Feature: Beating the fraudsters at their own game

07 Apr 2020

Cybercrime is rife and there are no sectors which are completely safe. According to Accenture, the past five years has seen a 67 per cent rise in this type of criminal activity.

Even now, as the world fights the Covid-19 pandemic, cyber criminals are finding ways to breach systems and trick consumers into handing over valuable information.

Research conducted last year by Clearswift found that some 70 per cent of financial companies had suffered a cyber security incident over the past 12 months, and less than a quarter of those polled had felt they had a sufficiently large budget allocated to this area.

“The cyber security threat in banking is real, yet financial firms are having to fight this threat with insufficient budgets and resources,” Alyn Hockey, VP of product management at Clearswift explains.

“The very nature of Open Banking makes those firms even more vulnerable to attack. With banks exposing their customer data APIs to third-party applications, it’s a sector that will become even more appealing to cyber criminals.”

The speed of technological evolution continues to drive a digital revolution in financial services. We are perhaps just a short time away from smart home devices such as Google Home or Alexa carrying out transactions and payments on our behalf.

While these advances are great for the consumer and the banking industry, they bring with them an element of risk as technology is not reserved for the good and, unfortunately, is also being used to revolutionise the approaches that hackers and criminals are taking to get their hands on people’s hard-earned cash.

 Staying one step ahead

So what steps are financial services companies taking to get one step ahead of criminal networks?

Tim Ayling, VP EMEA at anti-fraud solutions provider, buguroo, says banks are already taking proactive steps to detect and prevent fraud, such as using behavioural biometrics to continuously validate a user’s identity when they are banking online.

He explains: “This way, banks can profile each user uniquely, analysing their behaviour throughout each session and comparing it against their online profile, validating that they are who they say they are.

“If a bank profiles every user, it will be able to recognise both a user’s typical modus operandi and that of the fraudsters, and then use this information to identify the fraudsters who may already be operating inside the bank.”

Mr Ayling adds that these types of checks can halt fraudsters in their tracks and give banks a fighting chance at staying one step ahead of the most devious and unscrupulous of criminals.

For Bharat Mistry, principal security strategist at Trend Micro, if banks are to be successful in any way shape or form in protecting their customers from cybercrime then they must tackle it in three keys areas – consumer cyber awareness, security controls and through advanced techniques, such as machine learning, artificial intelligence and analytics

“From a technology and innovation viewpoint, banks should be using two-factor or strong authentication at login, when a new recipient is created or when large sums of money are transferred,” he says.

“Also, employing a defence in depth architecture provides visibility on the infrastructure needed to respond proactively to attacks. An environment where threats are isolated particularly from email gateways, where many of these kinds of attacks start and helps monitor and filter email traffic and weed out anomalous emails.”

Thinking like a criminal

The use of machine learning, artificial intelligence and analytics, as Mr Mistry suggests, means that those fighting cybercrime within banks and financial institutions can start to think like the criminals and build up their defences accordingly.

“Trying to handle breaches and compromises as they occur is already a lost battle,” says Jonathan Knudsen, senior security strategist at Synopsys and teacher of secure software development at Duke University.

“Just like when the dentist tells you that your teeth have cavities, the only thing you can do is try to minimise the damage. What you really need is a time machine to go back in time and practice good dental hygiene.”

He explains that preventing catastrophe starts with how software and systems are built, adding that ‘Secure Development Life Cycle (SDLC or SSDL)’ ensures that security is a consideration at every stage of development.

“This means thinking like an attacker, utilising activities such as threat modelling, architectural risk analysis and red teaming, but also includes more comprehensive testing of software,” he says.

“In the SDLC, testing includes source code analysis, software composition analysis, fuzzing, and other types of testing that help ensure that the software being built will not fail in the face of strange, unexpected inputs and events or outright aggression.

According to Mr Knudsen, software and systems that are built using an SDLC are significantly more robust, more resilient, and more secure than those built with only functionality as a concern.

The good news, he claims, is that that any software development process can be incrementally moved to be an SDLC, by incorporating security at each step and focusing on automation and integration of security testing tools.

“The transition from traditional development to secure development doesn’t have to be painful, but it must happen,” he concludes.