Posted on Jan 15, 2020
The financial services industry is no stranger to artificial intelligence (AI) and machine learning (ML). Even in eras where computers (as we know them today) did not yet exist, the financial services industry used automation technologies for number crunching and data processing. As new technologies enabled automated banking services, malicious actors kept pace, leading to automated fraud technologies such as malware, carding methods, and database attacks. To protect customers from fraud, financial services organizations began incorporating AI/ML as part of their cybersecurity and compliance strategies.
To many, the difference between “financial crime” and “financial fraud” appears to be an academic distinction. For financial institutions, however, the differing definitions come with differences in business operations, processes, and compliance obligations. Financial crimes often involve actions such as bribery and money laundering, generally covered under the Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance requirements.
Financial fraud refers to crimes rooted in deception, such as forgery, scams, and insider threats. Many financial institutions, therefore, report the effects of these crimes as part of their loss liability calculations.
In other words, while institutions often consider “financial crimes” a compliance risk, “financial fraud” more directly relates to the organization’s overarching asset-liability reporting and financial strength.
To implement controls that mitigate fraud carried out by cybercriminals, financial institutions need to perform a risk analysis that aligns the customer banking journey with the digital risks present at each step.
This means identifying the types of data handled, where that data is stored, and how the institution collects and transmits it. A 2019 McKinsey report identifies four attack channels and their associated fraud risks.
Most often associated with skimmers, ATMs represent a significant cybersecurity and customer-information breach weakness. ATM skimmers are card reader overlays that malicious actors attach to machines to capture debit card data, typically paired with a hidden camera or PIN pad overlay to capture the PIN. In some cases, malicious actors infect the machines with malware to establish a persistent attack.
Using these tools, malicious actors steal customer identities, enabling them to siphon money from user accounts or to create new accounts under the customer’s name.
Although most financial institutions must meet Payment Card Industry Data Security Standard (PCI DSS) compliance requirements, debit/credit cards remain a consistent data breach vector. Most financial institutions use credit/debit cards as a way to confirm their customers’ identities. When malicious actors obtain this data, the confidentiality, integrity, and availability of the customers’ data can be compromised.
Gaining access to customer information can also occur as a part of regular transactions. Services such as new account generation and wire transfers historically required customers to be present in a physical branch. Online banking services enable customers to engage in these types of transactions via the internet. While this makes banking easier for customers, it also increases the cyber and fraud risks that financial institutions must mitigate.
In response to this, the Society for Worldwide Interbank Financial Telecommunication (SWIFT) released its cybersecurity framework to help financial institutions mitigate the risks inherent in these transaction types.
Even though most financial institutions segment their networks to protect customer data, the endpoints and applications running on an institution’s networks remain a potential threat vector. As the financial services industry increasingly adopts cloud-based infrastructure, financial institutions need to monitor the effectiveness of their security controls, including those at individual branch locations. This can become overwhelming as institutions scale their operations by adding branches or acquiring other institutions.
Each of the four attack channels leads to a singular purpose: using legitimate customer information to engage in fraudulent activities. Although some malicious actors may drain an account once they have the credentials, most prefer to use the customer data as a way to electronically disguise themselves. Most customers link their accounts to an email address to communicate with their financial institution or receive communications from the institution.
Malicious actors, therefore, often hijack systems or databases via one of the attack channels, then use customer email addresses to send the financial institution digital requests. In response to the increase in these activities, the Financial Crimes Enforcement Network (FinCEN) released the “Updated Advisory on Email Compromise Fraud Schemes Targeting Vulnerable Business Processes” in July 2019. The Advisory broadened the definition of “email compromise fraud” with the following updates:
The problem underlying the FinCEN advisory is twofold. First, it assumes that customers cannot protect their email addresses from cybercriminals. While this may be partially true, the Advisory also hints at financial institutions’ inability to protect customer data and prevent fraud.
Financial institutions have long incorporated the newest technologies to protect their customers, and themselves, from fraud. Although often vigilant about protecting customers from fraud, financial institutions’ reliance on AI/ML may not be the most proactive approach.
Traditional fraud detection enabled institutions to check geolocation details. For example, an institution might correlate the cardholder’s billing zip code with the geolocation and historical reputation of the purchasing IP address to mitigate online fraud risk. If the geolocations do not match, or the purchasing IP has a history of suspicious activity, the card is declined or frozen until the cardholder contacts the financial institution.
Problematically, these techniques produce a high rate of false positives (a legitimate cardholder traveling out of state is declined), while attackers bypass the check by tunneling through proxy IP addresses located within the vicinity of the real cardholder’s zip code.
Next-generation AI fraud mitigation technologies incorporate context, taking the new attack channels into consideration. These technologies leverage significantly more data points when assessing a risk profile, including IP reputation, geolocation, email address reputation, typical user browsing and login patterns, and hardware/software fingerprinting. These data points give insight into the probability that a transaction is fraudulent, and can also indicate that a user account has been compromised as part of the fraudulent activity, such as when a malicious actor creates a new “fake” account.
Analysis of the additional data points can help lower the false positive alert frequency for legitimate transactions and increase the alerts’ legitimacy when notifying the institution of suspicious activity.
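The two approaches described above, as an added illustration that is not part of the original post: a legacy zip-code/IP-reputation rule beside a contextual score that also weighs device fingerprint, email and login-time signals. The IP geolocation and reputation tables, the weights and the threshold are constructed for the example, not taken from any real feed or vendor model. Run over three constructed transactions, it shows the legacy rule declining a traveling cardholder while waving through an attacker on a same-zip proxy, and the contextual score doing the reverse.

```python
"""Added example (not from the original post): legacy geo rule vs. contextual risk score."""
from dataclasses import dataclass

# Constructed stand-ins for IP geolocation and reputation feeds (not real data).
IP_GEO = {
    "203.0.113.10": "94016",   # cardholder's home connection
    "203.0.113.99": "94016",   # residential proxy exit in the same zip, used by attacker
    "198.51.100.7": "10001",   # hotel Wi-Fi while the cardholder travels
}
IP_REPUTATION = {            # 0.0 = clean, 1.0 = known bad
    "203.0.113.10": 0.0,
    "203.0.113.99": 0.2,     # residential proxies rarely score badly
    "198.51.100.7": 0.1,
}

@dataclass(frozen=True)
class Transaction:
    billing_zip: str
    ip: str
    email: str
    device_fp: str   # hardware/software fingerprint hash (constructed)
    login_hour: int  # 0-23, local time

@dataclass(frozen=True)
class CustomerProfile:
    billing_zip: str
    email: str
    known_devices: frozenset
    usual_login_hours: range

# Constructed cardholder profile and three constructed transactions.
PROFILE = CustomerProfile("94016", "alice@example.com", frozenset({"fp-laptop"}), range(7, 23))
HOME = Transaction("94016", "203.0.113.10", "alice@example.com", "fp-laptop", 12)
TRAVELER = Transaction("94016", "198.51.100.7", "alice@example.com", "fp-laptop", 9)
PROXY_ATTACKER = Transaction("94016", "203.0.113.99", "alice@example.com", "fp-unknown", 3)

def legacy_geo_check(tx: Transaction, bad_rep: float = 0.5) -> bool:
    """Legacy rule: decline when IP zip != billing zip or IP reputation is bad.
    Returns True when the transaction should be declined."""
    ip_zip = IP_GEO.get(tx.ip)
    return ip_zip != tx.billing_zip or IP_REPUTATION.get(tx.ip, 1.0) >= bad_rep

def contextual_risk_score(tx: Transaction, profile: CustomerProfile) -> float:
    """Contextual score in [0, 1] from several weighted signals (weights are illustrative)."""
    score = 0.0
    if IP_GEO.get(tx.ip) != profile.billing_zip:
        score += 0.15                                   # geo mismatch alone is weak evidence
    score += IP_REPUTATION.get(tx.ip, 1.0) * 0.30       # unknown IP counts as worst case
    if tx.email != profile.email:
        score += 0.25                                   # email on file differs
    if tx.device_fp not in profile.known_devices:
        score += 0.35                                   # never-seen device is the strongest signal
    if tx.login_hour not in profile.usual_login_hours:
        score += 0.15                                   # outside the customer's usual hours
    return round(min(score, 1.0), 2)

def decide(tx: Transaction, profile: CustomerProfile, threshold: float = 0.5) -> str:
    """Route the transaction: 'allow' below the threshold, 'review' at or above it."""
    return "review" if contextual_risk_score(tx, profile) >= threshold else "allow"

if __name__ == "__main__":
    for name, tx in [("home", HOME), ("traveler", TRAVELER), ("proxy_attacker", PROXY_ATTACKER)]:
        print(f"{name:15s} legacy_decline={legacy_geo_check(tx)!s:5s} "
              f"score={contextual_risk_score(tx, PROFILE):.2f} decision={decide(tx, PROFILE)}")
```

The traveler trips the legacy rule purely on the zip mismatch (a false positive), while the attacker's same-zip proxy passes it. The contextual score treats the geo mismatch as weak evidence and lets the traveler's known device and normal hours pull the score down, whereas the attacker's unknown device and 3 a.m. login push the score over the review threshold despite the matching zip and clean-looking IP.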
Unfortunately, both of these AI/ML use cases take a reactive, rather than proactive, approach to mitigating fraud. In both cases, as in the recent Advisory’s use case, the cybercriminals have already exfiltrated customer information by the time the detection fires.
Financial institutions need to be proactive about preventing fraud. Although cybercriminals may be able to exfiltrate email login information directly via the customer, they may also be using one of the four above-listed channels.
Financial institutions, therefore, need to incorporate new AI/ML technologies as part of their continuous fraud risk mitigation strategies. Managing cybersecurity vulnerabilities and ensuring continuous control effectiveness is now a way to protect themselves from financial fraud.
With more customer data stored, transmitted, and collected in the cloud, continuous controls monitoring becomes a fraud risk mitigation imperative. As part of their risk analysis, most institutions assign customer names, birth dates, social security numbers, and/or account numbers a “high” risk level. As such, they segment the networks containing this information and mitigate the risks with the appropriate controls.
Imagine the following scenario. A cybercriminal obtains access to a branch network and exfiltrates a list of customer email addresses. This provides the cybercriminal with the only two data points necessary for engaging in email compromise fraud: an email and a bank whose customer has that email.
Another potential scenario might be a cybercriminal intercepting a money transfer. Many bank transfers no longer require senders to list a recipient’s account number; they only require the sender to use the email address attached to the recipient’s account. By gaining access to the money transfer information, the malicious actor, again, knows an email and a bank associated with the email.
In both of these scenarios, the cybercriminal obtained email information from one of the four attack channels and did not need account information. Both of these scenarios increase the potential for email compromise fraud.
SecurityScorecard’s platform enables financial institutions to continuously monitor their controls’ effectiveness. Our platform gathers information across ten groups of risk factors, including IP reputation, network security, web application security, endpoint security, patching cadence, DNS health, hacker chatter, leaked credentials, and social engineering.
Our platform provides visibility into a financial institution’s cybersecurity posture, as well as the posture of its business partners. Our easy-to-read security ratings use an A-F scale, with A being the highest rating, so that financial institutions can gain at-a-glance insight into their strongest and weakest controls. Using our platform, organizations can also prioritize their remediation strategies by focusing on the most important risks.
By taking a proactive approach to financial fraud prevention, institutions can mitigate asset loss risk and increase customer account security.