By Dale S. Laszig
Post-pandemic commerce presents more choices and threats to merchants, consumers and service providers than ever before. While abundant checkout options delight consumers and merchants, they create a buffet line for bad actors who are focused on stealing our data, identities and money, according to recent reports. Statistics show attackers return to their victims and reenact the same crimes, impacting businesses, careers and costs of goods and services.
Government and private agencies, jointly combating fraud, urge businesses to engage with the Cybersecurity and Infrastructure Security Agency (CISA), the Multi-State Information Sharing and Analysis Center (MS-ISAC) and other information sharing agencies. CISA and MS-ISAC published a free ransomware guide in September 2020, with tips on preventing and responding to ransomware attacks. Businesses that maintain offline backups have no need to pay ransoms for readily accessible data, researchers noted.
The Green Sheet sought advice from cybersecurity leaders on how to deal with ransomware and other types of cyber threats. Experts interviewed herein serve on the frontlines of cyberwarfare and use advanced, automated technologies and artificial intelligence (AI) to address increasingly automated and distributed criminal attacks. Following are highlights from our discussions.
Kevin Gosschalk, chief executive officer and founder at Arkose Labs, observed payments professionals can both underthink and overthink cybercriminals. It's a mistake to view all hackers as evil geniuses, he noted, adding that most are low level functionaries who use prepackaged tools. Reacting to attackers who infiltrate your network is not an effective security posture.
"Our strategy is more deterrence than mitigation, because even if you block 95 out of 100 attacks, one of the remaining five can fund another 29 days of attempts," Gosschalk said. "We think about solving fraud by asking why it happens. Most attacks are financially motivated, so we apply adaptive friction and challenges to bad actors to increase their cost and effort. Attackers will go elsewhere if they can't make money."
Gosschalk also observed that ransomware would disappear if people stopped paying for it. "The reason ransomware is even a thing is because we're paying these ransoms, because the pain to a business is too high and shareholders say, yeah, just pay the bill," Gosschalk said. "It all comes back to the incentive structure. When people are willing to pay the fee, there's blood in the water, and criminals will keep doing it."
Anthony Winslow, vice president of product marketing at Socure, recommended making AI part of a centralized identity strategy. "AI can outsmart fraudsters while instantly approving legitimate individuals accessing services at scale," he said. "Socure's predictive analytics platform applies artificial intelligence and machine learning with trusted online/offline data intelligence from email, phone, address, IP, device, velocity, and the broad internet to verify identities in real time."
Acknowledging that AI is only as good as the data that powers its decisions, Winslow noted that Socure uses AI-driven models to curate online and offline data for a multidimensional view of identity. He explained that these models seek to understand holistic identity across different data sources and elements while contributing to an ever-growing customer feedback loop, and as they learn to tell good identities from bad, the AIs get smarter with each decision.
"Our self-learning models constantly incorporate customer feedback into our data set and employ new, innovative machine learning technologies," Winslow said. "We experiment with external data sources and model features, measuring performance against existing models; if we see something works better and is more accurate, we deploy it."
Shaun Taylor-Smith, senior director and global head of solutions at ThetaRay, agreed AI models are becoming more agile and responsive. ThetaRay models test multidimensional behavioral patterns against normalcy in an ongoing, automated manner, classifying potentially suspicious events into anomaly clusters to evaluate root causes and severity and then sharing any unusual patterns with customers for further review, he stated.
"Model Drift is an important measurement of our continuous system monitoring of analysis chains," Taylor-Smith said. "As new data batches are analyzed, we signal the Admin user when model drift is detected."
In June 2021, ThetaRay released SONAR, an SaaS solution designed to enhance the company's anti-money laundering solution for correspondent banking. SONAR's AI models monitor cross-border transactions to protect payments from money laundering, human trafficking, and terrorist and narcotics financing, Smith-Taylor noted.
Martin Pashley, chief commercial officer at Kompli-Global, was fed up with fraudsters gaming the system and exploiting vulnerabilities, activities that inspired the Great Kompli-Global KYB Bake-Off Challenge. "Fraudsters are becoming smarter and more collaborative in trying to get round those systems with the weakest links to commit their fraudulent crimes," he said. "We wanted to ensure payments and wider financial services businesses have all the right ingredients to stop fraud."
Pashley told The Green Sheet that the Bake-Off Challenge was intended as a novel way to highlight the power of available technology and information that companies may be missing. We're confident our solutions provide complete and accurate KYB insights, which is why we wanted to put existing systems to the test in a bake-off, he stated. Our advice is to audit the people and companies with whom you're doing business, he added.
"If you look to the market, there are providers that can complete a full audit of companies within seconds, [using AI to connect the dots] in a way that would take human professionals weeks," Pashley said. "This allows you to audit the companies you work with in a faster, more thorough way, giving you the best possible [defense] against fraud."
After gaming the system for years, fraudsters may find themselves on the receiving end of being "pwned," a term that originated in video gaming when a player utterly defeats and compromises an opponent. Credential stuffing, account takeovers, social engineering and endlessly creative attack vectors have inspired proportionate responses from the infosec community. And there's a palpable thrill and monetary reward in bringing down bad actors, security leaders have noted.
Gosschalk mentioned he has met energetic, creative people on both sides of the fraud prevention industry. "We have a bug bounty program, and fraudsters will report a bug when the bug bounty is higher than the profit they would make by exploiting the vulnerability," he said. "Occasionally, a black hat will tell us where they sell accounts, how much money they made and what they spend on a daily basis to attack us. These are interesting metrics."
Gosschalk further noted that fraud prevention is never boring because the adversary is very creative and every company has a different way of monetizing stolen data. In the gaming industry, it may be game currency, and with financial institutions, it may be a more traditional approach of exfiltrating money; then there are romance scams that aim to convince people to transfer money and social media spam and phishing that entice people to click on links that install malware. These schemes are endlessly fascinating, because there are so many ways to do these attacks, he noted.
Security leaders agreed AI is a formidable weapon for cyber exploiters and defenders, citing the following benefits:
On June 2, 2021, Anne Neuberger, deputy national security advisor for cyber and emerging technology, urged corporate leaders to be vigilant in detecting and preventing ransomware attacks by implementing the following five best practices:
"The private sector also has a critical responsibility to protect against these threats," Neuberger wrote in an open letter. "All organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location."
A free copy of the CISA/MS-ISAC Ransomware Guide is available at: www.infosecinstitute.com/wp-content/uploads/2021/05/IQ-Whitepaper-CISA-MS-ISAC-Ransomware-Guide.pdf.
Dale S. Laszig, senior staff writer at The Green Sheet and managing director at DSL Direct LLC, is a payments industry journalist and content strategist. She can be reached at firstname.lastname@example.org and on Twitter at @DSLdirect.
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next