Wash your face. Brush your teeth. Secure your digital payments.
Maybe the last one wasn’t taught in health class, but as the world becomes an increasingly digital space, cyber hygiene is a critical practice that nearly all Americans should implement into their daily routine (perhaps after your mindfulness practices, but before your green smoothie).
In a recent study by Capco, experts discuss disinfecting fraud, where these cyber threats are coming from, and specific examples of some notorious cyberattacks. To discuss the cyber hygiene study further, PaymentsJournal sat down with Julien Bonnay, Partner, US Head of Technology and Cybersecurity at Capco, Daniela Hawkins, Managing Principal at Capco, and Tim Sloane, VP of Payments Innovation and the Director of the Emerging Technologies Advisory Service at Mercator Advisory Group.
The path towards cybersecurity for payments
With the current trends and expected arrival of more threats, it is more important now than ever to strengthen cybersecurity for payments. There are a lot of ways to increase these defences, especially in the cloud, which is rather new to some FIs. “Encourage consumer education, and go through campaigns to really make sure both consumers as well as employees are well aware [of] what they could be subject to,” instructed Bonnay.
Strengthening security, increasing defences, and educating consumers and employees about ongoing threats are the “three pillars [in] the foundation of cyber hygiene steps to [help] build a more resilient payments future.”
Most institutions have taken the “we’ll cross that bridge when we come to it” approach. That is, they will find a vector of risk, seal it up, and move on to finding the next weak point. “There [are] so many vectors now that I don’t know they’ve even catalogued them all,” said Sloane. “Getting a handle on [cybercrime] and understanding all those different areas is really critical.”
Where are new threats coming from?
The answer to this can get a bit complicated. The first place cybersecurity experts look when seeking out the source of cyberattacks is the artificial intelligence and machine learning space. “Threat actors [are] using this new technology and its sophistication to try to breach the firewalls and protocols that financial institutions and other large companies have in place,” explained Hawkins.
The second kind of attack is malware. “We see this with phishing, even spear phishing, really targeting very specific people, and getting them to give up information,” continued Hawkins. There are also IT misconfigurations, which can leave information exposed through holes in the software or a misconfigured firewall.
Lastly, there are the infamous nation-state-sponsored cyberattacks. “We’ve even seen this in the news most recently with the SolarWinds issue where the malware was installed in test code that was just waiting to be installed,” elaborated Hawkins. “With the nation-state attacks, sometimes [cyber hacking is] maybe not that sophisticated in some ways.”
Cybercriminals will attempt these attacks any way they can, including through ATMs, as in a recent case where North Korea was suspected of stealing millions of dollars from ATMs in Africa and Asia. “It’s coming from all fronts, and you have to have a multi-pronged approach to fight it.”
Recent case studies on cybersecurity breaches
From the consumer side of risk management, there is always concern of an attacker leveraging an AI solution. They may do this by imitating the voice of the CEO to wire money, or maybe compromising email systems to achieve the same results.
This is exactly what happened to a firm recently, where Chubb Insurance had to pay nearly $5,000,000 for the fraudulent transaction.
“You can see that with all the big banks. You receive a text message asking you to connect to your bank for a problem or statement, [and] you need [to] retrieve your transaction to finalize [it],” said Bonnay. “This type of attack leads you to a very similar website, but just aims at collecting your credentials.”
While this scenario doesn’t necessarily put the banks at fault, many people fall for these types of cybersecurity attacks, and then the hackers proceed to the legitimate banking site and process further transactions.
Financial institutions address the challenges of the new day
The payments industry has been working toward the digitalization of its platforms, and COVID-19 certainly accelerated the outcome. While there are huge conveniences that come with online services, there are even more opportunities for fraudulent activity and other cyberattacks. Therefore, the approach to combat such attacks “has to be multifaceted because the attacks are multifaceted,” said Hawkins.
One of the biggest complications that must be addressed is human error and controls. “The first thing we have to do is [provide] training and education for everyone and do what we can to reduce the human error, because we do see human error as a pretty major component of this,” continued Hawkins.
Next, there is the continuation of education, but this time for the consumer. Many consumers are not yet using their mobile wallets, but Hawkins believes that they should be. Consumers are concerned that their mobile wallet payments won’t be accepted by a merchant, or they believe that the card or chip is more secure than the tokenized number on their phone. This is not the case, and educating these consumers will aid in getting merchants to start using these more technologically advanced terminals.
The third and final challenge to address is that companies will have to invest in this technology, and along with it, the cybersecurity to secure their systems. As cybersecurity is not a revenue driving space, it often gets overlooked by leadership and executive teams. But “this is a place where [businesses are] spending money in order to save money, and to prevent reputational risk,” advised Hawkins. Though business owners may not visibly see the revenue coming from these precautions, they can assume that they’re saving millions of dollars in lost fraudulent charges.
“That really is the three-prong approach: human error and the controls to stop that, consumer education—got to get that tokenization—and spending money [on] building Red teams and investing in the technology to fight cyberattacks.”