Q&A: Security threats to financial organizations
Ori Eisen is the founder and Chief Innovation Officer of 41st Parameter. In this interview he discusses the security threats to financial organizations and their customers, the problem of fraud, and how such problems are evolving.
What are the biggest security threats to financial organizations today? What can be done to mitigate them?
The two biggest security threats are fraud rings and botnets.
1) Fraud Rings – they and their underground market for stolen identities are the largest outside threat to financial organizations today, due to their ability to react quickly to new anti-fraud measures adopted by financial institutions. The tactics used by these fraud rings include fraudulent new account opening, check image fraud/counterfeiting, credit bust-out, account takeover and wire fraud.
2) Botnets – employed by fraud rings, they expose financial organizations to millions of drone devices. Access to such a vast network enables the fraudsters to exploit subtle vulnerabilities within the online channel.
Technology such as tagless device ID, like PCPrint, assists in fighting fraud rings and botnets by allowing the connection of online account activity and devices through link analysis (which is included in our risk engine solutions FraudNet for Account Opening and PhishingNet). If one unfamiliar device is seen accessing an account when using the device fingerprint, all accounts that have been accessed by this same device can quickly be identified and monitored for uncharacteristic behavior. Because fraud rings utilize specialists (phishing scam artists, account hackers, new account originators, account stagers, etc.) and each uses different devices, there is a great importance associated with linking device profiles, including language settings, time zone, and other key characteristics. This is also extremely beneficial in identifying additional suspect devices belonging to various stages of the fraud ring activity.
How exactly do these threats have a further impact on the customer?
Smarter and more technologically empowered fraud rings continue to emerge, and their ability to fool banking customers by using realistic phishing sites, in-session phishing, man-in-the-middle and even offline tools (such as automated voice messaging services) to capture account information from unsuspecting victims further impacts customers. This impact is felt through the losses customers incur and the time spent to resolve fraud when they become a victim. Additionally, offline fraud resulting from online surveillance (such as check image viewing online to glean information for offline counterfeit check production) causes customers additional pain.
What are the challenges of detecting fraud when we’re dealing with large systems with millions of transactions?
One of the biggest challenges is to reduce the number of false positives and manage the review rates for the fraud team that is left to investigate potential fraudulent activity. The more log-ins and applications a financial institution is exposed to, the greater the risk for the institution, as well as for customer insult, since there are many legitimate transactions that can look suspicious for various reasons. Our risk engines are tuned to scale with the large bank volumes and, combined with our link analysis capabilities, keep the outsort rates to a manageable level without increasing the fraud loss incurred.
Where do you see the current security threats your products are guarding against five years from now? What kind of evolution do you expect?
The largest security threats of the future include a focus on mobile banking and botnets.
1) Mobile banking and m-commerce are gaining traction internationally, something that is seen just by looking at the numbers. According to a global study by analyst house Juniper Research, mobile banking users are set to exceed 800 million by 2011. As the number of global mobile banking transactions rises from 2.7 billion annually in 2007 to 37 billion by 2011 and even higher through 2014, banks are faced with the task to enhance their security measures to help address consumer concerns – a key hurdle still needed to be overcome to ensure the continued success of mobile banking. The transactions between a mobile device and institution aren’t as well-guarded as their Internet counterparts, with only basic identification and verification checkpoints. Authenticating a user’s identity in mobile banking is, however, as critical as it is with fixed line Internet. Yet, in reality, mobile banking systems are falling when presented with this particular hurdle. Most mobile banking systems have a “sentry at the gate” mechanism that catches some fraud, but this is not enough. They aren’t able to ascertain whether the device transacting on its mobile site is in fact a mobile device or a PC or laptop acting as one.
Mobile banking touch points are easier to gain access to as they don’t have the security layers that Internet sites do. Because fraudsters are able to mimic the appearance of a mobile device as easily as they can a PC or a laptop, they are capable of infiltrating an unsuspecting bystander’s mobile banking account. Banks could overcome this hurdle, however, by adopting a multi-layer approach to protection that would ensure that whatever the approach of the fraudster there is always another barrier in the way.
Having many layers of protective measures in place is the most effective way to detect and prevent fraud – be it via mobile or fixed line devices. Beyond the initial “firewall”, mobile banking services should have additional password and encryption barriers. These, in combination with real-time tracking capabilities, would identify instances of devices that were initially refused admission to a site and that have changed their identity to try and gain access. Studies have shown that for fraudsters to change the identity of a device takes only a matter of minutes.
2) Botnets – a continued evolution of these networks will challenge the online channel and test the security measures available in the future. It is critical both now and in years to come for those conducting transactions online to better understand if they are interfacing with a legitimate versus suspect device, in order to minimize their exposure to automated fraudulent activity and attacks. As the industrialization of fraud progresses, the ability to decipher the good versus the bad will be more difficult and the solutions we have available today, coupled with the technology currently in our research labs, will be called upon to maintain the balance and provide the advantage to those employing the latest defense tactics.