their fraudulent messaging activity on customers' local systems."

"Smaller institutions, in particular, are currently dependent on the accuracy of the data on their own systems, but in the event of a security breach, their locally stored payment and reconciliation data may be altered or unavailable," Gilderdale wrote in a statement. "Daily Validation Reports will provide a reliable and independent source of information, providing such institutions with an activity lens to help them quickly detect fraud -- whether perpetrated by external attackers or by malicious insiders."

Eldon Sprickerhoff, founder and chief security strategist for eSentire Inc., based in Cambridge, Ont., said this may only create more work for the SWIFT member banks that choose to use the service.

"It's difficult to determine how effective the tool will be for daily transactions that usually number in the hundreds or more," Sprickerhoff said. "Unfortunately, this tool will make more work for banks [that] use it because of the sheer time and resources required to manage, monitor and action the reports, which may lack automated alerting capabilities."

Rajiv Dholakia, vice president of products at Nok Nok Labs Inc., based in Palo Alto, Calif., said the reports aim to fix the wrong problem: "The assumption that local banks are able to maintain secure networks that can prevent intrusions is a fallacy."

"The root of the SWIFT problems points to lost, stolen or hijacked credentials that are being used to authorize transactions," Dholakia told SearchSecurity. "Until SWIFT is able to implement stronger authentication measures to authorize and monitor transactions, measures like reporting or monitoring and slowing transactions simply put the burden back on the banks."

SWIFT said the new antifraud reports will be introduced in December 2016. The reports will be voluntary, and they will come with a service charge, but details of the fees involved have not been decided.

Avivah Litan, vice president and distinguished analyst at Gartner, said it makes sense to create a voluntary system if there is a cost to participate, but questioned the cost to SWIFT and the value of the service.

"SWIFT should provide these simple validation reports for free, or for a small fee. They are likely very easy to produce, and once automated and set up for distribution, the cost to SWIFT should be nominal," Litan told SearchSecurity. "A more intelligent service -- for example, one that did anomaly detection -- would be more effective, as it would highlight the exceptions that needed to be investigated instead of simply reporting on all transactions. That type of report would command and deserve a higher subscription fee."

Litan said simply notifying SWIFT messaging member banks of large transfers won't be much help because "crooks know how to stay under the radar of these types of rule-based flags. They would find out what the threshold is for such a flag in no time."

The SWIFT announcement stated the reports could assist banks in detecting "unusual payment flows" and "new combinations of payment parties," but it does not say how "unusual" is determined, so it is unclear whether this amounts to fixed thresholds and lookups against previously seen counterparties or to genuine anomaly detection against a behavioural baseline.
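To make the distinction concrete, the following is an added example, not SWIFT's code or the actual logic of the Daily Validation Reports. It runs three checks over one constructed day of payment records: a fixed large-amount flag, a "new combination of payment parties" lookup against a baseline of previously seen sender/beneficiary pairs, and an aggregate check that sums same-day flows per pair. The last one is the minimum needed to catch the structuring Litan alludes to, a series of transfers each kept just under a known threshold. The record layout, field names, BIC-like identifiers, thresholds and all records are assumptions made for illustration.

```python
"""Toy daily validation of payment records (constructed example, not SWIFT's).

Checks over one day of constructed payment records:
  1. activity summary: count and total per sending institution,
  2. rule-based flag: any single payment at or above a fixed threshold,
  3. new (sender, beneficiary) combinations versus a historical baseline,
  4. aggregate flag: same-day totals per pair that reach the threshold even
     though every individual payment stayed below it.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Payment:
    ref: str          # sender's reference (assumed field name)
    date: str         # value date, YYYY-MM-DD
    sender: str       # ordering institution (constructed identifier, not a real BIC)
    beneficiary: str  # beneficiary account (constructed identifier)
    amount: int       # whole currency units; integers, never floats, for money


LARGE_THRESHOLD = 1_000_000  # assumed per-payment flag threshold

# Historical (sender, beneficiary) pairs seen before today: constructed baseline.
BASELINE_PAIRS = {
    ("BANKAAXX", "CORP-0001"),
    ("BANKAAXX", "CORP-0002"),
}

# Constructed records for one day. CORP-0001 is a known counterparty paid a
# routine amount; NEWCO-77 has never been paid before; CORP-0002 receives four
# payments of 400,000 that each stay under LARGE_THRESHOLD but sum to 1,600,000.
TODAY = [
    Payment("R1", "2016-12-01", "BANKAAXX", "CORP-0001", 250_000),
    Payment("R2", "2016-12-01", "BANKAAXX", "NEWCO-77", 1_500_000),
    Payment("R3", "2016-12-01", "BANKAAXX", "CORP-0002", 400_000),
    Payment("R4", "2016-12-01", "BANKAAXX", "CORP-0002", 400_000),
    Payment("R5", "2016-12-01", "BANKAAXX", "CORP-0002", 400_000),
    Payment("R6", "2016-12-01", "BANKAAXX", "CORP-0002", 400_000),
]


def activity_summary(payments):
    """Activity-report style summary: (count, total amount) per sender."""
    counts = defaultdict(int)
    totals = defaultdict(int)
    for p in payments:
        counts[p.sender] += 1
        totals[p.sender] += p.amount
    return {s: (counts[s], totals[s]) for s in counts}


def large_payments(payments, threshold=LARGE_THRESHOLD):
    """Rule-based flag: references of single payments at or above the threshold."""
    return [p.ref for p in payments if p.amount >= threshold]


def new_party_combinations(payments, baseline=BASELINE_PAIRS):
    """Flag (sender, beneficiary) pairs absent from the historical baseline."""
    return sorted({(p.sender, p.beneficiary) for p in payments} - set(baseline))


def aggregated_over_threshold(payments, threshold=LARGE_THRESHOLD):
    """Sum same-day flows per (date, sender, beneficiary) and flag pairs whose
    total reaches the threshold while no single payment did. Pairs already
    caught by large_payments() are left out so each case surfaces once."""
    totals = defaultdict(int)
    largest = defaultdict(int)
    refs = defaultdict(list)
    for p in payments:
        key = (p.date, p.sender, p.beneficiary)
        totals[key] += p.amount
        largest[key] = max(largest[key], p.amount)
        refs[key].append(p.ref)
    return {
        key: (totals[key], refs[key])
        for key in totals
        if totals[key] >= threshold and largest[key] < threshold
    }


def daily_risk_report(payments):
    """Bundle the checks into one report-like dict for a day's records."""
    return {
        "activity": activity_summary(payments),
        "large": large_payments(payments),
        "new_pairs": new_party_combinations(payments),
        "aggregated": aggregated_over_threshold(payments),
    }


if __name__ == "__main__":
    for name, result in daily_risk_report(TODAY).items():
        print(f"{name}: {result}")
```

Only the aggregate check catches the four 400,000 payments to CORP-0002; the per-payment threshold flags R2 alone, which is exactly the gap Litan describes, and the aggregate check still depends on a fixed number an attacker can probe for. Both checks are also only worth anything if the records they run over come from a source the attacker cannot alter, which is the point Gilderdale makes about locally stored reconciliation data.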

Sprickerhoff noted some other details missing from the announcement.

"There are some details that could be better defined for clients, such as how out-of-band access will be effected and whether the tool will be provided as part of SWIFT's core service offering," Sprickerhoff said. "It also doesn't clearly resolve any of the nonrepudiation problems raised through the breach cases that prompted the development of this tool in the first place."

The Daily Validation Reports follow other recent efforts to shore up the security of the SWIFT messaging system. Last month, SWIFT launched a campaign to raise awareness of its relationship management application and how the RMA can be used as the "first line of defense" against unwanted and potentially fraudulent message flows. The campaign also promoted the use of two-factor authentication in SWIFT products.
