FLE-R03 Bank Heists and Hacks: Protecting Money Movement in a Cyber … · 2017-07-27

Bank Heists and Hacks: Protecting Money Movement in a Cyber-Fraud Strategy

Session ID: FLE-R03

Richard Tsai, Sr. Product Manager, Fraud & Authentication Management, NICE Actimize


WE STOP BAD PEOPLE FROM DOING BAD THINGS

BY FINDING UNUSUAL BEHAVIOR EARLIER & FASTER


Agenda

Concerns raised by SWIFT attacks

SWIFT security requirements

Fraud: Bolstering a cyber plan … and more


Educate + Learn = Apply

• Identify whether you have fraud detection gaps in context of cyber plan

• How to implement fraud monitoring

• The role of fraud detection in SWIFT security requirements

• What fraud detection should look for

• Concerns raised by SWIFT attacks

• Bolster your cyber controls with fraud detection controls


Bangladesh Bank Heist – Summary of Transactions

Source: www.ft.com

[Figure: flow of the fraudulent orders across five stages: SWIFT Network, Federal Reserve Bank, Intermediary Banks, Beneficiary, Losses]

• SWIFT Network: 35 orders worth 951 million USD placed

• Federal Reserve Bank: 30 orders blocked, 5 orders executed

• Intermediary Banks: 4 orders worth 81 million USD (RCBC, a bank in the Philippines); 1 order worth 20 million USD (via Pan Asia Banking Corporation)

• Beneficiary: Bloomberry Resorts (Casino), shown twice; Eastern Hawaii Leisure Company (Casino); Sri Lankan NGO

• Losses: 29 million USD; 31 million USD; 21 million USD; Recovered; 15m USD Recovered

Lessons Learned Since Bangladesh

Since the Bangladesh Bank hit in February 2016, Actimize has been contacted by many FIs seeking a new kind of fraud coverage for unique challenges.

• Complicated ecosystem leads to vulnerabilities: FIs have a complicated web of applications that connect to the SWIFT interfaces. Creating a cyber-fraud plan requires inventory and assessment.

• FIs must work with SWIFT for coverage: FIs want to combine their coverage with SWIFT network alerts.

• Payment analytics as a key line of defense: Even when cyber controls fail, payment analytics can detect anomalies which indicate an attack. FIs need a layered cyber-fraud approach.

• Many institutions lack SWIFT fraud strategy: FIs often don’t have fraud controls or strategy in place for SWIFT interfaces and transactions.

SWIFT: A Call to Action

Customer Security Programme (CSP)

Security Controls Framework describes a set of mandatory and advisory security controls

What we’ve seen from SWIFT environment assessments


Channel vs. Gateway Protection

[Figure: two diagrams, each titled "High Level Message Flow" and each marked "Inherent Risk: High", with protection points labelled G and C]

• Flow 1 (Global Trade). Column labels: Intake Channel, Transaction Application, Middleware, SWIFT Access, SWIFT Network. Components: Eximbills Client Server, Eximbills AS400, Trade SWIFT Message Manager*, SWIFT Alliance

• Flow 2. Column labels: Intake Channel, Transaction Application, SWIFT Access, SWIFT Network. Components: Cash management portal, NSP / CopeStar, SWIFT Alliance

Channel - Customer Initiated

• Customer Payments: Focus on wire transfers typically associated with MT 100 and 200 series messages. Provides fraud risk scoring on single customer and multi-customer payments.

• Payment Lifecycle Monitoring: Scoring each “version” of the payment allows earlier detection of anomalies, better understanding of investigated incidents and quicker resolution.

• Dedicated Models for High Value Fraud: Detecting suspicious outgoing transfers of high amounts, among large volumes of high amounts.

• Channel System Integration: Integration with any channel application with analytics leveraging monetary, customer reference and channel data.

Gateway - SWIFT Monitoring

• SWIFT Network: Covers messages sent and received on the SWIFT network, with a focus on MT 100 & 200 messages. Coverage for treasury services activities including foreign exchange, securities transactions, commodities market.

• Client and non-client monitoring: Monitors traffic for any type of client (consumer, private wealth, small business, commercial, FI, non-banking FIs, etc.).

• Correspondent monitoring: Provides fraud risk scoring on money-movement related to MT 200s, which are sent by the ordering institution or through correspondents, and for which the ordering customer is not a customer of the FI.

• High Value Transactions: Detects suspicious outgoing transfers of high amounts, among large volumes of high amounts.

Fraud Detection Analytics

Real-time fraud management for money-movement

Monitoring Payments and Transfers

Message Type    Description
MT 0xx          System Messages
MT 1xx          Customer Payments and Cheques
MT 2xx          Financial Institution Transfers
MT 3xx          Treasury Markets
MT 4xx          Collection and Cash Letters
MT 5xx          Securities Markets
MT 6xx          Treasury Markets - Metals and Syndications
MT 7xx          Documentary Credits and Guarantees
MT 8xx          Travellers Cheques
MT 9xx          Cash Management and Customer Status

What is a Predictive Model?


What is a Model?

• A model is a mathematical calculation of risk

• An algorithm combines calculations of risk to create a better outcome

• Developing a model is both a science and an art

• A predictive model enables fraud risk monitoring in real-time

Machine-learning

• Supervised & Unsupervised learning

• Data-driven

Expert Knowledge

• Scenario based

• Supervised learning

Model Features

• Statistical calculations

• Elements of risk

SWIFT Profiles ― Length and Strength of Relationships

Profile FIs on the Network · Profile FI Relationships

Ordering Customer · Sender · Correspondent · Beneficiary · Receiver

Geography - Transaction - Historic Relationship - Time Period - High Focus Entities

Profile Aggregations ― Length and Strength of Relationships

Track many measurements, for example

• Date of first payment

• Date of last (most recent) payment

• Count of payments

• Average number of payments

• Standard deviation of payments

• Sum of payment amounts

• Average of payment amounts

• Standard deviation of payment amounts

• Maximum payment amounts

• Minimum payment amount

Time periods

• Per day, week, month, quarter, year

• Hour of day

• Day of week

• etc.

Entities

• Ordering customer

• Sender

• Intermediary

• Receiver

• Beneficiary

• Source system
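One way to maintain the profile aggregations listed above and compare a new payment against them, as an added example that is not from the original presentation or any vendor product. The sender and beneficiary names, the amounts, the 3-standard-deviation limit and the three checks are constructed assumptions.

```python
import math
from collections import defaultdict
from datetime import datetime

class Profile:
    """Running aggregates for one relationship, e.g. (sender, beneficiary)."""
    def __init__(self):
        self.first = self.last = None          # dates of first / most recent payment
        self.count, self.total = 0, 0.0        # count and sum of payment amounts
        self.mean = self.m2 = 0.0              # Welford accumulators (average, std dev)
        self.min, self.max = math.inf, -math.inf
        self.hours = defaultdict(int)          # hour-of-day histogram

    def update(self, ts, amount):
        self.first, self.last = self.first or ts, ts
        self.count += 1
        self.total += amount
        delta = amount - self.mean
        self.mean += delta / self.count
        self.m2 += delta * (amount - self.mean)
        self.min, self.max = min(self.min, amount), max(self.max, amount)
        self.hours[ts.hour] += 1

    def std(self):
        return math.sqrt(self.m2 / (self.count - 1)) if self.count > 1 else 0.0

def anomalies(profile, ts, amount, z_limit=3.0):
    """Reasons a new payment deviates from the relationship's history."""
    if profile.count == 0:
        return ["no prior relationship"]
    reasons = []
    if profile.std() > 0 and (amount - profile.mean) / profile.std() > z_limit:
        reasons.append("amount far above average")
    if amount > profile.max:
        reasons.append("exceeds historical maximum")
    if profile.hours.get(ts.hour, 0) == 0:
        reasons.append("unusual hour of day")
    return reasons

# Constructed history: (timestamp, sender, beneficiary, amount in USD)
HISTORY = [("2016-01-04T10:15", "SENDER-A", "BENEF-1", 1_000_000),
           ("2016-01-11T11:40", "SENDER-A", "BENEF-1", 1_200_000),
           ("2016-01-18T10:05", "SENDER-A", "BENEF-1", 900_000),
           ("2016-01-25T14:30", "SENDER-A", "BENEF-1", 1_100_000)]

def build_profiles(history):
    profiles = defaultdict(Profile)
    for ts, sender, benef, amount in history:
        profiles[(sender, benef)].update(datetime.fromisoformat(ts), amount)
    return profiles
```

The same `Profile` class can be keyed by any of the entities or time periods on the slide; only the dictionary key changes.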


Predictive Features - sample

Customer Monetary Location

Beneficiary Lists

1 Time

2 Ratio

3 Frequency

4 Velocity

5 Magnitude

6 Context


Creating an Intelligent Feedback Loop

Cyber Controls

Fraud Monitoring

Fraud and Cyber Controls Inform Each Other

Cyber controls produce alerts that must be fed into a fraud management hub and used in real-time detection models

Payment-level analytics spot anomalies indicative of fraud – and attack. These alerts must be utilized to inform cyber teams


Summary

Concerns raised by SWIFT attacks

SWIFT security requirements

Fraud: Bolstering a cyber plan … and more


Apply What You Have Learned Today

Next week you should:

• Identify the systems that connect to the SWIFT network

In the first three months following this presentation you should:

• Assess the risks of the identified systems and user access

• Assess whether you have appropriate fraud controls for wire origination & SWIFT money-movement

Within six months you should:

• Have already self-attested your compliance to the SWIFT CSP

• Begin process to add fraud detection to SWIFT money movement

Richard Tsai, Sr. Product Manager, Fraud & Authentication Management

Thank You