The digital world is becoming a vast network of interconnected nodes, and managing security in this increasingly complex environment is difficult. This article summarizes the trends in digital payment security, the factors that influence the penetration of digital channels in the market, and the security measures used in digital services. It also looks at the transition brought about by the introduction of new technologies, some monitoring principles and key challenges that the banking industry currently faces, and the security measures that are in focus.
According to the Central Bank of Bosnia and Herzegovina, only 32,000 users of internet banking, including individuals and legal entities, were recorded in 2008, but by the end of 2018 the figure had risen to 667,551 users, an increase of approximately 2086%.
The year 2018 showed a clear trend towards mobile banking, which was booming in the market. In 2018, the number of electronic banking users increased by more than 600,000, compared to nearly 425,000 in 2017. In line with this, banks have started to change their strategies, moving from traditional branches to online digital channels and offering various kinds of services to their customers through them. Mobile banking services increased by 61% while internet banking decreased by 39%. In 2020, the pandemic greatly intensified the usage of mobile banking. Beyond mobile banking, other online payments such as e-commerce and direct internet sales are also expected to grow substantially in the next decade.
This growth brought new security challenges. Among the security techniques in use are Public Key Infrastructure (PKI), two-factor authentication (2FA), transaction signing, and the Web Application Firewall (WAF).
Public Key Infrastructure (PKI) is used to manage security through encryption. The most common form involves a key pair: a public key, which anyone can use to encrypt a message, and a private key (also known as a secret key), which only its owner holds and which is needed to decrypt that message.
Two-factor authentication (2FA) is a security mechanism that requires two distinct forms of identification in order to gain access to something. It is used to reinforce the security of an online account, a smartphone, or even a door with AI.
Transaction signing is a security process that manages and validates transaction credentials by using a Digital Secure Key to generate a one-time confirmation code for a specific transaction. Because the code is tied to that specific transaction, it also improves protection against fraud attempts by malicious software on the mobile device.
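To make the transaction-signing idea concrete, here is an added example (not code from the article or from any of the banks or vendors it mentions) of a confirmation code that is derived from a per-device key and the transaction details themselves. The device secret, account numbers and nonce are constructed placeholders; the code derivation borrows the dynamic-truncation step of HOTP (RFC 4226) and applies it to an HMAC-SHA256 over the transaction fields, which is one way such schemes are built, not a description of any particular product's Digital Secure Key.

```python
import hashlib
import hmac

# Constructed demo secret: in a real app the per-device key is generated and
# kept inside the phone's secure hardware; it is hard-coded here only so the
# example runs offline.
DEVICE_SECRET = bytes.fromhex(
    "5f1c8a3e9b7d2c4f6a1e0d9b8c7a6f5e4d3c2b1a0f9e8d7c6b5a4f3e2d1c0b9a"
)

# Field order is fixed so that the app and the bank hash identical bytes.
SIGNED_FIELDS = ("account_from", "iban_to", "amount", "currency", "reference", "nonce")


def canonical_bytes(tx: dict) -> bytes:
    """Serialize the transaction fields that the confirmation code is bound to."""
    return "|".join(str(tx[f]) for f in SIGNED_FIELDS).encode("utf-8")


def transaction_code(secret: bytes, tx: dict, digits: int = 8) -> str:
    """Derive a numeric confirmation code from the device key and the
    transaction details. Uses HOTP-style dynamic truncation (RFC 4226,
    section 5.3) applied to an HMAC-SHA256 over the transaction bytes."""
    mac = hmac.new(secret, canonical_bytes(tx), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class BankVerifier:
    """Server side: knows each device's key, issues a fresh nonce per
    transaction and refuses a code whose nonce was already consumed."""

    def __init__(self, device_keys: dict):
        self.device_keys = device_keys
        self.used_nonces = set()

    def verify(self, device_id: str, tx: dict, code: str) -> bool:
        secret = self.device_keys.get(device_id)
        if secret is None or tx["nonce"] in self.used_nonces:
            return False
        expected = transaction_code(secret, tx)
        if not hmac.compare_digest(expected, code):
            return False
        self.used_nonces.add(tx["nonce"])  # one-time: burn the nonce
        return True


def demo_transaction() -> dict:
    """Constructed sample payment, as shown to the user on the signing device."""
    return {
        "account_from": "LV00EXAMPLE0000000001",
        "iban_to": "DE00EXAMPLE0000000002",
        "amount": "250.00",
        "currency": "EUR",
        "reference": "Invoice 4711",
        "nonce": "c0ffee01",  # constructed; the bank generates this per transaction
    }


def run_demo() -> dict:
    """Show that the code is bound to the exact transaction and is single-use."""
    bank = BankVerifier({"phone-1": DEVICE_SECRET})
    tx = demo_transaction()
    code = transaction_code(DEVICE_SECRET, tx)

    # The scenario from the text: malware on the device swaps the beneficiary
    # after the user has confirmed the payment. The code no longer matches.
    tampered = dict(tx, iban_to="DE00EXAMPLE0000000666")

    return {
        "code": code,
        "tampered_rejected": not bank.verify("phone-1", tampered, code),
        "genuine_accepted": bank.verify("phone-1", tx, code),
        "replay_rejected": not bank.verify("phone-1", tx, code),
    }


if __name__ == "__main__":
    print(run_demo())
```

The point the example makes is that the confirmation code is useless to anyone who changes even one signed field, and the server-side nonce set means the same code cannot be presented twice. The fields the user sees on the signing device must be exactly the fields that go into the hash; otherwise the signature proves nothing about what the user actually approved.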
Last but not least, a Web Application Firewall (WAF) protects web applications by filtering and monitoring HTTP traffic between a web application and the Internet. It generally protects online applications against cross-site request forgery (CSRF), cross-site scripting (XSS), file inclusion, and SQL injection, among other attacks. Attackers are following customers to the new channels, such as mobile banking and other internet payment options. As a result of this shift, an increase in security issues around the keys most commonly associated with APIs has been recorded, and the security risks of open APIs are not limited to hackers and malware.
According to Belma Ohranovic, Head of Security/CSO at Raiffeisen Bank, the financial sector marks the WAF as an unsecured device; unlike a traditional firewall, banks are now relying on cloud-based Web Application and API Protection (WAAP) services, which expand the scope and depth of security. WAAP is also required where users log in with a multi-factor authentication mobile app. The primary goal of multi-factor authentication is to lessen the risk of account takeover while providing greater protection for users and their accounts. More than 80% of computer breaches are caused by weak or stolen passwords, so multi-factor authentication adds layers of protection to safeguard users and their data: if one factor, such as the user's password, is compromised, the other factors still provide an extra layer of protection and assurance of the user's identity. The banking sector also relies on other protocols, such as 3-D Secure, which is meant to add an extra degree of protection to online credit and debit card transactions. Its 'three domains', which communicate via the protocol, are the merchant/acquirer domain, the issuer domain, and the interoperability domain.
Even if transactional threats remain constant, new risks and emerging technologies must be considered in order to improve mobile security. It is critical to enable device security, and according to Belma it is advisable to use only controlled devices for personal use, because if something goes wrong, clients will not feel safe, will stop using the services supplied, and will switch to a different provider. It is critical to implement all these steps in light of the new threats. Customers should be informed that a new secure environment must be reviewed, along with the PCI (Payment Card Industry) security requirements, and that the same transaction risks must be adequately addressed. Another aspect to consider is Runtime Application Self-Protection (RASP), which should be built into mobile apps to defend them against sophisticated attacks from within the running application.
In a nutshell, it is difficult to keep the balance, but some security measures are recommended when using digital or online payments: checking financial statements with the financial service provider on a regular basis, turning on two-factor authentication, verifying the payment recipient, and using a dedicated payment method for online transactions. Banks can also use biometric authentication, QR code verification, and one-time passwords.
Account Takeover and Online Threats
Kaspars Briska, the former CISO / Head of Cyber Security at Citadele Banka, elaborates on the 'new reality' after the COVID-19 pandemic. The year 2020 saw a large number of individuals switch to digital channels; many would not even have considered doing business or transactions this way before the pandemic. However, users adopted these channels fully without experience or much knowledge, and this led to a 100% increase in online fraud, the most popular forms being self-initiated fraud and account takeovers.
The most obvious is account takeover fraud (ATO), which occurs when a cybercriminal obtains the victim's login credentials in order to steal money or information. Fraudsters use a number of ways to get into a bank account and take control of it, including phishing, malware, and man-in-the-middle attacks, among others. Because of the financial damage and the mitigating measures required, ATO is a major danger to financial institutions and their clients. Account takeover fraud is continually evolving and comes in different forms. Some account takeovers begin with fraudsters harvesting personal information from data breaches or purchasing it on the Dark Web. When an account takeover attack is successful, it can lead to fraudulent transactions, credit card fraud, and unauthorized shopping. Account takeover is often referred to as a form of identity theft or identity fraud. Such schemes typically put immediate pressure on the victim to provide online banking information, and victims are more likely to be people who are unaware of them.
The pandemic also brought a high rate of unemployment, which led to job hunting online in line with the general trend. Scams relating to online vacancies were recorded, in which candidates' personal details were collected and misused. Fake investments in cryptocurrencies and forex were also recorded, causing many individuals to lose their investment.
Moving on to the most common type of communication fraud: phishing email is losing ground to other channels, such as SMS, WhatsApp, Viber, and other social networks, which may be more effective from the attacker's standpoint since they reach individuals more directly. Attackers have also developed new capabilities to spoof phone numbers and other identifiers in messaging apps and voice calls. A more complex and advanced form of fraud is the compromise of email systems with the aim of fabricating invoices, business email compromise, and other high-yield frauds. What we need to realize is that these are not random phone calls but organized gangs and call centres that speak many languages and target practically everyone; they simply steal money from anyone.
Citadele Banka has its own proactive detection system and has developed several ways to detect phishing sites proactively, according to Kaspars. The first step is to monitor TLS certificate issuance, which allows the bank to identify possible phishing sites before they are set up. Takedown procedures can then be initiated much earlier, which means that the success rate for bad actors has diminished quite significantly and forces them to move to easier targets. Furthermore, continuous analysis of the most common fraud scenarios enables the development of new detection mechanisms as well as the fine-tuning of existing ones. It should also be noted that multi-layer detection algorithms and device recognition technology must be improved continuously to detect new fraud schemes. Another important element is security awareness for those who do not live online. Because the vulnerable are more likely to become victims, communications must be spread through traditional channels such as newspapers, radio, and television.
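The certificate-monitoring step described above can be illustrated with an added example (not Citadele Banka's code and not a description of its system): a small scanner that reads entries of the kind a Certificate Transparency feed produces and flags certificate names that imitate the bank's brand. The brand name `examplebank`, the owned-domain allowlist and the log entries are all constructed for this example; the checks (homoglyph normalization, the brand appearing inside a hostname label, and a small edit distance from the brand) are common heuristics, not a claim about which ones any particular bank uses.

```python
from typing import List, Optional, Tuple

BRAND = "examplebank"  # constructed placeholder for the bank's brand name
# Constructed allowlist of domains the bank actually owns.
OWNED_DOMAINS = {"examplebank.example", "online.examplebank.example"}

# Constructed entries shaped like what a certificate-transparency feed yields:
# issuance time, issuer and the names on the certificate.
CT_ENTRIES = [
    {"logged_at": "2021-06-17T09:12:00Z", "issuer": "Example CA",
     "domains": ["examplebank.example", "www.examplebank.example"]},
    {"logged_at": "2021-06-17T09:40:00Z", "issuer": "Example CA",
     "domains": ["examplebank-login.example"]},
    {"logged_at": "2021-06-17T10:05:00Z", "issuer": "Example CA",
     "domains": ["exarnplebank.example"]},
    {"logged_at": "2021-06-17T10:31:00Z", "issuer": "Example CA",
     "domains": ["examp1ebank-secure.example"]},
    {"logged_at": "2021-06-17T11:02:00Z", "issuer": "Example CA",
     "domains": ["examplebonk.example"]},
    {"logged_at": "2021-06-17T11:20:00Z", "issuer": "Example CA",
     "domains": ["examplebank.example.attacker.example"]},
    {"logged_at": "2021-06-17T11:45:00Z", "issuer": "Example CA",
     "domains": ["weatherreport.example"]},
]

# Character sequences commonly substituted to imitate a brand in a hostname.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize(label: str) -> str:
    """Undo the usual look-alike substitutions before comparing to the brand."""
    label = label.lower()
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance; small enough to write inline rather than import."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_owned(domain: str) -> bool:
    """True for the bank's own domains and their subdomains."""
    return any(domain == d or domain.endswith("." + d) for d in OWNED_DOMAINS)


def classify(domain: str) -> Optional[str]:
    """Return a reason string if the domain imitates the brand, else None."""
    if is_owned(domain):
        return None
    for label in domain.lower().split("."):
        norm = normalize(label)
        if BRAND in norm:
            return f"brand name inside label '{label}'"
        dist = levenshtein(norm, BRAND)
        if dist <= 2:
            return f"label '{label}' is within edit distance {dist} of the brand"
    return None


def scan(entries) -> List[Tuple[str, str, str]]:
    """Run the checks over every name in every certificate; returns
    (logged_at, domain, reason) for names that should go to takedown review."""
    findings = []
    for entry in entries:
        for domain in entry["domains"]:
            reason = classify(domain)
            if reason:
                findings.append((entry["logged_at"], domain, reason))
    return findings


if __name__ == "__main__":
    for logged_at, domain, reason in scan(CT_ENTRIES):
        print(f"{logged_at}  {domain:40}  {reason}")
```

The allowlist is what keeps the bank's own renewals out of the queue, and the brand-inside-a-label rule is what catches the case where the real brand domain is used as a subdomain of something else. In practice the findings feed an analyst or takedown workflow rather than an automatic block, since a legitimate third party can also register a name containing the brand.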
How to strengthen your security in the era of rising fraud
In terms of accounts breached in 2020, 37 billion accounts were breached during the year. This is the quantity of information that has been lost, and it is significant because much of the leaked data is the same data that banks use in either the application or the recovery process, such as name, date of birth, email address, and phone number. In 2020, an estimated 10% of the world's population had their identity compromised.
According to Kaspersky research, malware increased during the first quarter of 2020. In the first quarter of 2021, Kaspersky detected 1,451,660 malware installations. Compared with Q4 2020 this is a decline, which is good to see, but the longer-term tendency is upward and will continue to increase. There was a 25% rise in malware from Q1 2020 to Q1 2021, and mobile accounts for 91% of all internet traffic. As a result, attackers have more options to target that medium, and new internet users naturally gravitate toward mobile. In addition, Crime-as-a-Service (CaaS) is growing: as CaaS evolves, the barrier to entry for attackers lowers as more tools become accessible on the market.
Greg Hancell, Director, Product Management - Data Strategy at OneSpan, goes into detail about the Evil Emulator attack, which was able to intercept a one-time password (OTP) delivered over SMS. This is one of the key reasons why the banking industry wants to consider moving away from SMS. When banks secure mobile banking customers, they can use the device's built-in security and cryptographic hardware. This is a critical feature for both virtual wallets and virtual currency. Advanced application security, such as app shielding, can also be used in conjunction with strong authentication over a secure channel.
Identity theft is pervasive. Static credentials should no longer be used to authenticate registration, login, transactions, beneficiary creation, or user creation. There are emulators that can duplicate a user's digital fingerprint at scale, and banks must be aware that fingerprint-based checks can therefore be jeopardized. Crime-as-a-Service (CaaS) generates significant revenue for organized crime groups (OCG), so they will invest and demand more. Authorized push payment (APP) fraud, which relies on social engineering, will persist. Financial institutions such as banks must take a data-first strategy to defend themselves and assess how interoperable their data is across multiple product lines.
Building micro machine learning models that are interoperable across products is critical; doing so allows them to be generalized across products because less data is required to build such models. It is therefore important to think about the data points that are consistent across all channels and how models can be built on them. Using multi-factor authentication with context is crucial for the user as well as for the banks. Emphasis should be placed on how to connect the e-fraud Security Operations Centre (SOC) with the products. In addition, a company needs to use its processes, people, and technology to defend the products, share data and experience, and simulate different types of attacks to prepare itself better. Everyone involved should know how to defend against all types of attacks.
To summarize, it is critical to provide simple multi-factor authentication. If SMS and OTP are to be used, it is important to build safe and trustworthy connections with consumers, as well as to leverage contextual and behavioral authentication and mobile app shielding technologies.
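The idea of "multi-factor authentication with context" from the last few paragraphs, and of data points that look the same on every channel, can be shown with an added example (not OneSpan's product and not code from the article): a small risk engine that scores each login or payment against the user's recent history and decides whether to let it through, ask for a second factor, or refuse it. The event fields, the score weights, the thresholds and the user "alice" with her coordinates are all constructed for the example; the signals themselves (unfamiliar device, country change, travel speed that no flight could achieve, first payment to a new beneficiary, large amount) are the kind of context a step-up decision is commonly based on.

```python
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Optional, Set, Tuple

MAX_PLAUSIBLE_SPEED_KMH = 900.0  # faster than this between two events = impossible travel
LARGE_AMOUNT = 1000.0            # constructed threshold for a "large" payment


@dataclass
class Event:
    """Constructed: one login or payment attempt with the context fields that are
    available in the same shape on every channel (web, mobile, API)."""
    user: str
    ts: float            # unix seconds
    device_id: str
    country: str
    lat: float
    lon: float
    action: str          # "login" or "payment"
    amount: float = 0.0
    new_beneficiary: bool = False


@dataclass
class Profile:
    known_devices: Set[str] = field(default_factory=set)
    last_event: Optional[Event] = None


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two coordinates in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


class RiskEngine:
    """Scores each event against the user's history and returns
    allow / step_up / deny. step_up means: require a second factor now."""

    def __init__(self) -> None:
        self.profiles: Dict[str, Profile] = {}

    def enroll_device(self, user: str, device_id: str) -> None:
        self.profiles.setdefault(user, Profile()).known_devices.add(device_id)

    def assess(self, ev: Event) -> Tuple[int, str, List[str]]:
        prof = self.profiles.setdefault(ev.user, Profile())
        score, reasons = 0, []

        if ev.device_id not in prof.known_devices:
            score += 40
            reasons.append("unknown device")
        last = prof.last_event
        if last is not None:
            if ev.country != last.country:
                score += 20
                reasons.append(f"country changed {last.country}->{ev.country}")
            hours = max(ev.ts - last.ts, 1.0) / 3600.0
            speed = haversine_km(last.lat, last.lon, ev.lat, ev.lon) / hours
            if speed > MAX_PLAUSIBLE_SPEED_KMH:
                score += 40
                reasons.append(f"impossible travel ({speed:.0f} km/h)")
        if ev.action == "payment":
            if ev.new_beneficiary:
                score += 15
                reasons.append("first payment to this beneficiary")
            if ev.amount >= LARGE_AMOUNT:
                score += 15
                reasons.append("large amount")

        decision = "allow" if score < 30 else "step_up" if score < 60 else "deny"
        if decision != "deny":
            # A denied event must not become the baseline for the next comparison.
            # A production system would also wait for the step-up to succeed.
            prof.last_event = ev
        return score, decision, reasons


def run_demo() -> List[str]:
    """Constructed sequence: routine use, a risky payment, then an ATO-style login."""
    engine = RiskEngine()
    engine.enroll_device("alice", "phone-a")
    riga = (56.95, 24.11)   # constructed coordinates
    lagos = (6.52, 3.38)
    events = [
        Event("alice", 0, "phone-a", "LV", *riga, "login"),
        Event("alice", 600, "phone-a", "LV", *riga, "payment", amount=50.0),
        Event("alice", 900, "phone-a", "LV", *riga, "payment",
              amount=2500.0, new_beneficiary=True),
        Event("alice", 1500, "browser-x", "NG", *lagos, "login"),
    ]
    return [engine.assess(e)[1] for e in events]


if __name__ == "__main__":
    print(run_demo())  # expected: ['allow', 'allow', 'step_up', 'deny']
```

The third event is the everyday case the text argues for: nothing about the device or location is suspicious, but a large first payment to a new beneficiary is exactly when a contextual second factor (and, for the payment itself, transaction signing) earns its keep. The fourth event combines an unknown device with a location the user could not have reached in ten minutes, which is the account-takeover pattern and is refused outright rather than challenged.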
A Balance Between UX and Security, a presentation by Belma Ohranovic, the Head of Security/CSO at Raiffeisen Bank at the Payments CEE Summit on 17-18 June 2021
Account Takeover and other Online Threats in the Age of Real-Time Payments, a presentation by Kaspars Briska, the former CISO / Head of Cyber Security at Citadele Banka at the Payments CEE Summit on 17-18 June 2021
How to reduce the risk of Fraud and strengthen your Security in the era of the rising fraud rates and new Cyberthreats, a presentation by Greg Hancell, Director, Product Management - Data Strategy at OneSpan at the Payments CEE Summit on 17-18 June 2021