By Tim Ayling, Vice President EMEA, Buguroo
What, for you, are the benefits of attending a conference like the ‘Fraud and Financial Crime Europe’ and what have attendees learnt from your session?
The conference presents a fantastic opportunity to rub shoulders with and learn from smart people in the industry. And it’s always interesting to see and discuss the issues our customers and others in the financial crime industry are facing, as this helps inform our work.
My session concentrated on the relationship between cybersecurity and fraud prevention, exploring the ways in which broad technological advances in financial services have resulted in the migration of crime from the old-fashioned bank robbery to digital channels. In particular, attendees heard about the development of criminal profiling in the modern digital age and how, by learning how fraudsters behave and operate, businesses are in a better position to defeat them.
In your opinion, how have the roles of criminals and crime prevention evolved?
Again, it’s all to do with advances in technology. Financial criminals thrive in the digital world for many reasons, with the main one being that there is plenty of money to be made, and little risk of getting caught ‘red-handed’. The rate of prosecution for online banking fraud is so low that it’s almost a risk-free crime. It’s virtually impossible, for example, for authorities in the UK to prosecute a fraudster sitting behind their computer in Russia. Any investment a crime ring can make into refining their techniques is likely to generate a handsome return.
Crime prevention solutions need to keep pace with this innovation, but banks have a problem. They must endeavour to strike a balance between protecting both users and themselves, and maintaining the coveted frictionless user experience that online banking has helped to create. The key here is to pinpoint fraudster techniques and then make it as hard – and expensive – as possible for the criminals to perpetrate their crimes.
How can modern-day cyber-crime be combatted with technology?
As part of the mission to make life difficult for fraudsters, physical biometric checks have become an everyday aspect of digital security and are, without doubt, a better alternative to passwords. The downside is that they create friction in the customer journey, and so negatively impact the customer experience. They also only provide a one-off authentication, so can’t detect or protect against a hacker hijacking a session part-way through.
As an improvement to this, banks are now beginning to deploy behavioural biometrics solutions, which work by creating unique profiles for users, making it possible to spot anomalies in their behaviour patterns.
Behavioural biometrics offers better protection because it is effective across an entire session, from log on to log off. It looks for changes in end user behaviour throughout the session, and will flag up any user impersonation immediately. It also works invisibly and seamlessly in the background, without impacting on the user experience; another huge advantage for banks.
The truth is that when fraud is being perpetrated, there will always be an anomaly somewhere – whether that’s a piece of malware, someone taking over an account, or a user being manipulated. Behavioural biometrics focuses on spotting that anomaly.
In your opinion, how effective are machine learning and behavioural biometrics when it comes to criminal profiling?
To create unique profiles, you cannot rely on a single data input. For accuracy, you instead need to combine a vast quantity of data points, including information derived from the analysis of the user’s device and network, with behavioural biometrics: how you swipe your phone, use your mouse, tap the keyboard, etc. And machine learning means the solution is continuously becoming more effective at spotting the differences between legitimate and suspicious behaviour.
Then, just as behavioural biometrics is able to profile the unique behaviour traits of every banking customer, it can also be employed to repeat the exercise for cybercriminals. It works by identifying the fraudsters who are already active in the bank and building a unique ‘cyber profile’ for each one based on the way they operate.
This protects real users from impersonation or manipulation attacks, whilst banks can use the information to profile the ways in which the criminals behave in order to recognise and expose them when they try to attack.
How do you think cyber-crime will evolve over the next decade?
This is almost impossible to answer with accuracy, as cybercriminals are of course a law unto themselves. However, currently, there seems to be a big focus on perpetrating new account fraud, as using synthetic identities more often than not allows criminals to bypass onboarding checks, which some banks are reluctant to enhance due to fears of negatively impacting the user experience.
Stolen personal data will remain key to cybercrime, and fraudsters will continue developing and inventing social engineering techniques in order to obtain this information. In parallel, data information will be key to protecting end users – that means continuing to analyse a high volume of high-quality data that can be contextualised to enhance decisions about fraud risk.