How Fraud & Cyber Security Will Evolve in 2015

Banks need to implement new security measures and tactics, and fraudsters are sure to respond by changing their operations.

When news broke of the Target breach in December 2013, it was a fitting precursor for what was to come in 2014. A Ponemon Institute survey released in September found that 43% of US companies had experienced a security breach in the past year. Big names were impacted, including eBay, American Express, JPMorgan Chase, and the Home Depot. And with the big names came big headlines. The rhythm of breaches, headlines, and reactions was unrelenting.

So that was 2014. And 2015 will likely be more of the same. "It's hard to imagine that enough organizations will be able to fortify their defense over the next year to see a significant decrease in successful attacks," Colin McKinty, head of cyber security strategy at BAE Systems Applied Intelligence, told us.

The big question of 2015 isn't whether there will be just as many attacks, he said; it's whether organizations will start responding better. "Leadership teams at financial services organizations need to understand that today's approach for cyber security must be based on detection of attacks and preventing the criminals from leaving with key assets." That means investing in solutions that help detect and contain intrusions quickly. Last year, the mean time to detection for a data breach was eight months, Hewlett-Packard's security head Art Gilliland said in an interview with Fortune.

Ryan Wilk, director of customer success at NuData Security, has said that, in addition to having a containment plan in place for a breach incident, banks need to be better at monitoring vulnerable access points. "For instance, look at VPN. Companies can use thsat, but it can be vulnerable. You're just putting access out there on the Internet. You need intel from that kind of access point to get visibility into unusual behavior."

Companies should also try to move away from an active directory type of access model in their own networks, Wilk said. The Target hackers were famously able to gain access to customer data and credit card credentials by acquiring admin credentials to the network active directory, allowing them to bypass firewalls and other security measures.

Organisations also need to get better at identifying whether users logging in really are really who they say they are, Wilk said. That will require using multiple authentication methods and data points that can be applied depending on the risk involved in a certain login or activity.
Banks "need to use multiple inputs to get a deep view of who the user is," he said. "They need to know who comes in, and look them up and down, and pull together an ID based on behavioral analytics, device analytics, and biometrics."

That issue of knowing who is logging in extends beyond banks' networks to their customers' accounts. Wilk has predicted that customer account takeover-attacks will substantially increase in 2015, because fraudsters are getting so good at them. "They're very sophisticated around how they test accounts to get in, and you can buy pre-tested account usernames and passwords now."

Bob Olson, vice president of global financial services at Unisys, said banks will have to leverage multiple authentication methods and data sources with customer logins, like they should with those logging into their own networks.

"If you look at the Internet of Things, more and more things will have access to the Internet and to financial services accounts and credentials," he said. "There will have to be a shift towards a 'Bring Your Own Identity' approach [with a profile] that leverages biometrics, IP addresses, and analytics on the backend."

The challenge for banks in implementing such an authentication approach will be in delivering it across different channels, Olson said. "Banks will have different vendors for authentication in different channels, but they need a framework that goes on top of that and can be dialed up or down when needed. And it will also need to incorporate device-specific authentication like GPS."

In the near future, he said, regulators will likely assign new customer authentication guidelines for banks. "One treasury management executive recently told me that his organization already has funds set aside for new authentication methods that regulators will require. They are going to mandate something imminently."

As new authentication methods are picked up by the industry and EMV is rolled out in the US ahead of the October liability shift, banks can expect fraudsters to look for new attack vectors and targets, according to Mary Ann Miller, senior director and fraud executive adviser for industry relations at NICE Actimize.

"When the US market matures [with EMV adoption], 85-90% of global card transactions will be chip-and-PIN," Miller said. "So fraud will transition as crooks look to replace that revenue. The more sophisticated ones will move to digital identity theft and account takeover. Those that are less so will move to check fraud."

As those fraud shifts take hold, banks should look to set up a central fraud observatory or hub that can track trends across channels and lines of business. This will enable institutions to track and react as fraudsters look for new vulnerabilities. "Banks should put together an integrated technology platform that looks at logins, changes in addresses and other customer information, and transactions," she said. "They need to start to look at customer protection holistically and whittle down silos for a centralized approach."

Fraudsters will also have to change targets as EMV rolls out and retail consumer cards stop being the easiest pickings, Miller said. First, fraudsters will look to take advantage of slow EMV adopters -- banks that haven't migrated their portfolios and merchants that haven't upgraded their point-of-sale terminals. "Then we will also see more attacks on private banking and commercial banking. That's where we see the large money movements, and that's what the fraudsters are after."

To better secure those large transactions, banks need to look at events leading up to the initiation of the transaction. "Was there a change in the beneficiary's info, for instance? Banks need to look at those precursor events and risk-score those to raise red flags before the money has moved."

http://www.banktech.com/security/how-fraud-and-cyber-security

« Plans to Conquer: Chinese Internet Giant Tencent Targets Silicon Valley
Critical Infrastructure: Hackers Successfully Target German Steel Mill »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Titania

Titania

Titania provide network security and compliance software. Find your Network Security gaps before hackers do with our security & compliance tools.

Mobile Guroo

Mobile Guroo

Mobile Guroo is a strategy and systems integrator for Enterprise Mobility Management projects.

Truth Technologies Inc (TTI)

Truth Technologies Inc (TTI)

TTI is a premier provider of worldwide anti-money laundering, anti-fraud, customer identification, and compliance products and services.

Tinfoil Security

Tinfoil Security

Tinfoil is a simple, developer friendly service that lets you scan your website for vulnerabilities and fix them quickly and easily.

FIDO Alliance

FIDO Alliance

FIDO Alliance is a non-profit organization formed to address the lack of interoperability among strong authentication devices.

Sumo Logic

Sumo Logic

Sumo Logic simplifies how you collect and analyze machine data so that you can gain deep visibility across your full application and infrastructure stack.

Segusoft

Segusoft

With its encryption platform SEGULINK, Segusoft provides standard software for companies to securely transfer files and messages.

Center for Research on Scientific & Technical Information (CERIST)

Center for Research on Scientific & Technical Information (CERIST)

CERIST is a scientific and technical research centre with activities focused in the area of networks, information systems and IT security.

Digital Security

Digital Security

Digital Security is an Ecuadorian company specialized in providing comprehensive information security solutions.

Austrian Institute of Technology (AIT)

Austrian Institute of Technology (AIT)

AIT is Austria's largest research and technology organisation and a specialist in the key infrastructure issues of the future including data science and cybersecurity.

Blueskytec (BST)

Blueskytec (BST)

Blueskytec has applied its experience of over three decades of working in the field of embedded systems and encryption to provide a scalable and appropriate technology for cyber-physical devices.

Converge Technology Solutions

Converge Technology Solutions

Converge Technology Solutions Corp. is a North American IT solution provider delivering advanced analytics, cloud, cybersecurity, and managed services solutions.

CertiProf

CertiProf

CertiProf has been enhancing professional lives since 2015, offering a wide range of IT certifications and agile framework training.

Quod Orbis

Quod Orbis

Quod Orbis are a fast-growing, innovative company providing market-leading expertise in cyber security and Continuous Controls Monitoring (CCM).

Sri Lanka CERT

Sri Lanka CERT

Sri Lanka CERT is the National Centre for Cyber Security, which has the national responsibility of protecting the nation’s cyberspace from cyber threats.

CyberNut

CyberNut

CyberNut are a security awareness training solution built exclusively for schools.