Innovation Is a Double-Edged Sword…
Just as we thought we could all settle into a nice, quiet, hot summer break, the cyber security and fraud news was intent on keeping us on our toes.
- First of all, July was dominated by the news of two very large fines for breach of data protection regulations (British Airways at £183M and Marriott at £99.2M, affecting 500,000 and 339 million customers respectively) and then we welcomed August with the news of the Capital One data breach, putting at risk the personal information of 106 million individuals across the US and Canada.
- Secondly, the fraud statistics turned out to be alarming: the volume of online payment fraud losses is on the rise worldwide, projected to more than double by 2023 compared to 2018. In the UK alone, more than half of fraud losses on card purchases in 2018 were attributed to e-commerce. Furthermore, the number of consumers hit by financial malware is rising significantly - over a third of them corporate users, double last year's figure - with mobile banking trojans among the most rapidly developing families of malware.
- Thirdly, over the last decade we have seen increased usage of online and mobile banking worldwide, and particularly in the UK.
When we analyse the facts, we can come to the following conclusions:
- The British Airways and Marriott breaches were attributed to the Magecart threat actor, and clearly targeted payment data through the use of very well designed clone websites intended to fool users into thinking they were engaging with the legitimate companies. This is very much an information security issue, and could have been prevented. An excellent article on how to do this can be found here, thanks to Scott Helme. However, one could be forgiven for thinking that this is probably a bit too detailed. What is not acceptable, however, is that in both breaches payment card information, including the CVV (Card Verification Value), was illegally harvested. The PCI DSS (Payment Card Industry Data Security Standard) has been around since 2006, and one of its fundamental principles is the prohibition of storing sensitive cardholder authentication data, which includes the CVV. So all this time, neither organisation could have been PCI DSS compliant. Those who have said that PCI DSS is on the wane, or taking a back seat to current privacy regulations worldwide, might want to reconsider and realise that it is based on sound security principles for all those involved in payments. As we know, the regulators have already fined those companies, and we can expect litigation to follow.
- The Capital One data breach, however, is different. The exposed data included names, addresses, dates of birth, credit scores, transaction data, social security numbers and linked bank account numbers. Capital One were insistent on pointing out "that no credit card account numbers or login credentials were revealed in the hack". Furthermore, we now understand that the cause of this breach was an AWS cloud misconfiguration, which can be easily avoided with the appropriate security practices. Unfortunately, it seems that cloud misconfiguration is the new black... but given the continued increase in cloud usage, this type of problem will not go away any time soon unless attitudes change. Given the magnitude of the loss (106 million accounts), we can expect that criminals will already have harvested the data in order to commit fraud (e.g. identity theft, phishing, etc.) further down the line. This places the breach firmly in the camp of data protection and privacy, and we can expect regulatory involvement and much litigation.
- It is unsurprising to see the alarming increase in online payment fraud, as it obviously correlates with the increase in online and mobile payment usage worldwide. The relentless advances in new technologies have made it possible to change the world for the better, with applications of artificial intelligence, machine learning and the Internet of Things facilitating, for example, further financial inclusion and better consumer experiences. However, this is a double-edged sword, as technology has also enabled criminals and fraudsters to become even more innovative and efficient. The financial services industry is particularly at risk, whether from nation state actors or from opportunistic cyber-criminals.* I have previously written in more detail on this topic, and to quote from that specific article: "Common sense should prevail when developing a working cyber security and fraud detection strategy where the basics are covered first, and the risks specific to the organisation are managed."
Given this threat and technological landscape, we can clearly see that more and more personal information is being dumped on the black market as a result of the substantial data breaches of late. And what stems from security failings invariably leads to identity theft and fraud, as has been demonstrated time and time again. Indeed, BEC (Business Email Compromise) fraud is on the rise, and APP (Authorised Push Payment) fraud, enabled by the advent of Faster or Real-Time Payments, is rapidly becoming the scourge of the financial services world.
And as always, when something becomes enough of a problem, the regulators react. This is why the Strong Customer Authentication (SCA) requirements were mandated as part of PSD2, why features such as Confirmation of Payee (CoP) are being mandated for banks, at least in the UK, and why AML (Anti-Money Laundering) rules are becoming more stringent worldwide. But let's not get complacent: whilst regulators are trying to address the issues, regulations alone will not make things better overnight. As with all established ecosystems, change takes time. Indeed, SCA implementation dates are being delayed, CoP implementation is being delayed, and AML rules are still deemed insufficient (in the UK in particular, the Law Commission report led to the UK government's publication of its Economic Crime Plan for 2019-22).
In order to fight fraud and cybercrime effectively, businesses must take information security and fraud prevention seriously, not only because these present increased regulatory risk, but to enable innovation to thrive and consumers to feel safe. Managing the extended supply chain, especially with the proliferation of cloud services, is now crucial, as is understanding how new technologies can streamline operations (after all, criminals do this very well...).
So while we wait, let's take the common sense approach: cooperation is key, not only within or across industries, but also within organisations, particularly between fraud/risk departments and information/cyber security departments. After all, these are two sides of the same coin, and the failure to address cyber risk invariably leads to fraud.
*Additional articles referenced: