The Green Sheet Online Edition

July 12, 2021 • Issue 21:07:01

Cracking fraud's code

By Dale S. Laszig

Post-pandemic commerce presents more choices and threats to merchants, consumers and service providers than ever before. While abundant checkout options delight consumers and merchants, they create a buffet line for bad actors who are focused on stealing our data, identities and money, according to recent reports. Statistics show attackers return to their victims and reenact the same crimes, impacting businesses, careers and costs of goods and services.

Government and private agencies, jointly combating fraud, urge businesses to engage with the Cybersecurity and Infrastructure Security Agency (CISA), the Multi-State Information Sharing and Analysis Center (MS-ISAC) and other information sharing agencies. CISA and MS-ISAC published a free ransomware guide in September 2020, with tips on preventing and responding to ransomware attacks. Businesses that maintain offline backups have no need to pay ransoms for readily accessible data, researchers noted.

The Green Sheet sought advice from cybersecurity leaders on how to deal with ransomware and other types of cyber threats. Experts interviewed herein serve on the frontlines of cyberwarfare and use advanced, automated technologies and artificial intelligence (AI) to address increasingly automated and distributed criminal attacks. Following are highlights from our discussions.

Bankrupt fraudsters

Kevin Gosschalk, chief executive officer and founder at Arkose Labs, observed payments professionals can both underthink and overthink cybercriminals. It's a mistake to view all hackers as evil geniuses, he noted, adding that most are low-level functionaries who use prepackaged tools. Reacting to attackers who infiltrate your network is not an effective security posture.

"Our strategy is more deterrence than mitigation, because even if you block 95 out of 100 attacks, one of the remaining five can fund another 29 days of attempts," Gosschalk said. "We think about solving fraud by asking why it happens. Most attacks are financially motivated, so we apply adaptive friction and challenges to bad actors to increase their cost and effort. Attackers will go elsewhere if they can't make money."

Gosschalk also observed that ransomware would disappear if people stopped paying for it. "The reason ransomware is even a thing is because we're paying these ransoms, because the pain to a business is too high and shareholders say, yeah, just pay the bill," Gosschalk said. "It all comes back to the incentive structure. When people are willing to pay the fee, there's blood in the water, and criminals will keep doing it."

Invest in AI

Anthony Winslow, vice president of product marketing at Socure, recommended making AI part of a centralized identity strategy. "AI can outsmart fraudsters while instantly approving legitimate individuals accessing services at scale," he said. "Socure's predictive analytics platform applies artificial intelligence and machine learning with trusted online/offline data intelligence from email, phone, address, IP, device, velocity, and the broad internet to verify identities in real time."

Acknowledging that AI is only as good as the data that powers its decisions, Winslow noted that Socure uses AI-driven models to curate online and offline data for a multidimensional view of identity. He explained that these models seek to understand holistic identity across different data sources and elements while contributing to an ever-growing customer feedback loop, and as they learn to tell good identities from bad, the AIs get smarter with each decision.

"Our self-learning models constantly incorporate customer feedback into our data set and employ new, innovative machine learning technologies," Winslow said. "We experiment with external data sources and model features, measuring performance against existing models; if we see something works better and is more accurate, we deploy it."

Detect unknown unknowns

Shaun Taylor-Smith, senior director and global head of solutions at ThetaRay, agreed AI models are becoming more agile and responsive. ThetaRay models test multidimensional behavioral patterns against normalcy in an ongoing, automated manner, classifying potentially suspicious events into anomaly clusters to evaluate root causes and severity and then sharing any unusual patterns with customers for further review, he stated.

"Model Drift is an important measurement of our continuous system monitoring of analysis chains," Taylor-Smith said. "As new data batches are analyzed, we signal the Admin user when model drift is detected."

In June 2021, ThetaRay released SONAR, an SaaS solution designed to enhance the company's anti-money laundering solution for correspondent banking. SONAR's AI models monitor cross-border transactions to protect payments from money laundering, human trafficking, and terrorist and narcotics financing, Smith-Taylor noted.

Know your service providers

Martin Pashley, chief commercial officer at Kompli-Global, was fed up with fraudsters gaming the system and exploiting vulnerabilities, activities that inspired the Great Kompli-Global KYB Bake-Off Challenge. "Fraudsters are becoming smarter and more collaborative in trying to get round those systems with the weakest links to commit their fraudulent crimes," he said. "We wanted to ensure payments and wider financial services businesses have all the right ingredients to stop fraud."

Pashley told The Green Sheet that the Bake-Off Challenge was intended as a novel way to highlight the power of available technology and information that companies may be missing. We're confident our solutions provide complete and accurate KYB insights, which is why we wanted to put existing systems to the test in a bake-off, he stated. Our advice is to audit the people and companies with whom you're doing business, he added.

"If you look to the market, there are providers that can complete a full audit of companies within seconds, [using AI to connect the dots] in a way that would take human professionals weeks," Pashley said. "This allows you to audit the companies you work with in a faster, more thorough way, giving you the best possible [defense] against fraud."

Payback is tough

After gaming the system for years, fraudsters may find themselves on the receiving end of being "pwned," a term that originated in video gaming when a player utterly defeats and compromises an opponent. Credential stuffing, account takeovers, social engineering and endlessly creative attack vectors have inspired proportionate responses from the infosec community. And there's a palpable thrill and monetary reward in bringing down bad actors, security leaders have noted.

Gosschalk mentioned he has met energetic, creative people on both sides of the fraud prevention industry. "We have a bug bounty program, and fraudsters will report a bug when the bug bounty is higher than the profit they would make by exploiting the vulnerability," he said. "Occasionally, a black hat will tell us where they sell accounts, how much money they made and what they spend on a daily basis to attack us. These are interesting metrics."

Gosschalk further noted that fraud prevention is never boring because the adversary is very creative and every company has a different way of monetizing stolen data. In the gaming industry, it may be game currency, and with financial institutions, it may be a more traditional approach of exfiltrating money; then there are romance scams that aim to convince people to transfer money and social media spam and phishing that entice people to click on links that install malware. These schemes are endlessly fascinating, because there are so many ways to do these attacks, he noted.

AI is the future

Security leaders agreed AI is a formidable weapon for cyber exploiters and defenders, citing the following benefits:

  • Efficiency: Gosschalk noted it would be far too expensive and time-consuming to hire people to manually test server usernames and passwords. "Bad actors use bots and scripts to carry out attacks, and Arkose Labs uses AI to set up challenges, similar to multifactor authentication, that require attackers to write specialized code, which in most cases is just not worth doing," he said.
  • Accuracy: Winslow pointed out that in addition to outpacing humans, AIs have self-learning capabilities that drive "hyper-accuracy," enabling them to continuously improve with every identity, risk and compliance decision. Socure uses these advanced functionalities to enable clients and partners to automate new account onboarding and decisioning, reduce manual reviews, fraud losses, and operational overhead and grow more rapidly. "Fraudsters are smart, but Socure's AI can outsmart those fraudsters while instantly approving the legitimate individuals accessing services at incredible scale, which is why it's so important to adopt a centralized identity strategy that meets your needs across the user lifecycle," he said.
  • Agility: Smith-Taylor noted that ThetaRay's SONAR leverages AI and machine learning to detect anomalous activities. The solution applies these technologies across SWIFT traffic and real-time and automated clearing house schemes to instantly unlock hidden insights and reveal suspicious transaction profiles. "SONAR ingests data in all major formats, including RJE, API, CSV and XML," he said. "It offers user-friendly APIs and flexible architecture to simplify integrating, maintaining and running a diversity of fintech applications, all backed by flexible global support."
  • Scale: Pashley cited AI's ability to reconfigure databases on the fly as another competitive advantage and mentioned that Kompli-Global recently launched Kompli-Investigate, a research utility designed to detect corporate entities and staff. The solution collates and reconfigures corporate structure data to keep new and changed information up to date and remaps the entire database every night, he stated, adding that this enables in-house experts to overlay known fraud characteristics and suspicious scenarios to protect users and alert stakeholders to hidden criminal activity.

Join the fight

On June 2, 2021, Anne Neuberger, deputy national security advisor for cyber and emerging technology, urged corporate leaders to be vigilant in detecting and preventing ransomware attacks by implementing the following five best practices:

  1. Back up data: Ensure that backups are regularly tested and stored offline.
  2. Update systems: Maintain updated operating systems, applications and firmware.
  3. Test incident response: Test incident response plans to confirm operations are sustainable.
  4. Check security teams: Use third-party penetration testing to assess system security.
  5. Segment networks: Separate business functions and manufacturing/production operations to ensure that networks can continue operating if isolated.

"The private sector also has a critical responsibility to protect against these threats," Neuberger wrote in an open letter. "All organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location."

A free copy of the CISA/MS-ISAC Ransomware Guide is available at: www.infosecinstitute.com/wp-content/uploads/2021/05/IQ-Whitepaper-CISA-MS-ISAC-Ransomware-Guide.pdf.

Dale S. Laszig, senior staff writer at The Green Sheet and managing director at DSL Direct LLC, is a payments industry journalist and content strategist. She can be reached at dale@dsldirectllc.com and on Twitter at @DSLdirect.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
