Cybercrime evolution

by Administrator
Issue: North America I 2015
Article no.: 2
Topic: Cybercrime evolution
Author: Nick Mothershaw
Title: Director of Fraud & Identity Solutions
Organisation: Experian

About author

Nick Mothershaw is the Director of Fraud and Identity Solutions, Experian.

Nick has been with Experian for over nine years. Previously Nick was a director of a company providing global solutions within the broader Criminal Justice arena. Here he architected the Scottish Intelligence Database: the only cross force intelligence sharing and matching solution in the UK. He also exported best of breed UK crime management systems to Australia and the US. Nick has also worked for IBM in the healthcare and utilities sector, and began his career as a mainframe systems analyst with a large UK brewer and pub company.

Nick holds a degree in Computer Science from Staffordshire University.

Article abstract

With hundreds of thousands of cyber-security incidents occurring every single day, company boardrooms have been obliged to respond. Security reviews are standard practice. The C-suite is also now largely fluent in the language of cyber-security, while information security officers are pretty much guaranteed the board’s ear at any given moment.

Full Article

There was a lot of debate around 2014 being the year of the data breach. But in all likelihood it will get worse before it gets better – so more big names are likely to fall foul of mass hacks this year, writes Nick Mothershaw, Experian’s Director of Fraud & Identity Solutions.
The proliferation of malware and routes to hack is relentless and shows no sign of slowing. The tenacity and inventiveness of fraudsters never cease to amaze either. Recent ‘innovations’ include Samsung-lookalike smart phones being sold with malware already embedded and infected e-cigarettes that can steal a PC’s data if they are recharged via their innocent-looking USB plugs.
But the numbers speak for themselves with high-profile data breaches affecting nearly all of us in some way – almost on a daily basis in one form or another – be they Heartbleed, the Bash bug, Shellshock, or as a result of any of the millions of Trojans and unique strains of malware that are out there.
The US Justice Department estimates identity theft affects around 17 million consumers and accounts for more than US$25 billion in losses. But as technologies evolve and information security tightens, fraudsters become savvier and more sophisticated.
At the same time, digital technology and consumer trends are diversifying and changing at an incredible rate – again pretty much by the day. They’re also constantly informing the way we interact with our customers and key stakeholders.
Of course this, quite rightly, is driving an increased focus on the consumer – particularly the digital customer – and their journey and experience. It’s a trend that’s going to continue given our increasing reliance on smart phones, the continued proliferation of tablets, hand-held devices, related apps and numerous on-line channels.
Clearly fraud management must offer a comprehensive view of the customer. In order to achieve it, authentication processes need to be seamless and straightforward to allow both the consumer and the business to feel confident in any transaction’s legitimacy, while safeguarding a positive customer experience at the same time.
But with hundreds of thousands of cyber-security incidents every single day, company boardrooms have been obliged to respond. Security reviews are standard practice. The C-suite is also now largely fluent in the language of cyber-security, while information security officers are pretty much guaranteed the board’s ear at any given moment.
It means cyber-security is now at the top of boardrooms’ agendas around the globe amid a constant drive to protect the consumer, seamlessly improve efficiency, while reducing companies’ exposure to risk – from fraudsters and ID thieves – as well as safeguarding and growing commercial positions.
Behind the scenes we’re fighting a sophisticated, interconnected, resourceful and growing army of digital fraudsters. They’re fast, inventive, enjoy online anonymity, constantly have the advantage of surprise – and they’re happy to exploit any route to fraud.
On average, a cyber-attack takes around six months to detect and deal with. So adopting a pro-active stance to get ahead and stay ahead of the fraudsters with a multi-layered detection strategy is critical.
Consider the waves of cyber-attacks and data breaches on both sides of the Atlantic during the past 12 months. Millions of consumers had their identity data exposed. Millions more were put at risk. The instant a breach hits the headlines – and thanks to our accelerated culture of 24-hour rolling news it doesn’t take long – credibility, loyalty and consumer trust simply evaporate.
But regardless of how stolen data gets used, breaches pose serious dangers to all consumers, retailers, ecommerce outlets and financial institutions alike. It’s clear banking and ecommerce are often at the thin end of the global threat. They can be the richest source for financial, payments and identity data and also offer legitimate-looking opportunities to quickly monetise, move and cash out any ill-gotten gains. Sadly, many organisations are still to deploy effective defences against this unseen, unregulated and networked enemy.
As soon as a data breach is spotted, it is critical for organisations to complete a forensic review of the attack, identify and clarify their points of vulnerability, and analyse precisely what data was stolen and how the fraudsters got away with it. As with recent breaches, the initial scope of investigations quickly expands into something much larger – especially if the regulators and politicians decide to wade in. Complete visibility of all customer data and transactions across all channels is critical. Keep drilling down until the root cause can be identified, analysed and protected against any repeat attacks – because if fraudsters get away with it once you know they’ll be back for a second go.
For many companies this level of deep and consolidated insight rarely exists. Do you really know who is actually logging into customers’ accounts? Often without realising there’s been a data breach, consumers can fall prey to phishing attacks and unwittingly disclose the virtual keys to their online kingdoms. No one wants to turn away legitimate or sizeable transactions that are evidently from loyal customers – but with revenue, reputation and brand at stake, the potential risk simply cannot be ignored.
Of course data breaches are nothing new. Recent examples have highlighted how we’re creatures of habit and shown our tendency to reuse online identities, often based on a single e-mail address, username, or password combination.
It means that any well-designed phishing e-mail which comprises a recognisable brand logo, a well-known network administrator or legitimate looking address, can quickly open the door to a goldmine of customer payment and identity data. Once the stolen identity data is out, the fraudsters are away and off into the ether. Armed with stolen personal details, criminals have the opportunity to fraudulently open additional accounts, submit bogus applications for credit cards, bank accounts, store cards – often on an industrial scale and in the names of thousands of unsuspecting victims.
But being forewarned is as good as being forearmed. Knowing and spotting the enemy early offers a huge advantage. As attackers grow increasingly sophisticated, it is virtually impossible to identify fraudulent online transactions without being able to accurately identify the device behind the transaction. Clear visibility into fraud attacks is difficult given the relative anonymity of the web, but transactions underpinned by reliable device intelligence combined with real-time risk analysis help provide far greater protection.
It’s also always worth considering manual reviews of transactions as and when appropriate. Re-tasking and moving staff away from the demands of their day-to-day roles may seem like a costly burden and waste of resources, but it is often invaluable to have fraud investigators review a higher percentage of transactions during periods of heightened risk. In all likelihood, as the number and sophistication of fraud attacks rise, the periods of heightened risk are also likely to increase.
It’s always worth trusting the fraud team’s instincts. It’s in the frontline in the fight against fraudsters and during periods of increased activity will have a sound sense of erratic or irregular transactions and trading patterns. It’s also worth pro-actively contacting customers if fraud is suspected, if transactions look suspicious, or reflect any unusual payment patterns.
Informally collaborating with other companies in your sector whenever a new threat emerges is also worth considering. What goes around comes around. While it may be your turn this week, there’s no doubt the fraudsters will switch attention to any perceived soft targets elsewhere. Other companies which are successfully blocking potential data breaches are likely to be an excellent source of ideas and best practice around fraud prevention. Also be willing to leverage industry networks and specialist fraud providers wherever possible.
Don’t skimp on investment in your entire online estate. It’s your shop window and particularly given the exponential rise in demand for mobile channels, it’s likely to be a cost-effective and lucrative income stream for the foreseeable future. Account creation, profile management and loyalty programs are soft targets for attackers, with most fraud prevention controls focused on transaction systems. Online defences can be shored up by ensuring that all points of account entry and management are equally protected from fraudulent access.
Even after a fraud attack has happened, risk can still be managed. Getting armed with a layered security strategy that includes device intelligence to block compromised card use, fraudulent enrolments, phishing attacks and attempted account takeovers, will always be worth the investment.
