
eBook

AFP Tip Guide: Putting Your Connectivity on Lockdown

Maintaining the security of bank connections is vital for any treasury department. Treasurers move money every day, and if that movement is not secure, there’s no telling whose hands it could end up in. And with a string of recent hacking incidents targeting banks connected to the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network, securing bank connectivity has never been more important.

In this new Treasury in Practice guide, underwritten by Kyriba, we will look at how we got here, and define several ways that treasury practitioners can ensure their connections are safe.




Why Connectivity Matters


During the latest meeting of AFP’s Treasury Advisory Group, Bob Stark, vice president, strategy for Kyriba, led a presentation on securing bank connectivity. He noted that the aforementioned hacking incidents, most notably the $81 million theft from Bangladesh Bank, have brought this concern to corporate practitioners’ attention. Though the bank was ultimately able to recover $15 million, a $66 million loss is nothing to sneeze at.

“A year ago, we didn’t really care so much about this,” he said. “But there have been some events that happened in the banking world, utilizing payments that were sent in unfortunate ways, that woke us up to the fact that connectivity workflows could be compromised.”

Stark noted that, when it comes to securing bank connectivity against fraud, treasury practitioners’ focus should be on payments. “That’s not to say that people couldn’t get ahold of corporate bank balances and transactions, but that’s not really the target,” he said. “The target is compromising payments and being able to somehow work themselves into that workflow and create unauthorized payments, and actually wire money to themselves.”

When securing connectivity workflows, treasury practitioners need to understand that every endpoint has to be addressed. In the Bangladesh Bank case, the bank had not kept its SWIFT software up to date, which allowed the attackers to get into its internal systems and send fraudulent messages across the SWIFT network.

Again, it comes back to the endpoints. As Steve Mott, CEO of BetterBuyDesign, noted during an AFP Executive Forum last summer, even though the SWIFT network itself is secure, the hacks prove that at least some of its endpoints are not. Attackers don’t need to breach SWIFT’s own systems if they can compromise a SWIFT user and send fraudulent messages across the network.

In the post-Bangladesh threat environment, connectivity is now at the forefront, Stark noted. “Can our connectivity be compromised? The answer, unfortunately, is yes,” he said. “There are steps that can be taken, but we need to look at what we learned.”

Separation of Duties


While treasury professionals are already quite aware of the importance of separation of duties, that doesn’t mean that this tried-and-true method is always applied when it needs to be. Indeed, it certainly wasn’t in the case of Bangladesh Bank. “There was actually a set of unauthorized payments that were created, approved and sent by the same individual,” Stark said.




Craig Jeffery, CCM, managing partner for Strategic Treasurer, stressed the importance of limiting access to certain systems and responsibilities. Unfortunately, he explained, many treasury departments aren’t doing that. “You don’t want to grant unfettered access,” he said. “It’s more important than ever that you understand who can come in and what the access points are.”

Stark noted that in the United States, unlike regions such as Europe, there is a lot of inconsistency for different types of payments. “We see treasury payments transmitted through different systems or in different ways than say supplier payments or payroll,” he said. “So in many cases, we’ll have a TMS for treasury payments. And then we’ll have supplier payments, and they’re coming from SAP or Oracle. And then we may have a third set of payments going through the bank portals.”

The problem is that treasury often ends up with inconsistent payment policies across these different payment types. Inconsistencies, whether different systems or a lack of cohesion around who can initiate, approve and release payments, are exactly what cybercriminals exploit; in the Bangladesh Bank incident, the hackers took advantage of just such an access point.

“So you want to make sure that whatever your policy is, it’s consistently applied across all the different systems, all the different payment types, all the different sizes of payments, as well as all the different geographies,” Stark said. “That consistency offers a more unified front and better protection.”

Two-Factor Authentication


It likely comes as no surprise to treasurers that a user ID and password alone are insufficient. Nevertheless, the number of practitioners who use only a user ID and a password to access their treasury system is highly concerning. A user ID is often easy to derive from the user’s name, and a password is often assembled from easily discovered personal details; together they are typically all an attacker needs to get into email, treasury systems, and payment initiation and approval systems.

“We want to make sure that a user ID and a password aren’t enough to initiate and approve a payment,” Stark said. “For anyone that uses banking platforms, user IDs and passwords aren’t enough to get into those. That’s why we have key fobs. The same logic needs to apply to all the other different treasury and finance systems we use. User IDs can be figured out. Passwords can definitely be figured out, no matter how great a job you do at creating a password.”

Reusing a password across social media sites like Facebook and Twitter is a bad idea; reusing it for treasury systems is far worse. But even with a unique password for your TMS, it is still wise to employ two-factor authentication. Many banks issue key fobs that display a new one-time code roughly every 30 seconds, and these have proved effective. The code is not actually random: it is derived from a secret stored in the fob and the current time, which is precisely what lets the bank compute the same value and verify it.

However, many corporate treasurers work with multiple banks and would need a very large keychain to carry all of those fobs around. That is not practical, so many treasury professionals use their mobile device instead: the bank sends a one-time code by text message and the practitioner enters it to log in. Strictly, an SMS code is an out-of-band code rather than a soft token; a true soft token is an authenticator app that generates the code on the device itself, with nothing sent over the phone network.

“Many ERP systems, many treasury systems and many banks support this now,” Stark said. “It’s technology that’s existed for a long time — it’s text messaging technology — but it allows that same randomly generated key to be sent to a phone. It’s always within reach; it’s a lot more convenient than a key fob. And it allows you to bring together all the systems you need into one device.”

Of course, a phone can be lost, infected or have its number hijacked, so the SMS method isn’t without risk: a SIM swap or a malicious app can divert the codes, which is why NIST’s digital identity guidance (SP 800-63B) classes SMS delivery as a “restricted” authenticator, and why an authenticator app or hardware key, which never sends the code over a network, is the stronger choice. Companies that use a “bring your own device” policy for employees often take steps to “harden” mobile devices, Stark explained. “So if your phone gets lost or stolen, only you can get back into it,” he said. “We’ve heard of some of these incidents in which the FBI was trying to break into a phone and they had trouble doing that; it can be hardened to the point where it’s a very secure device. And then what you’re worried about isn’t whether someone can break into the phone, but whether they can find a way to receive all the SMS and text messages. But we haven’t seen instances of that yet.”

Getting a bit more technical, IP filtering can also be an effective control for your TMS: logins are accepted only from a predefined set of source IP addresses. It constrains where a session can originate, not who is at the keyboard, so it complements multifactor authentication rather than replacing it; a compromised workstation inside the allowed range still passes the filter. “You can localize it to just one computer, and nothing else can get into it using that user ID and password,” Stark said. “Or you can set up a range of IP addresses that are specific to your office, as opposed to IP addresses outside the office.”

Another authentication method, which has become particularly popular with IT, is single sign-on (SSO). Rather than maintaining a separate TMS login, the user authenticates once to the corporate identity provider (typically the Windows/Active Directory account) and the TMS trusts that assertion, so the organization’s password policy, MFA and leaver deprovisioning apply to the treasury system as well. “The reason why IT loves this is because it aligns to the organization’s internal security policy,” Stark said. “Having consistency across all those applications is a good thing. It’s a very basic concept, but I haven’t seen it well executed in treasury. Treasury has had a history of being on a bit of an island, away from other systems, other parts of the organization, and information security policies.”




None of this is to say that you shouldn’t try to create a strong password; every little bit helps. Sassan Parandeh, CTP, treasurer for ChildFund International, noted that one key issue with passwords is that people tend to frequently update them but they change one letter or number each time. “That’s actually really predictable, and it’s better to come up with a 30-digit password for everything that you never change,” he said. “That’s much more secure than having to constantly reset.”

Parandeh added that when he worked for Litton Industries (now part of Northrop Grumman), his password was required to be 30 digits long. “We never were told to change it,” he said. “Research has shown that works. So why are IT and security people pushing so hard to change it?”

Parandeh’s approach is consistent with current NIST guidance (SP 800-63B), which drops mandatory periodic password changes and calls for a change only when compromise is suspected. Still, even a 30-character password can be phished, captured by malware on the endpoint or leaked from another system. Hence the reason why, in today’s threat environment, multifactor authentication is still the best way to go.

Going Beyond the Payment


Preventing payments fraud is more than just protecting initiation and transmission. The Bangladesh Bank incident consisted of more than just creating unauthorized payments that were sent through the SWIFT network. The reason this particular fraud nearly went undetected was the clever cover-up of the acknowledgements — the criminals exploited a fairly manual PDF-based process.

“We need to take care of that reconciliation and acknowledgement process as well as the initiation,” Stark said. “You might think you protect the initiation of payments, but if you don’t protect the back end and make sure that you’ve reconciled everything, then there’s a possibility that you would never know that payments are initiated fraudulently, and you would never know to take action to remedy that.”

Reviewing documentation that supports a payment needs to be part of treasury’s policy. That documentation should always be reviewed, especially when it comes to high-value payments headed overseas. “This needs to be part of your policy to ensure that when you’re looking to approve a payment, you don’t have to detach from that system and go find the paper trail from someone down the hall,” Stark said. “It should be already showing that right in front of you. Everything’s in one spot.”

Securing Access to Channels


As stated earlier, SWIFT was not actually hacked in the Bangladesh Bank incident; the bank’s access to SWIFT is where the breach occurred. “Access to those channels is the biggest exposure point that we see,” Stark said.

If multiple systems are used, then files that move between them must be encrypted. “Let’s say you have your ERP and it is sending payments via SWIFT. And there’s a directory where the file is sent before it can be reformatted for the bank. Maybe it gets formatted to EDI or XML format, something that the bank requires it to look like. The ERP folks don’t really know what to do, so they have some middleware transform the file into the bank ready format. The problem is, that file — in a human, readable format — gets left somewhere,” Stark said.

Even though that file is in a “secure” directory, there’s still an excellent chance that someone could see it. “That file should never be unencrypted, because then it can be edited,” Stark said. “You could literally open a file, look at it and see all the amounts, the actual instructions, and the BIC code: If you can actually see those, that’s bad.”

It is absolutely crucial that no one, external or internal, who isn’t supposed to have access to those systems can reach them, and that anyone who does reach them can neither read the data nor manipulate it. That takes strong authentication and access control on the systems themselves, plus encryption and integrity protection (signing) of the files, so that a file which leaks is unreadable and a file which is edited is detected.

Digitally signing payment files is one reliable control that more U.S. banks now use to authenticate transactions. 3SKey is SWIFT’s implementation, a personal digital identity on a hardware token that the signer uses to sign files for any participating bank, and it is the most widely used in the banking community. If the bank’s service has been set up to accept only digitally signed payment files, a file whose signature fails to verify is rejected, and one that verifies is known to have come from an authorized signer and to be unchanged since it was signed.
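As an added illustration of the two preceding points (files between systems must be encrypted, and a receiver should accept only files signed by a known key), here is an example in Go written for this page rather than taken from the guide, SWIFT or any vendor. It uses AES-256-GCM for confidentiality and Ed25519 for the signature, both from Go’s standard library; 3SKey itself uses a certificate on a hardware token, so treat the Ed25519 step as a stand-in for that. The payment batch, the key handling and the on-disk layout are all constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed payment batch in a CSV-like shape (not a real pain.001/EDI file; BICs
// and accounts are made up): the human-readable file the text says must never sit
// in a middleware directory in the clear.
var samplePaymentBatch = []byte("id,amount,currency,beneficiary_bic,beneficiary_account\n" +
	"P1001,25000.00,USD,TESTUS33XXX,000000000123456\n" +
	"P1002,740000.00,EUR,TESTDEFFXXX,DE00000000000000000000\n")

// Producer is the sending side (say, the ERP export); Consumer is the receiving
// side (the formatting middleware, or a bank that accepts only files from a known signer).
type Producer struct {
	signKey ed25519.PrivateKey
	fileKey []byte // 32-byte AES-256 key shared with the consumer; HSM/KMS-held in production
}
type Consumer struct {
	signer  ed25519.PublicKey // the one signer whose files are accepted
	fileKey []byte
}
var ErrBadSignature = errors.New("signature does not verify: file rejected")

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal returns the bytes that go to disk: nonce || AES-256-GCM ciphertext+tag ||
// Ed25519 signature over everything before it. Editing any byte breaks the signature.
func (p Producer) Seal(plain []byte) ([]byte, error) {
	gcm, err := gcmFor(p.fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per file, never reused with this key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	body := gcm.Seal(append([]byte{}, nonce...), nonce, plain, nil)
	return append(body, ed25519.Sign(p.signKey, body)...), nil
}

// Open checks length, then the signature, and only then decrypts; GCM's own tag
// check additionally catches a wrong key.
func (c Consumer) Open(file []byte) ([]byte, error) {
	gcm, err := gcmFor(c.fileKey)
	if err != nil {
		return nil, err
	}
	ns, ss := gcm.NonceSize(), ed25519.SignatureSize
	if len(file) < ns+gcm.Overhead()+ss {
		return nil, errors.New("file too short to be a sealed batch")
	}
	body, sig := file[:len(file)-ss], file[len(file)-ss:]
	if !ed25519.Verify(c.signer, body, sig) {
		return nil, ErrBadSignature
	}
	plain, err := gcm.Open(nil, body[:ns], body[ns:], nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt: %w", err)
	}
	return plain, nil
}

// NewProducer makes a signing key pair (demo only; real keys are provisioned out of band).
func NewProducer(fileKey []byte) (Producer, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Producer{}, nil, err
	}
	return Producer{signKey: priv, fileKey: fileKey}, pub, nil
}

func main() {
	fileKey := make([]byte, 32)
	rand.Read(fileKey)
	erp, erpPub, _ := NewProducer(fileKey)
	consumer := Consumer{signer: erpPub, fileKey: fileKey}
	file, _ := erp.Seal(samplePaymentBatch)
	fmt.Println("amount readable on disk: ", bytes.Contains(file, []byte("740000.00")))
	plain, err := consumer.Open(file)
	fmt.Println("untouched file accepted: ", err == nil && bytes.Equal(plain, samplePaymentBatch))
	file[40] ^= 0x01 // someone with directory access edits one byte of the ciphertext
	_, err = consumer.Open(file)
	fmt.Println("edited file:             ", err)
	rogue, _, _ := NewProducer(fileKey) // knows the file key but is not the trusted signer
	file2, _ := rogue.Seal(samplePaymentBatch)
	_, err = consumer.Open(file2)
	fmt.Println("file from another signer:", err)
}
```

With the batch sealed this way, a copy lifted from the “secure” directory shows no amounts or BICs, a single edited byte is rejected on signature before anything is decrypted, and a file produced by someone who holds the encryption key but not the authorized signing key is rejected too. Nonce reuse under the same AES-GCM key would be catastrophic, so production code keeps the file key in an HSM or KMS and rotates it on a schedule.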

But whatever tactics and technology you use, and no matter what third parties are brought in to install software — SWIFT, a TMS provider, etc. — the onus is on treasury to make sure they don’t leave your systems vulnerable, Jeffery stressed. “If you grant them the rights to come in and work on your machine remotely and they leave it up — those are things that treasury is responsible for as a steward,” he said. “Treasury isn’t IT security, but they are in charge of protecting the accounts and making sure that the structure provides adequate defense.”

For treasury to have a proper security framework, it needs to be involved in and aware of what IT is doing to secure the exterior and the interior, he continued. “They need to know what those layers are, and they need to know whether they’re adequate or not,” he said. “I think people have long been living without enough security, and treasury needs to take a leadership role. They’re ultimately responsible for protecting the liquid assets of the firm, and that involves people, IT and external providers — whether it’s SWIFT, their banks or different software providers.”

But is treasury generally taking up that leadership role? Not that Jeffery has observed. However, he believes the Bangladesh Bank incident may be the wake-up call treasury departments need. “They need to take those steps to address this,” he said. “Every organization, $500 million and up, should have a treasury security framework. They should identify the layers of security that they have in place, and they should be reviewing those because those standards will need to change over time. They need to make sure that the layers of security they have are protected.”

So, Are Corporates Next?


Generally, fraud moves wherever the security isn’t: whenever a country has adopted chip (EMV) card technology, card-not-present (CNP) fraud has tended to spike. Following the Bangladesh Bank incident, SWIFT introduced a five-part plan to reinforce the security of its network. That raises the question: if banks en masse vastly improve their SWIFT connections, might cybercriminals move on to SWIFT’s other customers, the corporates?

It is certainly something corporate treasury professionals need to consider. Those that use the SWIFT network to make large transfers should make sure their entry points are secure. Treasurers have choices when it comes to SWIFT connectivity: they can use a SWIFT service bureau, which takes on much of the security responsibility, or they can connect directly through Alliance Lite2. If the Alliance Lite2 connection is not hosted by a treasury management system provider that manages the messages as they pass through, then it is up to treasury itself to monitor that connection.

Campbell uses his SunGard treasury workstation to access SWIFT and send payments. Although SunGard makes sure the access points are secure, every year H&R Block itself does a full evaluation of its connections. “We actually have our IT guys go out to the data center and do audits; we did that before we implemented the system,” he said. “For somebody to get access to our bank accounts to our systems, you’d have to get to SWIFT, through SunGard. So there’s multiple layers that give us some comfort. But certainly, when I see the SWIFT articles in the paper or get emails from a board member, it’s concerning. We should all be concerned about it.”

Campbell believes that these incidents will prompt more scrutiny of SWIFT among treasury departments. “I pay for corporate membership with SWIFT, and I think that I have the right to call up a relationship manager at SWIFT and say, ‘I want details. I want you to come out and visit me. I want to get comfortable with what the processes are and how you do things,’” he said.

He added that, for a long time, SWIFT was only seen as the connectivity and the communication tool between banks. “But now that SWIFT for Corporates has been running for many years, more and more you’re going to see companies like us saying, ‘This is a network and I’ve trusted it, it’s tried and true, but I want to actually talk to these guys. I want to understand better what their security protocol is, what their response is and how they’re going to protect the users of the SWIFT network,” he said. “I would certainly expect that SWIFT is going to receive more scrutiny from corporates now than it ever has before.”

Magnus Carlsson, AFP’s manager of treasury and payments, wonders if corporates could already be a target of the Bangladesh Bank hackers. “Even if the most recent issues were just related to banks, I certainly think it could apply to corporates as well, especially those who directly connect to the system,” he said.

Stark agreed. “Banks are obviously a bigger target because they have more money, but corporates have also been targeted by hackers,” he said. “It would be naïve to think that corporate treasurers, their organizations, and their use of systems have not been profiled.”

Stark added that we have yet to see anything like this happen, likely because treasurers have, thus far, done a good job of making sure their systems are secure. “But most organizations haven’t done all the things they need to,” he said. “That’s where the concern is going to be. I can’t tell you how many companies come to us after they’ve been affected. If you’re only using a user ID and password to get into your TMS, that’s another user ID and password that a hacker could figure out.”

Added Stark: “If you do the right things to protect the access points, then you’re making it harder for them. And the dollar amounts for a corporate are smaller than the amounts being targeted in these bank attacks. So while those transfers went almost undetected, if you wire $50,000 from a corporate, generally speaking, it’s going to get picked up right away. So they’d be doing more work for less of a reward. But if it becomes easier or the reward gets higher, we’ll probably see some of those situations.”

Looking Ahead


Much like the infamous Target breach, the Bangladesh Bank incident has proven to be a watershed moment for cybersecurity. Although only banks have been targeted by these particular hackers, the incident nevertheless has implications for all kinds of businesses around the globe that have multiple bank connections.

If corporate treasurers want to ensure that they won’t wake up to the news that several million dollars has been mysteriously transferred overseas from their corporation’s accounts, then they need to make sure their connections are secure. And they need to do it now.

Protecting Your Connectivity: 5 Takeaways


Separation of duties is critical.

In the case of Bangladesh Bank, payments were created, approved and sent by the same individual. That kind of irresponsible behavior can’t be allowed to continue; checks and balances, enforced by the systems and not just by policy documents, are absolutely necessary.

User IDs and passwords are insufficient.

The number of people that use only a user ID and a password to access their treasury systems is concerning. It is essential to employ two-factor or multifactor authentication. For treasury in particular, one-time codes on a mobile device (an authenticator app in preference to SMS) and IP filtering are practical additions.

Preventing payments fraud is more than just protecting initiation and transmission.

The reason the Bangladesh Bank fraud nearly went undetected was the clever cover-up of the acknowledgements. Treasury needs to take care of the reconciliation and acknowledgement process, as well as the initiation.

If multiple systems are used, then files that move between them must be encrypted.

It is absolutely crucial to make sure that someone external or even internal who isn’t supposed to have access to those systems can’t get to them. And if they can get to them, they must not be able to read the data and manipulate it.

Banks have been repeatedly targeted, but that doesn’t mean corporates are safe.

Fraud moves where the security isn’t. With banks clamping down on security following the Bangladesh Bank incident, it is entirely possible those hackers could go after SWIFT’s other customers: corporates.