OneSpan (NASDAQ: OSPN) recently released The Future of Adaptive Authentication in the Financial Industry, a report prepared by the Information Security Media Group. Based on a broad survey of US financial institutions, the report reveals the sector’s challenges in authentication practices and strategies, and highlights the growing tension between improving security, reducing fraud and enhancing the digital customer experience.
The survey results reveal the biggest challenges stopping banks and financial institutions from being able to confidently authenticate customers and step up security include:
As a result of these challenges, more than 60% of respondents plan to invest in new multifactor authentication technologies in 2019, including those that rely on biometrics and AI/machine learning.
“The report’s findings echo what we are seeing with our customers,” said OneSpan CEO, Scott Clements. “Financial institutions are under pressure to improve their defenses against continuing and evolving threat vectors. Many are now choosing innovative technologies that dynamically respond to attacks as part of a layered security approach that stops fraud while improving the customer experience.”
The report features Aite Group’s Retail Banking and Payments Research Director, Julie Conroy, on the need for financial institutions to improve authentication methods using the latest authentication methods and technologies, including artificial intelligence, machine learning and behavioral biometrics. These emerging technologies, paired with digital identity technologies, provide a better customer experience and help financial institutions remain competitive.
Each year, technology introduces new trends and benefits into the healthcare industry. So, what can we expect to see throughout the coming year? Here, we’ll look at some of the key health care technology predictions for 2019.
This is perhaps the most unsurprising trend the healthcare sector is expected to focus on in 2019. More providers will be looking into adopting Electronic Patient Records, helping to better monitor and manage patient treatment. Allowing practitioners to receive updates and records in real-time, this digitalisation is gradually revolutionising the industry.
It’s also likely more services will become digitalised, such as booking appointments, and managing repeat prescriptions.
Due to changes in data privacy, it’s likely the healthcare sector will see policy changes adopted in 2019. As the sector becomes more comfortable managing its data, it’s also expected there will be a move from big cloud data storage to smaller, more specialised cloud storage.
Security-wise, cyber attacks are expected to become more prevalent over the next year, forcing healthcare providers to tighten their security.
There has already been an increase in the number of at-home monitoring devices introduced onto the market. However, as pressure is placed onto the sector due to cost cuts, it’s likely we’ll see an increase in patient-controlled health monitoring.
Currently, patients can purchase testing kits for a range of illnesses and conditions, as well as test things such as their cholesterol and blood pressure. As technology continues to advance, we’ll likely start seeing more testing and monitoring devices introduced onto the market.
Innovation is a big factor all businesses should be concerned about. In 2019, it’s thought the healthcare sector is going to focus a lot of its efforts into innovation. Pharmaceutical companies in particular, will be seeking out innovators to boost their portfolio. From digital health companies to biotech upstarts and AI start-ups – there will be a lot of collaboration taking place within the healthcare sector this year.
It’s no secret that the mental health sector is under extreme pressure due to lack of funding and staff shortages. So, in order to try and bridge the gap, in 2019 focus is being placed upon introducing more tech into the sector. This will allow patients to monitor and manage their mental health much more effectively. There will also likely be more tech introduced to help treat and support mental health patients.
The above are just some of the health care technology predictions of 2019. There are certainly a lot of changes occurring within the sector at the moment. Digitalisation in particular, is going to be a huge focus and one of the biggest benefits to the industry.
Almost a third of these breaches were down to organisations neglecting simple security procedures, whilst over three quarters were caused by issues at the application layer, often related to out-of-date software, insecure third-party payment systems, or inadequate scanning. All of these breaches therefore contravened Payment Card Industry Data Security Standard (PCI DSS) requirements.
In one organisation, up to 40 employees used the same password for the server, and had full admin rights to the overall system. Another case saw a coding error present in the website login page, which enabled an attacker to obtain usernames and password hashes – ultimately allowing access to the organisation’s web server.
The analysis also revealed that the £1.74 million in fines issued for these incidents by the ICO in this time period could have amounted to almost £889 million under the General Data Protection Regulation (GDPR).
Phil Bindley, managing director at data centre and managed service provider, The Bunker commented: “PCI DSS compliance is a continuous journey and one that requires regular assessment to identify any weaknesses across an organisation.
“Regulators aren’t going to be lenient about failings in this space, and if businesses don’t invest enough into improving defences, we’re going to see more organisations having to pay the price for a relaxed approach to security.”
Simon Fletcher, managing director at cyber security specialist, Arcturus added: “We’re still seeing businesses failing to implement even basic measures when it comes to securing sensitive information.
“The need for regular and thorough testing is clearly outlined by PCI DSS, and is something that is still forgotten by many or causes confusion, particularly when it comes to the application layer. Testing systems is vital in order to ensure that any issues are quickly addressed to prevent data being put at risk.”
Digital transactions do not end at simple purchases. Cryptocurrency, online betting, and sending cash via the internet have all become popular recently. With the amount of money changing hands online, it is no surprise that hackers see this as an opportunity for identity theft.
Privacy was once the only concern for web browsers, but financial data security has taken a place on the list of essential things to consider when roaming the internet. Digital shopping and online transactions are not going away, so it behooves everyone to learn ways to protect private information.
Seemingly becoming more challenging by the day, internet security is possible. Hackers regularly find new ways to attack their victims but practicing internet safety and putting safeguards in place will help keep your information out of the hands of a cyber-criminal.
The first thing any mobile device user should do is download a VPN app. While a VPN can be used on other devices like laptops or tablets, it is important to protect mobile devices, too.
People frequently connect to Wi-Fi in public places to conserve data costs, leaving themselves vulnerable. Hackers roam unsecured networks hoping to find an easy target. A VPN can create a more secure environment by encrypting data to and from your device.
Social media has created an environment ripe for malicious cyber-attacks. Facebook and Twitter alone often provide hackers with all the information they need to infiltrate the privacy of an individual.
Being safe online is more than avoiding “sketchy” web areas. Avoid putting too much personal information on social media sites and keep your profile restricted to those you know. Decline unknown friend requests and think twice about liking every post you come across.
Hackers prefer easy targets, and many users make themselves very vulnerable by providing so much information online. These details can give hackers tips to decoding your passwords or usernames, which opens you up to a world of digital trouble.
Online transactions are here to stay, and it would be ridiculous to recommend someone avoid digital purchases. However, when buying online, you should pay attention to where you are shopping.
Small online businesses are popping up everywhere, and while they may offer unique and trendy items, it is important to validate their security. Never enter financial information on a site missing the “HTTPS” at the beginning of its URL. The “s” means secure and any site without it should be considered unworthy of your personal information.
Internet security is possible by practicing a little diligence and understanding that your information is valuable. Hackers prefer the easiest targets and creating a few blockades may prevent you from becoming a victim. Practicing safe internet behaviors can help you enjoy your online shopping experience safely.
Great strides have been made in protecting the banking infrastructure from network-based attacks and securing the web and mobile application layer – often the front door into banks through customer interactions. Here Mike Nathan, Senior Director – Solutions Consulting EMEA at ThreatMetrix, A LexisNexis Risk Solutions Company, delves into the ins and outs of cybercrime in the banking sector, offering some insight into the most targeted and vulnerable victims of cybercrime.
Interestingly, fraudsters are not always responding by upping their own technological prowess but turning to con artist style tactics to simply circumvent increasingly sophisticated cybersecurity measures. We have seen a dramatic rise in social engineering attacks, a more analogue approach to hit the banks where it hurts and as a result, customers have now become the new weakest point.
So, what can be done to anticipate or prevent this sort of attack?
Based on my observations, several years ago around 70 percent of attacks against banks involved account takeovers. Accounts can be hacked into using stolen identity credentials, or off the back of a phishing campaign where the customer is tricked into entering their login credentials on a fake site. Once the account has been compromised, the fraudster then accesses their digital banking account and commits the fraud.
Today, however, account takeovers only account for half of the problem due to the rise in social engineering attacks, also known as Authorised Push Payments (APP). APPs involve fraudsters contacting account holders directly and tricking them into making a payment. Given that the customer appears to give consent to the transaction, and it is originating from a device that is associated with that user, these attacks tend to be more difficult to detect.
A phone call from a concerned “member” of the fraud team at a bank may make a consumer panic, and instantly put all trust in that person. The consumer might then willingly send all his or her money to a separate account for “safe keeping”. In reality, that money has disappeared and so will the member of the fraud team who made the initial call. This is a simple method of APP attacks used today.
These fraud techniques are especially effective with some of the most vulnerable people in our society, who tend to struggle with the evolution of banking and fintech. Advancements in certain remote access tools that allow the cyber criminals to access and control the customer’s computer are making the job even easier.
If fraudsters are evolving, so must the banking industry. The first step to tackle APP is through education. Ensuring all customers have extensive knowledge on the “dos and don’ts” when it comes to digital and phone banking is of paramount importance. Email alerts reminding customers that their bank would never ask for certain information over the phone, as well as adverts raising awareness on the risks of letting another person access their computer, are but a few options that can be used to ensure customers are protected and well-informed.
It is also imperative for the bank to place protections throughout the customer journey by monitoring user behaviour and spotting anomalies that indicate fraud. Banks must be actively looking for indicators of social engineering and account takeover attacks at crucial customer touchpoints including login, setting up a new beneficiary, and making a payment. By assessing activity in the context of historical activity for that individual, key red flags can emerge to identify suspicious behaviour. Examples include a payment from a desktop when the customer traditionally uses the mobile app, a longer time between login and payment than normal, or remote access tools being on the device for the first time.
Once the suspicious behaviour is identified, banks can choose between blocking the transaction or alerting the customer through other means to advise them that something is out of the ordinary. The art here is to strike the delicate balance between maximum protection against fraud – while avoiding blocking or questioning legitimate transactions, which can annoy customers and drain internal resources.
Avoid basing decisions on the typical banking customer but use advanced behavioural analytics to assess how that particular individual typically transacts. By using real-time intelligence on a user’s digital identity and their historical behaviour, banks can deliver security and customer satisfaction without compromise.
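The per-customer checks described above, as an added illustration that is not taken from the article or from any vendor's product: each customer's own history forms the baseline, the three red flags named in the text plus a new-beneficiary touchpoint are scored, and the result maps to allow, alert or block. The field names, weights and thresholds are assumptions, and the session histories are constructed.

```python
from dataclasses import dataclass
from statistics import median

# All weights and thresholds below are illustrative assumptions, not vendor values.
RARE_CHANNEL_SHARE = 0.10   # a channel used in under 10% of past sessions is unusual
DELAY_MAD_LIMIT = 5.0       # delay this many MADs above the customer's median is slow
WEIGHTS = {"unusual_channel": 2, "slow_login_to_payment": 2,
           "first_remote_access_tool": 4, "new_beneficiary": 1}
ALERT_AT, BLOCK_AT = 3, 6   # score needed to alert the customer / block the payment


@dataclass
class Session:
    channel: str               # "mobile_app" or "desktop"
    login_to_payment_s: float  # seconds between login and payment
    remote_access_tool: bool   # remote-access software detected on the device
    new_beneficiary: bool      # payee was set up in this session


@dataclass
class Baseline:
    channel_share: dict        # fraction of past sessions per channel
    median_delay: float
    mad_delay: float           # median absolute deviation of the delay
    seen_remote_access: bool


def build_baseline(history):
    """Summarise one customer's own past sessions (needs at least one)."""
    counts = {}
    for s in history:
        counts[s.channel] = counts.get(s.channel, 0) + 1
    delays = [s.login_to_payment_s for s in history]
    med = median(delays)
    mad = median([abs(d - med) for d in delays])
    return Baseline(
        channel_share={c: n / len(history) for c, n in counts.items()},
        median_delay=med,
        mad_delay=max(mad, 1.0),  # floor so a very regular customer is not over-flagged
        seen_remote_access=any(s.remote_access_tool for s in history),
    )


def red_flags(baseline, s):
    """Compare one payment session with that customer's baseline."""
    flags = []
    if baseline.channel_share.get(s.channel, 0.0) < RARE_CHANNEL_SHARE:
        flags.append("unusual_channel")
    if (s.login_to_payment_s - baseline.median_delay) / baseline.mad_delay > DELAY_MAD_LIMIT:
        flags.append("slow_login_to_payment")
    if s.remote_access_tool and not baseline.seen_remote_access:
        flags.append("first_remote_access_tool")
    if s.new_beneficiary:
        flags.append("new_beneficiary")
    return flags


def decide(baseline, s):
    """Return (action, flags): allow, alert_customer or block."""
    flags = red_flags(baseline, s)
    score = sum(WEIGHTS[f] for f in flags)
    if score >= BLOCK_AT:
        return "block", flags
    if score >= ALERT_AT:
        return "alert_customer", flags
    return "allow", flags


# Constructed histories: customer A pays quickly from the mobile app,
# customer B pays slowly from a desktop browser.
HISTORY_A = [Session("mobile_app", d, False, False)
             for d in (42, 55, 38, 61, 47, 50, 44, 58, 49, 53)]
HISTORY_B = [Session("desktop", d, False, False)
             for d in (300, 420, 380, 350, 410, 330)]
BASELINE_A = build_baseline(HISTORY_A)
BASELINE_B = build_baseline(HISTORY_B)

# Constructed sessions to score.
ROUTINE = Session("mobile_app", 52, False, False)
COACHED = Session("desktop", 600, True, True)      # all red flags at once
SLOW_DESKTOP = Session("desktop", 400, False, False)

if __name__ == "__main__":
    print("A routine     ", decide(BASELINE_A, ROUTINE))
    print("A coached     ", decide(BASELINE_A, COACHED))
    print("A slow desktop", decide(BASELINE_A, SLOW_DESKTOP))
    print("B slow desktop", decide(BASELINE_B, SLOW_DESKTOP))
```

The same slow desktop payment raises an alert for customer A and passes for customer B, which is the difference between scoring against the individual and scoring against a typical customer.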
Banks implementing protocols like these can help ensure that customers are not placed in harm’s way and that cybercriminals are not entering into bank systems.
It is important to follow the latest fraud trends in order to keep ahead of the curve. There will always be new technologies and techniques that increase the threat posed by criminals. However, in the same way technology may sometimes play against us, it also provides us with a number of tools which help us undermine attackers and keep businesses and customers safe.
Research from AVORD – a revolutionary new security testing platform that launches today – reveals 95% of businesses in the financial sector have seen an increase in the number of data breaches over the last five years. And as a result of the growing threat to mobile devices, more than half (52%) are now investing more in identifying and protecting against app-based threats.
Opportunistic multi-national consultancies are being blamed for inflating the price of security testing in the UK, with many financial services businesses being charged inflated prices to conduct tests on their critical assets.
Today’s findings put the spotlight firmly on the security testing market, which is dominated by consultancies who provide services to businesses, sometimes at twice the daily rate of an independent tester – often referred to as ethical hackers. With 76% of businesses claiming the cost of testing is too expensive, there is a clear demand for change.
More than three quarters (79%) of businesses in the financial sector currently outsource the security testing on their critical assets. The need to use consultancies is being driven by a skills shortage, with many (41%) revealing that they don’t fully possess the in-house, employee skills and knowledge to carry out security testing.
Worryingly, the financial sector was subject to the most security breaches - of all surveyed industries - last year, with two in five (41%) suffering from an attack that directly hit their bottom lines, lost them customers and damaged their brand reputations. Of those hit by a cyberattack, 77% reported that the breach occurred partly as a result of issues with the security testing process.
Over the past five years, the majority of companies have seen a major increase in the number of data breaches: 29% reported an increase of between 11% and 20%, while more than two in five (44%) reported up to 10% more data breaches.
As new emerging technologies are deployed, and applications increasingly underpin core business processes, firms across the UK claimed that cybercriminals are creating new ways to exploit vulnerabilities, which is putting increased stresses on them at an already challenging time.
The impact of breaches in the past 12 months has been widespread. 84% of those affected reported losing customers, while almost a half (48%) had to pay legal fees and 58% experienced reputational damage. In addition, nearly seven in 10 (68%) were hit by fines from regulators.
Here Stan Swearingen, CEO of IDEX Biometrics, discusses the potential trends for 2019’s biometrics sector.
Following a number of successful trials using fingerprint sensor technology within smart cards across multiple markets, (including Bulgaria, the US, Mexico, Cyprus, Japan, the Middle East and South Africa) the biometric smart card is reaching its inflection point. Key players within the banking industry, including Visa and Mastercard, are already heavily invested in this new payment technology and anticipate that biometrics will play a key role in the revolution of the payments industry.
With mass market rollout on the horizon, here are five key predictions for the biometric payment industry in 2019.
2019: The year of dual interface
The first half of 2017 reported 937,518 cases of financial fraud, resulting in losses of an astonishing £366.4 million, a clear demonstration that the PIN is no longer fit for purpose. Recent research from IDEX Biometrics supports this claim and found that 29% of consumers surveyed felt concerned about the use of PINs to keep their money secure, and as many as 70% believed that contactless payment cards left them exposed to theft and fraud. As consumer concerns continue to grow around the security of payments, so too does the need for a personalised, secure and convenient payment solution.
Enter the biometric dual interface payment card. 2019 will see biometric fingerprint sensors integrated into cards with both a micro-processor and contactless interface, removing the need for PINs. This will provide consumers with the reassurance that their money is safe as any transactions will require their fingerprint to authenticate it. 2019 will be the year of the dual interface where biometric authentication will be available for both contact and contactless payments!
These advances in technology and those within the payments market have meant that the concept of biometric authenticated payments is no longer a novelty. In fact, according to forecasts by Goode Intelligence, nearly 579 million biometric payment cards will be used globally by 2023. The integration of the biometric sensors in the payment card will be one of the next-generation transformative innovations to breathe new life into the payment industry next year and assist in the fight against payment fraud.
Remote enrolment will be the key to mass market adoption
For mass market deployment of biometric smart payment cards to be possible in 2019, banking infrastructures must look at the implementation of biometric technology and ensure that this method of enrolment is accessible and convenient to all. The elderly or those with physical health limitations may struggle leaving the house to enrol within bank branches and even those who work a 9-5 day can often find making it to the bank within opening hours a challenge.
The latest advancements in remote enrolment of biometric payment cards will mean that enrolment for biometric payment cards can take place in the comfort of your own home. Card users will be able to enrol straight onto the card by simply placing their finger on the sensor (with the aid of a small device that comes with the card) to upload their print to the card’s highly secure EMV chip. There is no need for an external computer, smartphone or internet connection. Once loaded, the fingerprint never leaves the card, thus eliminating multiple attack points.
Biometric payments will bridge the gap to financial inclusion
In 2019 advances in biometric fingerprint authentication will be a vital ingredient when bridging the gap to financial inclusion. Currently, 1.7 billion adults remain unbanked across the globe today. This is for many reasons, from immigration issues, to illiteracy as well as mental health. Those living with dementia are also at risk of losing their financial independence as their short-term memories decline. A fingerprint sensor on the card can take the place of a PIN or even signature, meaning sufferers are able to stay financially independent for longer.
Currently those who lack access to financial services are missing out on the many benefits financial inclusion has to offer. Fingerprint authentication will remove the barriers that face those with literacy challenges, or face difficulty with memory, as card payments will no longer be about what you know, or what you can remember, but who you are.
Biometric authentication will be a simple, secure and convenient solution eradicating the need for passwords and PINs as a form of authentication. For this to work as a solution to financial inclusion, banking infrastructures and card manufacturers must work together to reach a price point that enables this technology to be available to all.
The possibilities for biometrics are endless…
While biometric authentication technology is already being used with smartphones and passport identification in the UK, 2019 and beyond will see endless possibilities for the use of biometric smart cards into payments and beyond. We can even expect to see biometrics branch into the Government issued identification and IoT enabled devices arenas.
In fact, a whole host of public services is set to benefit from this secure means of authentication. The use of biometric smart cards within the NHS, for example, could see access to sensitive patient records limited only to the patient themselves. Biometric social benefits cards could control how the money is spent and that it is spent by the right person. According to IDEX research, 38% of consumers surveyed would like to see biometric methods of authentication introduced to wider government identification including driving licenses, National Insurance numbers and even passports.
The future of the biometrics – 2019 and beyond!
In 2019, authentication will get even smarter, and further technological advances such as multi-modal or multi-factor authentication will further enhance security within the payments landscape. This refers to technology that combines a variety of different types of biometrics in order to add an additional layer of security, including persistent authentication. For example, instead of having one single authentication, smartphones could continuously scan features to ensure the correct person is using the device.
Whilst the biometric dual interface smart payment card is set to hit the mass market next year – this is just the beginning. The payment card of tomorrow will go beyond just transactions. Biometric smart cards will serve multiple purposes – a payment card, a form of ID for restricted goods and even a loyalty card!
The early days of biometrics where it was felt to be invasive and a privacy concern are long gone. In fact, according to recent research from IDEX, 56% of consumers surveyed state they would trust the use of their fingerprint to authenticate payments more than the traditional PIN. Further to this, 52% would feel more confident if their fingerprint biometric data was stored on their payment card, rather than a bank’s central database.
Consumers are ready for the use of biometric fingerprint methods of authentication for card payments and 66% expect their roll out to authenticate in-store transactions in 2019. We predict that by 2019 biometric smart payment card adoption will go into many millions!
Jumping straight into the top predictions for the security industry in 2019, below Reuven Harrison, CTO at Tufin, provides his thoughts on hacking, cybersecurity, and new technologies this year.
In 2019, we will see new cloud solutions providing security for public cloud coming from the traditional firewall vendors, following up on recent acquisitions of public cloud security companies. This trend is twofold. First, it is a response to the increasing shift of enterprises towards the cloud and their need for security in these environments. Second, the firewall vendors are also realizing the potential of the cloud as a superior platform for software development and big-data analytics.
In 2019, we’ll see the ongoing evolution of next-gen firewalls as they continue to absorb the functionalities of traditional network security solutions to include capabilities such as URL filtering and other advanced security capabilities.
We will see an increase in breaches that use virtual assistants for privilege escalation or distribution of sensitive information. These attacks will manipulate people into inadvertently giving voice commands or playing audio on their computer, prompting a sequence of events that leads to information on company performance or to further gather network information to ease an attack.
The main factor behind the success of Kubernetes is how it simplifies and speeds up software development and deployment. For example, it enables "immutable infrastructure" which means that instead of deploying incremental changes to update your applications, you create a new version for every change – whether it’s in the application code or in the infrastructure. This concept brings tremendous benefits to the way we develop, deploy and operate applications (and how we secure them).
Another advantage of the microservices architecture is its ability to parallelise development. By decoupling application functions using microservices, large complex development projects can be broken up into smaller, independent teams, speeding up overall development.
In all respects, Kubernetes is driving an IT revolution.
2019 will be the Year of Lessons Not Learned: we’ll see the same security issues and the maturity of technologies that already exist.
In 2018, many organisations undertook their first steps to container security – which translated to vulnerability scanning – getting more data and false positives than they know what to do with and rendering security as a checkbox process. Vulnerable containers will still exist and remain accessible, and organisations can’t take action because they’re inundated with so much data.
Regarding security in the cloud, history is likely to repeat itself, and as the move to the cloud continues, we’ll inevitably see organisations spin up openly accessible servers and data in the cloud. This risk cannot be remediated with traditional security processes that are incompatible with DevOps CI/CD processes.
In 2019, we’ll see more emphasis on security in cloud-native organisations. Many are talking about it; this will be the year that they take action.
To do this, there will be an emphasis on automation. There’s no way that DevOps teams can get security into their environments without automation. To secure cloud-native environments, you must approach it from an automation-first perspective.
In 2019, we’ll see cyber turf wars in which hacking groups attack each other to reap the bounty of their adversaries’ resources. Previously established botnets mining cryptocurrency will be targeted over companies with financial data as the ease of exchange and redemption of this decentralised currency is much more readily accomplished.
Last year, we predicted that automation will reach the tipping point. This came true in the sense that organisations now understand they must adopt automation. What has slowed the process of full adoption is the cultural challenges. In 2019, we’ll see an acceleration of automation across the industry.
With increasing high-street competition, AI is redefining the banking sector with each and every customer interaction. With banks, like NatWest, deploying AI-based virtual assistants to offer customer-facing communication around the clock, the consumer banking experience is now heavily digitised, with 86% of banks stating they now use AI technologies in some way.
Martin Linstrom, Managing Director for UK and Ireland at IPsoft, looks at the next stage in technological evolution of the banking industry and how artificial intelligence (AI) will redefine banking as we know it.
The banking industry has made huge strides to drive innovation by investing in new technologies over the last few decades. Commercial banks first adopted telephone banking, then came internet banking and now, for most customers, all your financial services needs can be met via an app. Now, as we enter the conversational era enabled by cognitive AI, customer expectations have evolved once again.
Banks have long been ahead of the curve in terms of elevating the user experience for their customers and so, it’s perhaps unsurprising that many are already looking to AI-powered digital assistants and are investing in cognitive solutions to upgrade and scale customer-facing financial management processes. Many banks are also looking at how they can provide the same simple, frictionless service to their own employees.
As AI-powered customer interfaces gain mainstream acceptance, we will once again see a revolution in technological change within the banking industry. So, what functions within banks will cognitive assistants transform?
Virtual assistants have a twofold capability which is driving innovation in the banking industry. Firstly, they can be implemented in back office functions such as finance or HR and secondly, they can supplement customer service centres. Creating a hybrid workforce of human employees and AI-powered virtual assistants can help drive enormous cost efficiencies and increase staff productivity. Employees in administrative roles can pass their repetitive tasks over to their digital colleague, freeing up their time to focus on more creative or interesting work that requires soft skills whilst customer service agents can pass standard requests through an AI system leaving them with only the most complex of customer queries to deal with.
One of the most attractive things about AI-powered customer services for banks is its ubiquity. With virtual customer service agents available 24/7 and through a variety of channels such as live message, telephone or email, it’s a win-win situation for both bank staff and customers. From a customer’s perspective, simple requests such as password resets or international transactions can be performed in an instant and there’s no need to visit the bank or spend an hour in a telephone queue to speak to a human agent.
Banks adopting customer-facing AI solutions are in fact seeing increased customer satisfaction rates despite removing the human-to-human contact element. For example, since implementing IPsoft’s AI solution, Amelia, SEB, a leading Nordic bank has been able to avoid 544 hours of escalations to customer support with an average handle time of six minutes. What’s more, Amelia has reached an 85% accuracy in immediate intent recognition which has meant a faster service delivery to customers and soaring customer satisfaction.
Unlike human agents, digital assistants can work around the clock, seven days a week with no breaks and without tiring. For modern consumers, particularly young digital natives who expect to be able to manage their finances at any time of the day, integrating AI into a bank’s customer service centre will soon become the norm. Chatbots are already an industry standard, therefore at the very least, banks that don’t continue scaling this technology throughout their business will find themselves at a severe competitive disadvantage, trailing behind the market by delivering an inferior customer service experience.
Digital assistants with cognitive intelligence capabilities represent the next leap in automation for financial institutions. Digital colleagues like Amelia are now able to perform tasks above and beyond mere transactional ones, digitising more complex financial management processes such as wealth management onboarding and mortgage applications. Unlike simple chatbots, digital colleagues are also able to develop their cognitive abilities through an advanced Natural Language Interface (NLI) which can process customer queries asked in hundreds of different ways, including slang. More importantly for the banking industry, they can handle context switching so that when a customer moves quickly from one request to another, the interface is able to process both requests without starting over.
Many banks have already integrated voice capabilities into their finance management solutions. Customers communicate via text or voice to gain quick answers to banking questions, tailored financial advice and can even carry out transactions all from the same channel. Voice-enabled digital assistants can handle payments and transfers, credit card activation, charge disputes and travel alerts for customers at any time, freeing up customer services teams to focus on more complex customer enquiries and giving customers full control and access to their finances. Conversational AI will become more and more widely accepted as banks start to harness the technology to help drive customer engagement and operational efficiencies.
Unlocking key business insights is another key driver motivating banks to invest in AI. Sophisticated systems can recognise patterns from the sheer amount of data that they are processing. Thanks to these capabilities, businesses can easily find out the most common types of transactions by customers of a certain demographic and can then retarget this group for specific marketing or sales campaigns, helping to drive revenue. These real time insights can help business leaders make better, more strategic decisions that are informed through concrete data.
Real-time data mining can also be applied to improve customer security as many AI tools have built-in privacy and security by design. An AI-powered virtual assistant can pick up on irregular payments immediately, flagging potential “phishers” to a human agent for additional authentication. What’s more, advanced machine learning solutions can improve over time so that banks can continue to scale up their services. Virtual assistants like Amelia can go one step further by ‘learning on the job.’ Essentially, when Amelia does not understand a request or query she can pass it on to a human colleague but remains in the conversation to learn how to resolve the issue next time.
The financial services industry has long been at the forefront of technological innovation. Whilst many businesses are still debating whether to invest in AI, major banks are very much leading the way to invest in the technology and are thriving as a result. As virtual assistants become increasingly more intelligent and their cognitive abilities develop, the expectations for banks and the services they offer will be elevated. Banks that rest on their laurels and refuse to acknowledge this risk falling behind permanently, particularly with the slew of challenger fintech companies that are appearing on the market, offering dynamic and tailored financial services at a lower price.
The blunt truth is, insiders who are close to critical systems—or outsiders who are skilled enough to exploit vulnerabilities in anti-fraud and other security controls—will steal. They may target assets they’re entrusted to protect or cook the books to hide their tracks; in the end both types of fraudsters aim to make off with significant money. Here Chris Camacho, Chief Strategy Officer at Flashpoint, offers expert insight into fighting fraud right on your business’ doorstep.
Fraud persists, and frankly, it’s not realistic to believe businesses can take measures that will permanently eradicate it. Fighting fraud, however, doesn’t have to be in vain.
Anti-fraud systems may be effective and getting better, but they’re not going to deter a profit-motivated criminal. The challenge then becomes an exercise in anticipating the fraudster’s next move. In order to get inside an adversary’s head, anti-fraud professionals must consider what incentivises a fraudster and what their targets could be. In most cases, this is a simple exercise: credit card data, personally identifiable information (PII), user account login credentials, and other types of proprietary data and information are common targets.
It’s also imperative to consider how fraudsters might attempt to hurdle existing controls in order to access your business’ assets. Multi-factor authentication may protect some payment card transactions, but what about gift cards, for example? Unlike bank-issued credit and debit cards, gift cards are generally not held to strict anti-fraud standards, which is largely why they are a desirable asset among many fraudsters. Illicit vendors selling stolen gift cards have become commonplace on the Deep & Dark Web (DDW) in recent years, leading to an uptick in instances of gift card fraud.
Thinking like a fraudster means considering all of the options available to an attacker and admitting that certain systems or processes may be flawed. Proactively identifying and addressing any weaknesses in existing anti-fraud programs—such as what fraudsters determined are often present within gift card security controls—can help businesses better anticipate and prepare for fraud.
Thinking like a criminal is only one part of this strategy. To accurately anticipate how your company, your peers, or your industry is being targeted, it’s important to have insight into the conversations and behaviours of those perpetrating fraud. Not all organisations are going to have proper visibility into these realms, therefore it’s important to have a trusted partner with eyes and ears on the DDW, for example.
Certain DDW forums focus on fraud, and on these forums, certain trends emerge. For example, discussions related to the lax anti-fraud controls of gift cards eventually manifested in a spike in gift card fraud.
Many fraudsters’ ever-evolving tactics bear little resemblance to the tried-and-true fraud schemes with which most businesses are familiar. Although countless variations of credit card fraud, for example, are generally well-known and well-mitigated in the financial services and retail industries, many businesses continue to incur substantial losses from lesser-known types of fraud. In addition to gift card fraud, refund fraud, health savings account fraud, and rewards point fraud are only a few of many such examples that were initially conceived within the cybercriminal underground before posing a threat to businesses.
The DDW can be a rich source of insight into emerging fraud tactics and schemes. But because accessing and engaging within these online communities can be challenging and risky without the proper expertise and protections, businesses are encouraged to work with reputable intelligence vendors to more effectively, easily, and safely gain visibility into the cybercriminal underground.
Analysts have tied different types of fraud to certain regions such as Eastern Europe, forcing businesses to go to great lengths to gain insight into new schemes and tactics. These types of insights are critical for establishing countermeasures, the most effective of which typically account for the social, cultural, and linguistic nuances known to characterise fraudulent activity originating in certain regions.
But in recent years, new cybercriminal communities and, as a result, new tactics and types of fraud have quickly emerged in many more regions. Latin America is one such example. While fraudsters in Latin America have long been considered unsophisticated, unorganised, and unlikely to pose any substantial threats to businesses, this community has since evolved substantially. Many businesses that previously had no reason to monitor the Spanish-language cybercriminal underground are now striving to understand and combat threats originating from fraudsters in Latin America. And given that threats and indicators can vary substantially across different regions and communities, keeping track of these variations and new developments is a must for businesses and anti-fraud teams.
Just as fraudsters are extremely resilient, persistent, and resourceful, businesses, too, should seek to emulate these characteristics when fighting fraud. This means approaching fraud from new perspectives, learning about emerging schemes and tactics proactively, and seeking third-party services and expertise when necessary. While businesses have little control over the existence of fraud, they can control the extent to which they prepare for and mitigate this ever-evolving threat.
In the last few years we have seen the frequency and severity of third-party cyberattacks against global financial institutions continue to increase. According to Tom Turner, CEO at BitSight, there is a growing need for more effective risk management firms in the financial services sector.
One of the biggest reported attacks against financial organisations occurred in early 2016, when $81 million was taken from accounts at Bangladesh Bank. Unknown hackers used SWIFT credentials of Bangladesh Central Bank employees to send more than three dozen fraudulent money transfer requests to the Federal Reserve Bank of New York asking the bank to transfer millions of the Bangladesh Bank's funds to bank accounts in the Philippines, Sri Lanka and other parts of Asia. The Bangladesh Bank managed to halt $850 million in other transactions, and a typo made by the hackers raised suspicions that prevented them from stealing the full $1 billion they were after.
The Financial Conduct Authority (FCA) reported 69 attacks in 2017 compared to 38 reported in 2016, a rise of more than 80% in the last year. We saw two main trends last year. First, there was a continuation of cyberattacks targeting systems running SWIFT — a fundamental part of the world’s financial ecosystem. Because SWIFT software is unified and used by almost all the major players in the financial market, attackers were able to use malware to manipulate applications responsible for cross-border transactions, making it possible to withdraw money from any financial organisation in the world. Victims of these attacks included several banks in more than 10 countries around the world. Second, we saw the range of financial organisations that cybercriminals have been trying to penetrate expand significantly. Different cybercriminal groups attacked bank infrastructure, e-money systems, cryptocurrency exchanges and capital management funds. Their main goal was to withdraw very large sums of money.
With the evolving risk landscape and the challenges of new potential risks including third party risks, companies within financial services need a set of management procedures and a framework for identifying, assessing and mitigating the risks these challenges present. Effective risk management offers sound judgement in making decisions about what is the appropriate resource allocation to minimise and mitigate risk exposure.
The basic principle of a risk management lifecycle is to mitigate risk, transfer risk and accept/monitor risk. This involves identification, assessment, treatment, monitoring and reporting.
In order to mitigate risk, an organisation must measure cyber risk performance and incentivise critical third-party vendors to address security issues through vendor collaboration.
In terms of identification, you can’t manage your risks if you don’t know what they are, or if they exist. The first step is to uncover the risks and define them in a detailed, structured format. You need to identify the potential events that would most influence your ability to achieve your objectives, then define them and assign ownership.
Once the risks are identified they need to be examined in terms of likelihood and impact, also known as assessment. It is important to assess the probability of a risk, and its consequences. This will help identify which risks are priorities and require the most attention. You need to have some way of comparing risks relative to each other and deciding which are acceptable and which require further management. In this way you establish your organisation’s risk appetite.
To transfer risk, an organisation is advised to influence vendors to purchase cyber insurance, so that the risk is transferred in the event of a cyber event.
Once the risk has been assessed, an approach for the treatment of each risk must be defined. After assessment, some risks may require no action beyond continuous monitoring, but those that are seen as not acceptable will require an action or mitigation plan to prevent, reduce, or transfer that risk.
To accept and monitor risk, the organisation must understand potential security gaps and may need to accept certain risks due to business drivers or resource scarcity.
Once the risk is identified, assessed and a treatment process defined, it must be continuously monitored. Risk is evolutionary and can always change. The review process is essential for proactive risk management.
Reporting at each stage is a core part of driving decision-making in effective risk management. Therefore, the reporting framework should be defined at an early point in the risk management process, by focusing on report content, format and frequency of production.
Risk transfer is a strategy that enterprises are considering more and more. It mitigates potential risks and complies with cyber security standards. As cybercrime rises, an insurer’s view of cybersecurity has changed from being a pure IT risk to one that requires board-level attention. Insurance is now viewed as fundamental in offsetting the effects of a cyberattack on a financial institution. However, insurers will want to know that appropriate and audited measures are in place to prevent an attack in the first place and respond correctly when cybersecurity does fail. An organisation’s risk management responsibility now extends down the supply chain and insurers will want to know the organisation’s strategies to monitor and mitigate third party vendor risk.
Simplifying risk management and the transfer of risk can also be accomplished by measuring your organisation’s security rating. This is a similar approach to credit ratings for calculating risk. Ratings provide insight into the security posture of third parties as well as your own organisation. The measurement of ratings offers cost saving, transparency, validation and governance to organisations willing to undertake this model.
The benefits of security ratings will be as critical as credit ratings and other factors considered in business partnership decisions in the very near future. The ratings model within risk management can help organisations collaborate and have productive data-driven conversations with regards to risk and security, where they may not have been able to previously.
This year we will see a continuation of third-party cyberattacks targeting systems running SWIFT, allowing attackers to use malware in financial institutions to manipulate applications responsible for cross-border transactions across the world. Banks generally have more robust cyber defences than other sectors, because of the sensitive nature of their industry and to meet regulatory requirements. However, once breached, financial services organisations’ greatest fear is copycat attacks. This is where an effective risk management strategy can enable better cost management and risk visibility related to business operational activities. This leads to better management of market place, competitive and economic conditions, and increases leverage and consolidation of different risk management functions.
There is a rush to improve speed, convenience and user experience in financial interactions, but at what cost to security?
While for the most part bankers are positive about their ability to improve their financial performance in 2018 and beyond, evolving risks – particularly cyber risk – are no doubt preoccupying their thoughts. A recent report by professional services firm, EY, puts cybersecurity as the number one priority for banks in the coming year, and it comes as no surprise, especially with Britain’s National Cyber Crime Unit data showing 68% of large UK businesses across sectors were subject to a cybersecurity attack or breach in the past 12 months.
It’s a mounting problem, and the financial services industry needs to fight back. We’ve picked out the four key ways of countering the continuing threat to banks’ cybersecurity – and it’s a case of fighting cyber with cyber.
As in retail and manufacturing, artificial intelligence (AI) and advanced analytics will play a key role in banking moving forward.
And the financial services industry is looking to this technology to play a major part in the prevention of cyber attacks, reducing conduct risk and improving monitoring to prevent financial crime. Mitigating such external and internal threats is critical to both business continuity and limiting operating losses, and so AI shouldn’t be overlooked as a key tool in reaching this goal.
In order to meet the regulatory technical standards, which will be enforced in September 2019 as part of the European Union’s PSD2 payments legislation, the number of transactions requiring two-factor authentication will rise in the coming months.
What has been deemed by the industry as “Strong Customer Authentication” will be required, and this should result in payments and account access relying on customers providing and using a combination of the following: something they know, like a password; something they have, like a phone or card; and something they are, such as a fingerprint.
The industry theory here is that more factors equal more security.
Which leads us neatly on to point three: biometrics. This push for two-factor authentication and new electronic identification will pave the way for more biometrics use. With some of the largest players in card payments, including Mastercard, investing heavily in such solutions, we expect others to start to follow suit.
As Ajay Bhalla, President for global enterprise risk and security at Mastercard puts it: “The use of passwords to authenticate someone is woefully outdated, with consumers forgetting them and retailers facing abandoned shopping baskets.
“In payments technology this is something we’re closing in on as we move from cash to card, password to thumbprint, and beyond to innovative technologies, such as AI.”
According to the EY research report, 20-40% of financial service providers are investing in Blockchain now and are planning to increase investment, while approximately the same percentage are investing now but planning to reduce expenditure.
Either way, it shows that Blockchain is very much on the agenda for banks. The main attraction of Blockchain is that it creates an indelible audit trail which is distributed across multiple servers, so there’s no single weak link for cyber attackers to target. This provides banks with unparalleled transparency and increases trust.
Blockchain also has the potential to make a complex global financial system less complicated and reduce the number of middlemen involved in the transferring of money.
So, that’s the technology on offer, but what are the next steps?
Unless banks collaborate more with their peers, or improve their use of the wider ecosystem, the required investment in advanced technologies to address issues of growing cybercrime will be substantial and could strain their ability to improve financial performance and grow their businesses.
And, as bank leadership teams focus on investing in the relevant people and technology – and it is the combination of both that’s crucial here – to enhance cybersecurity, they may struggle to find the right skill sets or the right methods for integrating cyber experts into their organisations.
Raising their knowledge of the technology available to help stem the tidal wave of cyber threats is a key requirement for banks, if they don’t want to end up washed up on the shore as a result of their defences being breached.