Jonathan Camhi

How Fraud & Cyber Security Will Evolve in 2015

Banks need to implement new security measures and tactics, and fraudsters are sure to respond by changing their operations.

When news broke of the Target breach in December 2013, it was a fitting precursor for what was to come in 2014. A Ponemon Institute survey released in September found that 43% of US companies had experienced a security breach in the past year. Big names were impacted, including eBay, American Express, JPMorgan Chase, and the Home Depot. And with the big names came big headlines. The rhythm of breaches, headlines, and reactions was unrelenting.

So that was 2014. And 2015 will likely be more of the same.


"It's hard to imagine that enough organizations will be able to fortify their defense over the next year to see a significant decrease in successful attacks," Colin McKinty, head of cyber security strategy at BAE Systems Applied Intelligence, told us.

The big question of 2015 isn't whether there will be just as many attacks, he said; it's whether organizations will start responding better. "Leadership teams at financial services organizations need to understand that today's approach for cyber security must be based on detection of attacks and preventing the criminals from leaving with key assets." That means investing in solutions that help detect and contain intrusions quickly. Last year, the mean time to detection for a data breach was eight months, Hewlett-Packard's security head Art Gilliland said in an interview with Fortune.

Ryan Wilk, director of customer success at NuData Security, said that, in addition to having a containment plan in place for a breach incident, banks need to get better at monitoring vulnerable access points. "For instance, look at VPN. Companies can use that, but it can be vulnerable. You're just putting access out there on the Internet. You need intel from that kind of access point to get visibility into unusual behavior."

Companies should also try to move away from an Active Directory-type access model in their own networks, Wilk said. The Target hackers were famously able to gain access to customer data and credit card credentials by acquiring admin credentials to the network's Active Directory, allowing them to bypass firewalls and other security measures.

Multilayered authentication
Organizations also need to get better at identifying whether users logging in really are who they say they are, Wilk said. That will require using multiple authentication methods and data points that can be applied depending on the risk involved in a certain login or activity.

Banks "need to use multiple inputs to get a deep view of who the user is," he said. "They need to know who comes in, and look them up and down, and pull together an ID based on behavioral analytics, device analytics, and biometrics."

That issue of knowing who is logging in extends beyond banks' networks to their customers' accounts. Wilk predicted that customer account takeover attacks will increase in 2015, because fraudsters are getting so good at them. "They're very sophisticated around how they test accounts to get in, and you can buy pre-tested account usernames and passwords now."

Bob Olson, vice president of global financial services at Unisys, said banks will have to leverage multiple authentication methods and data sources with customer logins, like they should with those logging into their own networks.

"If you look at the Internet of Things, more and more things will have access to the Internet and to financial services accounts and credentials," he said. "There will have to be a shift towards a 'Bring Your Own Identity' approach [with a profile] that leverages biometrics, IP addresses, and analytics on the backend."

The challenge for banks in implementing such an authentication approach will be in delivering it across different channels, Olson said. "Banks will have different vendors for authentication in different channels, but they need a framework that goes on top of that and can be dialed up or down when needed. And it will also need to incorporate device-specific authentication like GPS."

In the near future, he said, regulators will likely assign new customer authentication guidelines for banks. "One treasury management executive recently told me that his organization already has funds set aside for new authentication methods that regulators will require. They are going to mandate something imminently."

Fraudsters switch things up
As new authentication methods are picked up by the industry and EMV is rolled out in the US ahead of the October liability shift, banks can expect fraudsters to look for new attack vectors and targets, according to Mary Ann Miller, senior director and fraud executive adviser for industry relations at NICE Actimize.

"When the US market matures [with EMV adoption], 85-90% of global card transactions will be chip-and-PIN," Miller said. "So fraud will transition as crooks look to replace that revenue. The more sophisticated ones will move to digital identity theft and account takeover. Those that are less so will move to check fraud."

As those fraud shifts take hold, banks should look to set up a central fraud observatory or hub that can track trends across channels and lines of business. This will enable institutions to track and react as fraudsters look for new vulnerabilities. "Banks should put together an integrated technology platform that looks at logins, changes in addresses and other customer information, and transactions," she said. "They need to start to look at customer protection holistically and whittle down silos for a centralized approach."

Fraudsters will also have to change targets as EMV rolls out and retail consumer cards stop being the easiest pickings, Miller said. First, fraudsters will look to take advantage of slow EMV adopters -- banks that haven't migrated their portfolios and merchants that haven't upgraded their point-of-sale terminals. "Then we will also see more attacks on private banking and commercial banking. That's where we see the large money movements, and that's what the fraudsters are after."

To better secure those large transactions, banks need to look at events leading up to the initiation of the transaction. "Was there a change in the beneficiary's info, for instance? Banks need to look at those precursor events and risk-score those to raise red flags before the money has moved."

Jonathan Camhi has been an associate editor with Bank Systems & Technology since 2012. He previously worked as a freelance journalist in New York City covering politics, health and immigration, and has a master's degree from the City University of New York's Graduate School ...

1/25/2015 | 8:52:26 PM
Cybersecurity Boardroom Workshop 2015
President Barack Obama focused on a number of new cyber security proposals that will encourage greater information sharing between the government and corporations. How boards of directors and CXOs can build the proper foundation to address today's IT security challenges is the topic of Cybersecurity Boardroom Workshop 2015, a 2-day seminar that well-known cybersecurity expert Edgar Perez will conduct in Dubai, Hong Kong, Seoul, Singapore, London and New York City. This is the first seminar developed for leaders for whom cybersecurity preparedness is a relatively new yet critically important area to be intelligently conversant about.
1/9/2015 | 3:02:16 AM
Cyber security hinges on reliable passwords
Using a strong password does help a lot even against the attack of cracking the leaked/stolen hashed passwords back to the original passwords. The problem is that few of us can firmly remember many such strong passwords. It is like we cannot run as fast and far as horses however strongly urged we may be. We are not built like horses.

At the root of the password headache is the cognitive phenomenon called "interference of memory", by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

By the way, some people shout that the password is dead or should be killed dead. The password could be killed only when there is an alternative to the password. Something belonging to the password (PIN, passphrase, etc.) and something dependent on the password (ID federations, 2/multi-factor, etc.) cannot be the alternative to the password. Neither can be something that has to be used together with the password (biometrics, auto-login, etc.). What could be killed is the text password, not the password.
1/7/2015 | 9:07:15 AM
Data analytics is a powerful fraud prevention and policy enforcement tool
Good advice for banks to maintain sophisticated tools such as analytics to prevent fraud and protect customer data. Data analytics should be a key weapon in every company's fraud protection arsenal and can strengthen your internal controls. I work for McGladrey and there's a very informative whitepaper on our website that readers of this article will be interested in.