The financial services industry is under increased threat from cybercriminals who use ingenious methods to attack institutions and consumers.
Cybercriminals are employing ever more sophisticated means to intercept online transactions and commit fraud. Banks, financial services companies and consumers are permanent targets in this online battleground, while countermeasures have to be able to track an increasingly diverse set of attacks.
Online retail fraud accounts for about 65 percent of incidents globally, followed by online banking fraud at 27 percent, according to a report by Juniper Research. Analysts from this UK-based firm also estimate that by 2020, the value of fraudulent online transactions worldwide will be US$ 25.6 billion – around double what it is now.
Fortunately, “South Africa’s advanced financial and banking systems offer good protection against elaborate attacks,” says Gerhard Oosthuizen, CIO of fintech company Entersekt. But what about the future? What new ways will fraudsters and hackers find to circumvent security systems?
Firstly, with mobile banking apps now an established way of transacting, these apps will remain under attack for the foreseeable future. A currently common attack vector is a malicious app (e.g. BankBot) that impersonates a real banking app. The user is tricked into downloading an app they are interested in: one that offers entertainment, a free version of a service others pay for, or some similar incentive. The app may well be functional and do what it promises, but in the background it also detects which banking applications are already installed on the phone.
In one typical scenario, the malware then creates a “push event” that impersonates the user’s existing banking app, for example asking the user to update their details. The screen certainly looks like the real thing, but it actually belongs to the rogue app, which secretly captures the username, password, PIN and other sensitive information and passes it on to the fraudster, who can then use it to access the genuine bank account and steal money.
In even more advanced attacks, fraudsters are modifying the actual software or the build tools used by legitimate app developers, inserting malware as the app is compiled. After the app has been legitimately published, it is downloaded by users, at which point this “trojan” malware hitches a ride onto the user’s smartphone, where it starts keylogging user information.
Another method that fraudsters are beginning to explore is data poisoning. This is a problem for authentication systems that use algorithms to assess the risk factors of a transaction. Such systems are built to track legitimate user behaviour: activity and location data is fed into an intelligence engine to create a profile of each user. When the user later logs in and uses the app, their behaviour at that point is matched against the expected behaviour in the profile. If it fits, they get in; if not, they don’t.
For example, if a mobile banking customer generally transacts in the morning and from a location in South Africa, a payment from Russia after midnight will trigger a red flag. The system will signal that this is unusual conduct for that particular customer, and deny the transaction. Such risk-based authentication systems require virtually no input from consumers themselves; the user is typically unaware of this even happening. However, they only work if the user’s behaviour profile is accurate.
Cybercriminals are experimenting with how to feed these systems false data about users (i.e. “poisoning” the data). One form of attack would be to feed a system large volumes of false data, causing user profiles to deteriorate and the risk engine to throw out many exceptions and false declines. The bank will not be able to pick out which data sets are real and which are not. In this way the value of the system is reduced, since the bank’s risk thresholds may need to be lowered simply to restore it to a working state. Once that happens, the attackers have a much easier way in, since the system’s defences are down.
“Most South African banks use multi-factor authentication (MFA), which requires some input from users in order to finally authorize transactions,” explains Oosthuizen. “This is a solid foundation for security that can also be implemented in slick ways. The risk-based authentication systems that are currently trending are aimed exclusively at providing hassle-free transactions, and consumers are not asked to go to the bother of supplying added authorisation. This may save a few seconds of the consumer’s time, but potentially adds a lot of risk. We’ve seen that consumers would rather be part of the security decision than just be randomly declined if their behaviour drifts outside of their norms.”
MFA ensures that the consumer is always in control and that he or she says a final “yes” or “no” to any transaction, typically via the mobile device that is always in their possession. This is a powerful safeguard against fraud.
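To make the preceding points concrete, here is a toy risk-based authentication engine written for this article; it is an added illustration, not Entersekt’s product or code from any bank. It assumes a profile made of two features (a 6-hour time-of-day bucket and a country code), a risk score that is the average unfamiliarity of those two features, a step-up threshold of 0.5, and, as the mitigation, a learning policy that updates the profile only from events the customer positively confirmed (for example via MFA approval). All transaction data is constructed. The script builds the same customer profile twice, once learning from everything it is fed (including a batch of unconfirmed records the bank cannot vouch for, standing in for poisoned data) and once learning only from confirmed events, then scores the morning South African payment and the after-midnight Russian payment from the text against both.

```python
"""Toy risk-based authentication engine (added example, constructed data).

Shows how a behaviour profile is built and scored, how unconfirmed (possibly
poisoned) records push a genuine customer's risk up and shrink the gap between
normal and anomalous behaviour, and how learning only from confirmed events
keeps the profile clean. Not code from any real bank or vendor.
"""
from collections import Counter
from dataclasses import dataclass, field

HOUR_BUCKETS = 4  # 6-hour windows: night, morning, afternoon, evening


@dataclass
class Event:
    hour: int        # hour of day, 0-23
    country: str     # ISO-3166 alpha-2 code (constructed values)
    confirmed: bool  # True if the customer positively approved it (e.g. via MFA)


@dataclass
class Profile:
    hours: Counter = field(default_factory=Counter)
    countries: Counter = field(default_factory=Counter)
    n: int = 0

    def learn(self, ev: Event) -> None:
        self.hours[ev.hour * HOUR_BUCKETS // 24] += 1
        self.countries[ev.country] += 1
        self.n += 1

    def risk(self, ev: Event) -> float:
        """0.0 = exactly matches past behaviour, 1.0 = never seen before."""
        if self.n == 0:
            return 1.0  # no history at all: treat as unknown
        p_hour = self.hours[ev.hour * HOUR_BUCKETS // 24] / self.n
        p_country = self.countries[ev.country] / self.n
        return 1.0 - (p_hour + p_country) / 2  # assumed scoring rule


def decide(profile: Profile, ev: Event, threshold: float = 0.5) -> str:
    """Allow silently when risk is low; otherwise step up to MFA and let the
    customer's own answer give the final yes or no."""
    if profile.risk(ev) < threshold:
        return "allow"
    return "allow-after-mfa" if ev.confirmed else "deny"


def build_profile(events, confirmed_only: bool) -> Profile:
    """confirmed_only=True is the assumed mitigation: never learn from records
    the bank cannot tie to a positive customer confirmation."""
    p = Profile()
    for ev in events:
        if ev.confirmed or not confirmed_only:
            p.learn(ev)
    return p


# Constructed history: 20 confirmed morning transactions from South Africa.
LEGIT_HISTORY = [Event(9, "ZA", True) for _ in range(20)]
# Constructed injected records: 60 unconfirmed events spread over every hour
# bucket and several countries, standing in for data the bank cannot vouch for.
POISON = [Event((i % 4) * 6, ["RU", "CN", "BR", "US"][i % 4], False)
          for i in range(60)]

LEGIT_NOW = Event(9, "ZA", True)     # the customer's usual pattern
ANOMALY_NOW = Event(0, "RU", False)  # the after-midnight payment from Russia


def compare() -> dict:
    """Risk of (legitimate, anomalous) event under each learning policy."""
    naive = build_profile(LEGIT_HISTORY + POISON, confirmed_only=False)
    strict = build_profile(LEGIT_HISTORY + POISON, confirmed_only=True)
    return {
        "naive": (naive.risk(LEGIT_NOW), naive.risk(ANOMALY_NOW)),
        "strict": (strict.risk(LEGIT_NOW), strict.risk(ANOMALY_NOW)),
    }


if __name__ == "__main__":
    for name, (legit, anomaly) in compare().items():
        print(f"{name:6s} legit risk={legit:.3f}  anomaly risk={anomaly:.3f}")
```

With the naive policy the genuine customer's morning payment scores 0.656 and is pushed into an MFA challenge, while the midnight Russian payment scores only 0.8125: the two are no longer far apart, so any threshold loosened enough to stop challenging real customers also admits more anomalies, which is the dynamic the text describes. With the confirmed-only policy the same customer scores 0.0 and the anomaly 1.0, and the MFA step-up in `decide` is only ever reached by the genuinely unusual transaction.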
“Banks and financial institutions are constantly targeted by cybercriminals, and the challenge for them is to secure their systems against a growing set of threats,” says Oosthuizen.
He also cautions: “A successful breach – resulting in a breakdown of trust – can cause devastating reputational damage to banking and payment ecosystems.”