#RSAC
SESSION ID: FLE-R03
Bank Heists and Hacks: Protecting Money Movement in a Cyber-Fraud Strategy
Richard Tsai
Sr. Product Manager, Fraud & Authentication Management
NICE Actimize
WE STOP BAD PEOPLE FROM DOING BAD THINGS
BY FINDING UNUSUAL BEHAVIOR EARLIER & FASTER
Agenda
Concerns raised by SWIFT attacks
SWIFT security requirements
Fraud: Bolstering a cyber plan … and more
Educate + Learn = Apply
• Identify whether you have fraud detection gaps in context of cyber plan
• How to implement fraud monitoring
• The role of fraud detection in SWIFT security requirements
• What fraud detection should look for
• Concerns raised by SWIFT attacks
• Bolster your cyber controls with fraud detection controls
Bangladesh Bank Heist – Summary of Transactions
Source: www.ft.com
Stages: SWIFT Network, Federal Reserve Bank, Intermediary Banks, Beneficiary, Losses
• SWIFT Network: 35 orders worth 951 million USD placed
• Federal Reserve Bank: 30 orders blocked, 5 orders executed
• Intermediary Banks: 4 orders worth 81 million USD (RCBC, a bank in the Philippines); 1 order worth 20 million USD (via Pan Asia Banking Corporation)
• Beneficiary: Bloomberry Resorts (Casino) (shown twice), Eastern Hawaii Leisure Company (Casino), Sri Lankan NGO
• Losses: 29 million USD, 31 million USD, 21 million USD
• Recovered: 15m USD
Lessons Learned Since Bangladesh
Since the Bangladesh Bank hit in February 2016, Actimize has been contacted by many FIs seeking a new kind of fraud coverage for unique challenges.
• Complicated ecosystem leads to vulnerabilities: FIs have a complicated web of applications that connect to the SWIFT interfaces. Creating a cyber-fraud plan requires inventory and assessment.
• FIs must work with SWIFT for coverage: FIs want to combine their coverage with SWIFT network alerts.
• Payment analytics as a key line of defense: Even when cyber controls fail, payment analytics can detect anomalies which indicate an attack. FIs need a layered cyber-fraud approach.
• Many institutions lack SWIFT fraud strategy: FIs often don’t have fraud controls or strategy in place for SWIFT interfaces and transactions.
SWIFT: A Call to Action
Customer Security Programme (CSP)
Security Controls Framework describes a set of mandatory and advisory security controls
What we’ve seen from SWIFT environment assessments
Channel vs. Gateway Protection
High Level Message Flow (diagram): Global Trade
Stages: Intake Channel, Transaction Application, Middleware, SWIFT Access, SWIFT Network
Components: Eximbills Client Server, Eximbills AS400, Trade SWIFT Message Manager*, SWIFT Alliance
Inherent Risk: High
High Level Message Flow (diagram)
Stages: Intake Channel, Transaction Application, SWIFT Access, SWIFT Network
Components: Cash management portal, NSP / CopeStar, SWIFT Alliance
Inherent Risk: High
Channel - Customer Initiated
• Customer Payments: Focus on wire transfers typically associated with MT 100 and 200 series messages. Provides fraud risk scoring on single customer and multi-customer payments.
• Payment Lifecycle Monitoring: Scoring each “version” of the payment allows earlier detection of anomalies, better understanding of investigated incidents and quicker resolution.
• Dedicated Models for High Value Fraud: Detecting suspicious outgoing transfers of high amounts, among large volumes of high amounts.
• Channel System Integration: Integration with any channel application with analytics leveraging monetary, customer reference and channel data.
Gateway - SWIFT Monitoring
• SWIFT Network: Covers messages sent and received on the SWIFT network, with a focus on MT 100 & 200 messages. Coverage for treasury services activities including foreign exchange, securities transactions, commodities market.
• Client and non-client monitoring: Monitors traffic for any type of client (consumer, private wealth, small business, commercial, FI, non-banking FIs, etc.)
• Correspondent monitoring: Provides fraud risk scoring on money-movement related to MT 200s, which are sent by the ordering institution or through correspondents, and for which the ordering customer is not a customer of the FI.
• High Value Transactions: Detects suspicious outgoing transfers of high amounts, among large volumes of high amounts.
Fraud Detection Analytics
Real-time fraud management for money-movement
Monitoring Payments and Transfers
Message Type | Description
MT 0xx | System Messages
MT 1xx | Customer Payments and Cheques
MT 2xx | Financial Institution Transfers
MT 3xx | Treasury Markets
MT 4xx | Collection and Cash Letters
MT 5xx | Securities Markets
MT 6xx | Treasury Markets - Metals and Syndications
MT 7xx | Documentary Credits and Guarantees
MT 8xx | Travellers Cheques
MT 9xx | Cash Management and Customer Status
What is a Predictive Model?
What is a Model?
• A model is a mathematical calculation of risk
• An algorithm combines calculations of risk to create a better outcome
• Developing a model is both a science and an art
• A predictive model enables fraud risk monitoring in real-time
Machine-learning
• Supervised & Unsupervised learning
• Data-driven
Expert Knowledge
• Scenario based
• Supervised learning
Model Features
• Statistical calculations
• Elements of risk
SWIFT Profiles ― Length and Strength of Relationships
Profile FIs on the Network; Profile FI Relationships
Entities: Ordering Customer, Sender, Correspondent, Beneficiary, Receiver
Geography - Transaction - Historic Relationship - Time Period - High Focus Entities
Profile Aggregations ― Length and Strength of Relationships
Track many measurements, for example
• Date of first payment
• Date of last (most recent) payment
• Count of payments
• Average number of payments
• Standard deviation of payments
• Sum of payment amounts
• Average of payment amounts
• Standard deviation of payment amounts
• Maximum payment amount
• Minimum payment amount
Time periods
• Per day, week, month, quarter, year
• Hour of day
• Day of week
• etc.
Entities
• Ordering customer
• Sender
• Intermediary
• Receiver
• Beneficiary
• Source system
Predictive Features - sample
Customer, Monetary, Location, Beneficiary, Lists
1 Time
2 Ratio
3 Frequency
4 Velocity
5 Magnitude
6 Context
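The profile aggregations and predictive features listed above can be illustrated with a small added example (not code from the presentation or from any vendor product). It keeps running aggregates per sender/beneficiary relationship and derives relationship-length, time and magnitude features for a pending payment. The class and function names, the identifiers and the payment history are constructed for illustration.

```python
from datetime import date
from math import sqrt

class Profile:
    """Running aggregates for one (sender, beneficiary) relationship."""
    def __init__(self):
        self.first = self.last = None      # date of first / most recent payment
        self.count, self.total, self.sq_total = 0, 0.0, 0.0
        self.max_amt, self.min_amt = 0.0, float("inf")

    def update(self, day, amount):
        self.first = day if self.first is None else min(self.first, day)
        self.last = day if self.last is None else max(self.last, day)
        self.count += 1
        self.total += amount
        self.sq_total += amount * amount
        self.max_amt = max(self.max_amt, amount)
        self.min_amt = min(self.min_amt, amount)

    def mean(self):
        return self.total / self.count

    def std(self):
        # Sample standard deviation; 0.0 until there are two payments.
        if self.count < 2:
            return 0.0
        var = (self.sq_total - self.count * self.mean() ** 2) / (self.count - 1)
        return sqrt(max(var, 0.0))

def build_profiles(payments):
    profiles = {}
    for day, sender, beneficiary, amount in payments:
        profiles.setdefault((sender, beneficiary), Profile()).update(day, amount)
    return profiles

def features(profiles, day, sender, beneficiary, amount):
    """Score a pending payment against the relationship's history."""
    p = profiles.get((sender, beneficiary))
    if p is None:  # no history at all: relationship length is zero
        return {"new_relationship": True, "magnitude_z": None, "days_since_last": None}
    z = (amount - p.mean()) / p.std() if p.std() else None
    return {"new_relationship": False, "magnitude_z": z,
            "days_since_last": (day - p.last).days}

# Constructed sample history: (date, sender, beneficiary, amount in USD)
HISTORY = [(date(2016, 1, 4), "SENDER-A", "BENEF-1", 10000.0),
           (date(2016, 1, 11), "SENDER-A", "BENEF-1", 12000.0),
           (date(2016, 1, 18), "SENDER-A", "BENEF-1", 11000.0),
           (date(2016, 1, 25), "SENDER-A", "BENEF-1", 9000.0)]
PROFILES = build_profiles(HISTORY)
```

Calling `features(PROFILES, date(2016, 2, 4), "SENDER-A", "BENEF-1", 500000.0)` yields a magnitude z-score in the hundreds, while the same amount to an unseen beneficiary is flagged as a new relationship instead.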
Creating an Intelligent Feedback Loop
Fraud and Cyber Controls Inform Each Other
• Cyber Controls: Cyber controls produce alerts that must be fed into a fraud management hub and used in real-time detection models.
• Fraud Monitoring: Payment-level analytics spot anomalies indicative of fraud – and attack. These alerts must be utilized to inform cyber teams.
Summary
Concerns raised by SWIFT attacks
SWIFT security requirements
Fraud: Bolstering a cyber plan … and more
Apply What You Have Learned Today
Next week you should:
• Identify the systems that connect to the SWIFT network
In the first three months following this presentation you should:
• Assess the risks of the identified systems and user access
• Assess whether you have appropriate fraud controls for wire origination & SWIFT money-movement
Within six months you should:
• Have already self-attested your compliance to the SWIFT CSP
• Begin process to add fraud detection to SWIFT money movement
Richard Tsai, Sr. Product Manager, Fraud & Authentication Management
Thank You