FLE-R03 Bank Heists and Hacks: Protecting Money Movement in a Cyber-Fraud Strategy · 2017-07-27
#RSAC
Bank Heists and Hacks: Protecting Money Movement in a Cyber-Fraud Strategy
SESSION ID: FLE-R03
Richard Tsai
Sr. Product Manager, Fraud & Authentication Management
NICE Actimize
WE STOP
BAD PEOPLE FROM DOING BAD THINGS
BY FINDING
UNUSUAL BEHAVIOR EARLIER & FASTER
Agenda
Concerns raised by SWIFT attacks
SWIFT security requirements
Fraud: Bolstering a cyber plan … and more
Agenda
Educate + Learn = Apply
• Identify whether you have fraud detection gaps in context of cyber plan
• How to implement fraud monitoring
• The role of fraud detection in SWIFT security requirements
• What fraud detection should look for
• Concerns raised by SWIFT attacks
• Bolster your cyber controls with fraud detection controls
Bangladesh Bank Heist – Summary of Transactions
Source: www.ft.com
[Diagram] Column headings: SWIFT Network, Federal Reserve Bank, Intermediary Banks, Beneficiary, Losses
• 35 orders worth 951 million USD placed
• 30 orders blocked
• 5 orders executed
• 4 orders worth 81 million USD (RCBC, a bank in the Philippines)
• 1 order worth 20 million USD (via Pan Asia Banking Corporation)
• Beneficiaries shown: Bloomberry Resorts (Casino), shown twice; Eastern Hawaii Leisure Company (Casino); Sri Lankan NGO
• Amounts shown: 29 million USD, 31 million USD, 21 million USD
• Recovered
• 15m USD Recovered
Lessons Learned Since Bangladesh
Since the Bangladesh Bank hit in February 2016, Actimize has been contacted by many FIs seeking a new kind of fraud coverage for unique challenges.
• Complicated ecosystem leads to vulnerabilities: FIs have a complicated web of applications that connect to the SWIFT interfaces. Creating a cyber-fraud plan requires inventory and assessment.
• FIs must work with SWIFT for coverage: FIs want to combine their coverage with SWIFT network alerts.
• Payment analytics as a key line of defense: Even when cyber controls fail, payment analytics can detect anomalies which indicate an attack. FIs need a layered cyber-fraud approach.
• Many institutions lack SWIFT fraud strategy: FIs often don’t have fraud controls or strategy in place for SWIFT interfaces and transactions.
SWIFT: A Call to Action
Customer Security Programme (CSP)
Security Controls Framework describes a set of mandatory and advisory security controls
What we’ve seen from SWIFT environment assessments
Channel vs. Gateway Protection
[Diagram 1] High Level Message Flow
Column headings: Intake Channel, Transaction Application, Middleware, SWIFT Access, SWIFT Network
Systems shown: Global Trade, Eximbills Client Server, Eximbills AS400, Trade SWIFT Message Manager*, SWIFT Alliance
Inherent Risk: High
[Diagram 2] High Level Message Flow
Column headings: Intake Channel, Transaction Application, SWIFT Access, SWIFT Network
Systems shown: Cash management portal, NSP / CopeStar, SWIFT Alliance
Inherent Risk: High
Markers on systems: G, C, C, C, C, C
Channel - Customer Initiated
• Customer Payments: Focus on wire transfers typically associated with MT 100 and 200 series messages. Provides fraud risk scoring on single customer and multi-customer payments
• Payment Lifecycle Monitoring: Scoring each “version” of the payment allows earlier detection of anomalies, better understanding of investigated incidents and quicker resolution
• Dedicated Models for High Value Fraud: Detecting suspicious outgoing transfers of high amounts, among large volumes of high amounts
• Channel System Integration: Integration with any channel application with analytics leveraging monetary, customer reference and channel data
Gateway - SWIFT Monitoring
• SWIFT Network: Covers messages sent and received on the SWIFT network, with a focus on MT 100 & 200 messages. Coverage for treasury services activities including foreign exchange, securities transactions, commodities market
• Client and non-client monitoring: Monitors traffic for any type of client (consumer, private wealth, small business, commercial, FI, non-banking FI’s, etc.)
• Correspondent monitoring: Provides fraud risk scoring on money-movement related to MT 200s, which are sent by the ordering institution or through correspondents, and for which the ordering customer is not a customer of the FI
• High Value Transactions: Detects suspicious outgoing transfers of high amounts, among large volumes of high amounts
Fraud Detection Analytics
Real-time fraud management for money-movement
Monitoring Payments and Transfers
| Message Type | Description |
|---|---|
| MT 0xx | System Messages |
| MT 1xx | Customer Payments and Cheques |
| MT 2xx | Financial Institution Transfers |
| MT 3xx | Treasury Markets |
| MT 4xx | Collection and Cash Letters |
| MT 5xx | Securities Markets |
| MT 6xx | Treasury Markets - Metals and Syndications |
| MT 7xx | Documentary Credits and Guarantees |
| MT 8xx | Travellers Cheques |
| MT 9xx | Cash Management and Customer Status |
What is a Predictive Model?
What is a Model?
• A model is a mathematical calculation of risk
• An algorithm combines calculations of risk to create a better outcome
• Developing a model is both a science and an art
• A predictive model enables fraud risk monitoring in real-time
Machine-learning
• Supervised & Unsupervised learning
• Data-driven
Expert Knowledge
• Scenario based
• Supervised learning
Model Features
• Statistical calculations
• Elements of risk
SWIFT Profiles ― Length and Strength of Relationships
Profile FIs on the Network
Profile FI Relationships
Ordering Customer - Sender - Correspondent - Receiver - Beneficiary
Geography - Transaction - Historic Relationship - Time Period - High Focus Entities
Profile Aggregations ― Length and Strength of Relationships
Track many measurements, for example
• Date of first payment
• Date of last (most recent) payment
• Count of payments
• Average number of payments
• Standard deviation of payments
• Sum of payment amounts
• Average of payment amounts
• Standard deviation of payment amounts
• Maximum payment amount
• Minimum payment amount
Time periods
• Per day, week, month, quarter, year
• Hour of day
• Day of week
• etc.
Entities
• Ordering customer
• Sender
• Intermediary
• Receiver
• Beneficiary
• Source system
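An added example, not part of the original slides: the profile aggregations listed above computed per ordering-customer/beneficiary relationship and then used to score a new payment. The sample payments, entity names, reason labels and thresholds (`z_limit`, `min_count`, the 180-day dormancy window) are constructed assumptions.

```python
from collections import defaultdict
from datetime import date
from statistics import mean, pstdev

# Constructed sample history: (value date, ordering customer, beneficiary, amount in USD).
HISTORY = [
    (date(2016, 1, 4), "CUST-A", "BENE-1", 120_000.0),
    (date(2016, 1, 11), "CUST-A", "BENE-1", 135_000.0),
    (date(2016, 1, 18), "CUST-A", "BENE-1", 110_000.0),
    (date(2016, 1, 25), "CUST-A", "BENE-1", 125_000.0),
    (date(2016, 1, 20), "CUST-A", "BENE-2", 40_000.0),
]

def build_profiles(payments):
    """Aggregate the slide's measurements per (ordering customer, beneficiary) pair."""
    grouped = defaultdict(list)
    for day, customer, beneficiary, amount in payments:
        grouped[(customer, beneficiary)].append((day, amount))
    profiles = {}
    for key, rows in grouped.items():
        amounts = [a for _, a in rows]
        profiles[key] = {
            "first": min(d for d, _ in rows), "last": max(d for d, _ in rows),
            "count": len(rows), "sum": sum(amounts),
            "avg": mean(amounts), "std": pstdev(amounts),
            "max": max(amounts), "min": min(amounts),
        }
    return profiles

def score_payment(profiles, day, customer, beneficiary, amount,
                  z_limit=3.0, min_count=3, dormant_days=180):
    """Return anomaly reasons for one new payment (empty list = nothing unusual).
    Thresholds are illustrative assumptions, not values from the slides."""
    profile = profiles.get((customer, beneficiary))
    if profile is None:
        return ["new_relationship"]  # no length of relationship at all
    reasons = []
    if profile["count"] < min_count:
        reasons.append("thin_history")  # too few payments for a stable baseline
    elif profile["std"] > 0 and (amount - profile["avg"]) / profile["std"] > z_limit:
        reasons.append("magnitude")  # far above the relationship's usual amount
    if amount > profile["max"]:
        reasons.append("above_historic_max")
    if (day - profile["last"]).days > dormant_days:
        reasons.append("dormant_relationship")
    return reasons
```

The same grouping key can be swapped for sender, intermediary, receiver or source system to build the other entity profiles the slide lists.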
Predictive Features - sample
Customer Monetary Location
Beneficiary Lists
1 Time
2 Ratio
3 Frequency
4 Velocity
5 Magnitude
6 Context
Creating an Intelligent Feedback Loop
Cyber Controls
Fraud Monitoring
Fraud and Cyber Controls Inform Each Other
Cyber controls produce alerts that must be fed into a fraud management hub and used in real-time detection models
Payment-level analytics spot anomalies indicative of fraud – and attack. These alerts must be utilized to inform cyber teams
Summary
Concerns raised by SWIFT attacks
SWIFT security requirements
Fraud: Bolstering a cyber plan … and more
Apply What You Have Learned Today
Next week you should:
• Identify the systems that connect to the SWIFT network
In the first three months following this presentation you should:
• Assess the risks of the identified systems and user access
• Assess whether you have appropriate fraud controls for wire origination & SWIFT money-movement
Within six months you should:
• Have already self-attested your compliance to the SWIFT CSP
• Begin process to add fraud detection to SWIFT money movement
Richard Tsai, Sr. Product Manager
Fraud & Authentication Management
Thank You