“When I was a kid, criminals robbed banks and had guns. Now they’re not even in the same country. They sit in Eastern Europe on a computer and they make large sums of money,” said Richard Clarke, former national coordinator for security and counterterrorism, during a recent talk with Karen Webster.
And the threat and scope of cybercrime have only gotten worse.
The reality is stark and it’s clear that the traditional lines of defense — one-time passwords and SMS sent by banks and other firms — are not effective.
As Nok Nok Labs CEO Phillip Dunkelberger said during the conversation, biometrics are among the best lines of defense against an evolving threat that crosses borders, targets consumers, threatens businesses of all sizes, and disrupts supply chains.
The T-Mobile hack earlier this month is but the latest example of ransomware attacks that are making headlines. Cyber raids on cryptocurrency exchanges are also growing in number and sophistication, all at a time when $9 billion was invested into cybersecurity startups in the first half of 2021 alone.
“I don’t trust any of the estimates for what a cybercrime costs,” he said. “All I know is it costs a lot.”
Funding The Fight
There are several ways to make it difficult enough so that cybercriminals abandon or at least reduce their efforts, including through political pressure on the nations that serve as safe havens where cybercriminals can ply their schemes unimpeded.
Although the Budapest Convention on Cybercrime was the first international treaty aimed at battling this problem, Clarke maintained that governments must get tougher on digital crimes and criminals.
“If we had the will to do that as a group of nations, I think we could put an end to cybercrime,” said Clarke. But that’s a long road, a process that requires coordination among nations, which is no easy feat.
Dunkelberger and Clarke said anything that can reduce the monetary rewards, or so-called return on investment (ROI), will disincentivize cyberthieves and help keep the attacks at bay.
Cyber Defense As Competitive Advantage
Dunkelberger noted that since small- and medium-sized businesses (SMBs), cumulatively, account for the “biggest link” in supply chains and networks, they should receive the benefits of private/public partnerships that will help them combat attacks.
“They don’t have money to deploy solutions … some of them barely have firewalls. They barely have port controls on their network, let alone anything more sophisticated than that,” he said, noting that smaller companies need managed security providers, where security is essentially a service or utility.
The Evolution
All the technologies that are needed in the toolkit are there, Dunkelberger and Clarke said. We’re a long way past the introduction of chips on cards, which at least helped to reduce card-present fraud. But now, of course, amid the digital shift, all commerce has moved online.
That means, as Dunkelberger said, we need new ways of assuring each other — individuals and companies alike — that we are who we say we are. We have that assurance through the FIDO standards that use tactics and tech such as biometrics and voice recognition to give those assurances.
There are headwinds in place, he said, which need to be overcome. There must be a force of will to take action, to kill the perception that security is someone else’s problem.
Data breaches and theft, after all, have ripple effects up and down supply chains in terms of lost productivity and the costs (to individuals) of re-establishing credit and even the usability of devices. Consumers, of course, vote with their feet, so companies lose their installed bases and top lines, too.
PYMNTS data, as a matter of fact, has shown that two-thirds of consumers will leave a merchant after a single security-related event.
See also: Report: Two-Thirds Of Digital Shoppers Will Bolt If They Feel Unsafe Online
But, as Dunkelberger said, we’re descending deeper and deeper into the abyss of more passwords — with “fragile systems” in place that are not up to the challenge. Telcos and other large firms have built SMS protocols into their operations. Stepped-up challenges on mobile devices can be intercepted by hackers, luring unsuspecting victims to financial ruin or revealing sensitive data.
There’s some inertia as companies figure that at least a little bit of crime is part of the cost of doing business — but as Dunkelberger said, if that assumption is removed, and the cost of breaches is removed, these firms’ bottom lines immediately improve.
As he said, “the cost of implementing a fraud proof system is less than one year’s cost of cybercrime and the cost of employment.”
Clarke pointed to biometrics and geolocation, combined, as effective ways of identifying people in the middle of transactions or various interactions as payments are made or information exchanged. Tokens can help supplement security — and as he said, the more expensive a transaction is, the more factors must be introduced (that can’t be faked) to authenticate users.
Read more: Nok Nok CEO: Online Customers Give Better Identity Signals Than Fraudsters
As commerce goes ever global and companies of all sizes, especially smaller ones, gain entry to new markets, they’ll have to consider embracing those new technologies. Dunkelberger said that countries and markets in Latin America and elsewhere have already leapfrogged other nations (the U.S. included) in embracing mobile devices and biometrics in the service of commerce.
Not Paying Up
Another leg of an effective strategy against cybercrime, said Dunkelberger and Clarke, involves simply not giving in to the criminals’ demands, specifically ransomware. Clarke has maintained that it should be illegal to pay ransomware, thus reducing the ROI the bad guys get for their efforts.
In the bid to protect the data that is at risk, he said, companies should be able to architect their networks so that if someone does get in — and they’re spreading encryption algorithms to leverage their capture of sensitive info and demand money to “de-encrypt” it — that “micro-segmentation” requires authentication to access the information in the first place.
Paying ransomware, said Clarke, is ultimately self-defeating for the companies that pony up: they may not get their data or operations back even after they pay, and at least some of the ransom is used by the criminals to reinvest back into their own technologies used in their attacks.
Clark said geopolitics plays a role against the fraudsters — governments can “take down” an attacking country’s systems and infrastructure, or at least threaten to (we’ve seen a bit of this saber-rattling from the Biden administration toward Putin’s Russia).
As the threat landscape evolves, so too will the partnerships and technologies massed against those threats. As Clarke told Webster: “We, as an economy, as a country are only as secure as our weakest link. You can get into a supply chain provider who has weak security — and then spread the damage out to thousands of companies. We need to make everybody secure — and the way to do that is through a new mindset.”