Know Your Enemy: How banks can identify and beat the evolving threat of financial crime
We know that criminals will often use any means to achieve their end – and in financial crime, the smarter ones are making the most of a world of new technologies and the opportunities they present.
This blog is about some of the tactics used to target individual customers’ accounts, so I won’t be talking about two of the biggest existential threats any institution faces just now: Insiders and Nation State Actors.
One of the key difficulties in knowing the enemy is that criminals are always going to be 10 steps ahead of financial institutions, says Ryder: “Laws are always going to be reactionary, as are policies, so it’s like fighting a fire with a small garden hose.” Prevention and early warning systems are key.
Insider threats (both malicious and unintentional) can lead to widespread issues, and organised, often nation-state-backed, actors have recently moved away from individual account compromise and towards staging large-scale attacks targeting infrastructure like payment systems. But that overlooks one thing: hacked customers are vocal, angry and sometimes betrayed customers, and it really is in the best interest of an institution to ensure their security is maintained.
Mobile technology allows customers complete control over their banking security via their smartphones; however, recent fraud cases have seen criminals virtually hijacking mobile phones to intercept alerts and texts.
“Phones were never intended to be verification devices, so they are now the weakest security link in a lot of ways,” explains Richard Graham, Head of Business Solutions (Americas) at BAE Systems Applied Intelligence. He adds, “If you change your password, your bank will send a verification message. If you log into your online banking account from a new computer, you get a text sent to your phone.”
Clever hackers are now able to compromise identities to log into existing mobile phone accounts and convince phone companies to port the number to a new device. Some use insider intelligence in the phone store or strategically placed call-centre employees to facilitate the takeover. However they do it, says Graham, “Your phone no longer works and someone else has been able to send fraudulent payments out of the bank through your account with their device getting all of the authentication messages.” Moreover, this mobile technology is affording criminals the type of anonymity they used to only dream of: “You can walk down the street and use your neighbour’s Wi-Fi or go to a coffee chain,” he says.
Video is becoming an increasingly appealing vehicle for social engineering and phishing: social-media users are told to watch a video message from a “friend” and then to enter their login details to proceed.
Banking biometrics, developed as a security measure, could mean that criminals resort to more violent means – physically forcing their victims to comply with checks. While biometrics is a boon to financial security, it could also provide criminals with another technology to exploit. Graham believes that we might see criminals using increasingly high-powered cameras to take photographs: “If you can get a person’s fingers at a great enough resolution, you could ‘print’ their fingertips, rendering fingerprint biometrics useless for certain people in the long run.” New opportunities for crime will always present themselves, with every new technology: “Where there’s a will, there’s a way.”
To find out more, get the full report at https://content.baesystems.com/banking-know-your-enemy