The competition between cybercriminals and the fraud and security teams at banks, tasked with stopping their attacks, is incredibly lopsided. The fraud and security teams have to get it right 100 percent of the time to maintain their position of trust across the financial services ecosystem. The cybercrime gang, on the other hand, only has to get it right once; one crack, one mistake, one piece of spaghetti code that doesn’t do its job right and they are in — and in to wreak havoc.
The cybercriminals — Johan Gerber, executive vice president of security and cyber innovation at Mastercard, told Karen Webster — are working 24 hours a day, seven days a week, hammering away at those systems until a crack makes itself known. Particularly popular as of late (and a good stand-in for the problem as a whole, he noted) is the sharp increase in BIN attacks. BIN attacks rely on combining a single, valid card number and a piece of number-generating software to create many potential card numbers. The attack relies on probing card-authorization systems to see which ones are valid numbers. From there, Gerber said, once they know that, it’s all a matter of automating attacks on the valid card numbers until they are shut down.
“What we are seeing with these attacks and account takeover crimes, and a host of other problems, is criminals are always going to find the ways in if they are there,” Gerber said. “They are probing the networks on a constant basis, testing for what weaknesses are there,” adding that once they find one, they will literally create code to automate attacks until the weakness is shut down. “And it all moves very quickly.”
The attacks, Gerber noted, are going to keep on coming. According to the Boston Consulting Group, cyberattacks hit financial services firms 300 times more often than companies in other industries. That reality is why Mastercard launched Threat Scan today (Oct. 3), a new global service for its banking partners, designed to proactively identify potential vulnerabilities in their authorization systems.
A Shift From Reactive To Proactive
What banks need — and what Gerber noted the company hears about most often from its clients — is a way to stay ahead of the threats out there. That’s a tall order for any individual issuer because, despite having excellent security systems and authorization machinery, their opponents on the dark web are constantly evolving and modifying new attacks.
Mastercard, with Threat Scan, has the benefit of a worldwide view, and nearly real-time insight into fraud patterns as they emerge. The Threat Scan application essentially stress tests banks’ systems against an evolving array of scenarios — some 500 of them to start, derived from Mastercard’s global insights into crime behaviors. The system simulates known fraudulent attacks against issuers’ systems to get an idea of what frauds they are repelling, and what exactly runs the risk of slipping through a crack.
It is not quite a flip-switch-easy interface for issuers to sign on with, Gerber noted, but it is far from a heavy integration either. It essentially requires running some software, installing a terminal and allowing Mastercard access to some dummy card numbers to probe the system as though it were criminals looking for an entry point.
The system is smart in that what it sees appearing in one part of the world, it knows to add to its matrix of testing scenarios for issuers globally. Cybercrime, he noted, is truly a global industry, and once something appears in one place, it is certain to be everywhere if it proves successful. That means the Threat Scan system is, first and foremost, built to do what its issuer partners are most centrally concerned with it doing: staying ahead of the constantly, malignantly evolving world of digital fraud.
What Mastercard has also seen as it’s been piloting this program in preparation for launch, he added, is that the cracks and holes in issuer security systems run the gamut of causes.
“From Threat Scan, we have been able to issue as many as 500 different vulnerability alerts to issuers. Some of them are very complex, some of them are as simple as they did a security upgrade at some point, and someone forgot to switch back on a cryptogram they had switched off to do the upgrade. Or we will see cases where an attempt to fix a vulnerable part of a system inadvertently broke a different part of the authorization system, but in a way that wasn’t obvious,” Gerber said.
The problem, he noted, is that the cybercriminals are on the lookout for all security holes, big and small. No matter how tiny, once they find that hole, they’ll find a way to use it as a wedge for their own, larger gains.
The Multi-Tiered Fraud Fight
There is not a single silver bullet to be found to stop all fraud now and forever, Gerber told Webster. If there were, it would have been found. Instead, Mastercard’s theory of the war on cybercrime is to keep pushing fraudsters back on multiple fronts. It is basically, he noted, a four-pillar fight.
The first pillar is prevention with technology like Secure Remote Commerce (SRC) or tokenization. The second is defense with innovations, such as Threat Scan. The third is identity — all the things that go into digital identity and making sure everyone involved in the transaction is exactly who they say they are. The fourth and final is the experience, so that everything is both secure and seamless to the end user.
Those pillars are important today, he explained, and going to be even more so in the not-too-distant future when things are transacting commerce as often as human beings. The Internet of Things (IoT) brings in its wake a tremendous opportunity when it comes to enhancing the commerce experience, and redefining consumer ease and convenience.
However, anything that can be used to make a consumer’s life easier, he noted, runs the risk of offering the same upgrade of service to a potential fraudster. It means there is still a lot of thinking and standards development to be done so that, when machines are transacting commerce, they are operating on clear and comprehensible security rules that make it run well for the right user, and not at all for the wrong one.
“Ultimately, it comes down to a consumer knowing that they can use their card, and know they are safe,” Gerber said, “There [are] a number of layers, but in the big picture, that trust is what makes all digital commerce possible. If we want to stake our future on a world beyond cash, it is all dependent on consumer trust and the integrity of our systems.”