With the heightened usage of digital devices, the security and access mechanisms of these devices are under constant threat from hackers looking to gain access to sensitive information or initiate fraudulent transactions. With account details, card information, passwords, etc. being saved into these devices in order to have quick access to payments, it has become more difficult for banks or merchants to differentiate real vs fraudulent transactions. With the use of jailbreak devices, open source operating systems and apps by users, these have become an easy target for bots and malware/phishing programs. These things are no different for domestic or cross-border transactions.

What makes cross-border transactions more attractive to hackers is the slim chance of recovery that banks have, once the money has left the bank. The lack of transparency around the path of these transactions means it can be exploited easily by hackers. Furthermore, there is no single global regulatory body controlling cross-border transactions - every country has its own regulations and security policies. In a bid to expand business opportunities, emerging countries often have even less strict policies around security and access mechanisms, making them ever more vulnerable for hacks.

Bank technology teams have been focusing more and more on the channels through which the payments are initiated by customers due to the diversity of options, however, the backend systems by which payments are being distributed to correspondent banks, via bilaterally agreed transfer mechanism (FTP) or via networks like SWIFT, are given lesser priority when it comes to tightening the security and access mechanisms. Take an example of what happened last year where hackers siphoned close to $81m out of Bangladesh’s central bank. It is said that the thieves hacked into the bank’s system, used malware to log on to the SWIFT network using the bank’s unique code, and re-routed transactions to new beneficiaries through to multiple countries. To date there are no reports of any money being recovered.

What can firms do to prevent attacks?

Technology companies should be encouraged to counter the threat of cyberattacks by tightening the access control mechanism (granular entitlements for access) and implement technology level security standards as part of the total solution, i.e. not only at the channel side but also at the distribution side. For example, using RESTful API’s only to access the payment channel is one of the ways to secure access and vulnerability to outside attacks. In addition, having technology that presents granular entitlement control delivers the flexibility to provide specific access to the required parties.

Every action taken by the system/program or human user should be recorded and made available for investigation. Additionally, having integration with fraud engines to scan every transaction that it processes for cleanliness, also improves the chances of catching errant behaviour. In case of suspect fraud, transactions are put into exception queues for operations to investigate and take appropriate action. 

When looking to implement a new cross-border payment system, firms should ensure the technology has gone through a rigorous testing for code coverage, ethical hacking, penetration testing, access security testing and other such practices so that the application is always kept up-to-date to combat against the attacks. The system should also be capable of supporting various encryption techniques to encrypt data when it is to be distributed to correspondent banks or other partner applications.

These techniques are not very different for domestic vs cross-border transactions, however, it’s important for firms to have higher access and approval levels for cross-border transactions than for domestic ones, along with installing specific security patches. SWIFT, as the main network provider for cross-border transactions, is also making every effort to keep its network secure and is working to increase transparency with the introduction of GPI.

While there are increased risks for cross-border transactions, there are practical technological steps banks can take to protect their payments from outside threats. By working together with fintech firms to implement cross-border payment systems that provide end-to-end security, banks can be secure in the knowledge that their payments will end up the right hands.