The escalating incidence of fraud may be driving financial institutions to ramp up their data-protection efforts with automation and orchestration tools, but one security executive has warned that many organisations risk exposing themselves if they open up faster than they can manage fraud and malicious attackers.
That risk was escalating as financial-services companies – including flexible, innovative fintech providers – extended their online activities with API-based cloud services that enabled far more casual outside access to their core services.
Tight back-end connections into core financial-services systems mean these APIs need to be not only carefully checked and managed during development, F5 Networks APAC security specialist Shahnawaz Backer told CSO Australia, but also operationally managed and protected using Web application firewalls that monitor their usage and block exploits such as distributed denial of service (DDoS) attacks.
“The banking and fintech community has to take a certain amount of responsibility for building security into these applications,” he explained, “and the APIs need a certain amount of protection.”
“They can’t just open the API floodgates; to automate something you first have to look at the size of the data pool you have to make a decision. If the data pool is not sufficient and you try to automate based on that data pool, you may end up creating a lot more false positives than just doing the job manually.”
The risk would be escalated by the New Payments Processing regime, which in February will go live to speed payment transfers – and require faster fraud detection and management as a result.
Such anti-fraud protections have become even more pressing given reports suggesting fraud rates continue to rise – but in unexpected ways. A recent analysis of fraudulent behaviour, compiled by payments provider Stripe, showed that fraud rates tend to surge not during heavy shopping days like Black Friday or Cyber Monday; rather, fraud tends to spike on days like Christmas Day, when people aren’t shopping.
Fraud rates also run counter to shopping trends: shopping peaks during workday hours, while fraud peaks late at night and flattens during the day. And, the analysis found, fraudsters are often discovered because they make additional charges at the same businesses, using the same credit card, ten times faster on average than legitimate customers.
“While there are some consistent patterns to fraudster behaviour, we've found that the predictive strength of these patterns varies widely depending on the location of the business and the fraudster,” Stripe engineering manager for payments intelligence and experience Michael Manapat said in a statement.
“Because of this, we recommend using anti-fraud tools based on machine learning trained on large amounts of data to ensure businesses are making the right tradeoffs between battling fraud and maximising profits.”
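The repeat-charge signal from the Stripe analysis above can be sketched as a simple velocity check over charge records. This is an added example, not code from Stripe or from the original article; the charge records, card tokens, merchant ids, the minimum-data threshold and the use of the tenfold figure as a cut-off are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample charges (timestamp, card token, merchant id); not real data.
CHARGES = [
    ("2017-11-01T10:00:00", "card_A", "shop_1"),
    ("2017-11-08T10:00:00", "card_A", "shop_1"),
    ("2017-11-02T12:00:00", "card_B", "shop_1"),
    ("2017-11-16T12:00:00", "card_B", "shop_1"),
    ("2017-11-03T09:00:00", "card_C", "shop_2"),
    ("2017-11-06T09:00:00", "card_C", "shop_2"),
    ("2017-11-20T15:00:00", "card_D", "shop_1"),  # single charge, no repeat
    ("2017-12-25T23:00:00", "card_X", "shop_2"),
    ("2017-12-25T23:05:00", "card_X", "shop_2"),
    ("2017-12-25T23:10:00", "card_X", "shop_2"),
]

SPEEDUP = 10   # assumption: treat "ten times faster" as the flagging cut-off
MIN_PAIRS = 3  # assumption: minimum repeat-buying pairs needed for a baseline


def repeat_gaps(charges):
    """Seconds between consecutive charges for each (card, merchant) pair."""
    seen = defaultdict(list)
    for ts, card, merchant in charges:
        seen[(card, merchant)].append(datetime.fromisoformat(ts))
    gaps = {}
    for key, times in seen.items():
        times.sort()
        if len(times) > 1:  # only pairs with at least one repeat charge
            gaps[key] = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return gaps


def flag_fast_repeats(charges, speedup=SPEEDUP, min_pairs=MIN_PAIRS):
    """Return (card, merchant) pairs repeating `speedup` times faster than typical."""
    gaps = repeat_gaps(charges)
    if len(gaps) < min_pairs:
        return []  # data pool too small to define "typical"; do not score
    typical = {key: median(g) for key, g in gaps.items()}
    baseline = median(typical.values())  # median resists a few fast outliers
    return sorted(key for key, g in typical.items() if g * speedup <= baseline)


if __name__ == "__main__":
    print(flag_fast_repeats(CHARGES))
```

A single global baseline is the simplest form of the check; a per-merchant or per-region baseline would be the natural refinement where enough data exists.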
Stripe’s findings reinforce new fraud figures reported by identity-verification provider Jumio, which noted a 17 percent drop in fraudulent transactions during 2017 that included a 33 percent annualised drop in fraud over the Black Friday-to-Cyber Monday shopping weekend that just passed.
The lower fraud rates observed this year suggest either that fraud patterns are changing, or that financial-services institutions – motivated by trends that Jumio said included a 57.4 percent spike in fraud during last year’s Black Friday shopping weekend – are getting better at detecting and blocking it. Either way, businesses must remain vigilant for fraud outside of peak shopping times.
“Recognising that the incoming and outgoing flow of funds must be protected at the highest level,” Ian Mirels, CEO and co-founder of payments provider EFTsure, said in a statement, “implementing systems, procedures, and processes that promote a sound internal and external control environment to minimise the risk of payments fraud is critical – acknowledging that such fraud can be perpetrated both within and external to an organisation.”
While anti-fraud tools seem to be having some effect, extending their use across new financial platforms “depends on the comfort level to which we want to automate,” F5’s Backer warns.
Improving that comfort level requires a concerted effort that spans from back-end APIs out to cloud-based applications and the client devices handling payments processing: “Applications should stack in security so that when they’re rendered on a device it has intelligence about where it is running, and what it is running on,” Backer explained.
The security layer should be encapsulating it tight from the server side as well as the client side, he added – noting that change is reinforcing the need for strong security practices.
“People are getting more and more ways of achieving things, and we have to open ourselves up to more APIs to have more collaboration with fintech providers,” he said. “Threats are coming not just physically, but as automated threats through back rooms. When you shift to the cloud, security becomes a shared responsibility.”