Fraud is as old as financial services itself. What’s new is who is doing the defrauding and how they are doing it. The banking and payments industries should keep a close eye on these new threats coming from several primary areas.
Financial institutions had it relatively easy when they were battling individual fraudsters and teens with too much time on their hands. Now they even have to go up against rogue state-sponsored attackers.
In particular, North Korea is believed to target payment systems and banking to raise funds to support weapons development. The country was implicated in the theft of millions in bitcoin and “cryptojacking” computing resources to mine bitcoin. North Korea was also suspected of stealing millions from ATMs in Asia and Africa, and possibly made off with $81 million in a fraudulent SWIFT network transaction.
Other state actors suspected of supporting cybercriminal activity include Russia, Pakistan, and China. Between March 1 and March 13, 2020, for instance, the largest number of targeted spear-phishing campaigns originated in China, according to cybersecurity operator Intsights.
Crime in the cloud is also a challenge. The consolidation powers of the cloud mean that minor mistakes in the configuration of one area can amplify into a catastrophic loss. Even the most sophisticated cloud defenses may not be up to the challenge to fend off a criminal who uses psychology to fool employees to hand over the keys to the gold room. Most breaches can be tracked back to human error.
Capital One and the $72 million misconfiguration error is an example. Capital One was considered an anti fraud poster child—until it was hit in 2019 with one of the largest cybersecurity crimes on record. A 33-year-old software engineer wormed her way into credit card applications left vulnerable by a misconfigured software firewall, allowing her to access a server where the credit applications were stored. The breach affected 100 million U.S. consumers, compromised 120,000 Social Security numbers, and exposed credit monitoring, offset by $34 million in insurance recoveries.
It was thought (or maybe just hoped) that the prevalent use of card chips in the United States would curtail POS breaches. But security surrounding these transactions remain vulnerable to skimming and other forms of attack. Sophisticated cybercriminals have learned how to suck out the purchase data and even record PIN entry at the store counter. Another approach is for fraudsters to infect a retailer’s payment system with malware, collecting transaction data. That’s what happened at a breach at Saks Fifth Avenue and Lord & Taylor in 2018, affecting up to 5 million customers. The criminals used a phishing expedition to gain access through an employee’s computer.
On the B2B payment front, increasingly sophisticated adversaries are going after high-value transactions such as wire transfers. In one of the more innovative attacks, pretexting was combined with AI to mimic a CEO’s voice with a slight German accent to authorize a quick wire transfer of $243,000 to a fraudulent location. This type of fraud will increase as adversaries hone their technical skills and add emerging technologies into their toolkits.
Most FIs offer mobile applications for customers to access their assets remotely. This trend has been reinforced during the pandemic when many banks shut their lobbies. According to the FBI, a 50 percent spike in the usage of banking apps has been observed since the start of the year.
“The FBI expects cyber actors to attempt to exploit new mobile banking customers using a variety of techniques, including app-based banking trojans and fake banking apps,” the agency announced in June. While mobile apps might appear to be secure on the surface, they are, in truth, vulnerable because they lack critical security features. Criminals have noticed, responding with fake banking apps and banking trojans, including MazarBot, BankBot, LokiBot and Anubis.
These new threats are taking their toll on FIs. Fraud losses—including losses linked to credit and debit cards—cost U.S. banks, merchants and cardholders $16.9 billion in 2019, up 15 percent from a year earlier and the highest amount since 2013, according to Javelin Strategy & Research. Companies reporting the highest costs related to payment card and bank account breaches since 2013 were Equifax, $1.7 billion; Home Depot, $298 million; and Target, $292 million, according to Audit Analytics.
But the ramifications for FIs and businesses targeted by payments fraudsters go way beyond money loss. Shockwaves exploding from a breach can cause lasting damage in loss of investor confidence, brand damage, recovery burden, and liability issues.
Fintech-Insight is dedicated to delivering unbiased and dependable insights into cryptocurrency, finance, trading, and stocks. However, we must clarify that we don't offer financial advice, and we strongly recommend users to perform their own research and due diligence.