How Fraud & Cyber Security Will Evolve in 2015

Uploaded on 2015-01-27 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Financial, TECHNOLOGY--Hackers

Banks need to implement new security measures and tactics, and fraudsters are sure to respond by changing their operations.

When news broke of the Target breach in December 2013, it was a fitting precursor for what was to come in 2014. A Ponemon Institute survey released in September found that 43% of US companies had experienced a security breach in the past year. Big names were impacted, including eBay, American Express, JPMorgan Chase, and the Home Depot. And with the big names came big headlines. The rhythm of breaches, headlines, and reactions was unrelenting.

So that was 2014. And 2015 will likely be more of the same. "It's hard to imagine that enough organizations will be able to fortify their defense over the next year to see a significant decrease in successful attacks," Colin McKinty, head of cyber security strategy at BAE Systems Applied Intelligence, told us.

The big question of 2015 isn't whether there will be just as many attacks, he said; it's whether organizations will start responding better. "Leadership teams at financial services organizations need to understand that today's approach for cyber security must be based on detection of attacks and preventing the criminals from leaving with key assets." That means investing in solutions that help detect and contain intrusions quickly. Last year, the mean time to detection for a data breach was eight months, Hewlett-Packard's security head Art Gilliland said in an interview with Fortune.

Ryan Wilk, director of customer success at NuData Security, has said that, in addition to having a containment plan in place for a breach incident, banks need to be better at monitoring vulnerable access points. "For instance, look at VPN. Companies can use thsat, but it can be vulnerable. You're just putting access out there on the Internet. You need intel from that kind of access point to get visibility into unusual behavior."

Companies should also try to move away from an active directory type of access model in their own networks, Wilk said. The Target hackers were famously able to gain access to customer data and credit card credentials by acquiring admin credentials to the network active directory, allowing them to bypass firewalls and other security measures.

Organisations also need to get better at identifying whether users logging in really are really who they say they are, Wilk said. That will require using multiple authentication methods and data points that can be applied depending on the risk involved in a certain login or activity.
Banks "need to use multiple inputs to get a deep view of who the user is," he said. "They need to know who comes in, and look them up and down, and pull together an ID based on behavioral analytics, device analytics, and biometrics."

That issue of knowing who is logging in extends beyond banks' networks to their customers' accounts. Wilk has predicted that customer account takeover-attacks will substantially increase in 2015, because fraudsters are getting so good at them. "They're very sophisticated around how they test accounts to get in, and you can buy pre-tested account usernames and passwords now."

Bob Olson, vice president of global financial services at Unisys, said banks will have to leverage multiple authentication methods and data sources with customer logins, like they should with those logging into their own networks.

"If you look at the Internet of Things, more and more things will have access to the Internet and to financial services accounts and credentials," he said. "There will have to be a shift towards a 'Bring Your Own Identity' approach [with a profile] that leverages biometrics, IP addresses, and analytics on the backend."

The challenge for banks in implementing such an authentication approach will be in delivering it across different channels, Olson said. "Banks will have different vendors for authentication in different channels, but they need a framework that goes on top of that and can be dialed up or down when needed. And it will also need to incorporate device-specific authentication like GPS."

In the near future, he said, regulators will likely assign new customer authentication guidelines for banks. "One treasury management executive recently told me that his organization already has funds set aside for new authentication methods that regulators will require. They are going to mandate something imminently."

As new authentication methods are picked up by the industry and EMV is rolled out in the US ahead of the October liability shift, banks can expect fraudsters to look for new attack vectors and targets, according to Mary Ann Miller, senior director and fraud executive adviser for industry relations at NICE Actimize.

"When the US market matures [with EMV adoption], 85-90% of global card transactions will be chip-and-PIN," Miller said. "So fraud will transition as crooks look to replace that revenue. The more sophisticated ones will move to digital identity theft and account takeover. Those that are less so will move to check fraud."

As those fraud shifts take hold, banks should look to set up a central fraud observatory or hub that can track trends across channels and lines of business. This will enable institutions to track and react as fraudsters look for new vulnerabilities. "Banks should put together an integrated technology platform that looks at logins, changes in addresses and other customer information, and transactions," she said. "They need to start to look at customer protection holistically and whittle down silos for a centralized approach."

Fraudsters will also have to change targets as EMV rolls out and retail consumer cards stop being the easiest pickings, Miller said. First, fraudsters will look to take advantage of slow EMV adopters -- banks that haven't migrated their portfolios and merchants that haven't upgraded their point-of-sale terminals. "Then we will also see more attacks on private banking and commercial banking. That's where we see the large money movements, and that's what the fraudsters are after."

To better secure those large transactions, banks need to look at events leading up to the initiation of the transaction. "Was there a change in the beneficiary's info, for instance? Banks need to look at those precursor events and risk-score those to raise red flags before the money has moved."

http://www.banktech.com/security/how-fraud-and-cyber-security

« Plans to Conquer: Chinese Internet Giant Tencent Targets Silicon Valley
Critical Infrastructure: Hackers Successfully Target German Steel Mill »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Council on Foreign Relations (CFR)

Council on Foreign Relations (CFR)

CFR is dedicated to better understanding the world and the foreign policy choices facing the USA and other countries. Cyber security is covered within the CFR topic areas.

NetLib Security

NetLib Security

NetLib Security’s powerful, patented data security platform helps companies control data loss prevention (DLP) by managing what data can be transferred outside of their network.

File Centre

File Centre

File Centre is a leading specialist when it comes to data backup, we offer our clients a premium backup retrieval and delivery solution.

Augur Security

Augur Security

Augur Security (formerly SecLytics) is the only cybersecurity platform using AI-powered behavioral modeling and agentic automation to reliably predict and block threats before they launch.

SteelCloud

SteelCloud

SteelCloud has spent the last decade inventing technology to automate policy compliance, configuration control, and Cloud security.

Microchip Technology

Microchip Technology

Microchip Technology Inc. is a leading provider of smart, connected and secure embedded control solutions.

Clear Skye

Clear Skye

Clear Skye, an Identity Access and Management (IAM) software company, reimagines enterprise identity access and risk management software to make a complicated problem easier to manage.

Laminar

Laminar

Laminar provides the only Public Cloud Data Protection solution that provides full visibility and enforcement capabilities across your entire public cloud infrastructure.

SYN Ventures

SYN Ventures

SYN Ventures invests in disruptive, transformational solutions that reduce technology risk.

RSK Cyber Security

RSK Cyber Security

RSK Cyber Security are a leading cyber security services company that uses services, consulting, and product knowledge to lower security risk across the board.

Trojan Horse Security

Trojan Horse Security

Trojan Horse Security are specialists in corporate security. Our services include: Comprehensive Cyber Security Analysis, Penetration Testing, Network Security and Security Audits.

Ivolv Cybersecurity

Ivolv Cybersecurity

Ivolv is here to assist your organization in building effective protection and resilience against cyber attacks.

Geobridge

Geobridge

Geobridge was one of the first information security solutions providers to support cryptography and payment applications for payment processors, financial institutions and retail organizations.

ACDS (Advanced Cyber Defence Systems)

ACDS (Advanced Cyber Defence Systems)

ACDS was founded in the belief that cyber security can be done better. We’re combining emerging technologies and proven methods to bring a new approach to tackling the growing threat landscape.

SOC-E

SOC-E

SOC-E is a leading technology provider for high-availability and deterministic networking, sub-microsecond synchronization and cybersecurity solutions for critical sectors.

Stack Overflow

Stack Overflow

Founded in 2008, Stack Overflow’s public platform is used by nearly everyone who codes to learn, share their knowledge, collaborate, and build their careers.