With accumulated cyber threat intelligence over the last 20 years and an array of solutions available today to secure every aspect of the customer experience, you'd think that financial fraud is on the way out. Unfortunately for many banks and financial institutions operating in the 21st century, that's not the case. Fraud prevention in the age of multiple digital channels, inclusive of mobile banking applications running on different devices, has become a never-ending struggle. Just as one threat seems to be eliminated, more fraud crops up to take its place. Even organizations that pride themselves on a thorough and cutting-edge risk management approach are not immune. Here's why:
1. Fraud-readiness now is no guarantee of fraud-readiness in the future.
The reason for this is simple: fraud continues to grow. There are no guarantees about your future risk profile—except that it's likely going to be elevated or differentiated compared to historical data. According to the United States Federal Trade Commission (FTC) Consumer Sentinel Data Book for 2020, fraud reports reached an all-time high in 2020, up from a previous all-time high in 2019, which was up from a previous all-time high in 2018. You get the picture. [1] In fact, the only breaks from increasing numbers of fraud reports since 2001 were minor dips in 2016 and 2017. With identity theft responsible for the largest chunk of fraud reports (29.39%, over 1.3m), it's clear why banks and financial institutions need to remain in an adaptive combat stance. Securing the online banking experience while providing a value-based system that treats trusted identities as a first-class currency is key.
Ultimately, increasing fraud evidence suggests that a risk management strategy solely based on previous years' threats is doomed to fail. Reactive security postures don't guarantee threat tolerance in the future, no matter how well they're established. Being proactive means incorporating solutions that include zero-day fraud detection and prevention capabilities combined with a defense-in-depth (layered security) approach that encompasses physical, technical and administrative controls. Banks should also consider adding machine learning-driven risk management that can isolate anomalies and flag new threats as they emerge—not after they've already exploited vulnerabilities and done damage to an organization's reputation, which becomes more costly to repair.
2. No organization is an island.
Major breaches have become a fixture in the news. When threat actors don't target your organization, it may seem like you've been spared. However, no organization is an island. Banks today don't exist in a vacuum, and any large-scale breaches have ripple effects that adversely impact every corner of the organization. Each piece of information that fraudsters, cybercriminal organizations or state actors acquire about bank consumers will compromise their login information and ultimately contribute to transactional fraud using consumers' valued assets.
Take the massive SolarWinds hack as an example. Discovered at the close of 2020 and targeting major corporations as well as United States government agencies, the consequences of the SolarWinds hack are still reverberating well into 2021. The data breach incident is a case study on the interconnectedness of our online environment today, with a laundry list of affected organizations. [2] Microsoft was one of the higher profile organizations initially cited as breached as a result of the attack, including many of their cloud environments and Azure Active Directory. On March 16th, the cybersecurity firm Mimecast announced that its source code had been breached as well. [3] On March 17th, the United States Cybersecurity and Information Security Agency (CISA) released a table of techniques, tactics and procedures used by the threat actor to help firms defend against future similar attacks, which is information every cybersecurity team should be aware of—including yours. [4] While we can't prevent breaches at other organizations, we can ensure that our risk management solution is able to field both known and unknown threats so that we are not left vulnerable when a cyber-attack breaches customer data.
3. Too often, fraud comes from close to home.
Customer experience and security hang in a delicate balance. Given the high expectations of today's consumers, balancing security and usability is crucial. Maintaining trust is the end goal here. Enhanced security that adversely affects the customer experience is not viable, but unintuitive user journeys can become more costly. Internally, organizations bolster security by educating employees through infosec seminars or instituting policies and procedures to head off illicit access and minimize the risk of breach. However, customers have always been a diverse group who bank in various unsecured environments, potentially around people with bad intentions. They may have their passwords on sticky notes or saved in their phones or browsers without protection, or they may use the same password for every online service they access. They may even share their answers to common security questions through social media quizzes (which are actually data harvesting schemes), put out for their entire network to see. [5]
Predictable consumer behaviors and poor infosec practices create opportunities for fraudsters that reactive security postures cannot address. A layered security strategy should become the organization's baseline. This must also emphasize treating identities as a first-class currency by going beyond traditional authentication. None of these measures should come at the cost of a great customer experience, however, which is why adding an adaptive, machine learning-driven, risk-based authentication solution can provide a major advantage in balancing the user journey. Rounding this out with behavioral biometrics that include a wide variety of consumer attributes (location, time of day, device type, OS, browser details, etc.) will enable continuous identification and authentication, helping to prevent identity theft and enhancing security without impacting ease of use, giving the bank a better defense against ongoing threats.
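To make the adaptive authentication idea concrete, here is an added example (not code from the original article or from any vendor product) that scores a login attempt against a customer's past logins using the attributes listed above and decides whether to allow, step up, or deny. It uses fixed rules as a stand-in for a learned model; the weights, thresholds, field names and sample history are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Login:
    country: str      # coarse location
    hour: int         # local hour of day, 0-23
    device_type: str
    os: str
    browser: str

# Assumed weights and thresholds, chosen for illustration only.
WEIGHTS = {"country": 40, "device_type": 20, "os": 15, "browser": 10, "hour": 15}
STEP_UP, DENY = 30, 70

def hour_is_unusual(hour, history, window=2):
    """True if no past login is within `window` hours, wrapping at midnight."""
    def gap(a, b):
        d = abs(a - b)
        return min(d, 24 - d)
    return all(gap(hour, h.hour) > window for h in history)

def risk_score(attempt, history):
    """Sum the weights of every attribute that deviates from the baseline."""
    score = 0
    for attr in ("country", "device_type", "os", "browser"):
        if getattr(attempt, attr) not in {getattr(h, attr) for h in history}:
            score += WEIGHTS[attr]
    if hour_is_unusual(attempt.hour, history):
        score += WEIGHTS["hour"]
    return score

def decide(attempt, history):
    """Map the score to allow / step_up (extra factor) / deny."""
    if not history:
        return "step_up"  # no baseline yet: verify, but do not block
    score = risk_score(attempt, history)
    if score >= DENY:
        return "deny"
    return "step_up" if score >= STEP_UP else "allow"

# Constructed sample baseline for one customer.
HISTORY = [
    Login("US", 8, "mobile", "iOS", "Safari"),
    Login("US", 19, "desktop", "Windows", "Chrome"),
    Login("US", 23, "mobile", "iOS", "Safari"),
]
```

A familiar login passes silently, so the extra friction lands only on attempts that deviate from the customer's own pattern, which is the usability trade-off the paragraph describes.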
References:
1. “2020 Federal Trade Commission (FTC) Consumer Sentinel Network Data Book.” https://www.ftc.gov/system/files/documents/reports/consumer-sentinel-network-data-book-2020/csn_annual_data_book_2020.pdf
2. “Here's a simple explanation of how the massive SolarWinds hack happened and why it's such a big deal.” https://www.businessinsider.com/solarwinds-hack-explained-government-agencies-cyber-security-2020-12
3. “Mimecast Reveals Source Code Theft in Solarwinds Hack.” https://www.zdnet.com/article/mimecast-reveals-source-code-theft-in-solarwinds-hack/
4. “SolarWinds and Active Directory/M365 Compromise: Detecting Advanced Persistent Threat Activity from Known Tactics, Techniques, and Procedures.” https://us-cert.cisa.gov/sites/default/files/publications/SolarWinds_and_AD-M365_Compromise-Detecting_APT_Activity_from_Known_TTPs.pdf
5. “Don't give away historical details about yourself.” https://krebsonsecurity.com/2018/04/dont-give-away-historic-details-about-yourself/