Traditional approaches to cyber security in payments aren’t working – and the recent huge rise in hacks and fraud proves it. James Wood says it’s time for a radical shift in how we approach cyber security in payments.
At the moment, the payments industry is showing a disturbing lack of urgency about the rapid rise in cyber-attacks, especially those linked to financial fraud. Sure, hacktivism and in particular state-sponsored attacks grab all the headlines.
But a mid-2021 study from Hackmageddon shows only 13 percent of all cyber-attacks are linked to terrorism or political activity, with the huge majority of attacks (87 percent) linked to financial crime.
“87% of all cyber-attacks are linked to financial crime.”
What’s more, attackers no longer need to come in through the company mainframe. The World Economic Forum (WEF) has conducted research showing that a third of all cyber attacks access systems through mobile devices, and – disturbingly given the rising popularity of crypto – another fifth (21 percent) come through crypto-mining (cryptojacking) malware on linked third-party devices such as home computers.
These statistics matter. Leaving aside the raw cost of cyberattacks to business – estimated at half a million dollars a year on average for every company in Europe and North America – security breaches also erode consumer trust in digital business at a time when all businesses are migrating to digital payments.
A recent study from KPMG claimed that one in five shoppers would never use a business again after a major cyber breach, while another third of shoppers would stay away from that merchant for at least three months.
Cyber security used to be simpler
Twenty years ago, things were simpler – if not any easier. Back in the day, companies employed firewalls to defend their corporate networks. This mostly worked at a time when phones were still dumb and everyone worked in offices except when they were on business trips. If people worked out of the office, regularly updated firewalls and controlled usage policies that banned suspect sites did an OK job.
How times have changed. These days, most enterprises use cloud storage as a minimum, while many of the most innovative payments companies are FinTechs with their entire operations in the cloud. Even before COVID-19, working from home was on the rise, with first-generation distributed and collaborative technologies such as Skype growing fast.
As long ago as 2014, 15 percent of the US workforce worked remotely at least part of the time: by 2021, that figure had risen to 61 percent. While that number will decline as COVID recedes, it’s likely to remain higher than in the past.
“With two-thirds of employees working from home, and devices used for everything from shopping to videoconferencing, malware risk is shooting up.”
Add to this the fact that mobile devices are used for almost everything these days, from work calls to shopping and socialising, and it’s clear that companies face a new and complex landscape in which mobile devices, tablets and laptops are paired with corporate networks.
Needless to say, this creates a risk multiplier in which – for example – an employee might acquire malware from an e-commerce website which then infects their company’s cloud operations. This is especially the case when people are working or shopping across borders – something one-third of users in Europe and North America do at least once in any given year.
Just how bad things have got – and how rapidly – can be seen in a new study from BAE Systems which reports 74 percent of banks experienced a rise in cyber crime in the first year of the pandemic, and overall financial cybercrime went up by almost a third – at a time when security budgets were being cut to save money.
The link between these attacks and the wide range of devices being used to access corporate networks can be seen in Verizon’s 2020 Data Breach Investigations Report (DBIR), which shows that mistakes made by individuals, ID theft and attacks via social media account for two-thirds of all successful attacks.
Covering every base – and then some
Nadav Namaan is Chief Product Officer at PayU, a payment services provider (PSP) operating across borders in more than 50 markets worldwide. Namaan says cybersecurity is now top of mind for PSPs, since recent cyberattacks – including those outside the payments universe, such as the breach reported in India’s Aadhaar digital ID register in 2018 – have negatively affected their ability to deliver a smooth payments experience.
“Fraud is increasingly coming through the mobile channel, and is being executed by authenticated buyers. While developments like PSD2 in Europe have helped to step up authentication, we believe better merchant education is going to help them identify and control fraud – alongside other measures.”
“Governments and regulators have a role to play in a co-ordinated approach to fight cybercrime, including establishing standards between markets.” – Nadav Namaan, PayU
Namaan says merchant education initiatives include a better understanding of the risks associated with sending links to customers by email, and monitoring interactions so that each one can be tied back to a particular user ID.
At the same time, he believes cyber-risk will remain elevated until there’s more and better coordination across borders, including the development of minimum standards for digital ID and the local integration of international payments systems.
Cyber security – Radical rethink required
Michael Farrell, Principal Technical Director at Microsoft Azure, says companies urgently need to switch their approach from protecting their digital assets behind firewalls and passwords to an approach fit for today’s multiple-device, cloud-based and distributed technologies.
Two principles should inform this new approach, according to Farrell: the principle of zero trust, and the capacity to inspect the memory of any and all assets in a cloud-based system.
“Zero trust starts from the assumption that your system has already been breached”, he says. “Telemetry is pervasive. It begins by enforcing least privileged access across the ecosystem – which means users get just-enough-access, just-in-time across your entire digital estate.
For each engagement, explicit verification is required – this allows for context-based decisions depending on risk profiles that can be adapted, as you see fit.”
While this sounds daunting for a payments industry seeking to reduce friction rather than introduce further layers of security, Farrell believes the combination of continuous authentication and authorization, device health assessment, and geo-location and geo-fencing features – which identify where a user’s device is and allow certain functions to be closed off outside an expected area – will make verifying identity easier, not harder.
Some civil liberties campaigners may balk at the use of geo-location technologies to prevent fraud – but Farrell believes they’re a key component in confirming a match between user ID and device. In other words, making sure that people are who they claim to be, and that they’re using their device where they say they are. Organizations can tweak these thresholds based on risk tolerance and relevant local laws.
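The adaptive, per-request verification Farrell describes can be made concrete with a small policy decision point. The code below is an added example, not code from the article, Microsoft or Azure: every request is checked explicitly against identity (MFA, device enrolment), device health, and a geo-fence; the checks are folded into a risk score; each action has its own risk ceiling that an organisation can tune to its risk tolerance and local law; and a successful decision is a short-lived, just-in-time grant that must be re-verified when it expires. All names, weights, thresholds, coordinates and sample data are assumptions for illustration.

```python
"""Added example: a minimal zero-trust policy decision point.
Not from the article or Microsoft; all weights, thresholds and names are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import math


@dataclass
class Device:
    device_id: str
    disk_encrypted: bool
    os_patched: bool
    edr_healthy: bool        # endpoint agent reporting and not tampered with
    registered_to: str       # user the device is enrolled to


@dataclass
class Request:
    user: str
    device: Device
    mfa_verified: bool       # strong authentication completed for this request
    lat: float
    lon: float
    action: str              # e.g. "view_ledger", "approve_refund"


@dataclass
class Policy:
    fence_lat: float         # centre of the geo-fence where the action is expected
    fence_lon: float
    fence_radius_km: float
    max_risk: dict = field(default_factory=dict)   # per-action risk ceiling (tunable)
    grant_ttl: timedelta = timedelta(minutes=15)    # just-in-time grant lifetime


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = math.radians(lat2 - lat1)
    dl = math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def risk_score(req, policy):
    """Explicit verification: combine identity, device-health and location signals
    into a single score. Higher means riskier. Weights are illustrative."""
    score, reasons = 0, []
    d = req.device
    if not req.mfa_verified:
        score += 50; reasons.append("no_mfa")
    if d.registered_to != req.user:
        score += 40; reasons.append("device_user_mismatch")
    if not d.disk_encrypted:
        score += 10; reasons.append("disk_unencrypted")
    if not d.os_patched:
        score += 15; reasons.append("os_unpatched")
    if not d.edr_healthy:
        score += 25; reasons.append("edr_unhealthy")
    dist = haversine_km(req.lat, req.lon, policy.fence_lat, policy.fence_lon)
    if dist > policy.fence_radius_km:
        score += 30; reasons.append(f"outside_geofence:{dist:.0f}km")
    return score, reasons


def decide(req, policy, now=None):
    """Evaluate one request. Unknown actions have no ceiling and are denied
    (deny by default). An allow is a time-boxed grant, not a standing permission."""
    now = now or datetime.now(timezone.utc)
    score, reasons = risk_score(req, policy)
    ceiling = policy.max_risk.get(req.action, -1)
    allowed = score <= ceiling
    return {
        "allow": allowed,
        "risk": score,
        "reasons": reasons,
        "issued_at": now,
        "expires_at": (now + policy.grant_ttl) if allowed else None,
    }


# Assumed policy: refunds are approved from the London office; read-only ledger
# views tolerate more risk (e.g. travelling staff) than money-moving actions.
POLICY = Policy(51.5074, -0.1278, 50.0,
                max_risk={"view_ledger": 30, "approve_refund": 10})

if __name__ == "__main__":
    laptop = Device("lt-001", True, True, True, "alice")
    in_office = Request("alice", laptop, True, 51.51, -0.13, "approve_refund")
    abroad = Request("alice", laptop, True, 52.2297, 21.0122, "approve_refund")
    print(decide(in_office, POLICY))   # allowed, risk 0, short expiry
    print(decide(abroad, POLICY))      # denied: outside geo-fence for a refund
```

The point of the per-action ceilings is that the same signal (a device outside its usual geography) can be tolerated for a low-impact action and blocked for a money-moving one, which is how a payments firm keeps friction low without giving everything the same weak check.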
As we’ve seen, the use of multiple devices to access networks dramatically raises the risk of malware on one device infecting an entire network, as well as the risk of bad actors using a permissioned device to access a network for nefarious purposes.
Attackers also seek to stealthily infect the source data and application that all users rely upon. Microsoft’s Farrell says new developments in the security fabric of the cloud will help to identify the most sophisticated threats and detect new breaches as they occur.
“Growth in the number and type of devices accessing networks and their pervasive use of cloud – especially when it comes to payments – is accelerating”, he says.
“To fight breaches and fraud, we need a real-time solution that’s capable of detecting the most advanced threats moments after they first show up on the system. This solution needs to operate without burdening the system and discover the most stealthy threats used by crime syndicates and nation state actors – these threats are resident only in system memory.”
Microsoft’s Project Freta is the first cloud-based system available which claims to be able to achieve this via a technique they call “trusted sensing.”
In essence, the service takes a snapshot of the volatile memory of a running cloud virtual machine (Linux images at launch) and sweeps it for malware that has no footprint on disk and would be missed by file-based scanning. Named after the street in Warsaw where Marie Curie was born, Microsoft say Freta can perform full memory audits of all the cloud-based assets of a company.
“By scanning all of the memory associated with an organisations’ cloud operations for malware, we make system-based hacking and fraud an incredibly onerous and expensive process for the most sophisticated criminals and attackers. Put simply, fraud quickly becomes more hassle than it’s worth when your cloud-based fraud attempts are being recorded and assessed in real time.”
Cyber security: The damage done – and the fix
Thanks in part to COVID-19, and boosted by the application of yesterday’s solutions to today’s problems, cyber-attacks and payments fraud in digital channels are at an all-time high.
According to Abnormal Security, the first six months of 2021 saw an almost 50 percent increase in the number of “phishing” attacks from cloned corporate e-mail addresses, while almost two-thirds of firms (61 percent) said they had been the victim of attempted fraud via a hacked e-mail account from one of their suppliers.
“Cyber-attacks in payments are at an all-time high. The first six months of 2021 saw a 50% increase in the number of phishing attacks.”
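The “cloned corporate e-mail address” and “hacked supplier account” attacks in the Abnormal Security figures are usually caught by checks on the sender, not the payload. The code below is an added example, not from the article or Abnormal Security: it parses a handful of constructed messages, compares the sender domain against an assumed supplier allowlist after normalising homoglyphs (Cyrillic look-alikes, digit-for-letter swaps, IDNA-encoded labels), flags near-miss domains by edit distance, and flags the case where a genuine supplier address carries a Reply-To pointing somewhere else, which is how a compromised or spoofed account redirects the conversation. The allowlist, confusable table, distance threshold and messages are all assumptions for illustration.

```python
"""Added example: flag inbound mail whose sender impersonates a trusted domain.
Not from the article or Abnormal Security; allowlist, mappings and messages are assumed."""
import email
import unicodedata
from email.utils import parseaddr

# Assumed allowlist of domains this merchant actually does business with.
TRUSTED_DOMAINS = sorted({"acmepay.example", "supplier-one.example"})

# Small confusable table (subset, for illustration): Cyrillic letters that render
# like Latin ones, and digits commonly swapped for letters.
CYRILLIC_TO_LATIN = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
                     "\u0441": "c", "\u0443": "y", "\u0445": "x"}
DIGIT_TO_LETTER = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
MULTI_CHAR = (("rn", "m"), ("vv", "w"))          # "rn" reads as "m", "vv" as "w"
LOOKALIKE_MAX_DISTANCE = 2                        # assumed threshold


def normalise_domain(domain):
    """Map a domain to the string a human would *see*, so look-alikes collide."""
    d = domain.strip().lower().rstrip(".")
    try:                                          # decode xn-- (IDNA) labels
        d = d.encode("ascii").decode("idna")
    except UnicodeError:
        pass                                      # already Unicode, nothing to decode
    d = unicodedata.normalize("NFKD", d)
    d = "".join(CYRILLIC_TO_LATIN.get(ch, ch) for ch in d)
    for multi, single in MULTI_CHAR:
        d = d.replace(multi, single)
    return d.translate(DIGIT_TO_LETTER)


def levenshtein(a, b):
    """Edit distance; small enough to inline rather than pull a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_addr, reply_to=None):
    """Return (verdict, detail). Verdicts: trusted, reply_to_mismatch,
    homoglyph, lookalike, unknown."""
    dom = from_addr.rsplit("@", 1)[-1].lower()
    if dom in TRUSTED_DOMAINS:
        if reply_to:
            rdom = reply_to.rsplit("@", 1)[-1].lower()
            if rdom != dom:                       # genuine sender, redirected replies
                return "reply_to_mismatch", rdom
        return "trusted", dom
    norm = normalise_domain(dom)
    for trusted in TRUSTED_DOMAINS:
        if norm == normalise_domain(trusted):     # identical once confusables collapse
            return "homoglyph", trusted
    for trusted in TRUSTED_DOMAINS:
        if levenshtein(norm, normalise_domain(trusted)) <= LOOKALIKE_MAX_DISTANCE:
            return "lookalike", trusted           # typosquat / extra hyphen
    return "unknown", dom


# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = [
    "From: Accounts <ap@supplier-one.example>\n"
    "Reply-To: Accounts <ap@supplier-one-billing.example>\n"
    "Subject: Updated bank details\n\nPlease pay to the new account.\n",
    "From: Finance <cfo@acmepay.examp1e>\nSubject: Urgent wire\n\nSend today.\n",
    "From: Finance <cfo@supplier-\u043ene.example>\nSubject: Invoice 4471\n\nAttached.\n",
    "From: Ops <ops@supplier-one.example>\nSubject: Weekly report\n\nAll fine.\n",
    "From: Sales <hi@totally-unrelated.example>\nSubject: Hello\n\nHi.\n",
    "From: Finance <ar@acme-pay.example>\nSubject: Overdue\n\nPay now.\n",
]


def scan_messages(raw_messages=SAMPLE_MESSAGES):
    """Parse each raw RFC 822 message and classify its sender."""
    results = []
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        _, from_addr = parseaddr(msg.get("From", ""))
        _, reply_to = parseaddr(msg.get("Reply-To", ""))
        verdict, detail = classify_sender(from_addr, reply_to or None)
        results.append((msg.get("Subject"), verdict, detail))
    return results


if __name__ == "__main__":
    for subject, verdict, detail in scan_messages():
        print(f"{verdict:18s} {detail:30s} {subject}")
```

The Reply-To check matters most for the supplier-compromise case: the From address is genuinely the supplier’s, so authentication (SPF/DKIM) passes, and only the redirected reply path gives the game away.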
That’s the bad news. The good news is that the switch to digital is creating opportunities for payments companies to completely rethink how they approach cyber-security and anti-fraud measures, taking a fresh look not just at their approach, but what’s new out there.
While firewalls, strong passwords and other measures have their place, even the most cursory glance at the numbers tells us a completely new approach is needed if consumer trust in the payments system – so vital to profitable growth – is to be maintained.
The Shifting Sands of Cybercrime
While recent reports from Kaspersky and others point to a decline in “traditional” cybercrime attacks such as credentials theft, there’s no question of cybercrime going away any time soon. Instead, the evidence is that criminals are now targeting companies and even regulators. Most recently, the UK’s FCA has reported it receives 80,000 malicious emails every month.