Story image

Why banks need to show more initiative in tackling cyber fraud

01 Mar 18

Article written by F5 Networks APAC fraud protection solution specialist Shahnawaz Backer

Fraud is always going to be top of mind for all financial institutions. The move to digital has made moving money quicker, easier and faster – and it’s done exactly the same for fraud. Digitisation and mass adoption of online and mobile banking is providing new opportunities for criminals to steal from us without even leaving their bedrooms.

So how can financial institutions combat these new, increasingly intelligent attacks? Having the right technology will be key and taking a holistic approach to security will be mandatory.​

Automation – the rise of Malwares

Fraud-as-a Service on the Dark Web is big business - providing cybercriminals with malicious tools such as Malwares, Weaponized Zero-Day exploits, DDOS Services and Hosting Services, to target their financial institution of choice.

Automation is also making the management and maintenance of the compromised devices easier. Criminals, with modern command-and-control (C2) servers, now have the capability to automate data collection and increase their gains through economies of scale.  

These malwares are evolving quickly, and my expectation is that this type of fraud is here to stay and set to grow.

To combat the rise in automated attacks, financial institutions are themselves turning to automation technology. Machine learning systems can change how banks manage their fraud risk programs.

If a bank is processing 100,000 transactions per minute, it is just not possible for a human to fend off. However, fully automated, artificial intelligence can perform complex analysis on transactional data and identify and flag potentially fraudulent activity, without needing to be programmed to do so.

New digital threats

With the ongoing juggernaut of digitisation and API (Application Programming Interface) adoption in the banking sector, we expect the use of online and mobile banking apps to increase, and with that, following the money, we can expect the emergence of new financial malwares adopting new techniques to try to get our personal information - and our cash.

In addition, with real-time transactions becoming a reality in Australia in 2018, we can expect fraudsters to try to take advantage of this. The New Payments Platform is stepping up efforts to educate consumers on phishing scams and in any increase in electronic fund transfers and automated clearings.

As a result, social engineering as a compromise vector will stay and phishing attacks will continue to increase.

Securing the weakest link

With the tightening of security on applications and infrastructure, cybercriminals have for some time been focusing on the weakest link - people.  In response, banks will need to roll out stronger digital identities by adopting greater levels of ‘addition of context’, user behaviour and biometrics.

Inadequately secured personal devices that are connected to the Internet are a real threat. By infecting them and then reporting to a C2 with confidential information, a fraudster can then masquerade as the user by assuming their identity.

Financial institutions need to rethink the digital identity management of their customers. There needs to be context when identifying if people are real. Intelligent capabilities based on analytics (behavioural & heuristic) need to be built into the system to help identify a fraudulent transaction, even if it is coming from a machine with the right credentials and no obvious indicator of having been compromised.

Furthermore, from a preventive standpoint, online and mobile banking applications should be able to detect the presence of malwares and deter sniffing attacks. Banking applications should be required to qualify the integrity of a device and cease to function if it detects a potential threat, for example, by not allowing a user to run critical banking transactions on a jailbroken or rooted device.  

Banks taking the lead

In the end, the onus is on the banks to make sure they are secure. Banks need to increase their own security by removing the need for their end-users to update their security or install tokens on their own devices, as customers will still be at risk if they do not follow protocols.

Therefore, clientless solutions are needed, as these allow banks to be in control of security and not rely on end-users to secure their own environment.

To have a fighting chance against fraud, the industry as a whole, from banks to those that protect them, will need to invest in their own threat researchers and analysts to create reports and share them across the industry.

The industry - and all its stakeholders -  need to be better educated and invest in the right technology to make sure that these attacks are cut off before they even reach the end user.  When it comes to defence from malicious attacks, everybody, from banks to security firms to customers, need to be that little bit smarter.

Australian businesses get serious about SD-WAN
"SD-WAN is doing to enterprise networks what virtualisation did to enterprise data centres almost a decade ago, but it's happening much faster."
How to keep network infrastructure secure and available
Two OVH executives have weighed in on how network infrastructure and the challenges in that space will be evolving in the coming year.
White box losing out to brands in 100 GE switching market
H3C, Cisco and Huawei have all gained share in the growing competition in the data centre switching market.
Gartner names newcomer Exabeam a leader in SIEM
The vendor landscape for SIEM is evolving, with recent entrants bringing technologies optimised for analytics use cases.
52mil users affected by Google+’s second data breach
Google+ APIs will be shut down within the next 90 days, and the consumer platform will be disabled in April 2019 instead of August 2019 as originally planned.
How Fujitsu aims to tackle digitalisation and the data that comes with it
Fujitsu CELSIUS workstations aim to be the ideal platform for accelerating innovation and data-rich design.
Genesys PureCloud generates triple-digit revenue growth year on year
In Australia and New Zealand, the company boosted PureCloud revenue by nearly 100%.
Symantec releases neural network-integrated USB scanning station
Symantec Industrial Control System Protection Neural helps defend against USB-borne cyber attacks on operational technology.