Digital technology has increased interconnectedness and bridged the urban-rural divide – and one of the biggest sectors to benefit from this change is the financial industry.
Now, with just a few clicks, we have the ability to transmit thousands of dollars to a foreign country or perform an online transaction and other banking activities.
This is the new normal – where relationships with consumers are increasingly in digital form.
In order to deliver new features constantly, not only to capture new customers but to retain existing ones, financial organisations are in a race to roll out applications quickly.
This pressure to differentiate services with new application functionality has called into question the overall security posture of these organisations.
Australians and mobile banking
According to a survey conducted by Bain & Company, mobile banking in Australia is now more common than online banking.
The survey shows 38 per cent of Australian customers’ interactions with their bank occurred via a smart device.
As we continue to plug into the digital realm, this trend is a cause for concern, because significant risks lurk just around the corner.
For as long as digital technology has existed, there have been people who sought to exploit it for criminal gains.
What once started as opportunistic email scams has evolved into highly complex, targeted operations that generate billions of illicit dollars every year.
The result is a sharp rise in threats such as cyber-espionage, web fraud, distributed denial of service (DDoS) attacks, and point-of-sale (POS) intrusions that threaten to destabilise organisations across the Asia-Pacific region and beyond.
According to the Australian Cybercrime Online Reporting Network (ACORN), more than $234 million of financial loss was reported in the first quarter of 2015.
Forty-one per cent of loss resulted from online scams or fraud.
The figures demonstrate how cybercrime has grown in sophistication and gumption.
From ransomware to malware exploiting weaknesses in systems, applications and browsers, the techniques are varied and constantly challenge the status quo.
The reality of the new normal is that economic crime has, to a certain extent, gone digital and it has the ability to compromise a financial organisation’s digital landscape in a plethora of ways.
In the first three months of this year alone, new variants of the financial trojan Tinbapore and new Gootkit campaigns were found targeting banks and financial organisations across New Zealand, Singapore and Indonesia, to name just a few.
These developments show how rapidly such threats evolve.
For example, Gootkit prepares by using video-recording functionality before launching actual attacks on financial institutions' websites.
This means fraudsters can now study the internal processes of financial transactions within a bank, and look for gaps in approval processes, without ever having to set foot in the bank.
This is an example of the creativity that the cyber criminals of today possess and the effort they are willing to put into refining the process by which they approach their victims.
Herein lies the paradox: a bank's hybrid, multi-channel approach to acquiring more customers and increasing value to market has also provided criminals with new vantage points, and that exposure can limit a bank's potential.
Technology is becoming the new leveller, and the digital paradox is becoming the new business conundrum.
Hybrid approach to security
As financial institutions deploy more enterprise-grade applications and services across data centre and cloud environments, the need for a balanced and holistic security strategy has never been greater.
For institutions that depend on their digital presence for competitive edge, such a strategy is not optional.
They need a system that not only protects the organisation, its employees, customers and end-users against attack vectors, but can also react quickly to attacks in order to minimise damage.
One common misconception is that a firewall is sufficient to guard an enterprise's networks. That no longer holds true.
Organisations need to make concerted efforts to invest actively in security at the application level, rather than concentrating solely on the network level.
Web application attacks, for example, are often tuned to and created for a particular application, and are missed by traditional network-level security measures.
In practice, organisations must look to other technologies, such as web application firewalls, to protect their networks.
Careful planning and prompt action can make the difference in ensuring technology is on your side instead of sleeping with the enemy.
Accordingly, financial institutions need to strike an equal balance between protective postures: pure defence on one side and mitigate-and-react approaches on the other. If the balance tilts too far in either direction, the security strategy will be less effective.
While we live in an always-on digital economy, it is prudent to remember that the gates are always open.
What will define a bank’s legacy in the years to come will no longer be the ability to deliver new services, but to deliver them safely and securely.
To achieve this, we need to re-examine our security investments. Do we have a real-time threat intelligence system in place to detect everything from malware to phishing attacks?
Do we have complete visibility across platforms and at the application level? Are our security protocols cross-device and cross-channel?
That’s the hybrid approach to securing your business and reducing risks.
It’s time to discard archaic principles of protection and safeguard the gateway to applications and services because it is always open in the digital world.