IT security experts comment below on the new “2017 Faces of Fraud Survey” of US banks and financial institutions, issued today by ISMG Research & VASCO Data Security. Among the study’s findings: a majority of respondents believe today’s fraud schemes are too sophisticated and evolve too quickly to keep pace with; just 38 percent of those responding have high confidence in their institution’s ability to detect and prevent fraud; and only 13 percent of respondents believe their organization is identifying fraud in real time.
Avivah Litan, VP and Distinguished Analyst at Gartner Research:
“I’m encouraged by the advances in and fine-tuning of machine learning models and other forms of advanced analytics being applied to the fraud use case, and the use of mega global sets of shared data to inform those models. I’m also encouraged by continuous behavioral biometric authentication, along with other continuous identity assessment measures, that raise confidence in a user’s legitimacy. We need this – especially in an era of heavily compromised PII data. It’s much harder for a bad guy to beat a system that he or she cannot easily see.”
Lisa Baergen, APR, MCC, Marketing Director at NuData Security Inc.:
“This survey certainly shows that while consumers may shoulder many direct costs and burdens associated with fraud, institutions are also suffering substantially. The global uptick in fraud, coupled with ever-increasing amounts of PII available on the black market, makes financial institutions more vulnerable and as a result, their security investments are growing yet their confidence in them isn’t.
“Banks, financial institutions, and merchants all struggle with ways to preserve customer confidence and loyalty, without hurting their customers’ experience. The five scariest words in the sector are: ‘My bank account’s been hacked.’
“Detecting potentially fraudulent transactions, money movements or new account fraud before they can result in fraud demands a new approach to authentication methods. Solutions based on consumer behavior and interactional signals are leading the way to provide new levels of security at every step in the transaction chain – including financial institutions, consumers, and merchants. As security threats increase, it gives rise to the requirement of an advanced security solution to identify malicious activities and vulnerabilities. The Faces of Fraud Survey confirms that it’s time to adopt machine learning and verification methods that immediately recognize trusted users and optimize their experience, that can’t be impersonated by would-be thieves, and that can invoke stepped-up authentication when high-risk, highly questionable circumstances call for it.”
Atiq Raza, CEO at Virsec Systems:
“This survey highlights two alarming trends: current security products are failing against the latest threats, and most banks still value user convenience over security.
“Sophisticated attacks are increasingly flying under the radar of conventional security, which depends on perimeter defense, looking for known patterns of behavior, and patching vulnerabilities if they are discovered. All of these are always playing catch-up with fast-moving and innovative hackers. In order to get to the root of modern attacks we need to worry less about incoming threats, and more about detecting and blocking rogue application behavior in real time.
“The fact that only 35% of banks have deployed multifactor authentication is disturbing. This technology is readily available, easy to deploy, and very effective. While it requires a little more effort for consumers, it also makes them more aware and conscious of security best practices. Banks can insure themselves against financial losses from fraud, but consumers can never recoup the damage of having their identity stolen.”
Christian Lees, Chief Information Security Officer at InfoArmor:
“We certainly see that compromised data, credentials and PII are often used and re-used by threat actors for a variety of activities. Direct ATO, brute force or other, can often be traced to exposed credential dumps. In many cases, breaches can be directly attributed to third party exposure where employees have misused corporate credentials which are then subsequently compromised and leveraged for direct corporate access.
“However, we are also seeing a rise in fraudulent account creation (whether bank accounts, credit cards or loan applications) using PII that has been exposed in large data disclosures. This criminal activity can be difficult to detect, as all of the data matches and appears valid. However, by offering financial institutions the ability to track and monitor third party compromised data disclosures, they can pre-empt this activity with rigorous application.
“As long as threat actors can monetize their nefarious activities, they will persistently seek to profit at the expense of the innocent victims of breach. Thus, enterprises of all sizes should be increasingly vigilant and seek to continually improve their security posture with products and services designed to alert, notify, pre-empt and defend against such activity. There is not a one-size-fits-all solution. A comprehensive approach leveraging a variety of tools and applications, assessing internal and external risks/exposure should always be deployed.”
John Gunn, CMO at VASCO Data Security:
“In rough numbers you’ve got 80 percent of financial institutions’ customers doing online banking. A few years ago, it was 40 percent doing mobile, and now it’s eclipsed 50 percent and it continues to grow. So as more users come on and more services are offered, [mobile] just becomes a bigger target for hackers. And you have as a backdrop to that: Financial institutions see the benefit of mobile customers. Mobile customers are more sticky. They buy more products. That’s where a financial institution makes their money.
“Regulations couldn’t possibly keep pace with the sophistication and the evolution of new attacks. So it’s that economic argument we talked about, and it’s about the new tools, the next generation and what’s coming. And that is: unified tools, tools that work with each other that are easier to implement. And fraudsters have a real advantage. If you look at game theory, there’s always an advantage to being the attacker because you can pick that one point of vulnerability when you find it. Whereas financial institutions or their vendor partners, such as VASCO, have to cover a thousand potential points of vulnerability. So it’s a monumental task, and it requires coordination, collaboration and staying on the front end of new technologies.”
Julie Conroy, Research Director at Aite Group:
“The continued progress toward faster payments introduces new opportunity for fraudsters, especially given the fragmented approach in the U.S. Expect to see criminals capitalize on this with routines that target faster payments across all channels, including mobile.”
Scott Clements, CEO at VASCO Data Security:
“The survey results echo what VASCO is seeing across the market – there are myriad anti-fraud solutions to choose from, their implementation and use are not easy, and integration between solutions and across channels is limited. In the past, balancing security with implementation and ease of use often came with trade-offs. New identity solutions that integrate multiple authentication technologies are changing this equation, enabling trust in identities, transactions and devices with no degradation of the user experience.”