# Threat Model: Remittances

Status: Draft | Owner: Security Team | Last Updated: 2026-04-03 | Methodology: STRIDE | Scope: Cross-border remittance flow end-to-end

## Overview
STRIDE threat analysis for Simpaisa's Remittance product. Covers cross-border money transfers across corridors involving PK, BD, NP, and IQ. Remittances carry elevated regulatory risk due to AML/CFT obligations, FX exposure, and cross-jurisdictional data handling.
## Data Flow Diagram

```text
┌──────────┐    HTTPS     ┌──────────┐    gRPC     ┌────────────┐
│ Merchant │─────────────▶│ KrakenD  │────────────▶│ Remittance │
│ / Partner│   (signed)   │ Gateway  │   (mTLS)    │  Service   │
└──────────┘              └──────────┘             └──────┬─────┘
                                                          │
                    ┌────────────────────┬────────────────┤
                    │                    │                │
                    ▼                    ▼                ▼
               ┌──────────┐         ┌──────────┐    ┌───────────┐
               │ FX Rate  │         │   AML    │    │ Corridor  │
               │ Service  │         │ Screening│    │  Router   │
               └────┬─────┘         └────┬─────┘    └─────┬─────┘
                    │                    │                │
                    ▼                    ▼                ▼
               ┌──────────┐         ┌──────────┐    ┌───────────┐
               │   Rate   │         │Refinitiv │    │ Provider  │
               │ Provider │         │/ Dow Jones│   │  Adapter  │
               │ (Reuters)│         └──────────┘    │(Remit Co.)│
               └──────────┘                         └─────┬─────┘
                                                          │
               ┌──────────┐                         ┌─────┴─────┐
               │ SurrealDB│◀────────────────────────│ Temporal  │
               │          │                         │ Workflow  │
               └──────────┘                         └───────────┘
```
## Attack Surfaces
| Surface | Entry Point | Trust Level |
|---|---|---|
| FX rate API | Internal rate service | Trusted (mTLS) |
| AML screening flow | Internal → external provider | External |
| Cross-border data | Corridor provider APIs | External |
| KYC document upload | Merchant portal / API | Authenticated |
| Corridor config | Admin portal | Privileged |
## STRIDE Analysis

### S — Spoofing
| ID | Threat | Likelihood | Impact |
|---|---|---|---|
| S-RM-1 | Fake beneficiary identity (synthetic ID) | Medium | Critical |
| S-RM-2 | Corridor provider impersonation | Low | Critical |
S-RM-1: Synthetic identity
- Attack: Attacker creates fake sender/receiver KYC profiles using fabricated or stolen identity documents to launder money through the remittance corridor.
- Mitigation: KYC verification via external provider (document verification + liveness check). Cross-reference against sanctions lists. Velocity checks per sender (daily/monthly limits). Enhanced Due Diligence (EDD) triggered above thresholds.

S-RM-2: Provider impersonation
- Attack: Attacker impersonates a corridor provider's API to inject false completion confirmations.
- Mitigation: mTLS with pinned certificates per provider. Callback signature verification. Out-of-band reconciliation against provider settlement files.
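The callback signature verification named under S-RM-2 (and the HMAC-signed requests R-RM-1 relies on) can be shown concretely. The following is an added example, not Simpaisa's code: it assumes a per-provider shared secret, an `X-Callback-Timestamp` / `X-Callback-Signature` header pair, and an HMAC-SHA256 over the timestamp and body. All names and values are constructed for illustration; mTLS with pinned certificates sits underneath this at the transport layer and is not shown.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Constructed per-provider shared secrets for this example; in production they
# come from the secret manager, never from source or config files.
PROVIDER_SECRETS: Dict[str, bytes] = {
    "remitco": b"constructed-demo-secret-do-not-reuse",
}

MAX_SKEW_SECONDS = 300   # callbacks older or newer than 5 minutes are refused
_seen_signatures = set()  # replay cache; a real deployment keys this in a shared store with a TTL


def _signing_input(timestamp: str, body: bytes) -> bytes:
    # The timestamp is bound into the signed bytes so a captured callback
    # cannot be replayed later under a fresh timestamp.
    return timestamp.encode("ascii") + b"." + body


def sign_callback(provider: str, timestamp: str, body: bytes) -> str:
    """Provider-side computation (hypothetical scheme, used here to build inputs)."""
    return hmac.new(PROVIDER_SECRETS[provider], _signing_input(timestamp, body),
                    hashlib.sha256).hexdigest()


def verify_callback(provider: str, headers: Dict[str, str], body: bytes,
                    now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). Only an accepted callback may advance workflow state."""
    now = time.time() if now is None else now
    secret = PROVIDER_SECRETS.get(provider)
    if secret is None:
        return False, "unknown provider"
    timestamp = headers.get("X-Callback-Timestamp", "")
    signature = headers.get("X-Callback-Signature", "")
    if not timestamp.isdigit():
        return False, "missing timestamp"
    if abs(now - int(timestamp)) > MAX_SKEW_SECONDS:
        return False, "timestamp outside replay window"
    expected = hmac.new(secret, _signing_input(timestamp, body), hashlib.sha256).hexdigest()
    # compare_digest runs in constant time, so the comparison does not leak how
    # many leading characters of the expected signature matched.
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    if signature in _seen_signatures:
        return False, "replayed callback"
    _seen_signatures.add(signature)
    return True, "ok"


if __name__ == "__main__":
    body = json.dumps({"transfer_id": "TX-DEMO-1", "status": "COMPLETED"}).encode()
    ts = str(int(time.time()))
    headers = {"X-Callback-Timestamp": ts, "X-Callback-Signature": sign_callback("remitco", ts, body)}
    print(verify_callback("remitco", headers, body))                                    # (True, 'ok')
    print(verify_callback("remitco", headers, body.replace(b"COMPLETED", b"FAILED")))  # (False, 'bad signature')
```

Two details matter for the S-RM-2 scenario: a forged completion with a modified body fails the signature check, and a genuine completion captured once cannot be resubmitted because the timestamp is inside the signed input and the replay cache refuses a second presentation.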
### T — Tampering
| ID | Threat | Likelihood | Impact |
|---|---|---|---|
| T-RM-1 | FX rate manipulation (MITM on rate source) | Low | Critical |
| T-RM-2 | Rate lock abuse (lock favourable, execute late) | Medium | High |
| T-RM-3 | AML screening result tampering | Low | Critical |
T-RM-1: FX rate manipulation
- Attack: Man-in-the-middle attack on the connection to the rate provider (Reuters/XE), injecting manipulated rates to profit from the spread.
- Mitigation: TLS 1.3 with certificate pinning to rate providers. Multi-source rate validation (cross-check against 2+ providers). Rate deviation alerts: reject rates deviating more than 2% from the rolling average. All rate fetches logged with source hash.

T-RM-2: Rate lock abuse
- Attack: Client locks an FX quote during a favourable market movement, then delays execution until the market moves further, profiting from the locked rate while Simpaisa absorbs the loss.
- Mitigation: Quote TTL strictly enforced (30 seconds to 5 minutes, configurable per corridor). Expired quotes rejected at Temporal workflow level. Rate markup accounts for volatility window. Re-quote required after expiry.
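The multi-source validation and 2% deviation check from T-RM-1 and the quote TTL enforcement from T-RM-2 share one FX quote lifecycle, shown here as an added example (not the FX Rate Service's own code). The 2% rolling-average limit and the 30 s to 5 min TTL range come from the threat model; the 0.5% inter-source spread tolerance, the corridor TTL table and the provider names in the sample input are assumptions for this example.

```python
import statistics
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_DEVIATION = 0.02          # reject a consensus rate more than 2% from the rolling average
MIN_SOURCES = 2               # cross-check against at least two providers
MAX_SOURCE_SPREAD = 0.005     # assumed: a single source may differ from consensus by at most 0.5%
QUOTE_TTL_BOUNDS = (30, 300)  # 30 seconds to 5 minutes, per the threat model

# Constructed per-corridor quote TTLs in seconds (the real values live in corridor config).
CORRIDOR_TTL_SECONDS = {"AE-PK": 60, "AE-BD": 120}


class RateRejected(Exception):
    """Raised when fetched rates fail validation; no quote may be issued from them."""


def validate_rate(source_rates: Dict[str, float], rolling_history: List[float]) -> float:
    """Cross-check providers against each other and against recent history; return the consensus rate."""
    if len(source_rates) < MIN_SOURCES:
        raise RateRejected(f"need at least {MIN_SOURCES} sources, got {len(source_rates)}")
    consensus = statistics.median(source_rates.values())
    for name, rate in source_rates.items():
        # One tampered feed disagrees with the others; a MITM would have to corrupt every pinned source.
        if abs(rate - consensus) / consensus > MAX_SOURCE_SPREAD:
            raise RateRejected(f"{name} quoted {rate}, outside spread tolerance around {consensus}")
    if rolling_history:
        average = statistics.fmean(rolling_history)
        if abs(consensus - average) / average > MAX_DEVIATION:
            raise RateRejected(f"consensus {consensus} deviates more than 2% from rolling average {average:.4f}")
    return consensus


def rate_rejection_reason(source_rates: Dict[str, float], rolling_history: List[float]) -> Optional[str]:
    """Convenience wrapper: None when the rate is accepted, otherwise the rejection reason."""
    try:
        validate_rate(source_rates, rolling_history)
        return None
    except RateRejected as exc:
        return str(exc)


@dataclass(frozen=True)
class Quote:
    quote_id: str
    corridor: str
    rate: float
    issued_at: float
    ttl_seconds: int

    def expired(self, now: float) -> bool:
        return now > self.issued_at + self.ttl_seconds


def issue_quote(quote_id: str, corridor: str, source_rates: Dict[str, float],
                rolling_history: List[float], now: Optional[float] = None) -> Quote:
    now = time.time() if now is None else now
    ttl = CORRIDOR_TTL_SECONDS[corridor]
    if not QUOTE_TTL_BOUNDS[0] <= ttl <= QUOTE_TTL_BOUNDS[1]:
        raise ValueError(f"corridor {corridor} TTL {ttl}s outside permitted bounds")
    return Quote(quote_id, corridor, validate_rate(source_rates, rolling_history), now, ttl)


def execute_transfer(quote: Quote, now: Optional[float] = None) -> str:
    """The check the workflow performs before executing against a locked rate."""
    now = time.time() if now is None else now
    if quote.expired(now):
        return "REJECTED_EXPIRED_QUOTE"  # caller must obtain a fresh quote at the current rate
    return "EXECUTED"


if __name__ == "__main__":
    history = [278.0, 278.2, 278.3]  # constructed rolling history for a PKR corridor
    q = issue_quote("Q-DEMO", "AE-PK", {"reuters": 278.40, "xe": 278.55}, history, now=1000.0)
    print(q.rate, execute_transfer(q, now=1030.0), execute_transfer(q, now=1061.0))
```

The expiry decision uses the server's clock and the quote's own issue time, never a client-supplied timestamp, which is what closes the "lock now, execute later" window described in T-RM-2.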
T-RM-3: AML result tampering
- Attack: Compromised internal service modifies AML screening result from BLOCK to CLEAR, allowing a sanctioned transfer to proceed.
- Mitigation: AML results written as immutable audit entries. State transition from AML_PENDING requires cryptographic proof from screening provider. Dual-service verification for high-risk corridors.
### R — Repudiation
| ID | Threat | Likelihood | Impact |
|---|---|---|---|
| R-RM-1 | Sender denies initiating transfer | Medium | High |
| R-RM-2 | Compliance officer denies clearing a flagged tx | Low | Critical |
R-RM-1: Sender repudiation
- Mitigation: Full audit trail: KYC verification, HMAC-signed request, IP address, device fingerprint. Temporal workflow history provides immutable execution record.

R-RM-2: Compliance officer repudiation
- Mitigation: Manual AML review decisions logged with officer ID, timestamp, rationale, and MFA confirmation. Immutable audit entry. Dual-approval for high-value clearances.
### I — Information Disclosure
| ID | Threat | Likelihood | Impact |
|---|---|---|---|
| I-RM-1 | KYC document exposure | Medium | Critical |
| I-RM-2 | Corridor pricing leak (competitive intel) | Low | Medium |
| I-RM-3 | Cross-border data jurisdiction violation | Low | High |
I-RM-1: KYC document leak
- Attack: KYC documents (passport scans, ID photos) exposed through API vulnerability or log leakage.
- Mitigation: KYC documents stored in encrypted object storage with separate key per document. Access requires explicit authorisation + audit log entry. No KYC data in application logs. 90-day auto-deletion after KYC expiry.

I-RM-3: Jurisdiction violation
- Attack: Personal data of BD citizens processed/stored in a jurisdiction without adequate data protection (e.g. routing via IQ infrastructure).
- Mitigation: Data residency rules per corridor in CorridorConfig. Routing logic enforces data stays within permitted jurisdictions. ControlPlane.com workload placement policies.
### D — Denial of Service
| ID | Threat | Likelihood | Impact |
|---|---|---|---|
| D-RM-1 | FX quote flooding | Medium | Medium |
| D-RM-2 | AML screening backlog | Low | High |
D-RM-1: FX quote flooding
- Attack: Attacker requests thousands of FX quotes per second, exhausting rate provider API quota and preventing legitimate quotes.
- Mitigation: Rate limiting on quote endpoint (10 quotes/sec per merchant). Quote cache for identical corridor/amount within 5-second window. Circuit breaker on rate provider.

D-RM-2: AML screening backlog
- Mitigation: Async AML screening via Temporal activity with timeout. Fallback to secondary screening provider. Queue prioritisation based on amount and risk tier.
### E — Elevation of Privilege
| ID | Threat | Likelihood | Impact |
|---|---|---|---|
| E-RM-1 | Corridor fraud (fake beneficiaries) | Medium | Critical |
| E-RM-2 | Structuring / smurfing | High | Critical |
| E-RM-3 | Sanctions evasion via intermediary corridor | Medium | Critical |
E-RM-1: Corridor fraud
- Attack: Creating multiple fake beneficiary accounts in the target country to siphon funds through seemingly legitimate remittance transactions.
- Mitigation: Beneficiary de-duplication (name + account + country). Velocity limits per beneficiary. Network analysis to detect beneficiary clusters receiving from multiple senders.

E-RM-2: Structuring / smurfing
- Attack: Breaking large transfers into multiple smaller amounts below reporting thresholds to avoid AML scrutiny.
- Mitigation: Aggregate monitoring: rolling 24h/7d/30d totals per sender. Threshold alerts at 80% of reporting limit. Pattern detection for round amounts just below threshold. Automated STR (Suspicious Transaction Report) filing.

E-RM-3: Sanctions evasion
- Attack: Routing funds through an intermediary corridor (e.g. AE→NP→PK instead of AE→PK) to avoid sanctions screening on the direct corridor.
- Mitigation: AML screening applied at each corridor hop. Beneficiary country checked against sanctions list regardless of routing. Corridor chaining detection in transaction analytics.
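The monitoring logic behind E-RM-1 (beneficiary de-duplication and fan-in clusters) and E-RM-2 (rolling 24h/7d/30d totals, 80% threshold alerts, round amounts just below the limit) is illustrated by the following added example, which is not Simpaisa's transaction analytics code. The reporting threshold, the "within 10% under the limit" band, the fan-in limit of three senders and the sample ledger are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

REPORTING_THRESHOLD = 10_000.0  # constructed reporting limit in corridor currency units
ALERT_FRACTION = 0.80           # alert once a rolling total reaches 80% of the limit
NEAR_THRESHOLD_BAND = 0.10      # "just below": within 10% under the limit (assumed)
ROUND_UNIT = 100                # an amount is "round" when it is a multiple of this (assumed)
WINDOWS = {"24h": 24 * 3600, "7d": 7 * 86400, "30d": 30 * 86400}
MAX_DISTINCT_SENDERS = 3        # assumed: a beneficiary paid by more senders than this is flagged


@dataclass(frozen=True)
class Transfer:
    tx_id: str
    sender: str
    beneficiary: str  # de-duplication key: normalised name + account + country
    amount: float
    ts: int           # unix seconds


def beneficiary_key(name: str, account: str, country: str) -> str:
    """Normalised key so one beneficiary spelled or spaced differently collapses to one identity."""
    return f"{' '.join(name.upper().split())}|{account.replace(' ', '')}|{country.upper()}"


def rolling_totals(transfers: List[Transfer], sender: str, now: int) -> Dict[str, float]:
    return {label: sum(t.amount for t in transfers if t.sender == sender and now - span < t.ts <= now)
            for label, span in WINDOWS.items()}


def structuring_alerts(transfers: List[Transfer], sender: str, now: int) -> List[str]:
    """Alerts that would feed the STR decision for one sender."""
    alerts = []
    for label, total in rolling_totals(transfers, sender, now).items():
        if total >= ALERT_FRACTION * REPORTING_THRESHOLD:
            alerts.append(f"{label} total {total:.0f} reached 80% of reporting limit")
    lower = REPORTING_THRESHOLD * (1 - NEAR_THRESHOLD_BAND)
    near_round = [t for t in transfers
                  if t.sender == sender and now - WINDOWS["7d"] < t.ts <= now
                  and lower <= t.amount < REPORTING_THRESHOLD and t.amount % ROUND_UNIT == 0]
    if len(near_round) >= 2:
        alerts.append(f"{len(near_round)} round amounts just below reporting limit within 7d")
    return alerts


def beneficiary_fan_in(transfers: List[Transfer], now: int, span: int = WINDOWS["30d"]) -> Dict[str, Set[str]]:
    """Beneficiaries receiving from more distinct senders than the limit (cluster candidates)."""
    senders = defaultdict(set)
    for t in transfers:
        if now - span < t.ts <= now:
            senders[t.beneficiary].add(t.sender)
    return {b: s for b, s in senders.items() if len(s) > MAX_DISTINCT_SENDERS}


NOW = 1_700_000_000
# Constructed sample ledger: S1 sends three round amounts just under the limit to one
# beneficiary written three different ways; S2 is one ordinary transfer; the NP
# beneficiary receives from four unrelated senders.
SAMPLE = [
    Transfer("t1", "S1", beneficiary_key("Ahmed Khan", "PK00 1234", "PK"), 9_500.0, NOW - 200_000),
    Transfer("t2", "S1", beneficiary_key("ahmed  khan", "PK001234", "pk"), 9_800.0, NOW - 100_000),
    Transfer("t3", "S1", beneficiary_key("AHMED KHAN", "PK001234", "PK"), 9_900.0, NOW - 3_600),
    Transfer("t4", "S2", beneficiary_key("Fatima Begum", "BD009876", "BD"), 500.0, NOW - 7_200),
] + [Transfer(f"c{i}", f"S{i}", beneficiary_key("Cluster Target", "NP005555", "NP"), 300.0, NOW - i * 3_600)
     for i in range(3, 7)]


if __name__ == "__main__":
    print(structuring_alerts(SAMPLE, "S1", NOW))
    print(beneficiary_fan_in(SAMPLE, NOW))
```

The windows are evaluated together rather than in isolation: S1 stays under the limit in any single transfer and only the 7d/30d aggregates and the repeated round amounts reveal the pattern, which is the point of aggregate monitoring in E-RM-2.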
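Per-hop screening and corridor chaining detection (E-RM-3) and the per-corridor data residency rules from I-RM-3 both act at the routing decision, so one added example covers both. This is illustrative code, not the Corridor Router or its CorridorConfig: the field name `permitted_jurisdictions`, the corridor table, the placeholder sanctioned country code `XX` and the in-memory screening stand-in are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class CorridorConfig:
    origin: str
    destination: str
    permitted_jurisdictions: FrozenSet[str]  # where this corridor's data may be processed or stored


# Constructed corridor table; the jurisdiction sets are assumptions for this example.
CORRIDORS: Dict[Tuple[str, str], CorridorConfig] = {
    ("AE", "PK"): CorridorConfig("AE", "PK", frozenset({"AE", "PK"})),
    ("AE", "NP"): CorridorConfig("AE", "NP", frozenset({"AE", "NP"})),
    ("NP", "PK"): CorridorConfig("NP", "PK", frozenset({"NP", "PK"})),
    ("AE", "BD"): CorridorConfig("AE", "BD", frozenset({"AE", "BD"})),
}

# Constructed stand-in for the external screening provider ("XX" is a placeholder code).
SANCTIONED_COUNTRIES = {"XX"}
SANCTIONED_NAMES = {"BLOCKED PERSON"}


def screen(name: str, country: str) -> str:
    """Return "BLOCK" or "CLEAR" for a party in a given country."""
    if country.upper() in SANCTIONED_COUNTRIES or " ".join(name.upper().split()) in SANCTIONED_NAMES:
        return "BLOCK"
    return "CLEAR"


def evaluate_route(path: List[str], processing_site: str, sender_name: str,
                   beneficiary_name: str) -> Tuple[str, List[str], List[str]]:
    """path is the ordered country list, e.g. ["AE", "NP", "PK"]: first is the sender's
    country, last is the beneficiary's. Returns (decision, blocking errors, analytics flags)."""
    errors, flags = [], []
    hops = list(zip(path, path[1:]))
    if not hops:
        return "REJECT", ["route needs at least one hop"], flags
    # Sender and beneficiary are screened against their own countries regardless of routing.
    if screen(sender_name, path[0]) == "BLOCK" or screen(beneficiary_name, path[-1]) == "BLOCK":
        return "REJECT", ["sender or beneficiary failed sanctions screening"], flags
    for origin, dest in hops:
        cfg = CORRIDORS.get((origin, dest))
        if cfg is None:
            errors.append(f"no configured corridor {origin}->{dest}")
            continue
        # Screening is repeated at every hop, not only on the first corridor.
        if screen(beneficiary_name, dest) == "BLOCK":
            errors.append(f"hop {origin}->{dest} blocked by screening")
        # Data residency: the workload handling this hop must run in a permitted jurisdiction.
        if processing_site not in cfg.permitted_jurisdictions:
            errors.append(f"hop {origin}->{dest}: processing in {processing_site} not permitted "
                          f"(allowed: {sorted(cfg.permitted_jurisdictions)})")
    # Corridor chaining: a multi-hop route although a direct corridor exists; flagged for analytics.
    if len(hops) > 1 and (path[0], path[-1]) in CORRIDORS:
        flags.append(f"corridor chaining: direct corridor {path[0]}->{path[-1]} exists")
    if errors:
        return "REJECT", errors, flags
    return ("REVIEW" if flags else "ALLOW"), errors, flags


if __name__ == "__main__":
    print(evaluate_route(["AE", "PK"], "AE", "Ali Raza", "Sara Malik"))
    print(evaluate_route(["AE", "NP", "PK"], "AE", "Ali Raza", "Sara Malik"))
```

A chained route is not rejected on its own; it is surfaced to analytics with a REVIEW decision, while a residency breach or a screening hit on any hop is blocking. That split keeps the hard controls (residency, sanctions) separate from the pattern signal the document assigns to transaction analytics.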
## Risk Matrix
| Threat | Likelihood | Impact | Risk Level | Mitigation Status |
|---|---|---|---|---|
| S-RM-1 | Medium | Critical | High | Implemented |
| S-RM-2 | Low | Critical | Medium | Implemented |
| T-RM-1 | Low | Critical | Medium | Implemented |
| T-RM-2 | Medium | High | High | Implemented |
| T-RM-3 | Low | Critical | Medium | Planned |
| R-RM-1 | Medium | High | High | Implemented |
| R-RM-2 | Low | Critical | Medium | Implemented |
| I-RM-1 | Medium | Critical | High | In progress |
| I-RM-2 | Low | Medium | Low | Implemented |
| I-RM-3 | Low | High | Medium | Planned |
| D-RM-1 | Medium | Medium | Medium | Implemented |
| D-RM-2 | Low | High | Medium | Implemented |
| E-RM-1 | Medium | Critical | High | In progress |
| E-RM-2 | High | Critical | Critical | Implemented |
| E-RM-3 | Medium | Critical | High | Planned |
## ADR Cross-References
| Mitigation Area | Related ADR / Standard |
|---|---|
| AML/CFT compliance | CROSS-BORDER-COMPLIANCE-FRAMEWORK |
| FX rate management | ADR-035 FX Rate Management |
| KYC data handling | PII-HANDLING-STANDARD |
| Data residency | ADR-040 Data Residency |
| Audit trail | ADR-031 Audit Trail |
| Rate limiting | RATE-LIMITING-POLICY |
| Secret management | SECRET-MANAGEMENT-STANDARD |