Why Cyber-Fraud Teams Are the Next Big Thing in Payments Security

The growing interconnectedness of digital systems, combined with the alarming ingenuity of financial criminals, has led to a convergence between payment fraud, cybercrime, and AML. As financial transactions increasingly occur online and real-time payments have expanded to over seventy countries, cybercriminals exploit these trends by developing sophisticated schemes to target vulnerabilities in digital payment systems. As a result, payment fraud has become more prevalent and more challenging to detect.

A profusion of new tools available on the Dark Web makes it easier than ever for cybercriminals to steal millions through a combination of social engineering, malware, cyberattacks, identity theft, stolen credentials, and mule accounts. These attacks expand vectors beyond traditional payment fraud methods, including cybersecurity breaches and money laundering techniques. For example, a typical attack may include:

  1. The theft of a bank employee’s credentials.
  2.  Malware is installed on the bank’s network.
  3.  Funds are routed from the bank’s account to a third bank in another country.
  4.  Withdrawals are made through multiple transactions.
  5. Millions of dollars are stolen.

This is not a new problem. As far back as 2013, the Carbanak crime group launched sophisticated attacks that showcased the merging threat vectors of cyberattack, payment fraud, and money laundering. The organization infiltrated a bank employee’s computer via phishing and infected the video monitoring system with malware. The infiltration enabled them to capture all activities on the screens of personnel handling money transfer systems. The criminals successfully manipulated international e-payment systems to move funds to offshore bank accounts and make withdrawals. In a separate attack, the gang hacked into banks in Kazakhstan and stole over US$ 4 million. They transferred the funds to 250 payment cards that were distributed throughout Europe. The stolen money was then cashed out at ATMs in a dozen countries. By the time the gang was finally caught by Europol in 2018, their thefts had approached US$ 1 billion.

The Carbanak modus operandi is an excellent example of an advanced persistent threat (APT). These threats are notoriously sophisticated, characterized by their stealthy tactics and long-term presence in a network. Unlike ordinary cyber threats focusing on quick gains, APTs are used by patient fraudsters, often lurking undetected in networks for months or even years. They carefully mine valuable data or set the stage for a large-scale, potentially ruinous attack. They get into financial systems by installing malware on a banking system, using social engineering to secure login credentials, or buying them on the dark web. Insider fraud or spear phishing attacks can also install network malware. It could be as simple as a bad actor leaving a USB device on a table at a workplace with an executable virus on it. Even though we all know better than to plug in a random USB device, people, being people, will make mistakes and plug in them anyway.

Highly-skilled, well-funded criminal organizations or state-sponsored actors often orchestrate this sort of multi-pronged attack. Fraudsters using APTs often have access to significant resources, allowing them to innovate their attack strategies continually.

The primary goal of these sophisticated attacks is to penetrate the network without detection, maintain access over a long period, and siphon off sensitive data related to financial transactions. Their approach is leisurely. Over time they collect data, redirect funds, and create fake beneficiaries. Once they infiltrate a network, they establish a strong foothold, employ various techniques to maintain their presence, and continually evolve methods to bypass security measures. They don’t initiate actions that could alert cybersecurity teams to their presence until the final attack when it’s often too late to detect them or prevent the loss of funds. Removing them can be difficult if you can find them at all. When the attack is eventually launched, it can include the theft of customer and financial information, the launching of ransom attacks, making fraudulent transactions, and laundering the funds.

Another example of a multi-vector attack occurred at a large bank in Africa. A spear-fishing email inserted malware into the bank’s ATM switch. Transactions then bypassed the host and were automatically approved. The crooks forged the bank’s credit cards and distributed them to over one hundred people in Tokyo, who then used them to withdraw money from 1400 ATMs in convenience stores. Social engineering, cyber attacks, and payment fraud vectors converged to steal US$19 million in just three hours.

Once the criminals are ready to extract the data or cash out, whether that is after a few days or a couple of years, fraudsters will often employ a diversion tactic, such as a DDoS attack, then proceed with the main attack while IT and cyber security teams are distracted by the diversionary attack.

Over time, the finance industry has seen the sophistication of attacks continue to increase, and there is no reason to expect that this trend will slow down. Early forms of attack were blunt and brute force, so organizations took the mentality of protecting the perimeter. But as attacks have become sophisticated, this approach isn’t sufficient. Today’s threats are advanced, persistent, polymorphic, and evade detection. They span all levels of the OSI stack, in particular at the network and application levels, and they result in ever-increasing losses. New forms of old attacks, such as Distributed Denial of Service attacks (DDOS), are increasingly driven by bots, with AI that mimics humans and evades detection.

Traditionally, AML is about compliance, cybersecurity focuses on preventing IT threats, and fraud programs are for detecting and preventing payment fraud. Within these organizational silos, a card-skimming fraud event would not ordinarily capture the attention of a CISO, while a fraud manager doesn’t make decisions about firewalls.

These traditional organizational silos within companies make tackling this convergence a challenge. Fraudsters exploit the gaps between information security, fraud, and risk teams. For example, in an e-commerce setting, a fraudster could run a credential-stuffing campaign using leaked data, take over accounts, check for stored payment information or add a stolen credit card, and purchase expensive luxury items.

This type of fraud affects both the retailer and its customers. The fraudster transfers stolen funds to mule accounts, which are often used for money laundering. The fraud and risk team is alerted to the situation through customer complaints or monitoring system alerts. Still, by the time the fraud, cybersecurity, and anti-money laundering (AML) teams have come together to compare notes on the attack, the fraudster has already achieved his objectives and absconded with the funds.

Given the prevalence of these converged threat vectors, the boom in digital transactions, and the growth of real-time payments, it should come as no surprise that organizations are starting to leverage the synergies to be had by eliminating organizational silos. The idea of converging cyber intelligence, AML, and fraud prevention activities to eliminate gaps in financial crime risk management has been discussed for years. Still, increasingly, organizations are moving to make this a reality.

Leading financial institutions are establishing robust financial crimes centers that bring together cybersecurity, anti-fraud, and AML teams to converge their data and processes for a more holistic view of the threat landscape. This helps financial institutions identify financial crimes across the spectrum and stay agile in their preventive operations and response.

Some large banks have already implemented a fraud fusion center to identify and defend against financial crimes and ever-evolving threats. For example, the Bank of Montreal established a fraud fusion center in January 2019, while TD Bank opened its fusion center in October of the same year. But as criminals introduce new, sophisticated techniques, banks are revamping their fusion centers and looking for improved technology to keep up.

Gartner anticipates an increase in the number of organizations implementing cyber-fraud teams over the next several years. As the initial step in the convergence program, PwC recommends that financial institutions examine their existing enterprise-wide structure and identify points where streamlining it will give senior management a centralized view of financial crime risk. Clearly documented structure with roles and responsibilities will help detect and eliminate duplicate tasks and will ensure better data visibility across departments.

McKinsey & Company suggests that strategic prevention should be key to improving the protection of the bank and its customers when working on convergence. To achieve their goals, financial institutions need to think like the criminals. Cybercriminals are looking for systems’ weak points, so when planning the defense, organizations should trace the flow of crime in order to come up with an optimized internal structure.

Access to the right data at the right time is the foundation of efficient convergence programs. Instead of collecting data and tackling crimes in the silos of compliance, fraud, and cybercrime, data fusion provides a single source of data to multiple teams. This enables a complete view of the payment transactions journey and enables faster, more effective responses to threats.
Criminals don’t make a distinction between AML, fraud, or cybercrime departments. They act based on whatever gaps in the system they can find. Information fusion is the best weapon against fraudsters. If fusion centers leverage raw payment data in real-time, captured at the network level to avoid data loss, they can derive trends and patterns that let them distinguish legitimate customer transactions from fraudulent ones.

Artificial intelligence and machine learning (ML) also support financial institutions in their privacy compliance by helping prevent data breaches. They can cut through the noise by flagging suspicious activity with precision, blocking fraudulent activities, and letting legitimate transactions complete.

Faster payments and open banking require organizations to quickly identify and respond to emerging fraud and cyberattack patterns without creating negative friction for their real customers.

At INETCO, we’ve anticipated these needs and designed INETCO BullzAI, a real-time, ML-powered software solution that addresses the converged attack vectors of payment fraud, cyberattacks, and money laundering. It provides the real-time data that fusion teams need and gives them the power to prevent cyber- and fraud attacks while reducing false positives. Get in touch to find out how we can help you implement your fusion strategy.

Author

  • Christene Best

    Christene Best, VP, Marketing & Channel Development, INETCO Chris has led marketing, sales, customer success and tech support teams for companies ranging in size from startup to Fortune 500. She launched her career with Xerox Canada in Toronto where she developed a solid foundation in sales, leadership, customer-focused process development and general management. Moving to Vancouver, BC in 1999, she shifted to enterprise software, working as sales and marketing leader for Fincentric Corporation, Klein Systems Group and Beanworks. Prior to joining INETCO, Chris served as VP Sales for AMPD Technologies. Chris has been a mentor with New Ventures BC since 2010. She also mentored for EMBERS Ventures, served on the boards of MOSAIC and Junior Achievement BC, and on the United Way of the Lower Mainland Cabinet. Chris has a B.A. (Hons) in Political Studies, and an MBA from Queen’s University in Kingston, Ontario.

Be the first to comment

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.