Interbank communication network SWIFT needs its local software installations to be protected with reliable and user-friendly two-factor authentication (2FA). “We have achieved excellent results by implementing the Nexus authentication solution. It covers both current and future demands,” says Kirill B. Lebedev, CEO of the Russian IT security company Power Security.
The Society for Worldwide Interbank Financial Telecommunication (SWIFT) provides a platform and services that enable financial institutions worldwide to send and receive information about financial transactions in a standardized, reliable and secure environment.
Local SWIFT installations under attack
“While SWIFT’s network and software haven’t been compromised, incidents have occurred where customers have suffered security breaches within their local infrastructure,” says Lebedev.
The most common attack method is to secretly compromise PCs or servers inside a bank, which allows the attacker to study the infrastructure, compromise the most important infrastructure points and collect user credentials.
“The aggressor can then conduct an attack using the collected credentials and other data,” says Lebedev.
Market demand for enhanced security
To support the industry, SWIFT introduced their Customer Security Program, which contains a set of mandatory security controls, including multifactor authentication.
In 2015, Power Security – which focuses on authentication, public key infrastructure (PKI) and digital signature solutions – identified the market demand to enhance security for the SWIFT environment in the Russian Federation, the Eurasian Economic Union and the Commonwealth of Independent States (CIS).
“We started to cooperate with the large Russian SWIFT service bureau Alliance Factors to help SWIFT bureaus and clients implement an authentication solution based on the Nexus authentication platform,” says Lebedev.
SWIFT demands two-factor authentication
In the spring of 2017, SWIFT published the Customer Security Controls framework, a set of mandatory and recommended measures to protect SWIFT users.
“This document is based on the analysis of cyber threats, interaction with industry experts and feedback from users. In addition to compulsory two-factor authentication when accessing the SWIFT web interface, it is also required to provide strong authentication for other protocols, such as RDP or SSH,” says Lebedev.
The Customer Security Controls framework also introduces the term jump server: an intermediate host through which all communication between the servers in the secure SWIFT zone and the workstations of operators and administrators must be routed.
The Nexus 2FA solution solves all problems
“The Nexus authentication solution carries out all tasks required by SWIFT. Moreover, the Nexus solution also covers a number of recommended measures, such as VPN, whitelisting of external resources, etc.,” says Lebedev.
Power Security and Alliance Factors have now implemented the Nexus authentication solution for a considerable number of SWIFT bureaus and clients – including some of the largest banks in Russia and the CIS – and have achieved excellent results, according to Lebedev.
“The Nexus solution is a state-of-the-art, enterprise-grade authentication server that covers both current and future demands introduced to financial organizations by SWIFT. We expect a significant increase in the security of interbank communications by the introduction of strong authentication and access protection with the Nexus solution. A big bonus is that the solution requires very little capital expenditure,” says Lebedev.
Recognized for reliable solutions
Alexander Kusheverskiy, managing director of Alliance Factors, is excited about the partnership with Nexus and Power Security.
“We have successfully brought IT solutions from international companies to our region for many years, and it is a very good match for us to team up with Nexus and Power Security, since they are both recognized for their reliable authentication solutions for the financial industry,” says Kusheverskiy.
The user connects via the Nexus software
Schematic diagram of the SWIFT authentication solution based on the Nexus authentication platform.
The Nexus authentication platform, called Nexus Hybrid Access Gateway (HAG), is a part of identity and security company Nexus Group’s comprehensive Smart ID solution. HAG is a very versatile authentication platform that can be used for a wide range of applications. In the SWIFT scenario, it works like this: before reaching the target application, the SWIFT Alliance Web Platform (AWP) user connects to the HAG and authenticates using a one-time password (OTP).
In most cases, the OTP is generated by a plastic card, using the open OATH HOTP algorithm. After authentication, the user works with the target application via the HAG Access Point, and at the end of the session, the user’s access to the target application is terminated.
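The flow above relies on the gateway verifying an OATH HOTP code from the card before the user ever reaches the target application. The following is an added example, not Nexus or Power Security code, of how a server-side HOTP check works, including the look-ahead window that resynchronizes a card whose counter has run ahead and the rejection of replayed codes; the secret and window size are constructed values.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


class HotpValidator:
    """Per-token server state: the next counter value the gateway expects from this card.

    The card increments its own counter on every button press, so it may run ahead of
    the server (codes generated but never submitted). A bounded look-ahead window
    tolerates that; anything at or below the last accepted counter is a replay.
    """

    def __init__(self, secret: bytes, window: int = 10):
        self.secret = secret      # shared secret provisioned into the card (constructed here)
        self.next_counter = 0     # first counter value not yet consumed
        self.window = window      # how far ahead of the server the card may drift

    def verify(self, submitted: str) -> bool:
        # Search forward only; a constant-time compare avoids leaking partial matches.
        for c in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                # Resynchronize: this counter and every earlier one are now dead.
                self.next_counter = c + 1
                return True
        return False
```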
Attackers can’t reach the target application
“HAG’s remote access functionality is one of the factors that makes this a very secure solution since the protected target application is located behind the HAG Access Point and isn’t accessible to a potential attacker. Thus, even if there are so-called zero-day vulnerabilities in the target application, or if the static user credentials are compromised, the attacker will not be able to use them under any circumstances, since he can’t use the second authentication factor,” says Lebedev.
Other important factors behind Power Security’s choice of authentication platform are that HAG offers flexibility in choosing authentication methods and processes, centralized user and token lifecycle management, flexible access policies, and the ability to audit and log all important actions and events.
“Yet another big plus with the Nexus solution is that there is no vendor lock-in when it comes to the authentication tokens. The customers are free to purchase any tokens on the market that use open standards, which gives them the possibility to choose the most suitable and economical options, as well as select tokens and authentication methods in accordance with their own security requirements,” says Lebedev.
The 6 main advantages of the Nexus solution
According to Lebedev, the main advantages of the Nexus authentication solution in comparison with the standard mechanism implemented in SWIFT are:
1. An additional layer of security on the protected target application.
2. A wide choice of methods, tokens and authentication processes.
3. The ability to manage the lifecycle of the authentication tokens.
4. The possibility to implement backup authentication methods that can be used if the main method is inaccessible.
5. Centralized authentication management.
6. Audit and logging.
6 additional benefits of the Nexus solution
In addition to the advantages listed above, Lebedev also points out the following reasons to opt for the Nexus authentication solution:
1. It complies with modern requirements for information security.
2. There’s no vendor lock-in when it comes to tokens.
3. It can be used for a wide range of tasks.
4. It provides authentication and remote access to the infrastructure of the organization.
5. Integration is easy and there are no restrictions on the number of authentication channels, protected applications, etc.
6. It’s possible to implement a fault-tolerant and high-availability architecture.