Alisdair Faulkner, Chief Products Officer at ThreatMetrix, looks at how financial services companies can avoid becoming victims of cybercrime.
The views expressed in this blog are solely those of the author and should not be attributed to the European Payments Council.
The financial services industry is undergoing a digital revolution, much like many other sectors. This is enabling its businesses to get closer to their customers, offer more engaging services and become more agile in how they deliver these services. It has also given rise to a number of disruptive fintech players. There is just one issue. As more services go online, the risk of loss from cyber fraud multiplies. And the fraudsters are getting better at their job with each passing quarter.
In Q4 2016 alone, ThreatMetrix detected 80 million fraud attempts in real time for its financial services clients. To fully realise the opportunities that the digital revolution brings, and optimise online revenues, firms must get smarter, more dynamic and more contextual in the way they scan for fraud.
Digital identity is the new currency
Banking customers now log in to their online accounts around three times a week. And growth in mobile banking has been even more spectacular: a 250 percent year-on-year overall increase in account log-ins, account creations and payments.
What does this mean? For one thing, the static user logging in on a stationary device is a thing of the past, meaning financial services firms must look to smarter, more context-aware systems to spot fraud. They need to be able to do this across platforms (mobile and desktop) and across borders, as their consumer base is increasingly geographically mobile. And they must do so as fraudsters find increasingly sophisticated ways to exploit security failings. The fraudsters are aided in this by a huge volume of breached identity data readily available on the dark web, and by individual information-stealing attacks on customers.
Our latest data from Q4 2016 shows that financial services continues to be a major target for the scammers, as businesses increasingly shift their operations online. We still hear unconvincing reassurances from breached organisations that customer credit card details were not compromised, but whilst credit card details were traditionally the target for cybercriminals to ‘make a quick buck’, they have now realised that there are greater riches to be had by targeting identity. Unlike a stolen credit card, which has a short shelf life before being cancelled, stolen identity credentials offer greater return when being used to apply for loans, open new accounts, hack existing ones, and monetise fraud attacks with ever-greater success. And that is why there is a brisk trade on the dark web in augmenting and selling on complete identity credentials. In short: identity is the new currency of cybercrime for 2017.
Fintech under fire
New and emerging fintech platforms may be great news for the consumer. But they have also become a major target for the fraudsters. Fraudulent transactions in financial services grew 260 percent year-on-year in Q4 2016, driven in part by scammers looking to make money via fraudulent Person-to-Person loans and remittances. Many of these online systems are designed with speed and agility in mind, but that leaves gaps to exploit. As a result, we are seeing higher rejected transaction rates for fintech than for traditional financial services firms.
The ingenuity does not end there. Fraudsters are also making use of stolen identity credentials and device spoofing technology to get around even the complex checks in loan application procedures. And automated bots continue to reap big rewards for them – enabling the mass testing of identity credentials, hacking into existing, trusted user accounts, and even the creation of new accounts. We detected millions of attempts at testing credentials using bots and scripts in Q4.
So what is the answer? Financial services firms are finding it increasingly difficult to distinguish between the multitude of spoofed digital identities used by fraudsters and the genuine article. But an increasing number of new and traditional financial institutions are employing methods that can expose the use of automated bots and scripts, device and location spoofing and other techniques.
It requires a focus on dynamic intelligence, which is based on real-time analysis of a user’s digital identity, rather than a reliance on static credentials, which can be easily traded on the dark web. This must be combined with behavioural analytics, which can baseline normal behaviour to more effectively spot fraud whilst minimising false positives. It is only with a more sophisticated approach to fraud prevention that financial services firms can fully embrace the opportunities promised by the financial digital revolution going into 2017.