An electronic messaging system used by the shipping industry to send payment for cargo could be subverted by hackers to steal money.
According to security researchers at Pen Test Partners, the IFTFCC (International Forwarding and Transport message – Freight Costs and other Charges) has specific formats that are very interesting to those trying to steal money. An IFTFCC is a message typically sent from a shipping company to the receiver (or at least whoever is paying for the shipment).
“IFTFCC has specific formats that are very interesting to those trying to steal money,” said Ken Munro, partner at Pen Test Partners.
According to Munro, the message format allows for various compulsory and optional fields. Most of the message covers information about currencies, values, tax etc.
“One could cause chaos by switching around values so that invoices weren’t paid correctly. Organisations are put on ‘credit hold’ unnecessarily as they paid the wrong amount unintentionally and the whole shipping system gums up a little,” said Munro.
One part of the messaging format was particularly interesting to researchers - FII or Financial Institution Information. This component covers a party's name, address and function, such as message sender, message receiver, payee, payer, ordering party. There is also a segment identifying the financial institution such as a bank and account numbers for the payee only.
Munro said that in FII group C078, there are account details. “Manipulate this data and the payment is misrouted – the consignee pays the wrong account and the funds are stolen,” said researchers.
Researchers said that there should be a cross-check that limits the ability to carry out fraud. “Hopefully, the shipping company and consignee will ensure that the FII details match the Bill of Lading – this is effectively a contract specifying who/what/where/how much etc – everything involved in the billing and shipping process,” said Munro.
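The cross-check Munro describes can be automated on the receiving side. The following is an added example, not code from Pen Test Partners or from any EDI product: it parses the FII segments of a simplified EDIFACT-style IFTFCC message, picks out the payee's account details from the C078 composite, and compares them against a trusted payee register (standing in for the Bill of Lading or vendor master). The message layout, party qualifier, register entries and institution codes are all constructed assumptions for illustration; a mismatch or an unknown payee produces a finding so the payment can be held for manual verification rather than released.

```python
"""
Added example (not from the article or Pen Test Partners): a receiver-side
check that a payee's bank details in an IFTFCC message match a trusted
register before any payment is released.  All messages, names and codes
below are constructed for illustration.
"""
from dataclasses import dataclass

# Assumed EDIFACT syntax characters: ' ends a segment, + separates data
# elements, : separates components, ? releases (escapes) the next character.
SEGMENT_TERMINATOR, ELEMENT_SEP, COMPONENT_SEP, RELEASE_CHAR = "'", "+", ":", "?"


def parse_segments(message):
    """Return [(tag, [[component, ...], ...]), ...] for each segment."""
    segments, elements, components, buf = [], [], [], []

    def close_component():
        components.append("".join(buf))
        buf.clear()

    def close_element():
        close_component()
        elements.append(list(components))
        components.clear()

    def close_segment():
        close_element()
        if elements and elements[0] and elements[0][0]:
            segments.append((elements[0][0], list(elements[1:])))
        elements.clear()

    i = 0
    while i < len(message):
        c = message[i]
        if c == RELEASE_CHAR and i + 1 < len(message):
            buf.append(message[i + 1])      # escaped separator is literal data
            i += 2
            continue
        if c == COMPONENT_SEP:
            close_component()
        elif c == ELEMENT_SEP:
            close_element()
        elif c == SEGMENT_TERMINATOR:
            close_segment()
        elif c not in "\r\n":
            buf.append(c)
        i += 1
    if buf or components or elements:      # segment without a final terminator
        close_segment()
    return segments


@dataclass(frozen=True)
class PayeeAccount:
    account_number: str   # C078 first component (account holder number)
    holder_name: str      # C078 second component (account holder name)
    institution: str      # first component of the institution composite


def extract_payee_accounts(segments, payee_qualifier="PE"):
    """Collect account details from FII segments whose party qualifier is the payee.

    Assumed layout: FII+<party qualifier>+<C078 account holder>+<institution>+<country>.
    """
    found = []
    for tag, data in segments:
        if tag != "FII" or not data or not data[0] or data[0][0] != payee_qualifier:
            continue
        c078 = data[1] if len(data) > 1 else []
        inst = data[2] if len(data) > 2 else []
        found.append(PayeeAccount(
            account_number=c078[0] if c078 else "",
            holder_name=c078[1] if len(c078) > 1 else "",
            institution=inst[0] if inst else "",
        ))
    return found


def check_message(message, register):
    """Return a list of findings; an empty list means the payee details match."""
    findings = []
    payees = extract_payee_accounts(parse_segments(message))
    if not payees:
        return ["no payee FII segment present"]
    for p in payees:
        expected = register.get(p.holder_name.upper())
        if expected is None:
            findings.append(f"unknown payee {p.holder_name!r}: hold payment for manual verification")
        elif (p.account_number, p.institution) != (expected.account_number, expected.institution):
            findings.append(
                f"account details for {p.holder_name!r} differ from register "
                f"({p.account_number}@{p.institution} vs "
                f"{expected.account_number}@{expected.institution}); possible misrouting"
            )
    return findings


# Constructed register, standing in for details agreed in the Bill of Lading.
REGISTER = {
    "EXAMPLE SHIPPING LINE": PayeeAccount(
        "GB00EXAM00000000000001", "EXAMPLE SHIPPING LINE", "EXAMGB2L"),
}

# Constructed IFTFCC-style message (only the segments needed for the check).
GENUINE = (
    "UNH+1+IFTFCC:D:96A:UN'"
    "BGM+380+INV0001'"
    "NAD+CA+++EXAMPLE SHIPPING LINE'"
    "FII+PE+GB00EXAM00000000000001:EXAMPLE SHIPPING LINE:GBP+EXAMGB2L:25:5+GB'"
    "UNT+5+1'"
)
# Same message with only the account number changed, as in the misrouting scenario.
ALTERED = GENUINE.replace("GB00EXAM00000000000001", "GB00EXAM00000000000099")

if __name__ == "__main__":
    for label, msg in (("genuine", GENUINE), ("altered", ALTERED)):
        print(label, check_message(msg, REGISTER) or ["ok"])
```

In practice the register would be populated from the Bill of Lading or vendor master through a channel independent of the EDI feed, and any finding should stop the payment rather than just log it; the point is that the FII data in the message is never treated as authoritative on its own.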
But Munro said that there have been many occasions where security breaches have happened as a result of assumptions made by various parties about security.
“Consider a regular invoice fraud email: the accounts payable department at the consignee receives a change of banking details letter. They change the bank details, the payment is misrouted and stolen,” said Munro. “It was assumed that the email was genuine. No-one checked the validity of the change request. If no-one checks that the EDI message involving FII and account detail is genuine, then payments can be stolen.”
He said that he could not determine how widely banking information is transmitted over EDI. “From various messages I've seen, it is clear that some banking information IS transmitted though,” he said.
He said that often, users make assumptions about security with no knowledge of message transport security, authentication and integrity processes.
“Irrespective, any user of EDI messaging for anything financial, maritime or not, would do well to check that their systems are secured from message manipulation and related invoice fraud,” said Munro.