Information security standards and requirements are constantly being updated and supplemented. This is driven by external factors such as the pandemic and the growing skills of attackers. New attack vectors and techniques keep emerging. More and more users rely on mobile devices and other means of remote work. The insider threat is on the rise too. Antifraud systems in banks can significantly reduce the damage from both classic and new fraudulent schemes.
What new challenges do banks face?
First, I should note that user behavior patterns have changed significantly. Due to COVID-19, there have been more Internet-based transactions and less spending on transport and tourism. In addition, many pattern changes are associated with the loss of income sources for some users and, accordingly, an overall decrease in spending for some categories of users.
Due to the introduction of restrictive measures and the general increase in stress levels, attackers have more opportunities to run social engineering schemes based on straightforward intimidation. Scams in which malefactors pretend to be bank security officers have gained momentum.
It is also worth noting that scammers now have more legitimate-looking ways to reach victims through regular advertising channels, typically by advertising fake social assistance services or offers to take a survey.
The same applies to recruiting new front-line "employees" for banking fraud and many other illegal activities. Having lost their income, many people began looking for new sources of money, and as a result some of them get involved in various types of online crime, joining groups of money mules or the staff of fraudulent call centers.
Whereas many people used to be suspicious a priori of any offer on the Internet, the pandemic has slightly weakened their alertness (without improving their actual computer and financial literacy), and this explains the growing number of both social engineering cases and malware infections.
How to detect and prevent bank fraud?
It is advisable to implement a cross-channel system that detects fraudulent transactions in real time. For effective analysis, the solution should combine two methods of anomaly detection: rules (the policy module) and machine learning (the risk assessment module).
The transaction risk assessment module is responsible for profiling objects (users, devices and other entities) and then calculating a set of features that feed a probabilistic model for assessing transaction risk. The main model can be represented as a specially constructed Bayesian tree whose nodes hold probability scores for various combinations of events and features of interest.
Using the policy module, in addition to the initially created rules, the bank can implement its own business scenarios using the final risk score from the scoring module, many other features from user profiles (and profiles of other objects), or algorithms specified by its employees.
The advantages of such an approach include the following:
- A unified model detects both anomalous behavior and cases known to resemble fraudulent ones.
- Minimal dependence on external systems when profiling objects: there is no need to constantly query external databases for statistics.
- Models can easily be re-trained on new customer data.
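To make the division of labor between the two modules concrete, here is an added example (not code from the original article or from any vendor product) of the scheme described above: profile each customer, derive features from the profile, compute a probabilistic risk score, and let a policy module combine that score with the bank's own business rules. The article's scoring model is a Bayesian tree; this example substitutes a simpler naive-Bayes log-odds score over binary features. The likelihood table, base rate, thresholds, cold-start cut-off and the transaction history are all illustrative assumptions.

```python
"""Cross-channel antifraud skeleton: profile -> features -> score -> policy.

Added example, not the article's own code.  The article's model is a
Bayesian tree; a naive-Bayes log-odds score over binary features stands
in for it here, and every number below is an illustrative assumption.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional
import math
import statistics

# Assumed P(feature present | fraud), P(feature present | legitimate).
# A real deployment estimates these from labelled transaction history.
LIKELIHOODS = {
    "amount_high": (0.60, 0.05),
    "new_device":  (0.70, 0.10),
    "new_country": (0.50, 0.02),
    "rapid":       (0.40, 0.08),
    "night":       (0.35, 0.10),
}
PRIOR_FRAUD = 0.002  # assumed share of fraudulent transactions overall


@dataclass
class Profile:
    """Rolling behavioural profile of one object (here: one customer)."""
    amounts: list = field(default_factory=list)
    devices: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    last_ts: Optional[datetime] = None

    def update(self, tx):
        self.amounts.append(tx["amount"])
        self.devices.add(tx["device"])
        self.countries.add(tx["country"])
        self.last_ts = tx["ts"]


def compute_features(profile, tx):
    """Binary features of one transaction relative to the object's profile."""
    if len(profile.amounts) >= 3:
        mean, sd = statistics.mean(profile.amounts), statistics.stdev(profile.amounts)
        amount_high = tx["amount"] > mean + 3 * sd
    else:
        amount_high = tx["amount"] > 1000          # cold-start cut-off (assumed)
    rapid = (profile.last_ts is not None
             and (tx["ts"] - profile.last_ts).total_seconds() < 60)
    return {
        "amount_high": amount_high,
        "new_device": tx["device"] not in profile.devices,
        "new_country": tx["country"] not in profile.countries,
        "rapid": rapid,
        "night": tx["ts"].hour < 6,
    }


def risk_score(feats):
    """Naive-Bayes posterior P(fraud | features), accumulated in log-odds."""
    logit = math.log(PRIOR_FRAUD / (1 - PRIOR_FRAUD))
    for name, present in feats.items():
        p_fraud, p_legit = LIKELIHOODS[name]
        if present:
            logit += math.log(p_fraud / p_legit)
        else:
            logit += math.log((1 - p_fraud) / (1 - p_legit))
    return 1 / (1 + math.exp(-logit))


def policy(score, feats, tx):
    """Policy module: bank-defined rules layered on the score and features."""
    if score >= 0.90:
        return "DECLINE"
    # Business scenario: a large transfer from a never-seen device always
    # needs step-up confirmation, however low the score.
    if tx["amount"] >= 5000 and feats["new_device"]:
        return "STEP_UP"
    if score >= 0.30:
        return "STEP_UP"
    return "APPROVE"


def evaluate(profiles, customer, tx):
    """Score one transaction; only approved ones feed back into the profile."""
    # Feeding pending or declined events into the profile would let an attacker
    # teach it that a new device or an outsized amount is normal.
    profile = profiles.setdefault(customer, Profile())
    feats = compute_features(profile, tx)
    score = risk_score(feats)
    decision = policy(score, feats, tx)
    if decision == "APPROVE":
        profile.update(tx)
    return decision, round(score, 4), feats


def tx(amount, device, country, when):
    return {"amount": amount, "device": device, "country": country,
            "ts": datetime.fromisoformat(when)}


def demo():
    """Constructed history (five daytime card payments) plus three probes."""
    profiles = {}
    for day, amount in enumerate([45, 52, 38, 60, 49], start=1):
        evaluate(profiles, "c1", tx(amount, "phone-A", "DE",
                                    f"2023-11-{day:02d}T10:00:00+00:00"))
    probes = [
        ("usual", tx(55, "phone-A", "DE", "2023-11-06T12:00:00+00:00")),
        ("large_new_device", tx(6000, "laptop-B", "DE", "2023-11-06T12:30:00+00:00")),
        ("night_abroad", tx(2500, "phone-Z", "NG", "2023-11-07T03:00:00+00:00")),
    ]
    return {name: evaluate(profiles, "c1", t)[:2] for name, t in probes}
```

Running `demo()` approves the usual daytime payment, sends the 6000 transfer from an unseen laptop to step-up even though its score is low (the business rule fires, not the model), and declines the night-time payment from a new device in a new country. Note that step-up and declined events are deliberately kept out of the profile until they are confirmed.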
What is the main problem of banks when verifying transactions?
There is no guaranteed total protection. An attacker can walk into a bank with a fake ID and get a transaction approved even if it was previously rejected. Of course, banks would like to know everything about their customers and spend enough time evaluating each transaction. In practice, however, banks keep statistics on users (and other objects and connections) for only several months, and the system must give an answer in less than a second (depending on the SLA). Therefore, it is almost impossible to be 100% sure about each transaction.
Running additional targeted checks reduces the probability of an error. As a rule, this is enough to find a balance between the risk of missing a fraudulent transaction and the cost of checking (and possibly delaying) legitimate events.
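As an added example of the balance described above (not the article's own code), the following sweeps a step-up threshold over a constructed, labelled sample of scored transactions and picks the threshold that minimises total cost: the amount lost on fraud that passes unchecked, an assumed cost for each additional check, and an assumed friction cost for delaying a legitimate customer. Scores, amounts, labels and unit costs are all constructed for illustration.

```python
"""Choosing the step-up threshold by expected cost (added example, not the
article's code).  Above the threshold a transaction gets an additional
check; below it the transaction passes and, if it was fraud, its amount
is lost.  All scores, amounts, labels and unit costs are constructed."""

REVIEW_COST = 2.0    # assumed cost of one additional check (step-up, analyst)
FRICTION_COST = 1.0  # assumed cost of delaying a legitimate customer

# Constructed labelled history: (risk score, amount, is_fraud)
HISTORY = [
    (0.01, 40, False), (0.45, 1800, True), (0.02, 120, False), (0.03, 60, False),
    (0.04, 900, False), (0.06, 35, False), (0.09, 300, False), (0.12, 20, True),
    (0.13, 150, False), (0.16, 75, False), (0.18, 200, False), (0.21, 55, False),
    (0.24, 90, False), (0.27, 30, False), (0.33, 500, False), (0.38, 80, False),
    (0.52, 210, False), (0.61, 45, False), (0.70, 4000, True), (0.84, 120, False),
    (0.95, 3200, True),
]


def total_cost(threshold, history=HISTORY):
    """Sum of check costs above the threshold and fraud losses below it."""
    cost = 0.0
    for score, amount, is_fraud in history:
        if score >= threshold:
            cost += REVIEW_COST + (0.0 if is_fraud else FRICTION_COST)
        elif is_fraud:
            cost += amount
    return cost


def outcome(threshold, history=HISTORY):
    """(number of checks, number of fraud cases missed, amount lost)."""
    checks = sum(1 for s, _, _ in history if s >= threshold)
    missed = [a for s, a, f in history if f and s < threshold]
    return checks, len(missed), sum(missed)


def best_threshold(history=HISTORY):
    """Sweep every observed score plus 'never check'; ties go to fewer checks."""
    candidates = {s for s, _, _ in history} | {1.01}
    return min(candidates, key=lambda t: (total_cost(t, history), -t))
```

On this sample the cheapest setting is 0.45: it lets the 20-unit fraud at score 0.12 through rather than paying for checks on the fifteen events scored above it, and still catches the three large cases. The sweep makes that trade explicit instead of leaving the threshold to intuition; in production the same loop runs over recent labelled history and the unit costs come from the bank's own operations.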
How do banks distinguish a bot and an attacker from a legitimate user?
Technical and behavioral indicators are used for this, and different signs suit different types of attacks. For example, it is relatively easy to temporarily freeze the account of a user who suddenly starts initiating several identical actions per second in the bank's mobile application. This is the simplest kind of behavioral evaluation, based purely on technical features.
One of the most dangerous types of attack is, of course, social engineering in its various forms, especially when it involves people close to the victim whom the user trusts. In this case, high-level behavioral signs are essentially the only way to stop or slow down an illegitimate operation. In the event of a leak of user data (including biometric data) that can lead to identity theft, behavioral analysis also allows banks to block fraudulent transactions in time.
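The "several identical actions per second" indicator mentioned above is simple enough to show in code. The following is an added example (not from the article): a sliding-window counter keyed by user and action that temporarily freezes the account once an assumed limit is exceeded within an assumed window, replayed over a constructed event stream containing a bot-like burst and a human-paced user. The limit, window and freeze duration are placeholders.

```python
"""Burst detector for identical actions (added example, not the article's code).
Limit, window and freeze duration are assumed values."""
from collections import defaultdict, deque

BURST_LIMIT = 5        # this many identical actions ...
BURST_WINDOW = 1.0     # ... within this many seconds triggers a freeze (assumed)
FREEZE_SECONDS = 300   # temporary freeze duration (assumed)


class BurstDetector:
    def __init__(self):
        # (user, action) -> timestamps of recent occurrences inside the window.
        # In practice the key would also include the action's target/amount,
        # so that "identical" means identical payload, not just the same screen.
        self.windows = defaultdict(deque)
        self.frozen_until = {}  # user -> epoch second at which the freeze lifts

    def handle(self, user, action, ts):
        """Return 'FROZEN', 'FREEZE' or 'OK' for one event at epoch second ts."""
        if self.frozen_until.get(user, 0.0) > ts:
            return "FROZEN"                       # still inside the freeze
        q = self.windows[(user, action)]
        q.append(ts)
        while q and ts - q[0] > BURST_WINDOW:     # drop events older than the window
            q.popleft()
        if len(q) >= BURST_LIMIT:
            self.frozen_until[user] = ts + FREEZE_SECONDS
            q.clear()
            return "FREEZE"
        return "OK"


def replay(events):
    """Feed a chronological list of (user, action, ts) through one detector."""
    detector = BurstDetector()
    return [detector.handle(*event) for event in events]


# Constructed event stream: alice fires five transfers in 0.6 s (bot-like),
# bob spreads three transfers over two minutes (human pace).
EVENTS = [
    ("alice", "transfer", 100.00), ("bob", "transfer", 100.00),
    ("alice", "transfer", 100.15), ("alice", "transfer", 100.30),
    ("alice", "transfer", 100.45), ("alice", "transfer", 100.60),  # 5th -> FREEZE
    ("alice", "balance", 101.00),                                  # any action -> FROZEN
    ("bob", "transfer", 160.00), ("bob", "transfer", 220.00),
    ("alice", "transfer", 500.00),                                 # freeze lifted at 400.6
]
```

`replay(EVENTS)` freezes alice on her fifth transfer, rejects her balance query while the freeze is in force, lets bob through untouched, and accepts alice's next transfer once the freeze has expired. The whole rule needs nothing but timestamps, which is why the article calls it the simplest class of indicator.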
How bad is the insider threat problem?
Employees who work remotely, even on personal computers, connect to remote workplace software deployed in the organization's data center, which makes it somewhat harder for cybercriminals to infect their devices or run other types of attacks.
It is difficult to track anomalous behavior when an employee requests information about a particular bank client, since from the point of view of the workflow this looks very much like regular work. When employees work from home, there is simply no one to watch them. Therefore, the ideal option is to monitor an employee through the webcam built into his computer, similar to how supervisors and security services monitor office space through a video surveillance system.
Of course, cameras cannot always detect fraudulent actions when the employee is sitting still. However, monitoring systems have become smarter: thanks to previously collected data and AI, security systems allow banks to perform a unified risk assessment and promptly make decisions when abnormal employee behavior is detected. Such security components can work as part of an agent installed on the client device or through a web interface, and can also be integrated into a banking application.
Fraud prevention systems and eroded perimeters
The erosion of organizations' traditional secure perimeters is now a fact. The model in which everything inside the perimeter (VPN / office) is legitimate and only attackers are outside is a thing of the past. Verification and protection must occur at many levels of interaction; otherwise, any breach of the perimeter compromises the entire system. At each stage of a payment, you should collect all key features, evaluate the risk, and decide how the payment is processed further.
How do antifraud solutions work in the cloud?
When moving to the cloud, some typical internal risks are mitigated because certain functions are delegated to third parties that have no interest in compromising the system.
In terms of normal operation, the quality of antifraud scoring may even increase, because a cloud implementation makes it possible to combine data from many sources and build profiles of many objects, creating a common pool of information on user behavior.
Clearly, some other risks increase in a cloud installation, in particular the risk of attacks by employees of the cloud provider, or of a data breach caused by bank employees being unaware that data may be available to third parties.
This problem can be addressed by encrypting a significant part of the sensitive data before it leaves the perimeter. The remaining data is sufficient to obtain a good-quality risk assessment.
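One way to apply the principle in the previous paragraph, as an added example (not the article's code): before a transaction record leaves the bank's perimeter for cloud scoring, identifiers are replaced by keyed pseudonyms (HMAC-SHA256 under a key that never leaves the bank) and fields that scoring does not need are dropped, while amount, country, channel and time stay in clear. Keyed-hash pseudonymisation stands in here for the encryption the article mentions: the cloud side still receives a consistent token per card, customer and device, so profiling works, but cannot recover the originals. A keyed hash is used rather than a plain SHA-256 because card numbers and customer IDs come from a small enough space that an unkeyed hash can be reversed by enumeration. The key value, field lists and sample record are placeholders.

```python
"""Egress pseudonymisation for cloud antifraud scoring (added example, not the
article's code).  Key, field lists and the sample record are placeholders."""
import hashlib
import hmac

# Assumed per-tenant secret held inside the bank; rotate and store it in an HSM/KMS.
PSEUDONYM_KEY = b"bank-internal-secret-key-placeholder"

IDENTIFIER_FIELDS = ("pan", "customer_id", "device_id", "ip")     # tokenised
DROP_FIELDS = ("cardholder_name", "address", "email")             # not needed for scoring
# Every other field (amount, currency, country, channel, ts, ...) is sent in clear.


def canonical(value, field):
    """Normalise before hashing so the same identity always maps to one token."""
    text = str(value).strip()
    if field == "pan":
        text = text.replace(" ", "")   # '4111 1111 ...' and '41111111...' are one card
    return text


def pseudonymise(value, field, key=PSEUDONYM_KEY):
    """Keyed, field-separated token: the same PAN and customer_id never collide."""
    msg = f"{field}:{canonical(value, field)}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def egress_transform(record, key=PSEUDONYM_KEY):
    """Record as it may leave the perimeter: identifiers tokenised, PII dropped."""
    out = {}
    for name, value in record.items():
        if name in DROP_FIELDS:
            continue
        out[name] = pseudonymise(value, name, key) if name in IDENTIFIER_FIELDS else value
    return out


# Constructed sample record (not real data).
SAMPLE_RECORD = {
    "pan": "4111 1111 1111 1111", "customer_id": "C-42", "device_id": "ios-7f3a",
    "ip": "203.0.113.9", "cardholder_name": "Jane Doe", "email": "jane@example.com",
    "amount": 120.5, "currency": "EUR", "country": "DE", "channel": "mobile",
    "ts": "2023-11-06T12:00:00+00:00",
}


def demo():
    return egress_transform(SAMPLE_RECORD)
```

The cloud scorer can still build a per-card and per-device profile from the tokens, and a leak on the provider side yields neither card numbers nor names. A different tenant key produces unrelated tokens, so two banks sharing a provider cannot be joined against each other.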
Besides banks, where else are fraud prevention systems used?
There are many cases where identical or similar systems can be used: payment services, both card networks such as VISA and online services such as PayPal; money transfer services such as Western Union; large marketplaces and online stores such as Amazon; and service providers such as Uber.
What are the fraud prevention trends?
I can distinguish several tendencies. First, great progress is being made in countering insider threats with new technologies: both monitoring employees' work and automating the roles most susceptible to internal fraud. Also, relatively small banks that find it difficult to protect their systems are moving them to the cloud, and an antifraud system may be one of the first such systems in a typical small bank.
AI is developing very quickly; what was just an idea several years ago is now being actively implemented for fraud prevention. Integration with third-party information systems will also expand, as we already see with credit scoring systems. Finally, new tools will emerge to protect less traditional channels and services.
David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation.
David runs the MacSecurity.net and Privacy-PC.com projects, which present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.