How to Adapt Financial Services to The Online Space Securely – And Still Sleep at Night

Financial institutions, like eCommerce industries, are leading today’s fast, pandemic-driven transition to the digital space. A change that will become a norm.

By Robert Capps, VP of Marketplace, NuData, a Mastercard Company

Branches have now reopened, but many customers will continue to transact online and enjoy the convenience of banking in pajamas. In a recent NuData webinar with Aite Group’s Julie Conroy, she shared that, “one bank’s public investor filing says that 75% of their servicing transactions are now digital in the wake of the pandemic.” In addition, for many financial service employees, the period of remote work that began in the spring is still ongoing, with no clear end in sight.

Few would disagree that this digital transformation is a positive development that makes financial services more accessible to everyone, but it doesn’t come without risks. When evolution is rushed, the established technologies and processes may leave vulnerabilities that bad actors can take advantage of. To support a streamlined, consistent digital customer experience while also ensuring security, your organization may need to add additional layers of protection.

Add a pandemic to fraud prevention

One-third of finance login attempts within the NuData client network are high risk. This is not a negligible proportion of the average financial institution’s online traffic.

As Robert Capps explains during the same webinar with the Aite Group, “even when those login attempts are unsuccessful, they hurt your bottom line by raising operational costs.” He also added, “You’re paying for more bandwidth, more servers, more licensing fees to run software on those servers, more space in a data center, more power — and so on — all to process transactions that have zero to negative value for your company.” For many companies, these expenses run into the double-digit millions or more. By getting top-of-funnel fraud attacks under control, you could reduce your fraud losses but also impact your bottom line.

Fraud prevention was already a mind-bending challenge, but the pandemic has made it even worse for many financial institutions. With many offices closed and travel restricted, users log in from fewer locations on fewer different devices, making them, at first sight, easier to identify and differentiate from fraudsters. But financial customers have also changed their habits in sometimes unpredictable ways. They complete different types of transactions and transact more frequently, at different times of day, compared to before the pandemic. These behavioral changes thwart some financial institutions’ existing fraud risk models, increasing false positives, while still letting fraud through.

It doesn’t help that cybercriminals are adopting ever more sophisticated tactics to bypass financial institutions’ defenses. According to NuData research, in the first half of 2020, 96% of attacks against financial institutions were sophisticated. These are attacks that tried to mimic human behavior in an attempt to blend in with legitimate traffic. Some attacks take it one step further and solve bot challenges such as CAPTCHAs by sending them to human farms — essentially call centers for fraudsters. Human-farm workers are paid to process as many requests as possible, manually. Financial institutions need to understand how these attacks happen and how they behave, to tell them apart from legitimate users.

WFH-ing safely

Remote work poses another growing challenge for financial institutions, as it may increase some types of fraud risk. Many cyberthreats start at home — for example, a personal device on the home network infected with malware can be an entry point. Bad actors can use that back door to infect a corporate asset on the same network. It’s increasingly common for the initial attacker to sell such access to a third party, who then exploits the breach to compromise user data or perform any number of malicious actions.

5 steps to lose the fear of cyberthreats

When shoring up your cybersecurity protections, prioritize solutions — both internal and external — that enable an uninterrupted customer journey. As mentioned during the Aite Group webinar, 22% of consumers left their credit or debit card issuer because of a poor experience. Here are a few ways to tighten security without adding too much friction.

  1. Tighten permissions for administrative users. Lessen the risk of internal fraud or data leakage by reducing the amount of sensitive information that employees can access, for example, by anonymizing personally identifiable information (PII). Behavioral analytics tools (see #5 below) can also help identify anomalous behaviors, such as an employee accessing datasets that aren’t necessary for their work.
  2. Use a VPN to enable access to internal tools. This is a best practice when people are working from home networks that are generally less secure than networks at the operational center.
  3. Employ a bot detection tool to block automated attacks. While bot detection is often placed as a protection for customer accounts, during COVID-19, we’ve seen an increase in bots directed at employee services in the work-from-home environment. Protect both sides to minimize your risk.
  4. Use behavioral analytics and passive biometrics to validate identity. A worker at a human farm cutting and pasting stolen personal information from a spreadsheet doesn’t interact with an online form the same way as a “good” user who is inputting their own information they know by heart. And your trusted employee doesn’t use a mouse quite the same way as their roommate who’s borrowing their computer. Understanding baseline behavioral and passive biometric signatures for employees and customers lets you quickly flag anomalies that call into question who’s actually sitting in front of the screen, even if they had all the right credentials.
  5. Educate both employees and customers. In any system of cyber defenses, humans are usually the weakest link. Strengthen it by teaching both customers and employees to look out for threats in their everyday environment, especially social engineering attacks. On the employee side, it’s especially important to educate call center workers who may be focused on delivering great customer experience more than looking out for social engineering threats.

The strongest cyber defenses are not one but many at once. If accelerating your digital transformation efforts during COVID-19 didn’t leave time to add the necessary protections, now is a good time to start catching up. By setting up the infrastructure to make remote work more secure, educating employees and customers about cyber threats and using advanced tools to continuously validate user identity, you can make your new normal more secure — without sacrificing customer experience.

About the Author

Robert Capps AuthorRobert Capps, VP of Marketplace, NuData, a Mastercard Company. Robert is NuData Security’s Vice President of Marketplace Innovation. He is an industry-recognized technologist, thought leader, and advisor with over twenty-five years of experience in retail, payments, financial services, and cybercrime investigation and prosecution. Robert brings his industry insight and vision to drive market-leading products and services for NuData Security and is the public spokesperson for the organization.

He is passionate about bringing safety to the digital world in the shape of cutting-edge technologies, so companies and end-users don’t have to worry about risks from cybercrime.

In previous roles, Robert served as the Global Head of Payments, Security and Fraud for StubHub, as the Head of Consumer Security for Wachovia and Golden West Financial, and continues to advise early-stage startups.

Robert Capps can be reached online [email protected],

November 26, 2020

cyber defense awardsWe are in our 11th year, and Global InfoSec Awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.
Cyber Defense Awards

12th Anniversary Top InfoSec Innovator & Black Unicorn Awards for 2024 are now Open! Finalists Notified Before BlackHat USA 2024...