How Fraud & Cyber Security Will Evolve in 2015

Uploaded on 2015-01-27 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Financial, TECHNOLOGY--Hackers

Banks need to implement new security measures and tactics, and fraudsters are sure to respond by changing their operations.

When news broke of the Target breach in December 2013, it was a fitting precursor for what was to come in 2014. A Ponemon Institute survey released in September found that 43% of US companies had experienced a security breach in the past year. Big names were impacted, including eBay, American Express, JPMorgan Chase, and the Home Depot. And with the big names came big headlines. The rhythm of breaches, headlines, and reactions was unrelenting.

So that was 2014. And 2015 will likely be more of the same. "It's hard to imagine that enough organizations will be able to fortify their defense over the next year to see a significant decrease in successful attacks," Colin McKinty, head of cyber security strategy at BAE Systems Applied Intelligence, told us.

The big question of 2015 isn't whether there will be just as many attacks, he said; it's whether organizations will start responding better. "Leadership teams at financial services organizations need to understand that today's approach for cyber security must be based on detection of attacks and preventing the criminals from leaving with key assets." That means investing in solutions that help detect and contain intrusions quickly. Last year, the mean time to detection for a data breach was eight months, Hewlett-Packard's security head Art Gilliland said in an interview with Fortune.

Ryan Wilk, director of customer success at NuData Security, has said that, in addition to having a containment plan in place for a breach incident, banks need to be better at monitoring vulnerable access points. "For instance, look at VPN. Companies can use thsat, but it can be vulnerable. You're just putting access out there on the Internet. You need intel from that kind of access point to get visibility into unusual behavior."

Companies should also try to move away from an active directory type of access model in their own networks, Wilk said. The Target hackers were famously able to gain access to customer data and credit card credentials by acquiring admin credentials to the network active directory, allowing them to bypass firewalls and other security measures.

Organisations also need to get better at identifying whether users logging in really are really who they say they are, Wilk said. That will require using multiple authentication methods and data points that can be applied depending on the risk involved in a certain login or activity.
Banks "need to use multiple inputs to get a deep view of who the user is," he said. "They need to know who comes in, and look them up and down, and pull together an ID based on behavioral analytics, device analytics, and biometrics."

That issue of knowing who is logging in extends beyond banks' networks to their customers' accounts. Wilk has predicted that customer account takeover-attacks will substantially increase in 2015, because fraudsters are getting so good at them. "They're very sophisticated around how they test accounts to get in, and you can buy pre-tested account usernames and passwords now."

Bob Olson, vice president of global financial services at Unisys, said banks will have to leverage multiple authentication methods and data sources with customer logins, like they should with those logging into their own networks.

"If you look at the Internet of Things, more and more things will have access to the Internet and to financial services accounts and credentials," he said. "There will have to be a shift towards a 'Bring Your Own Identity' approach [with a profile] that leverages biometrics, IP addresses, and analytics on the backend."

The challenge for banks in implementing such an authentication approach will be in delivering it across different channels, Olson said. "Banks will have different vendors for authentication in different channels, but they need a framework that goes on top of that and can be dialed up or down when needed. And it will also need to incorporate device-specific authentication like GPS."

In the near future, he said, regulators will likely assign new customer authentication guidelines for banks. "One treasury management executive recently told me that his organization already has funds set aside for new authentication methods that regulators will require. They are going to mandate something imminently."

As new authentication methods are picked up by the industry and EMV is rolled out in the US ahead of the October liability shift, banks can expect fraudsters to look for new attack vectors and targets, according to Mary Ann Miller, senior director and fraud executive adviser for industry relations at NICE Actimize.

"When the US market matures [with EMV adoption], 85-90% of global card transactions will be chip-and-PIN," Miller said. "So fraud will transition as crooks look to replace that revenue. The more sophisticated ones will move to digital identity theft and account takeover. Those that are less so will move to check fraud."

As those fraud shifts take hold, banks should look to set up a central fraud observatory or hub that can track trends across channels and lines of business. This will enable institutions to track and react as fraudsters look for new vulnerabilities. "Banks should put together an integrated technology platform that looks at logins, changes in addresses and other customer information, and transactions," she said. "They need to start to look at customer protection holistically and whittle down silos for a centralized approach."

Fraudsters will also have to change targets as EMV rolls out and retail consumer cards stop being the easiest pickings, Miller said. First, fraudsters will look to take advantage of slow EMV adopters -- banks that haven't migrated their portfolios and merchants that haven't upgraded their point-of-sale terminals. "Then we will also see more attacks on private banking and commercial banking. That's where we see the large money movements, and that's what the fraudsters are after."

To better secure those large transactions, banks need to look at events leading up to the initiation of the transaction. "Was there a change in the beneficiary's info, for instance? Banks need to look at those precursor events and risk-score those to raise red flags before the money has moved."

http://www.banktech.com/security/how-fraud-and-cyber-security

« Plans to Conquer: Chinese Internet Giant Tencent Targets Silicon Valley
Critical Infrastructure: Hackers Successfully Target German Steel Mill »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

FT Cyber Resilience Summit: Europe

FT Cyber Resilience Summit: Europe

27 November 2024 | In-Person & Digital | 22 Bishopsgate, London. Business leaders, Innovators & Experts address evolving cybersecurity risks.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Federal Office For Information Security (BSI)

Federal Office For Information Security (BSI)

The BSI (Bundesamt fur Sicherheit in der Informationstechnik) is the federal cyber security agency and the chief architect of secure digitalisation in Germany.

Deep Identity

Deep Identity

Deep Identity is a boutique system integrator, with expertise in tailored identity governance & administration (IGA) and identity access management (IAM) solutions.

e-Lock

e-Lock

e-Lock services include IT security consulting and training, security systems integration, managed security and technical support.

Information & eGovernment Authority (iGA) - Bahrain

Information & eGovernment Authority (iGA) - Bahrain

The Information & eGovernment Authority facilitates many services catering to different parts of the community within the IT sector in Bahrain including information security.

Recruit.net

Recruit.net

Recruit.net allows job seekers to instantly find millions of jobs from thousands of web sites with a single search.

Sky Republic

Sky Republic

Sky Republic offers a Smart Contract Platform to integrate and synchronize business networks beyond EDI and API.

VIRTIS

VIRTIS

VIRTIS' mission is to provide today's leading organizations peace of mind that their entire digital network perimeter is safe from hackers and data breach.

Maritime Cyber Threats Research Group - University of Plymouth

Maritime Cyber Threats Research Group - University of Plymouth

The Maritime Cyber Threats research group of the University of Plymouth is focused on investigating marine cyber threats and researching solutions.

Institute for Pervasive Cybersecurity - Boise State University

Institute for Pervasive Cybersecurity - Boise State University

Boise State University’s Institute for Pervasive Cybersecurity is a leader of innovative cybersecurity research and advancement in Idaho and the region.

Advantex Network Solutions

Advantex Network Solutions

Advantex Network Solutions are a leading provider in Mitel, IT Solutions, Networking, and iP surveillance.

International Cyber Threat Task Force (ICTTF)

International Cyber Threat Task Force (ICTTF)

The International Cyber Threat Task Force is a not-for-profit initiative promoting the ecosystem of an International independent non-partisan cyber security community.

Gradient Cyber

Gradient Cyber

Gradient Cyber is a trusted cybersecurity partner specializing in small businesses and mid-market enterprises concerned about cybersecurity but lacking the staff to give it the attention it deserves.

Involta

Involta

Involta orchestrates IT transformation journeys using well-defined and rigorous processes to deliver hybrid cloud solutions, consulting and data center services tailored to our clients’ needs.

Onyxia Cyber

Onyxia Cyber

Onyxia's unique dynamic cybersecurity platform identifies gaps and prioritizes recommendations for proactive cybersecurity strategy, performance, remediation and management.

Antivirus Tales

Antivirus Tales

Antivirus Tales offers a platform to resolve all types of antivirus-related issues. The platform also provide various blog articles and informative guides to fix antivirus software errors.

RIIG Technology

RIIG Technology

Our mission is to empower organizations with high-quality, verifiable data and advanced intelligence solutions, ensuring robust security and effective risk management.