In the first of a two-part review of cyberfraud and risk management approaches, James Richardson, Head of Market Development Risk and Fraud for Bottomline Technologies, looks at the lessons that can be learnt from recent payment fraud attacks.
The headlines are unrelenting. Hardly a week goes by without news of yet another organisation suffering critical data breaches or cyber fraud assault – resulting in financial loss and severe reputational damage.
Customer confidence is degraded, business is lost, and regulatory fines often follow.
Banks, financial institutions, corporates, and government bodies internationally have been the target of malicious hackers and fraudsters, with the National Cyber Management Centre warning that “a major bank will fail because of a cyber-attack in 2017.” In response, organisations have understandably increased investments in security defences against malware and unauthorised external hacking. But has this investment addressed the actual spectrum of threats we face?
Where are the real vulnerabilities?
There are certainly access validation weaknesses that are vulnerable to exploitation by criminals – for example, the malware heist that successfully made off with $81 million from Bangladesh Bank last year, although the attempt was for close to $1 billion. The attack relied on compromised log-on credentials in a SWIFT member’s local environment.
Heightening access and identity management is seen by some as top priority in the battle against the fraudsters. The expansion of biometric technology in particular has been championed over previous multi-factor authentication tools such as simple hardware token presentation.
Do biometric solutions – facial recognition, fingerprints, iris scans, and voice detection – address core fraud vulnerabilities? Like all other forms of identity validation, biometrics is far from infallible. Even ignoring the previous thefts of biometric depositories – most notably the fingerprint records of 5.6 million government employees stolen in 2015 – biometric systems have been foiled by the most low-tech of approaches by criminals. Fingerprint sensors have been bypassed using outputs from ink-jet printers available from most high streets for less than £50.
Iris profiles and fingerprints have also been extracted and reproduced by hackers from photographs (including unlocking a device using iris data extracted from a photo of Chancellor Angela Merkel). The recently announced ‘highly secure’ facial recognition access system of one leading global manufacturer was subverted with a simple photo pulled down from LinkedIn.
This is not to denigrate biometric tools. They are useful as part of an overall security envelope. Of more importance is the risk of limiting a fraud prevention focus to the narrow issue of strengthening access controls and our ‘external defences’ to keep bad actors at bay – such an approach fails to address the full spectrum of fraud threats we face as a global financial community.
Insider fraud and global connectivity
While hacks committed by external fraudsters continue to generate media headlines, industry investigations confirm that 78% of fraud losses involve employees. This statistic is further supported by Bottomline Technologies’ research, in which 84% of finance contacts confirmed that system and process loopholes would allow them to commit fraud, and only a minority of organisations have the ability to monitor suspicious behaviour.
A focus solely upon strengthening an organisation’s digital perimeter defences against unauthorised access can overlook this significant internal ‘authorised’ risk. In addition, in an environment of globally connected financial infrastructure networks, we are collectively reliant upon accepting the legitimacy of messaging instructions received from our counterparties. Recent major payment frauds exploiting this trust demonstrate the financial and reputational risk that even the most secure organisations face from simply accepting payment instructions at face value, without conducting some form of secondary validation and fraud screening.
Addressing the challenge
How can this more complex – and prevalent – insider challenge be addressed?
An effective fraud prevention strategy should include the ability to monitor user activity along the full payments chain and payments systems. Insider fraud prevention solutions can compare user behaviour in real time against historical norms to alert security teams to unauthorised or suspicious behaviour, preventing crime, data theft and identity theft.
Such an approach ensures staff accountability by capturing user behaviour across multiple platforms in all environments, creating centralised visibility. In addition, once employees are aware system actions are being monitored, unauthorised activity is deterred.
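As an added illustration of comparing a user's activity against historical norms (this is not Bottomline's product or code), the sketch below builds a per-user baseline from past payment entries and lists the reasons a new entry deviates from it. The event fields, the sample data and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample history: (user, amount, hour_of_day, beneficiary)
HISTORY = [
    ("alice", 1200.0, 10, "ACME-LTD"), ("alice", 950.0, 11, "ACME-LTD"),
    ("alice", 1100.0, 14, "GLOBEX"),   ("alice", 1050.0, 15, "GLOBEX"),
    ("alice", 1000.0, 9, "ACME-LTD"),
    ("bob", 300.0, 13, "INITECH"), ("bob", 320.0, 16, "INITECH"),
    ("bob", 280.0, 12, "INITECH"),
]

def build_baselines(history):
    """Summarise each user's past payments: amounts, working hours, payees."""
    per_user = defaultdict(lambda: {"amounts": [], "hours": [], "payees": set()})
    for user, amount, hour, payee in history:
        base = per_user[user]
        base["amounts"].append(amount)
        base["hours"].append(hour)
        base["payees"].add(payee)
    return dict(per_user)

def score_event(baselines, event, z_threshold=3.0, min_history=3):
    """Return the reasons an event deviates from the user's own norm."""
    user, amount, hour, payee = event
    base = baselines.get(user)
    if base is None or len(base["amounts"]) < min_history:
        return ["no_baseline"]  # too little history: route to manual review
    reasons = []
    mu = mean(base["amounts"])
    # Floor the spread so users with near-identical amounts do not
    # trigger alerts on trivial differences (assumed floor: 5% of mean).
    sigma = max(pstdev(base["amounts"]), 0.05 * mu, 1.0)
    if (amount - mu) / sigma > z_threshold:
        reasons.append("amount_above_norm")
    # Allow one hour either side of the hours previously observed.
    if not min(base["hours"]) - 1 <= hour <= max(base["hours"]) + 1:
        reasons.append("unusual_hour")
    if payee not in base["payees"]:
        reasons.append("new_beneficiary")
    return reasons

BASELINES = build_baselines(HISTORY)

if __name__ == "__main__":
    for ev in [("alice", 48000.0, 2, "UNKNOWN-CO"), ("alice", 1150.0, 10, "GLOBEX")]:
        print(ev, "->", score_event(BASELINES, ev) or "within norm")
```

The check runs on authorised users' own actions, so it still applies when log-on succeeded with valid credentials.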
So a comprehensive fraud prevention approach needs to extend well beyond identity authentication and intrusion protection to safeguard against the full threat profiles we face as a global financial community. Without visibility into authorised users' behaviour, organisations are missing a critical layer of defence and are less able to detect and prevent fraud and data breaches.
The second part of this review will look in more detail at how such a comprehensive approach can provide a critical infrastructure for combatting internal fraud and information leakage in your organisation, enabling a proactive response to prevent crime, rather than mere ‘after-the-fact’ detection.