Cargo shipping payments vulnerable to hackers
12 Jan 2018 - by Staff reporter
An opening exists for hackers to divert cargo shipping payments by manipulating data in the software used for electronic invoicing and payments in the sector, warns security entrepreneur Ken Munro.
A report by penetration testing and security service provider Pen Test Partners noted that techniques used in conventional invoice fraud through scam email – proven to be highly successful – could be used to exploit a lack of message and payment detail validation in cargo shipping.
This could be done by switching around values within the International Forwarding and Transport message – Freight Costs and other Charges (IFTFCC), a message sent from a shipping company to the receiver or payer for the shipment, which contains account details such as the account holder name and number.
“Consider a regular invoice fraud mail: the accounts payable department at the consignee receives a change of banking details letter. They change the bank details, the payment is misrouted and stolen,” said Munro.
He pointed out that in these cases the diversion of money was possible as it was assumed the email was genuine and no one had checked the validity of the request.
Munro pointed out that on many occasions a security breach was possible due to assumptions made by various parties about security.
He observed that this could cause chaos, with organisations put on credit hold unnecessarily because they had unintentionally paid the wrong amount, and the whole shipping system would “gum up a little”.
Munro emphasised a need for shipping companies and consignees to ensure that the account details in the message matched up with those in the Bill of Lading, and to implement a cross-check that would limit the ability to carry out fraud.
“Any user of electronic data interchange messaging for anything financial, maritime or not, would do well to check that their systems are secured from message manipulation and related invoice fraud,” he added.
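The cross-check Munro recommends, comparing the account details in the message with those held against the Bill of Lading, could look like the sketch below. It is an added example, not code from Pen Test Partners or the article. It assumes the payee account is carried in an EDIFACT FII segment and that the Bill of Lading details come from a separately trusted record; the sample message and function names are constructed for illustration.

```python
import re

# Constructed fragment, not a real message. Assumption: the payee account sits in
# an EDIFACT FII segment as FII+<qualifier>+<account number>:<holder name>.
SAMPLE = ("UNH+1+IFTFCC:D:99B:UN'"
          "FII+BF+GB00 EXAMPLE 0001:Example Shipping Co?'s Ltd'"
          "UNT+3+1'")

def split_edifact(text, sep):
    """Split on sep, honouring the EDIFACT release character '?'."""
    parts, cur, i = [], "", 0
    while i < len(text):
        if text[i] == "?" and i + 1 < len(text):
            cur += text[i:i + 2]      # keep the escape for deeper splits
            i += 2
        elif text[i] == sep:
            parts.append(cur)
            cur = ""
            i += 1
        else:
            cur += text[i]
            i += 1
    return parts + [cur]

def payee_accounts(message):
    """Return (account number, holder name) for every FII segment."""
    found = []
    for segment in split_edifact(message, "'"):
        elements = split_edifact(segment.strip(), "+")
        if elements[0] == "FII" and len(elements) > 2:
            comps = [re.sub(r"\?(.)", r"\1", c)
                     for c in split_edifact(elements[2], ":")]
            found.append((comps[0], comps[1] if len(comps) > 1 else ""))
    return found

def norm(value):
    """Compare on letters and digits only, case-insensitively."""
    return re.sub(r"[^A-Z0-9]", "", value.upper())

def cross_check(message, bl_number, bl_holder):
    """Return reasons to hold payment; an empty list means the details match."""
    accounts = payee_accounts(message)
    if not accounts:
        return ["message carries no payee account details"]  # fail closed
    problems = []
    for number, holder in accounts:
        if norm(number) != norm(bl_number):
            problems.append(f"account number {number!r} differs from Bill of Lading record")
        if norm(holder) != norm(bl_holder):
            problems.append(f"account holder {holder!r} differs from Bill of Lading record")
    return problems
```

A non-empty result should stop the payment run and trigger confirmation through a channel other than the one the message arrived on.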