Four lessons learned about fraud in 2019
Last year was a busy time for fraud. The National Cyber Security Centre thwarted more than a million cases of payment card fraud, but at the same time, UK banking customers lost £616 million during the first half of 2019, up 40% on the same period in 2018.
It was also a year that contained some of the biggest data dumps in history, including the Collection 1-5 leaks and the breach of email validation service Verifications IO, both of which exposed over 2 billion records, writes Mark Crichton, senior director of security product management at OneSpan.
New methods of fraud hit the headlines, from SIM swap fraud, to the rise of deep fakes, and emerging technologies such as behavioural biometrics and machine learning entered the conversation.
Here, we look back at the year gone by to see what lessons we can take with us this year.
Protecting the mobile channel needs to be a priority
The mobile platform has been under attack since day one, but as mobile banking continues to grow in popularity, so does the risk of fraud. The number of incidents in 2019 highlighting vulnerabilities in both Android and iPhone devices shows just how vulnerable and hostile the mobile environment can be.
Banks need to take steps to protect their mobile banking apps, as it’s clear they can’t depend on Google or Apple to ensure the security of the environments in which their apps run. Using mobile in-app protection and app shielding provides an extra layer of protection beyond that provided by the platforms (Android or iOS) or the app stores. App shielding monitors the app, regardless of where it’s installed, to ensure its execution environment is safe and secure, and to shut down any malicious behaviour before it’s too late. It’s also important to include security in the application development lifecycle and to continually re-examine that security.
The rise of SIM swap fraud
2019 also saw SIM swap emerge into mainstream conversation, largely due to several high-profile cases of cryptocurrency investors losing large sums of money. However, crypto investors aren’t the only ones at risk. Twitter CEO Jack Dorsey fell victim to SIM swap fraud as attackers took control of his Twitter account, and in theory, anyone who uses SMS-based authentication as their primary form of authentication is at risk.
From a financial institution standpoint, many have already started to make the switch to mobile push notifications, which are inherently more secure than SMS because they are bound to the app on a specific device rather than to a phone number that can be ported. While SMS is a good method for notifying users, it shouldn’t be used to grant privileged access. Consumers should enable push-based two-factor authentication in their mobile banking app as soon as possible, and disable SMS 2FA, in order to avoid falling victim to attackers.
Victims of fraud should receive compensation
Should a victim be refunded or compensated if they’re a victim of fraud? In 2019, the answer for many would be yes.
The APP Scams Steering Group launched a new voluntary code that aims to protect customers by reimbursing them if they fall victim to authorised push payment fraud. Eight payment service providers, representing over 85% of authorised push payments, signed up to the code, including Barclays, HSBC, Santander, RBS and Lloyds.
However, it’s important to note that this is a voluntary code, and that banks can refuse payments if the customer can’t prove they believed the transaction was legitimate and didn’t ignore any fraud warnings. TSB went one step further and pledged to compensate anyone who suffers a fraud attack.
A report from the Commons Treasury Committee advised that financial companies should be required by law to refund victims of bank transfer scams and should consider reimbursing the many thousands defrauded since 2016. It also said that companies who fall victim to a data breach that leads to incidents of fraud should be forced to pick up the bill for reimbursing customers.
Data is key to fighting fraud
Finally, 2019 saw banks take advantage of new AI- and ML-powered risk-based technologies and modern identity methods to spot suspicious activity. These tools give them the ability to analyse multiple pieces of cross-channel data from different sources to make real-time security decisions and better manage their risk of fraud – especially for remote, faceless transactions.
For example, adaptive authentication uses AI and machine learning to score vast amounts of data, analyse the risk of a situation, and adapt the authentication level accordingly. If someone were to make a payment outside of their normal spending habits, instead of blocking the transaction outright and causing unnecessary frustration, an additional level of authentication, such as a fingerprint or facial recognition, may be required.
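As an added illustration of the step-up decision described above (not OneSpan’s product logic or code from the original article), the Python below scores a payment against the customer’s own spending history and maps the score to allow, step-up or block. The weights, thresholds and sample history are constructed for the example.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Transaction:
    amount: float          # payment value in the account currency
    device_known: bool     # device previously enrolled for this customer
    country_usual: bool    # transaction origin matches the customer's habit


def risk_score(history, txn):
    """Score a payment from 0 to 100 against the customer's own habits.

    Hypothetical scoring: up to 50 points for how far the amount sits above
    the customer's mean (capped z-score), plus fixed penalties for an
    unrecognised device or an unusual country. Weights are illustrative.
    """
    score = 0.0
    if len(history) >= 2:
        mu, sigma = mean(history), pstdev(history)
        if sigma > 0:
            z = (txn.amount - mu) / sigma
        else:
            z = 0.0 if txn.amount == mu else 10.0   # flat history: any change is odd
        score += min(max(z, 0.0), 5.0) * 10          # only spending *above* habit adds risk
    else:
        score += 20                                  # too little history: mild caution
    if not txn.device_known:
        score += 30
    if not txn.country_usual:
        score += 20
    return min(score, 100.0)


def required_auth(score):
    """Map a risk score to an authentication level instead of a hard block."""
    if score < 30:
        return "allow"       # fits normal habits: no extra friction
    if score < 70:
        return "step_up"     # e.g. fingerprint or facial recognition
    return "block"           # multiple strong signals: decline the payment


def decide(history, txn):
    """Convenience wrapper returning (score, decision) for one payment."""
    score = risk_score(history, txn)
    return score, required_auth(score)


# Constructed sample history (GBP): regular small payments from one customer.
HISTORY = [42.0, 38.5, 51.0, 47.0, 40.0, 44.5]
```

A payment far outside the usual range on a known device lands in the step-up band, which is the behaviour the paragraph describes; only when several independent signals stack does the decision become a block.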
However, no single method in isolation will be able to provide a complete answer to fraud prevention. Instead, banks should take a layered approach, and place more value and importance on dynamic and flexible controls that move security from being a black and white, binary story to becoming precise and intelligent – providing the exact level of security as and when it is needed.
2019 has taught us that fraud isn’t disappearing off the agenda any time soon. Cybercriminals are continuing to adapt their methods to exploit vulnerabilities, and customers want to stop becoming victims of crime. So, as we look to 2020 it’s imperative that banks make the most of new technologies to boost their security infrastructure and are particularly vigilant when operating in new channels or offering new products. By doing this, they’ll be able to hold cybercriminals at bay and keep customers safe without compromising their experience.
By Mark Crichton, senior director of security product management at OneSpan