Girl frowning while looking at cell phone

3 Reasons Why You’re More Vulnerable to Fraud Than You Think

With the vast amount of cyber threat intelligence accumulated over the last 20 years combined with an array of solutions available today to secure every aspect of the customer experience, you’d think that financial fraud is on the way out. Unfortunately, for many banks and financial institutions operating in the 21st century, that’s not the case. Fraud prevention in the age of multiple digital channels, inclusive of mobile banking applications running on different devices, has become a never-ending struggle. Just as one threat seems to be eliminated, more fraud crops up to take its place. Even organizations that pride themselves on a thorough and cutting-edge risk management approach are not immune.

Here’s why:

1. Fraud-Readiness Now Is No Guarantee of Fraud-Readiness in the Future

The reason for this is simple: fraud continues to grow. There are no guarantees about your future risk profile — except that it’s likely going to be elevated or differentiated compared to historical data. According to the United States Federal Trade Commission (FTC) Consumer Sentinel Data Book for 2020, fraud reports reached an all-time high in 2020, up from a previous all-time high in 2019, which was up from a previous all-time high in 2018. You get the picture.1 In fact, the only break from increasing numbers of fraud reports since 2001 were minor dips in 2016 and 2017. With identity theft responsible for the largest chunk of fraud reports (29.39 percent over 1.3 million), it’s clear to see why banks and financial institutions need to remain in an adaptive combat stance. Securing the online banking experience while providing a value-based system that treats trusted identities as a first-class currency is key.

Image
Fraud Skyrockets in 2020Number of Fraud Reports Submitted to the FTC3.12 M3.24 M4.72 MYear201820192020

Ultimately, increasing evidence suggests that a risk management strategy solely based on previous years’ threats is doomed to fail. Reactive security postures don’t guarantee threat tolerance in the future, no matter how well they’re established. Being proactive means incorporating solutions that include zero-day fraud detection and prevention capabilities combined with a defense-in-depth (layered security) approach that encompasses physical, technical and administrative controls. Banks should also consider adding machine learning-driven risk management that can isolate anomalies and flag new threats as they emerge — not after they’ve already exploited vulnerabilities and done damage to an organization’s reputation, which becomes more costly to repair.

2. No Organization Is an Island

Major breaches have become a fixture in the news. When threat actors don’t target your organization, it may seem like you’ve been spared. However, no organization is an island. Banks today don’t exist in a vacuum, and any large-scale breaches have ripple effects that adversely impact every corner of the organization. Each piece of information that fraudsters, cybercriminal organizations or state actors acquire about bank consumers will compromise their login information and ultimately contribute to transactional fraud using consumers’ valued assets.

Take the massive SolarWinds hack as an example. Discovered at the close of 2020 and targeting major corporations as well as United States government agencies, the consequences of the SolarWinds hack are still reverberating well into 2021. The data breach incident is a case study on the interconnectedness of our online environment today, with a laundry list of affected organizations.2 Microsoft was one of the higher profile organizations initially cited to be breached as a result of the attack, including many of their cloud environments and Azure Active Directory. On March 16, the cybersecurity firm Mimecast announced that its source code had been breached as well.3  On March 17, the United States Cybersecurity and Information Security Agency (CISA) released a table of techniques, tactics and procedures used by the threat actor to help firms defend against future similar attacks, which is information every cybersecurity team should be aware of — including yours.4  While we can’t prevent breaches at other organizations, we can ensure that our risk management solution is able to field both known and unknown threats so that we are not left vulnerable when a cyber-attack breaches customer data.

3. Too Often, The Source of Fraud Is Close to Home

Customer experience and security hang in a delicate balance. Given the high expectations of today’s consumers, balancing security and usability is crucial. Maintaining trust is the end goal here. Enhanced security that adversely affects the customer experience is not viable, but unintuitive user journeys can become more costly. Internally, organizations bolster security by educating employees through infosec seminars or instituting policies and procedures to head off illicit access and minimize the risk of breach. However, customers have always been a diverse group who bank in various unsecured environments, potentially around people with bad intentions. They may have their passwords on sticky notes or saved in their phones or browsers without protection, or they may use the same password for every online service they access.  They may even share their answers to common security questions through social media quizzes (which are actually data-harvesting schemes), put out for their entire network to see.5  

Image
Hand touching screen on phone

Predictable consumer behaviors and poor infosec practices create opportunities for fraudsters that reactive security postures cannot address. A layered security strategy should become the organization’s baseline. This must also emphasize on treating identities as a first-class currency by going beyond traditional authentication. None of these measures should come at the cost of a great customer experience, however, which is why adding an adaptive and machine learning-driven/risk-based authentication solution can provide a major advantage in balancing the user journey. Rounding this up with behavioral biometrics that includes a wide variety of consumer attributes (location, time of day, device type, OS, browser details, etc.) will enable continuous identification and authentication by preventing identity theft and enhances security without impacting ease of use, giving the bank a better defense against ongoing threats.

Take a look at The Ultimate Guide to Risk Management Systems >>

References:

1. 2020 Federal Trade Commission (FTC) Consumer Sentinel Network Data Book.

2. Here's a simple explanation of how the massive SolarWinds hack happened and why it's such a big deal.

3. Mimecast Reveals Source Code Theft in Solarwinds Hack.

4. SolarWinds and Active Directory/M365 Compromise: Detecting Advanced Persistent Threat Activity from Known Tactics, Techniques, and Procedures.

5. Don’t give away historical details about yourself.

RECENT POSTS

HID Origo™ 개발자 포털 소개

HID Origo™ 개발자 포털의 가용성에 대한 소식을 전해 드릴 수 있게 되어 기쁘게 생각합니다. 이 포털에서는 기술 파트너들에게 직원들의 물리적 및 디지털 경험과 기술이 혼재하는 앱과 API 통합을 구축하는 데 필요한 도구와 지원을 제공합니다.

10월은 국가 사이버 보안의 달입니다

매년 10월은 정부와 사이버 보안 업계가 협력을 도모하기 위해 지정한 국가 사이버 보안 인식의 달(NCSAM)입니다. 이 교육 기간 동안 유익한 정보를 통해 기업과 개인이 온라인에서 스스로를 보호할 수 있는 방법에 대한 인식을 고취시킬 수 있습니다.