Cybercrime in Banking: Customers Now the Most Targeted Vulnerability
Cybersecurity measures within banking have changed dramatically over the last decade, driven by rapid advancements in technology across the sector.
Great strides have been made in protecting the banking infrastructure from network-based attacks and securing the web and mobile application layer – often the front door into banks through customer interactions. Here Mike Nathan, Senior Director – Solutions Consulting EMEA at ThreatMetrix, A LexisNexis Risk Solutions Company, delves into the ins and outs of cybercrime in the banking sector, offering some insight into the most targeted and vulnerable victims of cybercrime.
Interestingly, fraudsters are not always responding by upping their own technological prowess but turning to con artist style tactics to simply circumvent increasingly sophisticated cybersecurity measures. We have seen a dramatic rise in social engineering attacks, a more analogue approach to hit the banks where it hurts and as a result, customers have now become the new weakest point.
So, what can be done to anticipate or prevent this sort of attack?
Based on my observations, several years ago around 70 percent of attacks against banks involved account takeovers. Accounts can be hacked into using stolen identity credentials, or off the back of a phishing campaign where the customer is tricked into entering their login credentials on a fake site. Once the account has been compromised, the fraudster then accesses their digital banking account and commits the fraud.
Today, however, account takeovers account for only half of the problem, owing to the rise in social engineering attacks, also known as Authorised Push Payment (APP) fraud. APP attacks involve fraudsters contacting account holders directly and tricking them into making a payment. Because the customer appears to consent to the transaction, and it originates from a device associated with that user, these attacks tend to be more difficult to detect.
A phone call from a concerned “member” of the fraud team at a bank may make a consumer panic, and instantly put all trust in that person. The consumer might then willingly send all his or her money to a separate account for “safe keeping”. In reality, that money has disappeared and so will the member of the fraud team who made the initial call. This is a simple method of APP attacks used today.
These fraud techniques are especially effective with some of the most vulnerable people in our society, who tend to struggle with the evolution of banking and fintech. Advancements in certain remote access tools that allow the cyber criminals to access and control the customer’s computer are making the job even easier.
If fraudsters are evolving, so must the banking industry. The first step to tackle APP is through education. Ensuring all customers have extensive knowledge on the “dos and don’ts” when it comes to digital and phone banking is of paramount importance. Email alerts reminding customers that their bank would never ask for certain information over the phone, as well as adverts raising awareness on the risks of letting another person access their computer, are but a few options that can be used to ensure customers are protected and well-informed.
It is also imperative for the bank to place protections throughout the customer journey by monitoring user behaviour and spotting anomalies that indicate fraud. Banks must be actively looking for indicators of social engineering and account takeover attacks at crucial customer touchpoints, including login, setting up a new beneficiary, and making a payment. By assessing activity in the context of that individual's historical activity, key red flags can emerge to identify suspicious behaviour. Examples include a payment from a desktop when the customer traditionally uses the mobile app, a longer-than-normal gap between login and payment, or remote access tools being present on the device for the first time.
Once the suspicious behaviour is identified, banks can choose between blocking the transaction or alerting the customer through other means to advise them that something is out of the ordinary. The art here is to strike the delicate balance between maximum protection against fraud and avoiding blocking or questioning legitimate transactions, which annoys customers and drains internal resources.
Avoid basing decisions on the typical banking customer; instead, use advanced behavioural analytics to assess how that particular individual typically transacts. By using real-time intelligence on a user's digital identity and their historical behaviour, banks can deliver security and customer satisfaction without compromise.
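The per-customer red flags described above (unusual channel, unusually long login-to-payment gap, a remote access tool seen for the first time, a new beneficiary) and the block/alert/allow decision, as an added illustrative scorer. This is example code written for this article, not ThreatMetrix or LexisNexis code; the weights, the z-score threshold, and the customer "Alice" are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class PaymentEvent:
    channel: str                    # "mobile" or "desktop"
    login_to_payment_secs: float    # seconds between login and payment submission
    remote_access_tool: bool        # remote access tool detected on the device
    new_beneficiary: bool           # payee was set up in this same session

@dataclass
class CustomerHistory:
    channels: list                  # channels used for this customer's past payments
    login_to_payment_secs: list     # past login-to-payment durations
    seen_remote_access_tool: bool   # remote access tool ever observed for this customer

def score_payment(event: PaymentEvent, hist: CustomerHistory):
    """Score one payment against this customer's own baseline, not a generic profile.
    Returns (score, reasons); each red flag named in the article adds weight (assumed)."""
    score, reasons = 0, []
    if hist.channels and event.channel not in hist.channels:
        score += 2
        reasons.append("channel_never_used_before")
    # Flag only a markedly LONGER session than usual (a victim being coached by phone)
    if len(hist.login_to_payment_secs) >= 5:
        mu, sd = mean(hist.login_to_payment_secs), pstdev(hist.login_to_payment_secs)
        if sd > 0 and (event.login_to_payment_secs - mu) / sd > 2:
            score += 2
            reasons.append("login_to_payment_much_longer_than_normal")
    if event.remote_access_tool and not hist.seen_remote_access_tool:
        score += 3
        reasons.append("remote_access_tool_first_seen")
    if event.new_beneficiary:
        score += 1
        reasons.append("new_beneficiary")
    return score, reasons

def decide(score: int) -> str:
    """Map the score to the article's options: allow, warn the customer, or block."""
    if score >= 5:
        return "block"
    if score >= 2:
        return "alert_customer"
    return "allow"

# Constructed sample data for a hypothetical customer; not real records
ALICE = CustomerHistory(["mobile"] * 8, [40, 55, 60, 45, 50, 65, 52, 48], False)
NORMAL = PaymentEvent("mobile", 50, False, False)
SUSPECT = PaymentEvent("desktop", 900, True, True)  # desktop, 15 minutes, RAT, new payee
```

Running `score_payment(SUSPECT, ALICE)` trips all four flags and `decide` returns "block", while the same desktop payment without the other signals only reaches "alert_customer", which is the graded response the article argues for.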
Banks implementing protocols like these can help ensure that customers are not placed in harm’s way and that cybercriminals are not entering into bank systems.
It is important to follow the latest fraud trends in order to keep ahead of the curve. There will always be new technologies and techniques that increase the threat posed by criminals. However, in the same way technology may sometimes play against us, it also provides us with a number of tools that help us undermine attackers and keep businesses and customers safe.