In a world of sophisticated hackers, it’s harder than ever to protect yourself and your business from the vulnerabilities that will give them access to your payments. This episode of the Payments Podcast discusses the more modern, adventurous techniques being used by fraudsters, and how organisations need to be more aware of the ways they are giving away access to their systems and personal devices. This episode features Julien Laurent, Market Development Manager for Fraud Solutions at Bottomline.
Rich Williams: The battle between organisations and fraudsters could be compared to the Tour de France, a race through the windy backstreets, or in this case, back systems, to make best of a competitive advantage and take, by deception, as much money and data as possible.
It’s all dependent on who gets to the finish line first. Will organisations manage to roll out more secure processes in time to protect themselves, or will the fraudsters prove too sophisticated to catch?
Hello, I'm Rich Williams, the host of the Payments Podcast, and today I'm speaking with Julien Laurent about the ever-increasing ways large organisations are being impacted by fraud and what this means for them. Thanks for joining us today, Julien.
Julien Laurent: Thank you for having me.
Rich Williams: Earlier this year, our independent report, the Payments Barometer, showed us the average loss of fraud for organisations in Great Britain was around £240,000, with 1 in 5 enterprises even losing more than £1 million. Julien, what's the impact of this scale of attack?
Julien Laurent: There are multiple dimensions to this. There’s obviously the loss of funds, which is difficult and can lead to critical cash flow issues for some businesses. It can be difficult to recoup. It can be hard to get your money back.
I think furthermore, there is the disruption that can happen in a business, and the cost of remediation when it comes after the reputation impact, depending on what business you are in. I think a cyber-attack can be quite impactful.
We’re seeing, sometimes in the press, banks saying that there is an IT glitch that might cause some disruption. Well, an IT glitch could be a far more sinister thing happening in the background, so it’s quite broad in terms of recuperation, and the cost is difficult to pin down, even for someone that has had a serious event. It would be very hard for them to fully quantify the impact financially and from a reputation point of view.
Rich Williams: Okay, I understand. It’s quite clear from what we see in the media, particularly lately, that many companies are being hit by examples such as this. What are the most common threats that organisations within the financial services industry specifically might face?
Julien Laurent: Currently, we see a lot of APP fraud types, so these are phishing emails, or an email pretending to be from your CEO asking for money to be transferred, or a more elaborate scam that might also target the end-user, i.e. the client.
Malware is on the rise, or ransomware, which we see in quite a few cases, and that again can create massive disruption. In some odd situations, we also see an impact where the attack was to use the resources of the company to do some cryptocurrency mining, so they were installing software in order to make money, not actually doing anything else but stealing power and running up energy bills, so it’s quite broad.
Rich Williams: It’s interesting that you mention cryptocurrency mining, for example; that brings us quite neatly to the next question. We know the payments landscape is changing constantly and very rapidly and obviously, fraudsters have to become more sophisticated to find the latest loopholes. Evidence suggests that they're clearly capable of doing this. What approaches are they now taking that businesses should be aware of?
Julien Laurent: The biggest one is what we call ‘island hopping,’ so if a fraudster has tested your defences and found out that they could not find a way in, they will then look to your supply chain and find a weak link within your supply chain.
Now, that might sound like, “Oh, that’s difficult,” but if you think about it, if you have a Starbucks coffee or a Costa Coffee shop in front of your building, it won't take long for someone to sit in there, drinking coffee all day, to find out who comes to fix your coffee machine or your plumbing, and then, if they go after that company, their goal is not to do any damage to that institution, it’s to use them as a means to get to you.
We've all seen the messages in Outlook that say, “Do not open this attachment if you do not know the source of it,” and we’re getting quite wise to this, but if you do know the source because someone came and fixed your printer or what have you, and then you open the attachment, that attachment could have a payload on it, which is malware, and that was the door opened to them. They will then move laterally within your organisation until they find the system that is the actual target. They are now willing to go to quite some length in order to get to the end result.
Rich Williams: What about the less widely reported types of fraud, those that are more uncommon, potentially the ones organisations don’t yet know to look out for at all?
Julien Laurent: Yes, exactly. Recently, we had quite a fair bit of PowerShell attacks, and PowerShell is an interesting thing. It’s a tool used by most IT departments in order to deploy perfectly legitimate software, or updates to your laptop or company computers, without you having to do anything. As a user, you don’t see anything happening on your screen, but in the background, things get installed and things are happening.
Swift alerted on this with a message that they sent to all the Swift users, that there were multiple attempts to use that. The sad thing is that PowerShell, when it’s in the right hands, is fantastic, but it can also be used by fraudsters, so these are some of the things that people fail to see.
We also notice a lot of human firewall failure. By that, I mean you might have written great policies on what should and should not be done in the organisation, but if people fail to apply that on a daily basis, then they expose your company to that.
More phenomenally, we've seen the rise of compromised hardware. I think the most shocking example I've seen lately is the O.MG cable, which is a lead to charge your iPhone, but that lead has a chip in it and a WiFi antenna built in, which you really cannot see from the outside, but if you plug this into your computer, or into your phone, the hacker, if he is within range of the WiFi, will then be able to gain access and load payloads onto your machine.
Now again, if you have a coffee shop in front of your building, how many of those need to be left around on a table before one of your employees grabs one of them? It’s a really frightening view to see how fast they can evolve, and how sophisticated the attacks are becoming now.
I think another one that was very good, and this was in the press, is Acer, which is a large computer manufacturer, who had their server hacked a couple of months ago, when the hackers took the latest update package and inserted their malware into it, so when the owner of the laptop was loading the latest update, thinking they were keeping their system safe by having the latest update, they were actually loading the malware. That’s quite impressive and audacious from the hackers. This is the level of sophistication we are looking at now, in terms of endpoint penetration.
Rich Williams: I think we always talk about the combination of people, process and technology, and there are clearly weak links in all three of those that could be exploited by these people who are clearly very sophisticated, and clearly will go to great lengths just to get a piece of information that might help them further down the line, if not immediately. Wow, that is frightening.
How should companies best keep up with the fraudsters when they're adapting at such a fast rate?
Julien Laurent: I think multiple layers of protection are essential nowadays. You must have the front door protected, but you must also assume that someone will manage to get through that, and then you need to have other layers to protect yourself along the way.
Rich Williams: Changing the topic ever so slightly, is it enough just to follow regulations, or are there other considerations that need to be kept in mind?
Julien Laurent: No, I think we need to go beyond regulation. The regulators are doing a stellar job, but they are large organisations. They have to look out for big processes in terms of coming up with regulation. I think nowadays, we need to be aware that fraudsters will move a lot faster.
Also, if you think about it, if you issue a regulation saying that within six months, you need to be implementing certain countermeasures, the hackers can read that too, it’s public knowledge, so they have a nice notice and within six months’ time, certain tricks won't work anymore. They're not going to wait until the six months have expired to move on to the next technique.
It’s really a game of chess. You're playing chess and you need to be two or three moves ahead, or your strategy might not work.
Rich Williams: Julien, let’s conclude this podcast on a rather serious topic, looking at some of the examples of what happens if organisations don’t comply.
Julien Laurent: I think the best thing to do with this is maybe to take an example which is quite public. I think there's a good example that always comes to mind for me, and it’s Andy Powell, who was the CISO of Maersk. They experienced a very grave attack, and they paid the consequences.
I think what he said on this is, and I quote, “The way in which our businesses are changing. The attack surface is massively changing. The old fortified front door, 'let's stop them’ approach, must go. We are all digitising and creating one-to-one relationships with our customers, which we need to protect,” and that’s exactly it. Multiple layers of protection, assume that your first defences will be broken, and so what happens then?
Let’s not forget that at the end of the day, these people are after a couple of things, either your data, your money, or your resources. Keep that in mind, and add layers to make it difficult to reach those goals.
Rich Williams: Assume the worst and prepare for it.
Julien Laurent: Absolutely.
Rich Williams: Great. Well, that was all really insightful, if a little unsettling at times, but thanks again, Julien, for joining us.
Julien Laurent: Thank you.
Rich Williams: Unfortunately, that’s all we have time for today. We’ll be back with some more podcasts very soon, and in the meantime, you can listen to more episodes on all things payments at the touch of a button using your preferred provider, and we’ll see you all next time.