Posts tagged Cybersecurity
Cybersecurity Best Practices for Fintech

As the digital world expands, so does the ever-growing threat of cyberattacks targeting customer data and transactions. On average, it takes 206 days for a U.S. company to detect a data breach, costing them an average of $4.45 million per breach. Account takeovers (ATOs) were trending at the highest loss rate among different fraud types in 2020.

While it is unrealistic to expect to never be the target of a cyberattack, the best cybersecurity practice that fintech companies can adopt to proactively ensure the security of customer data is a layered security defense. Layered security entails implementing several security products and strategies to create multiple layers of defense. If a breach of one layer of security occurs, the subsequent layers will eliminate it. While every company has its own specific needs, a robust layered security solution should have the following features. 

My new article on LinkedIn describes these. Read it here.

Fiserv’s 2020 Fraud and Security Survey

Over the summer Fiserv interviewed 1,037 American adults to determine consumer trends in digital commerce. The results shed light on ways the COVID-19 pandemic has been central to consumer decisions, especially in driving greater adoption of digital commerce and payment options, even as 79% of consumers say they are at least as concerned about cybersecurity threats as they were last year.

A third of respondents have increased their use of touchless payments, and more (69%) anticipate increasing their use of touchless payments going forward. Credit and debit cards are still the preferred payment types (used by 52% of respondents), but 33% said they often use phone apps to pay and 15% use QR codes. Gen Z consumers lead in adoption of mobile payments apps (with 41% using them regularly). Millennials are close behind at 38%, while 21% of both groups report using QR code payments regularly.

Touchless payments have facilitated a rise in buying online and picking up in-store (or “BOPIS” shopping, at 43% usage) or curbside (50%). In fact, 43% of Gen Z’ers report that their phone has replaced their physical wallet—against only 16% of Baby Boomers.

Increasing confidence in the security of e-commerce platforms

Consumers show increasing confidence in the security of e-commerce platforms. Only 18% considered it the most vulnerable channel (in 2017 52% felt they were most vulnerable to a cyber-attack while shopping online). And only 22% of consumers reported a credit card compromise in the last year (down from 57% in 2017), a decline that is attributable to the rise of chip cards as well as improved cyber security.

Younger consumers are much more likely to report having shared their personal data with someone through email, and perhaps therefore are seeing their personal information compromised at a much higher rate. Among all respondents, only 23% are confident in the security of the Personally Identifiable Information (PII) they use in payments. 36% report they are changing their passwords more frequently this year.

Based on these responses, Fiserv encourages businesses to incorporate multi-factor authentication into user profiles as a way of boosting security and customer confidence. Touchless payments will continue to grow in the years ahead. For more insight, read the survey results here.

Cyber Security and Physical Security

In cyber security we focus on cybercrime as our main threat. But to protect our organization’s data, we also need to understand physical threats. It is a relatively low-risk venture for someone halfway around the world to send out malware and hope it penetrates critical systems. But with the presence of both high-value information and a determined adversary, you have to be ready for traditional espionage techniques as well as the most advanced digital tools.

Old-fashioned black-bag jobs are not out of the picture, as one CEO learned in 2017 when he returned to his office after a company celebration. Moles are also still used, and disgruntled employees may be approached by hostile actors.

As a cyber professional, such physical attacks will not be your sole responsibility. But by working with other departments you can play a central role in preventing them. In fact, as in conventional cyber security, identifying and tagging critical data is the most important step. Then you can limit access to and usage of that data, and then flag and trace unusual usage patterns.

It may be tempting to focus on high-risk areas—for instance an employee taking a laptop on a business trip to a foreign country. But as in all areas of cybercrime, hostile actors look for weak points (and may be just as likely to attempt physical access to that employee’s data when he is at a conference in Las Vegas). Critical data must be protected no matter its location. And just as you identified your critical data, seek out and identify weak points in all areas of your security infrastructure.

The Future of Facial Recognition

Facial recognition has a central position at the high-tension intersection of privacy debates, security requirements and consumer demands for increasing convenience. Digital identities are critical to companies competing to offer their services quickly while demanding less input from customers. Facial recognition is in many ways the best tool for verifying identity. It is considered the best biometric, and is ultimately convenient. In fact, it can require no action by the consumer, unless identity confirmation fails.

Since the release of the iPhone X (and its groundbreaking facial recognition capability) many consumers have come to understand the allure of, and accept, facial recognition. And it is gaining greater adoption in all areas of e-commerce—especially in the security-conscious financial industry. It has already been accepted as a valid identification method by Europe’s banks. JetBlue has started using it instead of boarding passes. And it is rapidly becoming big business: Allied Market Research predicts that the global face recognition technology market will generate sales of $9.6 billion in 2022.

Synthetic Identity Fraud

Synthetic identity fraud, in which an identity is created instead of stolen, has been around in some form for a long time. Estimates are that it produced over $6 billion in losses in 2016 alone. But as the security community has been able to successfully address other forms of cybercrime and fraud, synthetic identity fraud has become much more popular.

Synthetic identity fraud is uncommon in that it requires both a long-term view and long-term expenditures—often for years—before the identity can be exploited. But the crime is also very difficult to detect. In fact, it is impossible to know how many “busted out” identities still exist, inactive and tagged with an abysmal credit rating.

The crime begins with a social security number. It is often a child’s, but criminals can also simply make up a number. The rest of the identity will consist of a mix of stolen and made-up PII (personally identifiable information) and a “home” address controlled by the criminal.

The SSN should have no credit history attached to it. The criminal sets about building one. The simplest way to do this is to apply for—and get rejected by—credit cards. This will establish a credit history. Eventually they will get a card with a very low limit. Then they diligently work to improve the credit rating and increase card limits. Some pay credit repair agencies and for-profit “credit piggybackers” to hasten that process.

Eventually, perhaps after years, the criminal will “bust out” the identity, running all the cards up to their limit and walking away from the identity.

A developed synthetic identity can also be assumed by a real person, for instance an undocumented immigrant or even someone who wants a better credit score.

Any company that doesn’t employ in-person verification at some point is vulnerable to this type of fraud. One reason it is difficult to detect is that there is no way (yet) for companies to verify SSNs with the government. Another is that SSNs have been randomized since 2011 and are no longer correlated to date or place of birth. Security programs lost those critical verification factors.

For consumers, once the issue shows up on your credit report it is too late. But you may want to freeze your children’s credit score (if that is allowed in your state). Companies have the larger challenge, but a sophisticated verification system that looks at depth and consistency of PII will help.

Formjacking, a New Security Threat Facing Consumers

Formjacking is an increasingly popular tool in the ever-escalating war for your data. It is the digital equivalent of card skimming: Where a skimming device captures your card data when you swipe it at a gas pump or ATM, formjacking code captures it the moment you submit an order entry form on an infected website.

As a consumer there is nothing you can do to prevent it (short of making all your purchases offline). It is not your device that is infected with the code, it is the website. Even well-established, well-regarded online retailers are vulnerable, if cybercriminals are able to infect less-protected third-party software down their supply chain.

Symantec reports almost 4 million formjacking attack attempts in 2018, with an average of about 4,800 sites successfully infected monthly. The cyber security community can protect against these attacks, but as always systematic and comprehensive vigilance is the key.
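The defender-side counterpart of the description above, as an added example that is not part of the original post: a Python script that audits the script tags on a checkout page against an allowlist of hosts the site owner expects to serve scripts, and requires a Subresource Integrity attribute on every external script, so that a script pulled in through a compromised third party, or one whose contents are no longer pinned, is reported. The allowlist, the sample page and the integrity hash placeholder are constructed for this example.

```python
"""Audit the <script> tags on a checkout page.

Added example, not code from the original post. It assumes the site
owner maintains an allowlist of hosts expected to serve scripts and
requires Subresource Integrity (SRI) on every external script; the
sample page, the allowlist and the integrity hash are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site owner expects to serve scripts on the checkout page (constructed).
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.example"}


class ScriptCollector(HTMLParser):
    """Collect each <script> tag's src and integrity attributes plus any inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        # HTMLParser delivers the raw body of a <script> element here.
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def audit_scripts(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (finding, detail) pairs for the three places injected code tends to
    show up: inline script, a script from an unexpected host, or an external
    script that carries no SRI hash and so could change without notice."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for s in parser.scripts:
        if s["src"] is None:
            if s["body"].strip():
                findings.append(("inline-script", s["body"].strip()[:40]))
            continue
        host = urlparse(s["src"]).hostname or ""
        if host not in allowed_hosts:
            findings.append(("unexpected-host", s["src"]))
        if not s["integrity"]:
            findings.append(("missing-sri", s["src"]))
    return findings


# Constructed checkout page: one expected script with SRI, one unexpected
# third-party script without SRI, and one inline script.
SAMPLE_CHECKOUT_HTML = """<html><body>
<form id="order" action="/checkout" method="post">
  <input name="card_number"><input name="cvv"><button>Pay</button>
</form>
<script src="https://cdn.example/checkout.js"
        integrity="sha384-EXAMPLEHASHPLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://stats-collector.invalid/t.js"></script>
<script>console.log('page ready');</script>
</body></html>"""

if __name__ == "__main__":
    for finding, detail in audit_scripts(SAMPLE_CHECKOUT_HTML):
        print(f"{finding:16} {detail}")
```

Run against a page fetched from the live site on a schedule, the check turns the "systematic and comprehensive vigilance" above into something concrete: any new finding is a diff worth a human look. A Content Security Policy with the same allowlist enforces the host rule in the browser as well, and SRI makes a swapped CDN file fail to load rather than execute.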

As a consumer you won’t know you’ve been formjacked until your data is used. So, this is another good reason to monitor your financial statements and credit reports carefully. You should institute a credit freeze the moment you suspect a problem—and strongly consider doing it now.

A Challenging Cyber Security Talent Market

If you are responsible for an organization’s cybersecurity, challenges are part of your daily life. Building a talented and cohesive team is among them.

The demand for cyber professionals far surpasses the supply of those that have training or experience in the field. A study by ISACA’s Cybersecurity Nexus (CSX) reports barely 50 percent of organizations can count on receiving at least five applications for each cybersecurity opening.

In such a competitive market the talent will be choosing you as much as you are choosing them.

You need to be proactive and creative in your talent search. Include relevant technical schools and professional organizations in your pipeline. Take pains to show you welcome diverse talent such as women and minorities into your department—data show both are underrepresented and underpaid in this industry.

Finally, cybersecurity talent should have analytic skills, attend to detail, and in the best case have communication skills that allow them to collaborate effectively across every area of your company. Those are the traits to look for in junior hires. The techniques of cybersecurity can be taught. New hires should have a passion for cybersecurity, but a background in mathematics, analytics, problem solving, and investigations can be just as promising as one in programming.

So think expansively. Core skills can be more important than certifications. Creating a supportive environment where employees continually learn new skills from other seasoned pros in the group (in addition to formal training) helps guard against another hazard of this competitive market—talent poaching by your industry peers.

Data Centric Security: Shifting Cyber Defense to the Core

Firewalls and infrastructure-level cybersecurity tools have proven themselves unequal to contemporary cybercriminals—and to the demands of contemporary business. Data breaches occur at an alarming rate, and the traditional castle and moat tools won’t be enough to protect the sensitive data in your organization. Your adversaries will try to penetrate your infrastructure so they can gather and monetize your sensitive data. By shifting to a data-centric cyber defense you focus on what is important: identifying that sensitive data and surrounding it with rings of defense.

The central mandate in the data-centric approach is to maintain control over your sensitive data at all times. That involves an extensive process of, first, identifying where all of that data is and what system processes, applications and functions use it, and second, classifying it by determining whether it involves business sensitive data, intellectual property, account level data, or customer info. By using the correct level of encryption and data protection tools for each type of information you create the first line of defense against the adversary.

Just as important is restricting access by using the proper authentication and access control tools and procedures as well as by monitoring access to these files. This simplifies tracking the movement of those assets, and real-time monitoring will readily identify suspicious behavior and unauthorized use.

A good data-centric approach will provide the core foundation for integrating additional layers of cyber defense, including network monitoring, endpoint protection, DLP, vulnerability identification and remediation, behavioral tools, and privileged access monitoring.
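The sequence the three paragraphs above lay out (identify, classify, protect by class, restrict access, monitor) in miniature, as an added example that is not code from the original post. It is a Python model in which field names are mapped to a data class, customer PII is stored tokenized, each read is mediated by role and logged, and the log is checked for denied reads and for one principal sweeping a sensitive class across many records. The field-to-class rules, roles, threshold and customer records are all constructed, and keyed HMAC tokenization stands in for the KMS-backed encryption a real deployment would use.

```python
"""Data-centric controls in miniature: classify fields, protect them by
class, mediate reads by role, and flag unusual access patterns.

Added example, not code from the original post. Field-to-class rules,
roles, the bulk-read threshold and the sample customer records are all
constructed; the protection step uses keyed (HMAC) tokenization as a
stand-in for the KMS-backed encryption a real deployment would use.
"""
import hashlib
import hmac
from collections import defaultdict

PUBLIC = "public"

# Steps 1-2: identify which fields hold sensitive data and classify them (constructed rules).
FIELD_CLASSES = {
    "ssn": "customer_pii", "email": "customer_pii", "dob": "customer_pii",
    "account_no": "account_level", "balance": "account_level",
    "pricing_model": "intellectual_property",
    "quarterly_forecast": "business_sensitive",
}

# Step 3: classes whose values are stored tokenized rather than in the clear.
TOKENIZED_CLASSES = {"customer_pii"}

# Step 4: which classes each role may read.
ROLE_ACCESS = {
    "support_agent": {"customer_pii", PUBLIC},
    "finance_analyst": {"account_level", "business_sensitive", PUBLIC},
    "engineer": {PUBLIC},
}

TOKEN_KEY = b"constructed-example-key-do-not-reuse"


def classify(field):
    """Map a field name to its data class; unknown fields are public."""
    return FIELD_CLASSES.get(field, PUBLIC)


def tokenize(value):
    """Keyed pseudonym: stable (so records can still be joined), not reversible without the key."""
    digest = hmac.new(TOKEN_KEY, str(value).encode(), hashlib.sha256).hexdigest()
    return "tok_" + digest[:16]


def protect_record(record):
    """Apply the per-class protection before the record is stored."""
    return {f: tokenize(v) if classify(f) in TOKENIZED_CLASSES else v for f, v in record.items()}


class AccessMonitor:
    """Step 5: every read passes through here, is logged, and is checked against the role."""

    def __init__(self, store, bulk_threshold=3):
        self.store = store
        self.bulk_threshold = bulk_threshold
        self.log = []
        self._records_seen = defaultdict(set)  # (user, class) -> record ids read

    def read(self, user, role, record_id, field):
        cls = classify(field)
        allowed = cls in ROLE_ACCESS.get(role, set())
        self.log.append({"user": user, "role": role, "record": record_id,
                         "field": field, "class": cls, "allowed": allowed})
        if not allowed:
            return None
        if cls != PUBLIC:
            self._records_seen[(user, cls)].add(record_id)
        return self.store[record_id][field]

    def alerts(self):
        """Denied reads, plus one user reading a sensitive class across many records."""
        out = [("denied-access", e["user"], e["class"]) for e in self.log if not e["allowed"]]
        for (user, cls), ids in self._records_seen.items():
            if len(ids) >= self.bulk_threshold:
                out.append(("bulk-read", user, cls))
        return out


# Constructed sample records; the store keeps only the protected form.
SAMPLE_RECORDS = {
    "c1": {"email": "ann@example.com", "ssn": "000-00-0001", "account_no": "11111", "balance": 120.0, "plan": "basic"},
    "c2": {"email": "bob@example.com", "ssn": "000-00-0002", "account_no": "22222", "balance": 9800.5, "plan": "pro"},
    "c3": {"email": "cat@example.com", "ssn": "000-00-0003", "account_no": "33333", "balance": 45.0, "plan": "basic"},
}
PROTECTED_STORE = {rid: protect_record(r) for rid, r in SAMPLE_RECORDS.items()}


def run_demo(store=PROTECTED_STORE):
    """Three access patterns: a denied read, normal support use, and a bulk pull of balances."""
    mon = AccessMonitor(store, bulk_threshold=3)
    mon.read("eve", "engineer", "c1", "balance")          # engineer has no account-level access
    mon.read("sam", "support_agent", "c1", "plan")        # one customer's public field
    mon.read("sam", "support_agent", "c1", "email")       # one customer's PII: normal
    for rid in store:                                     # every customer's balance: flagged
        mon.read("fay", "finance_analyst", rid, "balance")
    return mon.alerts()


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The point of the model is where the controls sit: the class of a field, not the system that happens to hold it, decides how it is stored and who may read it, and the access log is keyed by class so that the "unusual usage pattern" check (a single principal touching a sensitive class across many records) works the same whichever application issued the reads.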
