It seems fitting that the first day of October kicks off National Cyber Security Awareness Month in the US and the last day celebrates Halloween.
After a month of remembering the importance of protecting our digital identities, society celebrates by pretending to be another person. But some people spend every day trying to be someone else, and unfortunately it’s not their favourite superhero – it’s you.
Whether you’re a customer or a company, you know the havoc that unseen criminals can wreak when they steal passwords, Social Security numbers, and any other information that leads to your money.
Cyber fraud – a costly global threat
The threat of cyber fraud in today’s world cannot be overstated.
According to PwC’s 2016 Global Economic Crime Survey, not only does cybercrime represent roughly one-third of all economic crime, but of the 14 types of economic crime studied, it is (along with insider trading, a far less frequent occurrence) the only type that has risen over the past two years.
Glance at headlines and you’re bound to read about high-profile breaches. In 2016 alone the public has learned of attacks on major US companies like Yahoo!, LinkedIn, Wendy’s, Verizon, and Snapchat.
Though they may not have led immediately to big paydays, these hacks, like nearly all hacks, were motivated by money. If fraudsters can’t steal money directly, they cash in by selling stolen data on the Dark Web, which in turn creates friction and erodes trust between companies and customers and, ultimately, leads to profit loss.
This year there was, however, one breach where the criminals did make off with the money.
In February, hackers attacked Bangladesh’s central bank.
First they installed malware in SWIFT, a cooperative messaging system used by over 11,000 financial institutions (FIs) worldwide to make international transfers.
Then, after several weeks of tests, the hackers made fraudulent payment requests to the Federal Reserve Bank of New York, which ended up transferring a total of $81 million to the criminals.
Little of that money has been recovered, and the perpetrators remain unknown. Yet even more remarkable is that, as Reuters uncovered, the criminals actually requested $1 billion, which the Fed would have paid, if not for a fluke fraud detection involving an oil tanker, a shipping company, and the word “Jupiter.”
With so much at stake, companies must know their customers’ identities so that they can detect when those identities are being forged. Here is a 7-step plan to keep everyone safe and happy.
1. Understand reality
The global economy that relies on, encourages, and facilitates the use of instantaneous digital payments across multiple jurisdictions will continue to expose FIs to crime.
In this rapidly evolving digital climate, FIs and other companies will never be able to offer the lame excuse to anxious customers and the prying media that hackers caught them unaware. The first step to solving the problem is identifying the problem.
For instance, the recent Verizon Data Breach Investigations Report (DBIR) found that in the financial services industry, 88% of breaches fit just 3 patterns: denial of service, crimeware, and web app attacks.
Hackers know their targets. In some ways, cybercrime is no less an organised professional outfit than an old-fashioned mafia group, where despite its illegality it functions with efficiency and intelligence.
2. Allocate resources
A recent Juniper study found that by 2020 FIs and e-commerce companies will be spending $9.2 billion annually on fraud detection.
That amount – a 30% rise from current spending – will be necessary because of the proliferation of mobile payment channels among young people.
In the US, millennials (people ages 18-34) have just eclipsed baby boomers as the nation’s largest demographic, and with their digital savvy comes their need for mobile banking.
According to a recent Salesforce study, 82% of millennials think banks must offer mobile functions for checking balances, depositing checks, and transferring money, and 27% are already completely reliant on these mobile apps.
Companies that fail to invest in security commensurate with this trend will inevitably fall behind as the next generation – the first true digital natives – begins acquiring money. And by some accounts, that is what is happening: one study found that 68% of IT professionals at FIs feel underprepared to meet cybersecurity needs.
3. Build trust
Millennials have embraced mobile banking more than any other demographic, but even they have their limits.
Digital wallets, for instance, are one of the most important emerging technologies in financial services.
But even with two of the biggest and most popular technology companies in the world jockeying for market share – i.e. the Apple Pay vs. Google Wallet showdown – adoption is still relatively slow.
The 2015 MEF Global Mobile Money Report, which surveyed over 15,000 people worldwide, found that only 8% of customers have used a mobile wallet, and that the number one barrier to adoption (to the tune of 36%) is a lack of trust.
The companies that can convince customers to toss out their most valuable cards, like credit and debit cards and driver’s licences, in favour of digital versions will represent the future of mobile banking. But that will depend on the unspoken contract of trust that builds with reliable, frictionless cyber security.
4. Embrace inventive solutions
In the fight against cybercriminals, companies like Socure are taking steps to improve their chances of catching fraud by implementing tools like social biometrics, device fingerprinting, and geodesic IP location tracking.
Social biometrics leverages social media data alongside trusted online and offline information to correlate data in the application process; device fingerprinting determines whether a device is known to be good or bad (e.g. one that has already been used to commit fraud); and geodesic coding relies on measuring the distance between the address or locality associated with an identity and the location from which the application or change is initiated.
These types of solutions move beyond outdated knowledge-based authentication (KBA) because they value a customer’s complex, authentic persona over a question that the customer has long since forgotten, like their high school mascot, but that a fraudster with a trove of stolen data keeps handy.
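To make the device-reputation and geodesic checks concrete, here is a small risk assessor added as an illustration; it is not Socure’s code or any vendor’s product. It assumes a hypothetical list of device fingerprints already tied to confirmed fraud, and a request record carrying the address on file for the claimed identity plus the geolocated origin of the request, both as latitude/longitude.

```python
import math
from typing import Iterable

EARTH_RADIUS_KM = 6371.0

# Constructed example data: fingerprints of devices already seen in confirmed
# fraud (hypothetical placeholder values, not real indicators).
KNOWN_BAD_DEVICES = {"dev-bad-0001", "dev-bad-0002"}


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle (geodesic) distance in km between two lat/lon points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def assess_application(app: dict, known_bad: Iterable[str] = KNOWN_BAD_DEVICES,
                       max_km: float = 500.0) -> dict:
    """Score one account application or change request.

    A device already tied to fraud, or a request origin further than max_km
    from the address on file, flags the request for review (not auto-denial).
    """
    reasons = []
    if app["device_fp"] in set(known_bad):
        reasons.append("device previously used in confirmed fraud")
    dist = haversine_km(app["addr_lat"], app["addr_lon"], app["ip_lat"], app["ip_lon"])
    if dist > max_km:
        reasons.append(f"request origin is {dist:.0f} km from the address on file")
    return {"distance_km": round(dist, 1), "flagged": bool(reasons), "reasons": reasons}


# Constructed sample requests (approximate coordinates for Chicago and London).
SAMPLE_REQUESTS = [
    {"id": "A", "device_fp": "dev-ok-0101", "addr_lat": 41.88, "addr_lon": -87.63,
     "ip_lat": 41.85, "ip_lon": -87.65},   # local origin, clean device
    {"id": "B", "device_fp": "dev-ok-0102", "addr_lat": 41.88, "addr_lon": -87.63,
     "ip_lat": 51.51, "ip_lon": -0.13},    # origin thousands of km from the address
    {"id": "C", "device_fp": "dev-bad-0001", "addr_lat": 41.88, "addr_lon": -87.63,
     "ip_lat": 41.88, "ip_lon": -87.63},   # local origin, but device seen in fraud
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["id"], assess_application(req))
```

In practice the distance threshold and device list would feed a weighted score alongside the social-biometric signals rather than acting as a hard rule on their own.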
5. Keep tabs on criminals
It’s easier to prevent crime if you know what crime is being committed. For years credit card cloning was a staple of identity theft, but EMV chip-card technology, a staple in Europe that has recently been rolled out across the US, makes that difficult.
Accordingly, hackers have moved on to account takeover and account creation – one study saw account takeover fraud increase by 112% from August 2014 to August 2015.
Awareness of these trends will help the fight against fraud, and that starts at the community level for businesses and consumers.
For instance, in April, when the FBI learned of a dramatic increase in a business email compromise scam, which stripped businesses in at least 79 countries of at least $2.3 billion, it posted a press release with a fraud report hotline and security tips for companies of all sizes.
6. Start the cybersecurity conversation
Cyber security really does start on the individual level. Companies could benefit from reminding customers to be wary of sketchy emails and to learn about basic cybersecurity issues, like what experts at the Federal Trade Commission (FTC) say about changing passwords.
The FTC’s job is to protect consumers, and it encourages them to use websites like IdentityTheft.gov when victimised.
This helps law enforcement build cases against hackers – and that is a win for companies. And companies can utilise public security guidelines themselves, like the FTC’s cybersecurity starter kits for businesses, just as private IT professionals can collaborate on detection and compliance projects, like when last year the National Institute of Standards and Technology crowd-sourced improvements to its Electronic Authentication Guideline.
7. Identify your breaches immediately
The unfortunate reality, of course, is that breaches will never entirely disappear.
Today, hackers strike like lightning. According to the DBIR, 93% of breaches involved systems being compromised within minutes, with data being exfiltrated within minutes 28% of the time. And, once the data was stolen, only 3% of breaches were discovered within minutes, 5% within hours, and 9% within days.
In other words, 83% of victims didn’t learn of the breach for weeks or more. In our instantaneous, interconnected world, every second a breach goes undetected a company risks losing customers and money.
Today’s customers across all demographics live in an increasingly cyber world, and they are keenly attuned to identity fraud and quick to report it: as the FTC’s Consumer Sentinel Network Data Book found, although consumer complaints about fraud have been rising steadily over the past two decades, they have skyrocketed in the past few years, from roughly 2.2 million in 2013 to nearly 3.1 million last year.
Customers only want to have their identities taken over one day a year, and they want to be the ones doing it, not some faceless criminal wearing the identity they entrusted to their company.