Fusion center: a trendy term or a necessity? This conversation comes up often lately, and rightfully so. It has been obvious for years, and is now more apparent than ever, that cyber threats and fraud are correlated. Yet only recently did fraud get its proverbial seat at the table as both a separate discipline and a stakeholder in enterprise risk. Unfairly, many InfoSec teams were relied on not only to assess network and cybersecurity risks but also to speak to fraud risks, a niche these teams may not be qualified to speak for. Industries outside ours still use the terms "cybersecurity risk" and "fraud risk" interchangeably.
As fraud has become a more diverse category, and as we keep dissecting what these frauds are and how they are perpetrated, the distinction has become clearer. As fraud incidents were identified, business lines consistently echoed the same response, "but we got InfoSec approval", frustratingly followed by face palms and head shakes from the InfoSec team. I reflect on this here because I feel I'm in good company to express our need to be "partners in crime" for an increasingly digital world. Unfortunately, it took some significant, reputation-damaging incidents for many C-suites to realize that these two verticals need to stand alone, and yet together.
Naturally, the best way to start this conversation is by jumping into the industry's alphabet soup. Simply put, you are nobody if you have not implemented AI or ML (also often mistaken for each other) in a robust, enterprise-wide fraud engine, fed with physical and behavioral biometric profiling data and coupled with device fingerprinting. Although that sounds like it is oozing sarcasm, everything stated is valid and essential to dealing with today's threats.
As the anti-fraud community soon realized, however, OTPs and MFA are constantly circumvented by social engineering and "human hacking": the attacker talks the victim into completing the step-up for them. It became apparent that these step-ups cannot, on their own, establish the legitimacy of a transaction or session. Thus the focus of collecting all this data and authentication signal becomes taking the human out of the security equation and determining for ourselves who is conducting the transaction. This comes with its own caveats, of course.
AI and ML are crucial in risk rating and transaction analytics, but as recent media articles have alluded, they are only as good as the people who label the outcomes and the strength of the feedback loop that digests those labels back into the models. Large-scale fraud events are often dismissed as legitimate because the volume of transactions across many customers looks normal in aggregate. Likewise, fraud detection is only as good as the speed and accuracy of the analysts reacting to it.
For example, if a fraudulent transaction is dispositioned as legitimate, that pattern is now validated in the model and actively helps the fraud proliferate. Pairing the model's output with more traditional Boolean "if/then" rules that do not learn from those labels helps ensure that your bias is not being pointed in the wrong direction.
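The feedback-loop failure described above, as an added illustration that is not code from the article or from any fraud engine: a small adaptive scorer that learns "normal" from transactions dispositioned as legitimate, replayed against a constructed account takeover, beside a set of Boolean rules that never consume labels. The customer history, the attack sequence, the 3-sigma threshold and the rule limits are all assumptions chosen to make the drift visible.

```python
"""Feedback-loop poisoning in an adaptive fraud scorer, with deterministic
if/then rules as an independent check.

Added illustration, not code from any fraud engine. The customer history, the
takeover sequence, the 3-sigma threshold and the rule limits are constructed
assumptions chosen so the drift is visible in a few transactions.
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class Txn:
    ts: int          # seconds on a constructed timeline
    amount: float
    payee: str


@dataclass
class CustomerProfile:
    confirmed_amounts: list = field(default_factory=list)  # what the model learns from
    history: list = field(default_factory=list)            # every txn seen, any label


# Assumed model parameters.
MIN_HISTORY = 5
Z_THRESHOLD = 3.0


def adaptive_score(profile, txn):
    """Z-score of the amount against amounts dispositioned as legitimate.
    Returns (z, flagged). This is the part that learns, and therefore drifts."""
    hist = profile.confirmed_amounts
    if len(hist) < MIN_HISTORY:
        return 0.0, True            # no baseline yet: step up by default
    sigma = max(pstdev(hist), 1.0)  # floor so a flat history cannot divide by ~0
    z = (txn.amount - mean(hist)) / sigma
    return z, z > Z_THRESHOLD


# Assumed rule limits.
HARD_CAP = 5000.0
NEW_PAYEE_WINDOW = 86400      # a payee counts as "new" for 24 h
NEW_PAYEE_DAILY_CAP = 1500.0  # total allowed to a new payee inside that window
VELOCITY_WINDOW = 600         # 10 minutes
VELOCITY_MAX = 3


def rule_flags(profile, txn):
    """Boolean if/then rules over raw history. They never consume analyst
    labels, so a mislabelled fraud cannot move them."""
    reasons = []
    if txn.amount > HARD_CAP:
        reasons.append("hard_cap")
    same_payee = [t for t in profile.history if t.payee == txn.payee]
    first_seen = min((t.ts for t in same_payee), default=txn.ts)
    if txn.ts - first_seen < NEW_PAYEE_WINDOW:
        total = txn.amount + sum(t.amount for t in same_payee
                                 if txn.ts - t.ts < NEW_PAYEE_WINDOW)
        if total > NEW_PAYEE_DAILY_CAP:
            reasons.append("new_payee_daily_cap")
    recent = [t for t in profile.history if txn.ts - t.ts <= VELOCITY_WINDOW]
    if len(recent) + 1 > VELOCITY_MAX:
        reasons.append("velocity")
    return reasons


def feedback(profile, txn, disposition_legit):
    """The feedback loop: whatever is dispositioned as legitimate becomes part
    of the model's notion of normal."""
    profile.history.append(txn)
    if disposition_legit:
        profile.confirmed_amounts.append(txn.amount)


def run_scenario(analyst_mislabels_first_alert):
    """Replay a constructed account takeover against the model and the rules.
    Returns one record per attack transaction."""
    profile = CustomerProfile()
    # Constructed baseline: ordinary spend, one payment a day, all confirmed.
    for day, amt in enumerate([42.0, 120.0, 65.0, 310.0, 88.0, 150.0, 95.0, 210.0]):
        feedback(profile, Txn(ts=day * 86400, amount=amt, payee="grocer"), True)
    # Constructed takeover: transfers to a never-seen payee, minutes apart,
    # each sized to sit just inside whatever the model now calls normal.
    t0 = 30 * 86400
    attack = [Txn(t0, 900.0, "mule-1"), Txn(t0 + 120, 950.0, "mule-1"),
              Txn(t0 + 240, 1200.0, "mule-1"), Txn(t0 + 360, 1500.0, "mule-1")]
    out = []
    for i, txn in enumerate(attack):
        z, model_flag = adaptive_score(profile, txn)
        rules = rule_flags(profile, txn)
        out.append({"amount": txn.amount, "z": round(z, 2),
                    "model_flag": model_flag, "rules": rules})
        # Disposition deliberately follows the model alone, to isolate the loop:
        # unflagged txns auto-clear, and the first alert may be mislabelled.
        legit = (not model_flag) or (i == 0 and analyst_mislabels_first_alert)
        feedback(profile, txn, legit)
    return out


if __name__ == "__main__":
    for label, rows in (("first alert mislabelled", run_scenario(True)),
                        ("first alert worked correctly", run_scenario(False))):
        print(label)
        for r in rows:
            print(f"  {r['amount']:>8.2f}  z={r['z']:>5}  "
                  f"model_flag={r['model_flag']!s:5}  rules={r['rules']}")
```

With the first alert closed as legitimate, the 900 transfer becomes part of the baseline, the mean and standard deviation widen, and the next three transfers each score under 3 sigma and auto-clear, feeding the baseline further; the rules, which only see raw amounts, payees and timestamps, flag every transfer after the first regardless of how the analyst labelled it. With the first alert worked correctly, the model flags all four on its own.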
As always, the adversaries will be one step ahead and realize that the best way to bypass controls built to detect who or what is NOT the customer is to manipulate the victim into initiating the transaction themselves. Additionally, the rise and ease of creating synthetic identities undermines our efforts even further, since the fraudster can now control stolen accounts while shielded behind a person who does not exist.
That said, behavioral biometrics, physical biometrics and proof-of-life (liveness) checks are only effective if the fraudster does not beat the real customer to the punch in enrolling them. If someone is using your SSN with other fabricated PII and has built a larger digital footprint than you have as a real person, some vendors will rate the fake persona as more likely to be the real deal than you are. Add in the growing trend of deepfakes and 3D-printed spoofs of physical biometrics, and we are in a constant battle.
I wish I could offer a silver bullet, but in reality we are in a continuous game of reactive prevention. Even with all of these advances on the leading edge of fraud detection, we are naive, or simply ignorant, if we do not acknowledge that fraudsters have been using these same technologies for years. Authentication should not be a competitive advantage, and unfortunately that is how it is marketed in the current landscape.
For the CISO and technical audience, I think it’s appropriate to end with a quote from Bruce Schneier in his book Secrets and Lies, “Security is not a product, it’s a process. You can’t just add it to a system after the fact. It is vital to understand the real threats to a system, design a security policy, commensurate with those threats, and build in appropriate security countermeasures from the beginning.”
The irony is that these words were published in the year 2000, yet they read like a quote written for the future. We, as a society, continue to push for instant, irrevocable payments, yet we are shocked when a substantial amount of money is lost. I would say there's hope that we are learning our lessons, but the same warnings were published over 20 years ago and are just as relevant today.
As we continue to collaborate, I’ll end with a cheer to all those fighting the good fight.