A digital security point of view for the digital business era

Stronger SWIFT Authentication with Vein ID

28 Sep 2017

The Society for Worldwide Interbank Financial Telecommunication or SWIFT as it is commonly known, is the de facto global standard secure network for the sending of messages for international financial transactions. Member banks and financial organisations can act on behalf of their own customers or as agents for other banks/FI’s in their region who are not members.

Every day, thousands of licensed member organisations send millions of messages with around 50 per cent of the volume relating to payments, around 40% relating to securities transactions and the remainder being treasury related. By 2014 SWIFT carried 5.6 billion messages per year.

Since it was set up over 40 years ago, increasingly, SWIFT’s role is to provide services relating to compliance issues with a strong focus on tools for Know your Customer (KYC) and Anti-Money Laundering (AML).

Like all major financial services providers, SWIFT has to continually ensure that it can stay one step ahead of the growing threat from both cyber fraud and internal banking fraud and implemented a new payment controls service for risk management in April 2017. Based on their previous history, customers are alerted on unusual activity detected on their accounts, including unexpected patterns for transaction size, destination and counterparty mix.

Whilst very welcome, this can be seen in part as a retrospective approach to risk management. Among the cases of fraud within SWIFT users, one of the most common problems is the execution of transactions via unauthorised personnel. This can occur through social engineering, theft of or sharing of credentials. Many banks that fall victim to internal fraud are reluctant to make any public declarations as it can be seen as a sign of weakness leading to a loss of confidence.

If we look at recent well publicised SWIFT breaches in Bangladesh, Vietnam and Ecuador which led to tens of millions of dollars being stolen, we find a similar pattern emerging. Upon review, security at some of the local member sites was found to be poor with a lack of preventive measures and use of outdated technology leading to fraudulent transfer instructions being issued into the system.

As a result, SWIFT has instructed members to improve authentication and to impose stricter password policies but has little authority to actually enforce such changes apart from threatening to publicise those members that fall victim to fraud due to lax security policies and practices.

Members can of course take a far more pro-active approach to curtail fraud at source by implementing a strong authentication regime based on biometrics.

Hitachi’s finger vein technology is widely implemented in financial applications with use cases ranging from digital signature validation for corporate payments processing through to authorisation of securities trades and self-service transactions and into the realms of cash replacement via “pay by finger”. The various types of financial institutions that have implemented the solution have found it to be privacy compliant, easy to use, highly secure and reliable whilst offering a range of practical options for integration from “on premise” with existing applications or provision via a cloud service.

For SWIFT message authentication, it can be used by members to both validate interactively keyed messages as well as bulk message files sent to SWIFT agents for processing via non-members.

SWIFT processing agents can protect the login access to their banking portals and validate that incoming bulk file transfer data has been prepared and released by appropriately authorised staff.

The bottom line is that credentials cannot be shared and there is full visibility and accountability regarding the chain of events that lead to messages entering the network.

With flexible options for both wired and wireless connectivity, finger vein authentication could make a real difference in the areas of banking security and compliance in your organisation. If you would like to discuss how Hitachi can help to secure your SWIFT operations or treasury services, please contact