Top Trends Driving the Future of Fraud Mitigation: 2020 and Beyond
We regularly host webcasts on topics such as fraud prevention, security best practices, and tech innovation, to provide guidance on how to protect against cyberfraud. If you missed our latest webcast, Top Trends Driving the Future of Fraud Mitigation: 2020 and Beyond with Julie Conroy, research director for Aite Group’s Fraud and AML practice, here is the 5-minute summary. The full presentation is available on-demand.
Financial institutions (FIs) are under constant attack by organized crime rings. Digital channel fraud is fast moving, automated, and perpetrated with sophisticated tech tools designed to bypass traditional fraud controls. For fraud teams, keeping current and sharing information among industry peers has never been more important.
To help fraud teams understand how to evolve their institution’s defenses and address fraud challenges, Aite research director Julie Conroy joined OneSpan to present seven top trends to be aware of right now:
- Data breaches continue to fuel a multitude of attack vectors
- Online/mobile channels continue to be key targets
- Regulation is creating new risk vectors
- Business email compromise continues unabated
- Banks' use of cloud-based detection and authentication is increasing
- We are seeing the rise of the fraud/authentication hub
- FIs are harnessing data and applying advanced analytics
These trends are driving fraud detection and authentication strategies for financial institutions globally, as well as tech investments over the next 12 months.
In this blog, we explore three of these trends and invite you to watch the full presentation on-demand for the rest.
Security Trend #1: Data Breaches Continue to Fuel a Multitude of Attack Vectors
Since 2013, 14.7 billion data records have been breached. The sheer number of large-scale breaches, such as Equifax (143,000,000 records), Marriott Hotels (383,000,000 records), Twitter (330,000,000 records), and Yahoo (500,000,000 records), means that financial institutions need to build their defenses with an understanding that malicious actors already have their customers' data.
“The breached data includes PII, login credentials, and in the case of the Facebook breach, it’s even data related to religion or political affiliations, and recent search history. This has so much utility as organized crime rings work on social engineering-based attacks,” Conroy explains.
Once the data is breached, it is sold on the Dark Web. From there, it is quickly monetized using tools that automate credential stuffing attacks, like Sentry MBA. This in turn leads to account takeover.
Credential stuffing attacks are one of the top challenges for financial institutions and e-commerce merchants. These types of attacks are getting worse, because sophisticated tools make it easy to quickly test login credentials against hundreds or even thousands of online properties to see where they’ll work. This is such an effective tool, because many consumers re-use the same credentials across multiple websites. Cybercriminals love this kind of poor password hygiene.
According to Conroy, credential stuffing tools have become so sophisticated that they can slow the speed at which credentials are entered into an application to better impersonate a genuine consumer inputting their data. These tools can also spread the attack across multiple IP addresses and proxies, bypassing any controls that might look for a series of username/password inquiries coming from a single IP address. Some even have an Optical Character Recognition (OCR) capability to bypass CAPTCHA. This underscores the extent to which organized crime rings are leveraging technology against banks and financial systems -- and adds one more reason why it’s so critical for FIs to quickly put the latest technologies to work against them.
Security Trend #2: The Increasing Use of Cloud-based Detection and Authentication
Threats are growing in sophistication, speed, and automation, but there is good news. There is a lot of technology available to help address cyberattacks, and it’s increasingly cloud-based. In a 2019 research study where Aite interviewed over 40 financial executives across five continents about the evolution of their fraud detection platforms, Conroy was surprised to see cloud adoption gaining traction.
“Cloud has typically lagged in financial crime (fraud and AML) versus other parts of the bank just because there’s so much personally identifiable information involved. Many institutions have been reticent to send that to the public cloud. However, in speaking to executives, what we’re seeing is that 70% of deployments are on-premises, but 30% are now in some version of cloud – either private or hosted, or hybrid cloud. I think we’re going to continue to see gradual movement toward cloud,” Julie Conroy says.
The benefits of cloud deployments include:
- Automatic upgrades: As fast as fraud is moving, banks and merchants can no longer afford to be two or three versions behind on the vendor’s capability set, because they are still waiting in the IT queue to get the resources to upgrade. The benefit of the cloud is the organization gets the upgrade as soon as it is deployed by the vendor.
- Scalability: FIs can leverage Amazon’s or Microsoft’s scale on-demand to account for peak periods. Instead of purchasing and deploying new hardware, an organization can simply provision additional resources from their cloud provider. This elasticity allows organizations to scale their capacity to match their current demand.
- Expense efficiencies: Cloud resources provide maximum flexibility. Organizations do not need to make significant capital expense (capex) purchases. They can factor in a predictable operational expense (opex) and leverage the resources they need, when they need it.
When it comes to the cloud, executives still have concerns related to data security and customization (e.g., can the cloud support the level of customization I have on-premises?). But the benefits are beginning to outweigh some of the concerns, especially as some FIs recognize that the security available in many of the instances of public cloud is actually superior to what they can provide on-premises.
Security Trend #3: The Rise of the Fraud/Authentication Hub
In Q3 2018, Aite surveyed financial executives to understand their plans to implement a fraud or authentication hub in the next two years.
- As many as 18% already had it implemented or were in progress.
- Another 52% responded that they were very likely and 15% likely to do so.
Fraud and authentication hubs solve several key challenges at the same time, so it is no surprise that Aite is seeing such momentum.
As Conroy explains, “With a hub, you have one API that goes to one vendor. That vendor has relationships with a number of different fraud detection and authentication vendors behind it. As you build out your layered solution, you can effectively address your detection needs as well as your customer authentication needs.
"You can have one API call that gets you all of that layered solution you need. So you can get to your device fingerprinting vendors. You can get to your behavioral biometrics capabilities. You can get to your one-time passwords (OTP). You can have the risk engine.”
Many fraud and authentication hubs bring all of these different inputs into a risk engine that can help aggregate alerts into one unifying score. Fraud teams would no longer have to individually manage five vendors and all of their separate alerts.
And in some cases, the hub vendors will even have contractual relationships, so that it’s not just one API call. It may be only one contract. This can prevent banks from wasting precious time and resources going through a lengthy vendor risk management process to onboard a new vendor.
“This is why we are seeing so much interest, because it really does help with so many of the challenges that slow down many banks and merchants ability to be more nimble in the face of changing attacks. And it also helps you to swap out different authentication mechanisms more quickly – because you’re not necessarily having to implement a net-new vendor if you want to move from KBA questions to one-time password. It’s just adjusting some settings within your authentication hub,” Conroy says.
The Cybersecurity Arms Race Continues
Fraud attacks around the globe continue to grow and evolve at a rapid pace. Organized crime rings are successfully using automation and new technologies combined with massive amounts of compromised data readily available on the Dark Web. The result is rising account takeover, card not present (CNP), new account fraud, and application fraud, which in turn leads to increased losses for banks, merchants, and fintechs alike.
At the same time, expectations from regulators and consumers are rising as well—in starkly conflicting manners. While consumers push for seamless customer experiences, regulators around the globe are establishing new requirements. If not properly implemented, these can inject unnecessary friction into digital banking processes. The resulting balancing act for any bank or merchant is a challenging one.
The good news is that sophisticated technologies, such as machine learning, orchestration platforms, and digital identity analytics, represent opportunities for the good guys to keep pace with the criminals, and potentially even get a step ahead.
Explore the Other Top Trends Impacting the Future of Fraud
Though this article only covers three of the top trends driving the future of fraud mitigation, it is important to understand how the rest of these trends will impact financial institutions. For a full report, listen to this 60-minute webinar with fraud experts from OneSpan and Aite Group. They examine each trend in detail and discuss what security best practices can help mitigate fraud in 2020 and beyond.