How do you deal with an entity that is so malicious it will use a natural disaster to commit cybercrimes?
It’s happening in the wake of the two hurricanes that hit the southeastern United States as well as severe storms in other parts of the world. As stated in an Oct. 10 post on banking and payment authentication company Entersekt’s blog, these scammers pose as fake charity organizations or create new identities as victims applying for government aid.
It’s the latest example of a battle in the war against the criminals out to steal data, hack into accounts and impersonate legitimate entities and individuals. To counter it, a new mindset and tech-driven buildup of defenses is in order. It’s a world where “good enough” fraud defense and identity verification won’t be enough.
“It can be difficult to quantify what you are up against, but there are best practices out there,” Entersekt Solutions Director Steve Bledsoe told PYMNTS in an interview.
The “good enough” approach accepts the status quo of fraud prevention — and clings to the hope that current and past solutions and tools will keep combating fraud effectively into the future, he said.
It’s not working out that way — and it’s not going to work, either.
As Bledsoe said, “we’re in a perpetual arms race with the fraudsters. And when we build a higher fence, they build a higher ladder.”
The walls that keep out scammers — or try to, anyway — also have the ancillary effect of introducing friction into customer-facing interactions and transactions.
The channels across which we’re being attacked are varied, said Bledsoe, who listed phone networks, mobile networks, email, web channels and call centers as just a few examples.
“When you authenticate using some of those channels, you are authenticating into channels that were never designed with security in mind,” he said.
That means firms relying on those channels and their authentication providers are exposing themselves to vulnerabilities, in effect putting all their eggs in, say, the email security provider’s basket and hoping that things go well.
“Cookies and device fingerprinting have their place, but they are not getting the job done,” Bledsoe said.
One-time passcodes are sent to ostensibly legitimate account holders, he said.
Executives with that “good enough” mindset may take false comfort in the fact that they don’t “do” OTP via email, that they only “do” it over SMS or voice, he said.
But an OTP can be intercepted through social engineering, or bypassed altogether by someone who has stolen a device fingerprint or session cookie.
Bledsoe said he knows all this firsthand, as he recounted to PYMNTS that he recently found that his phone had been compromised by a criminal who walked into a Target store and wanted to upgrade their phone using Bledsoe’s plan. The unwitting Target employee ported Bledsoe’s number to a SIM and handed that person a new iPhone with Bledsoe’s number.
Against a backdrop where more than a quarter of all account takeover incidents are tied to phishing, OTPs combined with these “blanket attacks” are difficult to counter with in-place tech and strategies, he said.
Financial institutions themselves have been reluctant to make the necessary investments and change their mindsets — and indeed many of them have been resource-constrained. For the FIs that have not yet been hit hard, the conventional thinking within the company might be that they do not need to revisit how they battle fraudsters.
But if they don’t do what they need to do, said Bledsoe, “you’re setting up a ticking time bomb for the day when your customers are going to be compromised — and hurt in either a targeted or blanket attack.”
The customer base includes not just the retail side, but the enterprise side too.
Banks can make their security processes a selling point, a way to boost loyalty, Bledsoe said. Consider the case of Bank A, which might have a static approach that routinely steps up friction during a transaction. Then think about Bank B, which uses a holistic approach to introduce levels of friction into the mix that customers want — according to their own directives, such as dollar amount or transaction type.
“Which bank do you think will be used more often?” Bledsoe asked. “Usually, the one that you feel is taking a more proactive approach in protecting the consumer.”
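The Bank A versus Bank B contrast above, as an added illustration that is not Entersekt’s code or product: a static policy that challenges every transaction beside a customer-directed policy whose step-up triggers (an amount threshold, transaction types, untrusted devices) are hypothetical directive fields constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Tuple

Decision = Tuple[str, List[str]]  # ("allow" | "step_up", reasons)

@dataclass(frozen=True)
class Directives:
    """Friction the customer asked for. Hypothetical shape, not a vendor API."""
    amount_threshold: float       # step up at or above this amount
    stepup_types: FrozenSet[str]  # transaction types that always step up
    challenge_new_device: bool    # step up when the device is not yet trusted

@dataclass(frozen=True)
class Txn:
    amount: float
    kind: str
    device_trusted: bool

def bank_a_static(txn: Txn) -> Decision:
    """Bank A: the same OTP challenge on every transaction, whatever the risk."""
    return "step_up", ["static_policy"]

def bank_b_directed(txn: Txn, d: Directives) -> Decision:
    """Bank B: challenge only when one of the customer's own directives fires,
    and record which ones, so the customer can be told why."""
    reasons: List[str] = []
    if txn.amount >= d.amount_threshold:
        reasons.append(f"amount>={d.amount_threshold:.0f}")
    if txn.kind in d.stepup_types:
        reasons.append(f"type:{txn.kind}")
    if d.challenge_new_device and not txn.device_trusted:
        reasons.append("untrusted_device")
    return ("step_up", reasons) if reasons else ("allow", [])

def friction_count(txns: List[Txn], policy: Callable[[Txn], Decision]) -> int:
    """How many of the customer's transactions each policy interrupts."""
    return sum(1 for t in txns if policy(t)[0] == "step_up")

# Constructed sample day for one customer (not real data).
DIRECTIVES = Directives(500.0, frozenset({"wire", "password_reset"}), True)
SAMPLE = [
    Txn(4.50, "card_purchase", True),      # coffee: no friction at Bank B
    Txn(62.00, "card_purchase", True),
    Txn(1200.00, "wire", True),            # amount and type both fire
    Txn(0.00, "password_reset", False),    # the reset scenario from the article
    Txn(30.00, "p2p_transfer", False),     # small, but from an untrusted device
]

if __name__ == "__main__":
    print("Bank A challenges:", friction_count(SAMPLE, bank_a_static))
    print("Bank B challenges:", friction_count(SAMPLE, lambda t: bank_b_directed(t, DIRECTIVES)))
```

Bank A interrupts all five transactions; Bank B interrupts three, each with a reason it can show the customer.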
That proactive approach can be designed and implemented through partnerships, such as with Entersekt, which creates a trusted ecosystem of devices that verify identities, rather than trying to build each FI product or service with that customer-driven approach individually. Entersekt can help alert users that someone might be looking to reset their account passwords — and require authentication of that action, he said.
“That is critical information to help me as an end user be an active participant in my own security,” he said.
If suspicious activity is detected, the bank can also reach out to end users in a secure way that helps ensure that an authorized person is making the transaction or financial decision across all channels, from ATMs to call centers.
“That’s a paradigm shift that I think we need to make in the industry,” said Bledsoe, who added that “the expected friction may not happen all the time, but when it does, it lets the customer know that the FI has their back. And that builds trust.”