Staying Ahead of Cybercriminals by Aligning Security and Fraud

At times, fraud can seem like a game of cat and mouse: The criminals are usually aggressive and are on the offense, while companies struggle to protect themselves and are on the defense. For companies, the game is becoming harder to play. Criminal organizations’ tools are becoming more sophisticated and their attacks more complex. Financial services firms and merchants find it difficult to constantly adapt their security and fraud defenses to keep up with rapidly evolving attacks. And if you are not keeping up, then you are falling behind. The dangers are higher losses, abandoned transactions, and customer dissatisfaction. Losing money and customers—not a good combination.

It’s time to rethink your approach to fraud prevention. But I can hear it now. “I am understaffed and underfunded. How do you expect me to keep up with more nimble and well-funded criminal organizations?” In this challenging environment, it’s time to work smarter, not harder. Merchants and financial services firms that have solved this accomplished it by looking both inward and outward.

Looking Inward

Looking inward, successful companies have admitted their security and fraud mitigation inefficiencies. It is common to have a cybersecurity department protecting computing networks and externally facing applications from infiltration, exploits, and denial of service attacks, and a fraud department focused on online/digital transactions, event correlation, and incident responses. This creates a segregation of responsibilities and two departments with different tools, data sets, performance indicators, staff, and budgets. Let’s look at how this hurts a company.

Data breaches and credential spills have exposed billions of personally identifiable information records, including username/password pairs. In a typical attack, an attacker will perform credential stuffing using highly distributed botnets to test these pairs at scale to identify which username/password pairs are still valid. With a valid pair, an attacker easily becomes a cybercriminal by taking over a customer’s online account—extracting money, laundering loyalty points, or making unauthorized purchases. Depending on the security countermeasures encountered, the cybercriminal may modify the attack using tools that range from network scripts and botnets to those that emulate human behavior or frameworks that can make API calls to human click farms to solve CAPTCHA.

This type of attack spans both security and fraud team responsibilities. If the security and fraud teams or their tools are not communicating, threat intelligence and context are lost, and it is difficult (maybe impossible) to see the entirety of the attack. As a result, fraudsters slip through the cracks, and companies and their customers experience financial losses.

It’s time to break down organizational silos. Collaboration across teams and technology can be the vehicle to convergence, increased revenue, and ultimately the company’s success. In addition, pooling resources and data improves visibility, making it possible to keep criminal organizations out while letting good customers through without friction. In a recent Aite-Novarica Group study of 110 fintech firms, those that have an integrated fraud system are twice as likely to say it is somewhat or very easy to manage fraud, compared to firms with separate and distinct fraud systems.

An integrated platform has the benefit of seeing more of the fraud landscape through the pooling and continuous analysis of data. With a larger data set, and thus more fraud signals, it is possible to create more predictive and precise machine learning models. This can not only lead to more proactive and actionable intelligence but also a better user experience, since the increased precision can fast-track authentication, providing a seamless way for customers to transact without increasing fraud.

Looking Outward

Looking outward is also important to create an effective fraud ecosystem. It is common practice for financial services firms and merchants to purchase tools and manage fraud in-house, with staff configuring the tools to prevent fraud. As fraud attacks morph over time, the company has to adapt its fraud strategies to counter them, tune authentication rules, and investigate false positives. In other words, the company has to experience a new fraud attack (and a financial loss) before it can prevent future ones. This reactive strategy leaves the company exposed while internal departments investigate and remediate the security gap.

Why not be proactive? Vendors offering commercial solutions leverage their breadth of experience and visibility to protect their clients better than an individual client can protect itself. How? Well, a vendor with a large client base across multiple geographies and industries has a very broad view of fraud, especially when threat intelligence is shared across its collective defense network. If a new fraud attack vector emerges, the vendor can quickly modify its fraud defenses to protect all clients.

The Win-Win-Win Solution

Staying ahead of the growing sophistication of criminal organizations and their attacks is difficult, especially with staffing and resources in short supply. It’s time to look inward and outward. Bringing together cybersecurity and fraud management into an integrated team and leveraging external expertise provides three main benefits. Cybersecurity/fraud management is simplified, losses are lowered, and customers have a better online experience. A win-win-win solution.

By David Mattei, Strategic Advisor, Aite-Novarica Group

_____

For additional perspective, read the Aite Report to learn new strategies to minimize fraud loss.