SWIFT Customer Security Program

SWIFT’s Customer Security Programme (CSP) has been established to support customers in the fight against cyber-fraud. Its key objectives are:

1) CSP will define an operational and security baseline that customers must meet for the SWIFT customer infrastructure

2) CSP will define an assurance framework to ensure SWIFT customers comply with the security requirements

3) CSP will reinforce cybersecurity intelligence sharing

4) CSP will work to improve transaction pattern detection for SWIFT customers

5) CSP will be applicable to both SWIFT products and services as well as third-party software products/services

SWIFT Customer Security Framework establishes a set of mandatory and advisory security controls for SWIFT customers.
The SWIFT infrastructure includes:
  • SWIFTNet switches
  • SWIFTNet PKI security systems
  • SWIFTNet Directory systems
  • SWIFT store-and-forward and processing applications (e.g., FIN, InterAct)

FIN messaging - Overview

Connection to SWIFT
  • SWIFTNet Link is a mandatory software product that customers must use to access the features and functions of the messaging services.
  • Alliance Gateway is the SWIFT communications interface used at Citi.
  • The messaging interface can be either SWIFT-provided (e.g., Alliance Access) or a third-party product, which is what Citi uses.
  • Public Key Infrastructure (PKI) is a mandatory feature that, together with SWIFTNet Link, provides security and trust across all SWIFTNet services.
  • Each entity has its own PKI security profile, and SWIFT certifies the public key of each PKI security profile.
  • SWIFT-generated certificates are held in the SWIFTNet Directory with their DNs (distinguished names). Customers store a password-protected PKI security profile locally on an HSM.
Subscription to Messaging Service
  • Messaging services are InterAct, FileAct, SWIFT WebAccess, MI Channel, and FIN.
  • Each SWIFTNet service has a service profile and a service name. The service can be administered by members or by SWIFT. Each service is associated with a Closed User Group.
  • Relationship Management Application (RMA) is a means to manage business relationships. Customers exchange authorizations with each other and apply rules to control the traffic.

FIN Message security

  • FIN user-to-user messages and system messages that contain customer data are encrypted in transmission. Messages are stored and forwarded.
Message authentication and integrity
  • FIN enforces the use of a SWIFTNet PKI digital signature. Live traffic is signed based on the PKI certificate stored in the HSM. The digital signature allows the receiver to verify the identity of the sender and the integrity of the message.
Message authorization
  • RMA allows users to exchange authorizations to send and receive FIN messages.
  • Set up a relationship with either a correspondent bank or a customer BIC. The authorization to send (or receive) has to be accepted by the correspondent.
  • Before sending a FIN message, the sending interface must check that the traffic is authorized by the recipient. Similarly, while receiving traffic from a correspondent, the interface must check that there is a matching authorization to receive
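The two-sided RMA check described above, as an added illustration that is not part of this article or of any SWIFT product: the model of an RMA authorisation (issuer BIC, permitted correspondent, validity window, optional message-type list) is a simplified assumption, and the BICs are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class RmaAuthorisation:
    """Permission granted by `issuer` (the receiving BIC) for `correspondent` to send it FIN
    traffic. Assumed simplified model: validity window plus optional MT list (empty = all)."""
    issuer: str
    correspondent: str
    valid_from: date
    valid_to: "date | None" = None
    message_types: frozenset = frozenset()

class RmaStore:
    """Local index of exchanged authorisations, keyed by (issuer, correspondent)."""
    def __init__(self, auths):
        self._index = {}
        for a in auths:
            self._index.setdefault((a.issuer, a.correspondent), []).append(a)

    def _permits(self, issuer, correspondent, mt, on):
        for a in self._index.get((issuer, correspondent), []):
            in_window = a.valid_from <= on and (a.valid_to is None or on <= a.valid_to)
            if in_window and (not a.message_types or mt in a.message_types):
                return True
        return False

    def may_send(self, own_bic, receiver_bic, mt, on):
        # Outbound: the receiver must have authorised us to send this message type.
        return self._permits(receiver_bic, own_bic, mt, on)

    def may_receive(self, own_bic, sender_bic, mt, on):
        # Inbound: we must hold a matching authorisation that we issued to the sender.
        return self._permits(own_bic, sender_bic, mt, on)

# Constructed sample data; BICs are placeholders, not real institutions.
OWN = "OWNBANK0XXX"
STORE = RmaStore([
    RmaAuthorisation("CORRBNK1XXX", OWN, date(2023, 1, 1), None, frozenset({"103", "202"})),
    RmaAuthorisation(OWN, "CORRBNK1XXX", date(2023, 1, 1)),
    RmaAuthorisation("CORRBNK2XXX", OWN, date(2022, 1, 1), date(2022, 12, 31)),  # expired
])
AS_OF = date(2024, 6, 1)
SAMPLE = [("out", "CORRBNK1XXX", "103"), ("out", "CORRBNK1XXX", "999"),
          ("out", "CORRBNK2XXX", "103"), ("in", "CORRBNK1XXX", "950"), ("in", "CORRBNK2XXX", "103")]

def screen(store, messages, own_bic, on):
    """Apply the pre-send / on-receive RMA check to each (direction, peer BIC, MT) tuple."""
    check = {"out": store.may_send, "in": store.may_receive}
    return [(d, peer, mt, check[d](own_bic, peer, mt, on)) for d, peer, mt in messages]
```

Traffic that fails either check (no authorisation, wrong message type, or an expired window) is what the interface must block before it reaches the network, and a blocked outbound or unmatched inbound message is a useful event to log and alert on.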

Authored By - Hussainali Ladha
TCS Cyber Security Practice
