Fighting a Shared Threat: Fraud & Security Merges in Banks and FinServ
Separating anti-fraud and cyber-sec activities in independent operating groups within credit unions, banks and other financial services firms (aka ‘FinServ’) actually compounds the problem of developing and deploying effective solutions. The reason is that there is minimal leveraged learning and limited or no joint procedures, processes, and teams to detect and prevent fraud schemes and breaches.
To do so, security and fraud prevention teams would need to reach out of their silos and cross organizational boundaries to simultaneously tackle bifurcated challenges. They would need to understand both problems and combine their playbooks, know both types of bad actors, share intelligence about threat vectors, find sources of government or law enforcement support, evaluate new technologies or access legacy solutions, and find other fixes.
We know the following:
- Cyber-fraud is a criminal activity that includes hacking, phishing, vishing, spamming, ATM skimming, fake transactions, and various types of fraud schemes using false identities (especially synthetic identity fraud or SIF). Credit unions, banks and many other FinServ firms tend to place anti-fraud activities together in one group organizationally and operationally that is separate from the cyber-security group.
- Cyber-security or Cyber-sec includes cyber-threats and attacks that map to a variety of “hacks” and specifically, adware, bots, crypto-exploits, DDoS attacks, phishing, malware, ransomware, security breaches, trojan horses, worms, viruses, and others. While many cyber-security exploits use active measures, such as machine learning and other tools, others use passive measures, such as malware or viruses embedded in emails, etc. Credit unions, banks and many other FinServ firms tend to place the cyber-security group organizationally and operationally separate from the anti-fraud group.
Risk officers, academics, government officials and other experts consider fraud and security breaches an asymmetric threat that is increasingly interlinked. Asymmetric threats are a broad and unpredictable spectrum of digital activities conducted by nation states, criminal organizations, terror groups, hacker groups, or individual hackers. They typically target weaknesses and vulnerabilities in the computers, software, systems, devices, and networks of businesses and specifically, the banking and FinServ industry. By this definition, we know that both anti-fraud and cyber-security activities are separately designed and implemented to thwart asymmetric threats often created by perpetrators with common traits and similar motivations, and who utilize the same or similar tools, and run the same or similar playbooks.
By combining anti-fraud and cyber-sec activities, banks and FinServ firms can reduce the complexity, impact and costs associated with waging a two-front war against these asymmetric threats. This combination would create significant economies of scale since these firms would be better prepared to deal with current and new threats, to use new technologies, and to seek out help from new sources of support.
Tools – specifically, machine learning – represent a threat offset by anti-fraud and cyber-security convergence. The preferred tool among today’s more sophisticated bad actors is machine learning. These top players favor ML because many governments and businesses have not yet built countermeasures against it. SIF is a good case in point. SIF attacks are created by combining machine learning algorithms and personal data – or personally identifiable information (PII). There is a long list of data items that fall into the PII category. It includes full names, Social Security numbers, driver’s license numbers, bank account numbers, passport numbers, email addresses, and more. Lots of these data items are available on the Dark Web and social media. When ML goes to work using PII, bad things happen.
The only way to address the security challenges related to the use of ML with PII is with ML solutions. In this case, for example, old school rules-based systems will neither work nor keep pace with the dynamic changes associated with ML at scale. That scary picture is of auto-generated synthetic identities by the thousands that are then used to infiltrate hundreds of institutions simultaneously. It’s a numbers game that’s exacerbated by ML, and one that reaps massive rewards for the criminals behind these schemes. For institutions to stay ahead of the curve, novel ML solutions and organizational alignments are necessary. It’s in fact the only way FinServ firms will be able to counter the threats and stay ahead – or at least catch up and stay even.
The learning around machine learning is a two-way street. Not only do bad actors learn on their own how to harness ML, but they also learn from other bad actors. We know that nation states will share hacks, tips ‘n’ tricks and playbooks with criminal organizations and even terror groups. Many believe that ML-driven SIF originated with this cooperation scenario.
But on the other side of the fence, credit unions, banks and FinServ firms could learn from their own internal anti-fraud and cyber-sec groups working together on analytics, countermeasures and intel sharing. Also, when one institution is organized and uniformly aligned, it is in a position, in turn, to work with other firms in the financial industry. The U.S. Government learned a very painful lesson in the aftermath of 9/11 when it was revealed that agencies – especially, the FBI and CIA – were competing with one another rather than cooperating and sharing information.
It’s not only the perpetrators and their tools that will drive the merger of anti-fraud and security, but also their motivations and techniques. The main motivation that drives these entities is money. For nation states (such as China, Russia, North Korea, Iran and others), the ill-gotten gains are often put into efforts to cause the decline of the United States, diminishing its international leadership and prestige. For criminal organizations (such as the Russian Mafia, Asian criminal organizations in each country, and others) the motivation after money or funding is digital transformation and technology leadership (so their criminal enterprises can be more effective). For terror groups and hacker groups – after remuneration – their main objective is to use the proceeds to spread fear, shock and terror. Finally, individual hackers have a range of motivations but after monetary compensation, achieving fame through hacking feats is a leading driver for them.
Finally, techniques are shared by fraudsters and cyber-sec hackers – another unifying theme driving this merger. While SIF is a type of identity theft used by bad actors to create initial funding that leads eventually to a “bust-out”, both fraudsters and hackers use social engineering with internal cooperation, multi-party pyramid schemes, NSA tools to listen through mobile phones or crack passwords and crypto, and other social engineering, network and software coding techniques.
In banks and FinServ firms, the convergence of anti-fraud and cyber-security is inevitable given that they are shared asymmetric threats, and that the motivations, tools, and techniques of the perpetrators have so many similarities. But equally important drivers are the positive elements of leveraged learning, the benefits of intelligence sharing, and the lower costs associated with merged activities.