Article written by F5 Networks APAC fraud protection solution specialist Shahnawaz Backer Fraud is always going to be top of mind for all financial institutions. The move to digital has made moving money quicker, easier and faster – and it’s done exactly the same for fraud. Digitisation and mass adoption of online and mobile banking is providing new opportunities for criminals to steal from us without even leaving their bedrooms. So how can financial institutions combat these new, increasingly intelligent attacks? Having the right technology will be key and taking a holistic approach to security will be mandatory.
Fraud-as-a Service on the Dark Web is big business - providing cybercriminals with malicious tools such as Malwares, Weaponized Zero-Day exploits, DDOS Services and Hosting Services, to target their financial institution of choice. Automation is also making the management and maintenance of the compromised devices easier. Criminals, with modern command-and-control (C2) servers, now have the capability to automate data collection and increase their gains through economies of scale. These malwares are evolving quickly, and my expectation is that this type of fraud is here to stay and set to grow. To combat the rise in automated attacks, financial institutions are themselves turning to automation technology. Machine learning systems can change how banks manage their fraud risk programs.
If a bank is processing 100,000 transactions per minute, it is just not possible for a human to fend off. However, fully automated, artificial intelligence can perform complex analysis on transactional data and identify and flag potentially fraudulent activity, without needing to be programmed to do so.
With the ongoing juggernaut of digitisation and API (Application Programming Interface) adoption in the banking sector, we expect the use of online and mobile banking apps to increase, and with that, following the money, we can expect the emergence of new financial malwares adopting new techniques to try to get our personal information - and our cash. In addition, with real-time transactions becoming a reality in Australia in 2018, we can expect fraudsters to try to take advantage of this. The New Payments Platform is stepping up efforts to educate consumers on phishing scams and in any increase in electronic fund transfers and automated clearings. As a result, social engineering as a compromise vector will stay and phishing attacks will continue to increase.
With the tightening of security on applications and infrastructure, cybercriminals have for some time been focusing on the weakest link - people. In response, banks will need to roll out stronger digital identities by adopting greater levels of ‘addition of context’, user behaviour and biometrics. Inadequately secured personal devices that are connected to the Internet are a real threat. By infecting them and then reporting to a C2 with confidential information, a fraudster can then masquerade as the user by assuming their identity. Financial institutions need to rethink the digital identity management of their customers. There needs to be context when identifying if people are real. Intelligent capabilities based on analytics (behavioural & heuristic) need to be built into the system to help identify a fraudulent transaction, even if it is coming from a machine with the right credentials and no obvious indicator of having been compromised. Furthermore, from a preventive standpoint, online and mobile banking applications should be able to detect the presence of malwares and deter sniffing attacks. Banking applications should be required to qualify the integrity of a device and cease to function if it detects a potential threat, for example, by not allowing a user to run critical banking transactions on a jailbroken or rooted device.
In the end, the onus is on the banks to make sure they are secure. Banks need to increase their own security by removing the need for their end-users to update their security or install tokens on their own devices, as customers will still be at risk if they do not follow protocols.
Therefore, clientless solutions are needed, as these allow banks to be in control of security and not rely on end-users to secure their own environment. To have a fighting chance against fraud, the industry as a whole, from banks to those that protect them, will need to invest in their own threat researchers and analysts to create reports and share them across the industry. The industry - and all its stakeholders - need to be better educated and invest in the right technology to make sure that these attacks are cut off before they even reach the end user. When it comes to defence from malicious attacks, everybody, from banks to security firms to customers, need to be that little bit smarter.