Emailed instructions
Hackers are always searching for the weak spot
Why you shouldn’t believe everything you read
An ongoing case involving one of our clients recently reminded us of the perils of relying on email for payment instructions. The history of this incident dates back to the beginning of the year, before they began using our services. A payment instruction arrived in what appeared to be a genuine email from a trusted source. In fact, it came from a compromised account. The payment was initiated and several hundred thousand dollars were sent.
And here we encounter a second systemic failure: the payment should have failed due diligence at the receiving bank. Instead, it was passed on and the money settled in favour of multiple suspicious accounts. When the problem was identified and reported, the protracted process of recovery began… and still continues. It is now impossible to catch the criminals, and it has taken almost a year just to establish who was to blame for the failure. Hopefully our client will shortly be repaid, but the process highlights what can go wrong.
If only they had been using CertiQi’s eKeyiD platform back then. We strongly discourage anyone from using email in this context, but email was only the beginning of the problem. Under the eKeyiD regime, the instruction would have passed through far more rigorously implemented controls, and those controls would have propagated all the way along the payment path, regardless of technology or dissimilar messaging systems. Paradoxically, eKeyiD would even have provided extra security if part of the chain had involved email (though we still advise against it). Not only is it more likely that the irregularities in the transaction would have been spotted before settlement, but an immutable audit trail would exist, allowing problems to be unpicked rapidly and even supporting prosecution of the perpetrators. As it is, the receiving bank will almost certainly be required to refund our client, who has already suffered almost a million dollars’ loss of liquidity. The receiving bank also faces a heavy penalty for its compliance failure, and the criminals, whoever they are, have demonstrated that crime does pay.
It’s always a good time to take a fresh look at your processes, and speaking to us about an easy route to best practice is a good place to start.