Rapid digitalisation of operations and processes by firms globally is generating many new opportunities for hackers.
Digital transformation is fueling competition across all industries globally, and the financial services sector is arguably being impacted the most. There is, however, growing evidence that the rapid pace of digitalisation itself is generating a new wave of cybercrime.
In Heidi Bleau’s experience as Consultant, Fraud and Risk Intelligence Solutions at RSA, digital opportunities are creating new and unprecedented digital risks: “It now happens all the time. A financial services company launches an innovative new service to make it more convenient for consumers and clients to do business – only to find they’ve also made it easier for cybercriminals to do their business.”
Bleau points to a number of incidents to highlight the link between digital innovation and cybercrime. In one case a group of leading lenders in Spain launched a new instant bank transfer service as a way to provide more convenient digital payment options for their customers: “Who wouldn’t rather use their phone number or email address to transfer money between accounts? And who doesn’t like the option of moving money anytime, anywhere?” However, it didn’t take long for cybercriminals to catch wind of this latest innovation. They moved quickly to phish for account numbers and other enabling information, resulting in a 178% increase in phishing attacks targeting financial institutions in Spain.
When an inter-bank debit card network in Canada merged with the company that operated the network’s online and transfer services, cybercriminals were quick to take notice. Following the merger, there was a flurry of phishing attacks in which someone pretending to represent the card network attempted to get victims to reveal login credentials by claiming they were confirming a transaction. “Within months of the merger, nearly half of global phishing attack volume was targeted at Canadian financial institutions and their customers,” says Bleau.
Another case relates to the launch of a new third-party payments app in Japan. The company offered a generous cash-back promotion during the holiday shopping season as a way to drive consumer adoption. When word got out in the cybercriminal community, carding markets became flooded with Japanese payment card numbers for sale which were then used to sign victims up for the service. “In this case, fraudsters essentially looted twice; first, they used the stolen cards to make fraudulent purchases through the app and got a second windfall in the form of cash back.”
Financial innovation breeds digital risk
The challenge of increasing customer convenience without also increasing security risks isn’t new, but digital transformation has clearly raised the stakes considerably. “In a rush to get new products and services out the door, basic security controls often get overlooked. While much attention is focused pre-launch on managing risks associated with data privacy controls and business resiliency – for example making sure the website isn’t going to crash from an influx of traffic – some financial institutions fail to plan for the risks that arise post-launch and are only forced to act when cybercriminals seize the opportunity to perpetrate fraud.”
Bleau warns that cybercriminals are always on the alert for any change in the financial services infrastructure, whether the launch of a new product or service, or even a change in the way institutions authenticate online payments. Financial services providers can, however, fight back by narrowing the window of opportunity for fraudsters, and Bleau suggests a few measures firms can take to do so.
She points out that cybercriminals openly share best practices on new or impending changes, process vulnerabilities, and the best methods of cashing out in dark web forums, and even on social media. Real-time monitoring of this chatter is therefore a good place to start in keeping abreast of weaknesses in an organisation’s defences.
Bleau also urges firms to evaluate how prepared they are to identify and respond to cyber-attacks. “If your organisation was suddenly hit by a surge in phishing attacks following the rollout of a new service, how quickly could you respond? Do you have enough resources, or even the right resources?” Beyond phishing and malware, organisations also need to consider their response capabilities to address new breeds of malicious activity in the form of rogue mobile apps or social media attacks, she says.
Another must is a review and rethink about payment authentication: “Moving beyond the conversation about complex passwords is essential. Having the right technology and controls in place is critical to any fraud prevention strategy, and this includes the use of risk-based, adaptive authentication – a type of multi-factor authentication – to watch for signs of fraud based on device, user behaviour, location, and other indicators.”
She points to RSA research on fraud patterns associated with account takeover and new account fraud, for example, which shows that new accounts have 15 times greater fraud rates in the first ten days. “You can spot suspicious behaviour on existing accounts by watching for logins from new devices, account profile changes, or the addition of new payees – which is when 70% of fraudulent payments are made. Understanding where the most digital risk lies enables the right authentication policies and controls to be put in place to prevent advanced cyberattacks.”
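As an added illustration (not code from the article or from RSA), the Python sketch below applies the signals Bleau names – account age under ten days, an unrecognised device, an unusual location, a profile change, a newly added payee – to score a session and decide whether to allow it, step up authentication, or hold it; the weights, thresholds and sample sessions are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Event:
    account_age_days: int    # new accounts carry more risk in their first ten days
    device_known: bool       # has this device been seen on the account before?
    country: str             # geolocation of this session
    home_country: str        # country the account normally transacts from
    profile_changed: bool    # e.g. email or phone number changed in this session
    new_payee_added: bool    # payee added right before a payment
    amount: float = 0.0      # payment amount; 0 for a plain login

# Constructed weights (assumption, not a real vendor model): each signal adds risk.
WEIGHTS = {
    "new_account": 30,
    "unknown_device": 25,
    "foreign_location": 20,
    "profile_change": 15,
    "new_payee": 35,
    "large_amount": 20,
}

def risk_score(ev: Event) -> int:
    """Sum the weights of every risk signal present in the event."""
    score = 0
    if ev.account_age_days < 10:
        score += WEIGHTS["new_account"]
    if not ev.device_known:
        score += WEIGHTS["unknown_device"]
    if ev.country != ev.home_country:
        score += WEIGHTS["foreign_location"]
    if ev.profile_changed:
        score += WEIGHTS["profile_change"]
    if ev.new_payee_added:
        score += WEIGHTS["new_payee"]
    if ev.amount >= 1000:
        score += WEIGHTS["large_amount"]
    return score

def decide(ev: Event) -> str:
    """Map the score to an adaptive-authentication outcome (constructed thresholds)."""
    s = risk_score(ev)
    if s >= 70:
        return "block"       # hold the transaction for review
    if s >= 30:
        return "step_up"     # require a second factor before continuing
    return "allow"           # low risk: no extra friction for the customer

# Constructed sample sessions
routine = Event(400, True, "ES", "ES", False, False, 50.0)
new_payee_new_device = Event(400, False, "ES", "ES", False, True, 1500.0)
fresh_account = Event(3, False, "ES", "ES", False, False)
```

The point of the adaptive pattern is that the routine session passes untouched while the combination of an unknown device, a new payee and a large amount triggers a hold without a blanket second factor for everyone.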
Considering the increasing sophistication and cunning of hackers, Bleau says it is difficult to see the challenge of finding and fighting cybercrime becoming any easier for financial institutions as they become increasingly digital. “In a relatively short time, we’ve gone from individuals presenting themselves in person to not being present at all, across a multitude of transaction channels – even to the point of being represented by devices in the age of IoT. Cybercriminals are exploiting this trend, both by taking advantage of the increasing difficulty of authenticating identities and by taking advantage of digital technologies themselves.
“As the digital transformation of both business and cybercrime continues, financial institutions must be increasingly vigilant, and increasingly well-equipped technologically, to protect themselves from sophisticated attacks. In this way, digital transformation becomes both a critical contributing factor in the problem of growing cyber risks today – and a critical resource for solving it.”