Blog

Posts tagged Fraud
The Future of Facial Recognition

Facial recognition has a central position at the high-tension intersection of privacy debates, security requirements and consumer demands for increasing convenience. Digital identities are critical to companies competing to offer their services quickly while demanding less input from customers. Facial recognition is in many ways the best tool for verifying identity. It is considered the best biometric, and is ultimately convenient. In fact, it can require no action by the consumer, unless identity confirmation fails.

Since the release of the iPhone X (and its groundbreaking facial recognition capability) many consumers have come to understand the allure of, and accept, facial recognition. And it is gaining greater adoption in all areas of e-commerce—especially in the security-conscious financial industry. FIthas already been accepted as valid identification method by Europe’s banks. JetBlue has started using it instead of boarding passes. And it is rapidly becoming big business: Allied Market Research predicts that the global face recognition technology market will generate sales of $9.6 billion in 2022.

Read More
Synthetic Identity Fraud

Synthetic identity fraud, in which an identity is created instead of stolen, has been around in some form for a long time. Estimates are that it produced over $6 billion in losses in 2016 alone. But as the security community has been able to successfully address other forms of cybercrime and fraud, synthetic identity fraud has become much more popular.

Synthetic identity fraud is uncommon in that it requires both a long-term view and long-term expenditures—often for years—before the identity can be exploited. But the crime is also very difficult to detect. In fact, it is impossible to know how many “busted out” identities still exist, inactive and tagged with an abysmal credit rating.

The crime begins with a social security number. It is often a child’s, but criminals can also simply make up a number. The rest of the identity will consist of a mix of stolen and made-up PII (personally identifiable information) and a “home” address controlled by the criminal.

The SSN should have no credit history attached to it. The criminal sets about building one. The simplest way to do this is to apply for—and get rejected by—credit cards. This will establish a credit history. Eventually they will get a card with a very low limit. Then they diligently work to improve the credit rating and increase card limits. Some pay credit repair agencies and for-profit “credit piggybackers” to hasten that process.

Eventually, perhaps after years, the criminal will “bust out” the identity, running all the cards up to their limit and walking away from the identity.

A developed synthetic identity can also be assumed by a real person, for instance an undocumented immigrant or even someone who wants a better credit score.

Any company that doesn’t employ in-person verification at some point is vulnerable to this type of fraud. It is difficult to detect because there is no way (yet) for companies to verify SSNs with the government. Another is that SSNs have been randomized since 2011 and are no longer correlated to date or place of birth. Security programs lost those critical verification factors.

For consumers, once the issue shows up on your credit report it is too late. But you may want to freeze your children’s credit score (if that is allowed in your state). Companies have the larger challenge, but a sophisticated verification system that looks at depth and consistency of PII will help.

Read More
Formjacking, a New Security Threat Facing Consumers

Formjacking is an increasingly popular tool in the ever-escalating war for your data. It is the digital equivalent of card skimming: Where a skimming device captures your card data when you swipe it at a gas pump or ATM, formjacking code captures it the moment you submit an order entry form on an infected website.

As a consumer there is nothing you can do to prevent it (short of making all your purchases offline). It is not your device that is infected with the code, it is the website. Even well-established, well-regarded online retailers are vulnerable, if cybercriminals are able to infect less-protected third-party software down their supply chain.

Symantec reports almost 4 million formjacking attack attempts in 2018, with an average of about 4,800 sites successfully infected monthly. The cyber security community can protect against these attacks, but as always systematic and comprehensive vigilance is the key.

As a consumer you won’t know you’ve been formjacked until your data is used. So, this is another good reason to monitor your financial statements and credit reports carefully. You should institute a credit freeze the moment you suspect a problem—and strongly consider doing it now.

Read More
A Challenging Cyber Security Talent Market

If you are responsible for an organization’s cybersecurity, challenges are part of your daily life. Building a talented and cohesive team is among them.

The demand for cyber professionals far surpasses the supply of those that have training or experience in the field. A study by ISACA’s Cybersecurity Nexus (CSX) reports barely 50 percent of organizations can count on receiving at least five applications for each cybersecurity opening.

In such a competitive market the talent will be choosing you as much as you are choosing them.

You need to be proactive and creative in your talent search. Include relevant technical schools and professional organizations in your pipeline. Take pains to show you welcome diverse talent such as women and minorities into your department—data show both are underrepresented and underpaid in this industry.

Finally, cybersecurity talent should have analytic skills, attend to detail, and in the best case have communication skills that allow them to collaborate effectively across every area of your company. Those are the traits to look for in junior hires. The techniques of cybersecurity can be taught. New hires should have a passion for cybersecurity, but a background in mathematics, analytics, problem solving, and investigations can be just as promising as one in programming.

So think expansively. Core skills can be more important than certifications. Creating a supportive environment where employees continually learn new skills from other seasoned pros in the group (in addition to formal training) helps guard against another hazard of this competitive market—talent poaching by your industry peers.

Read More
Data Centric Security: Shifting Cyber Defense to the Core

Firewalls and infrastructure-level cybersecurity tools have proven themselves unequal to contemporary cybercriminals—and to the demands of contemporary business. Data breaches occur at an alarming rate, and the traditional castle and moat tools won’t be enough to protect the sensitive data in your organization. Your adversaries will try to penetrate your infrastructure so they can gather and monetize your sensitive data. By shifting to a data-centric cyber defense you focus on what is important: identifying that sensitive data and surrounding it with rings of defense.

The central mandate in the data-centric approach is to maintain control over your sensitive data at all times. That involves an extensive process of, first, identifying where all of that data is and what system processes, applications and functions use it. Second, classify it by determining whether it involves business sensitive data, intellectual property, account level data, or customer info. By using the correct level of encryption and data protection tools for each type of information you create the first line of defense against the adversary.

Just as important is restricting access by using the proper authentication and access control tools and procedures as well as by monitoring access to these files. This simplifies tracking the movement of those assets, and real-time monitoring will readily identify suspicious behavior and unauthorized use.

A good data-centric approach will provide the core foundation for integrating additional layers of cyber defense, including network monitoring, endpoint, DLP, vulnerability identification and remediation, behavioral tools, and privileged access monitoring.

Read More
Building Efficient and Collaborative Work Environments for Today’s Cyber and Tech Units

Team building for cyber and tech units presents special challenges and prerogatives. The most direct challenge occurs when a specific cyber or tech team — or complimentary functions which are critical interaction points — are geographically dispersed.

One priority should be coordinating simulation or collaboration activities for teams that are geographically separate. Keep in mind that this will require more overhead than it would for geographically centralized teams. Encourage and improve their use of the real-time collaboration technology provided by your company. As you improve your team’s coordination skills and their interactions become a daily fluid event, their camaraderie and trust in each other’s skills will increase and the difficulties of geographic dispersion will melt away.

That dispersal has benefits as well. Cybersecurity has become integrated in all areas of business, so the more your team understands of your organization’s business activities and strategic vision, the better. Culturally integrating your team members throughout the company should be priority, but you may have to fight for support for their inclusion in other group’s activities.

To successfully protect your company from attacks, your team needs to be constantly studying your networks, applications, and remote channels with the most critical eye. But that eye needs contextual understanding of the products and business processes driving all that technical activity. A strong team will have a good pipeline for moving ideas and analysis rapidly through the group. As the Chief Information Security Officer, you should work to engender a culture that encourages constructive criticism as well as the appropriate reactions to constructive criticism. Any good cyber pro understands that there could always be an angle that someone else’s eye sees more clearly.

Many discussions of team building in cyber and IT seem to start with the difficulties of team building with a group that prefers interacting with technology to interacting with each other. I have found that the best IT and cyber professionals are excellent communicators who understand technology and are able to articulate it to laymen and experts alike. They also know how to use collaborative tech channels to connect to their partners and peers.

Read More
Conventional Cybersecurity No Longer Works

Cybersecurity focuses on protecting your company’s sensitive data from criminals. But with constantly advancing and expanding threats, conventional analysis is no longer meeting the challenge. An organization’s data is now most often the most important tool in that fight. The tools of collection and analysis associated with big data have evolved to be the most effective tools in preventing breaches—and in identifying them quickly when they do occur.

Anti-virus programs and IT departments alike increasingly rely on big data. It is their best option for identifying new threats—advanced threat detection is powered by big data’s ability to quickly recognize patterns associated with malicious files. Machine learning allows programs to recognize a greater range of anomalous events, catching threats that would have bypassed any set of rules established by a security expert. The greater the range of threats the dataset contains, the more able a machine learning system will be to spot new types of threats.

The article “When big data and cybersecurity collide,” from CIO magazine’s Ravi Kumar, further explores new trends in protecting your company’s data.

Read More
State Sponsored Attacks Against Financial Institutions

In a 2018 report published by The Carnegie Endowment for International Peace, Erica D. Borghard detailed how the U.S. economy is at risk by “national security adversaries in cyberspace.”

“The U.S. financial system is a target for foreign cyber adversaries for several reasons,” she stated. “First, the financial sector is one of the bedrocks of the U.S.—and global—economy. Significant disruptive or destructive attacks against the financial sector could have catastrophic effects on the economy and threaten financial stability. This could occur directly through lost revenue as well as indirectly through losses in consumer confidence and effects that reverberate beyond the financial sector because it serves as the backbone of other parts of the economy. For instance, cyber attacks that disrupt critical services, reduce confidence in specific firms or the market itself, or undermine data integrity could have systemic consequences for the U.S. economy.”

Iran, North Korea and Russia are just three examples of adversaries cited by Borghard, an assistant professor at the Army Cyber Institute at the United States Military Academy at West Point.

As we embark on a new year, FinTech fraud experts are working assiduously to prevent such state sponsored attacks to their assets.

Read More
Credential Stuffing Increasing

Credential stuffing is one of the most common techniques used to take over user accounts.

According to The Open Web Application Security Project, research shows that past Dropbox, JP Morgan, Sony and Yahoo breaches resulted from credential stuffing.

In this type of attack, the perpetrator acquires spilled usernames and passwords from a website breach or password dump site and uses an account checker to test the stolen credentials against a variety of websites. When an attempt succeeds, the attacker takes over the account matching the stolen credentials and drains stolen accounts of stored value, credit card numbers, and other personally identifiable information.

In this Credential Stuffing Prevention Cheat Sheet, OWASP recommends several steps for thwarting credential stuffing attacks, from multi-factor authentication to avoiding the use of email addresses as user ID’s.

Read More
How General Data Protection Regulation Will Impact Risk Mitigation in 2019

Data use regulation and consumer consent is far and away the biggest concern of many developers in risk and fraud systems. It is something that could have significant effects across all areas of FinTech. There are too many unknowns and hundreds of different opinions across all fields on what is acceptable today and what may be acceptable tomorrow. This applies to all use cases including fraud.

The General Data Protection Regulation (“GDPR”) is a legal framework that currently requires businesses to protect the personal data and privacy of European Union (EU) citizens for transactions that occur within EU member states. Watch for similar legislation to come to the state and federal level in the U.S.

Read More