By Gaetan van Diemen, General Manager, ThreatFabric
What, for you, are the benefits of attending a conference like the ‘Fraud and Financial Crime Europe’ and what can attendees expect to have learnt from your session?
The biggest benefit of attending conferences like “Fraud and Financial Crime” is that they bring together all the stakeholders playing a role in the fight against fraud. They allow one to meet both peers in the industry and experts from various affiliated domains, with the goal of examining and discussing core topics, learning from each other and leaving the conference with new ideas to fight fraud and cybercrime.
In the last decade we have noticed a significant increase in cyber-driven fraud; our challenge is the fragmentation of the stakeholders that play a role in the battle against such fraud, leaving important decisions untaken and risk on the rise.
In recent years new regulations and digitalisation have played a major role in the evolution of online services. This evolution comes at a price: more parties are involved in the delivery of the service, in the safety of the services, and in handling the customers and their experience.
Participants should use the conference to learn about the different aspects of fraud and cybercrime and build a network of knowledgeable stakeholders in the industry they can collaborate with to keep financial services enjoyable and safe.
In our session, the attendees were shown what is on the other side of the fraud attempts targeting financial institutions: a different perspective on cybercrime that helps in understanding how easy it is for newcomers to become fraudsters, how the criminal ecosystem works, why fraud is increasing and how to remediate it.
Can you describe some of the key factors that have recently driven the growth of cybercrime and fraud?
With the digitalisation of financial services, life has become easier: payments have become faster, cheaper and more accessible; but with a bright day comes a dark night.
Financially motivated threat actors noticed the shift to digital payments long ago and have adapted to it.
By improving customer experience and simplifying access to online payments, we have also opened new opportunities for criminals to perform fraud.
Near real-time transactions are one example of such a challenge, because of the speed at which the legitimacy of a transaction needs to be verified. Without the right context and visibility on the transaction, the end-user, their behaviour and their device, such new services make the recovery of fraudulent transactions convoluted.
The general digitalisation, and therefore dematerialisation, of money has also made fraud simpler: contrary to a robbery (or physical theft), nothing is physically missing, which makes the fraud less noticeable. Unlike an ordinary robbery, there is no need for the criminal to be physically close to the victim, and the risk of getting caught is far lower when sitting behind a computer, far away, on the other side of the planet. Another related aspect that plays a part in the growth of fraud is that much cyber-driven fraud can be performed at any moment of the day or night, as limited to no interaction with the victim is needed; once more considerably lowering the risk for the criminals of being detected by the victim.
The shift to mobile is still playing a role in cybercrime and fraud. Because mobile payments were made accessible and simple in a matter of a few years, consumers have not assimilated their ins and outs and have not adopted the adequate behaviour to safeguard their online banking experience. With human behaviour remaining the weak link in the payment chain, solutions that build risk and fraud detection without depending on the human have become even more important.
Another important aspect of the growth of cybercrime and fraud is regulatory and political.
An issue that is and will remain crucial is the inequality in laws about cybercrime in different countries and regions of the world. In many countries, laws about cybercrime are still limited or even non-existent, leaving criminals unpunished. Such countries often also provide limited or no collaboration on the topic, meaning that even law enforcement is powerless. Drawing on many investigations and threat intelligence research cases, we concluded that financially motivated threat actors are most often located in countries lacking such laws, which prevents them from being tried and gives hope to other newcomer criminals.
Last but not least, another aspect that will probably impact the future generations of fraudsters is the global growth of cybercrime and cyberwarfare. For many years cyberwar was something only visible to consumers through action movies, but in the last decade it has become a recurrent topic in the news. Punishment of financially motivated threat actors will become even harder if state-sponsored attacks become the norm. In addition, the risk related to the increase in such cyberwars is that it might result in a decrease in the attention given to financial crime, motivating threat actors to continue and grow their activities.
What are the key challenges when combating cybercrime and fraud on mobile, and how can companies overcome these challenges?
Two of the key challenges in the fight against cybercrime and fraud on mobile are the ethical and technological limitations. Human behaviour remains the weak link in the payment chain, and to answer that weakness, solutions are either educational or based on technology. Educating users has severe limitations: we can’t ask all consumers to be IT or cybersecurity experts, and in addition, socially engineered and technologically advanced attacks will very probably be able to bypass such education. Therefore, the technological factor remains crucial to fill the gap and effectively detect fraud attempts.
Newer technology to improve mobile payments should be accompanied by newer security measures, to guarantee the balance between user experience and user safety. User behaviour, device reputation and, above all, threat detection are the successful combination to fight cybercrime, but this also implies the collection and processing of information related to the consumer and their devices.
With constantly growing privacy and data protection regulations, the acquisition and usage of such information become more and more challenging.
Technological limitations and boundaries are another challenging aspect: while cybercriminals have no limits on abusing and exploiting software in order to perform fraud, financial institutions need to comply with regulations and use the technical frameworks and interfaces available to be able to detect anomalies. During the last decade we have been fighting cybercrime, and one of the remarkable elements in the fight has been the capacity of criminals to adapt their malicious software or attack methodology in a short timeframe, turning the fight into a cat and mouse game. Intelligence and agility have been our solution to the problem.
With the increasing number of new mobile apps, online platforms, device vendors and device types, the attack surface exploitable by criminals has also expanded. The result is that the solutions put in place to fight cybercrime and fraud have a growing range of elements to monitor, making them considerably more complex to use. Translating the complex techniques and technology behind the attacks into actionable information has been an important challenge but also our key success factor.
How do you see the threat landscape evolving and what are your future expectations?
The threat landscape has been constantly evolving: from the first cyber-fraud attacks on computers to the latest attacks on mobile devices, criminals have been innovating and working hard to find new tricks to steal personal information and bypass fraud prevention measures. This evolution is continuous, and we can expect several focus areas for the future of digital fraud.
To start with, we expect that criminals will broaden the scope of data theft. Although many financially motivated criminals limit themselves to the theft of banking credentials and credit card details, we expect some of them to steal all the information present on the devices they have infected, with the idea of monetising that information later. Some examples of monetisation are blackmailing the victim with the threat of a public release of personal information, using such information to request loans or mortgages, opening (bank) accounts to launder money, or even stealing tax refunds.
In addition, we foresee that more and more fraud will be performed from the devices of the victims with the help of Remote Access Trojans, as this lowers the chance of the fraud attempt being detected tremendously and simplifies the extortion process.
Another trend we expect is that criminals will be inventive in the abuse of infected devices. Manipulation of an infected mobile device can also be used, for example, to distribute malware further by abusing the contact list, to launch distributed denial of service (DDoS) attacks, or to access the Wi-Fi network and perform lateral movement to take over other devices.
To conclude, we expect a combination of different techniques to be used in order to increase the chances for criminals to successfully perform fraud and grow their revenue while needing less interaction with the victim.