It’s hard to overestimate the importance of cybersecurity and data protection in any financial institution. In Indacoin, we always follow the “safety first” approach, and today we want to give you a little tour behind-the-scenes to learn more about fraud prevention and advanced security technologies from Claire Hatcher — Head of Business Development for Kaspersky Fraud Prevention.
In this interview, we’ll talk about:
- Main security threats every business should be aware of;
- Newest updates in the fraud prevention field;
- Who’s most at risk to suffer from a cyberattack;
- How to combine security checks and data protection;
- Key rules for self-protection in the online world.
I’m sure 90% of our readers already know about Kaspersky and its awesome products, but could you say a few words about Kaspersky Fraud Prevention specifically?
Kaspersky Fraud Prevention provides session-based anti-fraud solutions for enterprises interacting with customers via web and mobile digital channels. It helps cut costs on alternative authentication methods, closes gaps in security, and has a web interface to provide visibility of incidents and anomalies.
All of this is done in real-time and underpinned by machine learning to analyze over 150 different parameters, including passive biometry and device and environment analysis.
The fintech market is all about innovation, and we’re thrilled to see new fraud detection tools and strategies. Can you tell us about your most recent products?
Kaspersky Fraud Prevention continues to innovate its core product to increase efficiency for current customers. For example, we recently re-launched our web console. In upcoming versions, we also increased social engineering detection, which is critical in the fight against fraud. In addition, we launched a version designed to be installed directly on the customer’s infrastructure, as some APAC and META countries are unable to use traditional cloud-based fraud prevention tools because they don’t meet local regulations prohibiting sensitive data from leaving the country.
We’ve also been working with other verticals that are becoming increasingly targeted, such as our collaboration with Polys to support a secure online voting platform for businesses, universities and political parties, and also help us enhance our fraud detection capabilities in the blockchain.
You’re a pioneer in fraud prevention solutions for businesses, so what do you think is developing faster: fraud schemes or anti-fraud solutions?
Fraud schemes and scams are continuously adapting and innovating in step with the market and consumer trends. There’s even something we call the “Fraud as a Service” market, where specializations and web interfaces have been developed to provide hackers easy access to what used to be the complex programming skills required to extort money from individuals on a “commercial” level.
Historically, fraud prevention has taken a siloed approach, perhaps looking to see if an end device was infected, or if a device is trusted or not. Due to the complexity of these attacks, a holistic approach is required that doesn’t just look at the transaction or login, or even if the device is trusted. Instead, we need to consider the entire session and analyze hundreds of attributes related to the user, account and their devices in order to detect suspicious patterns, robotic behaviour and, of course, traditional methods. It’s also crucial to monitor sessions continuously, as a fraudulent activity may first be detectable at any stage of user sessions. Only when you look at the big picture can you see patterns emerging that indicate an attack.
Many clients are still afraid that their data might get stolen, so they prefer not to share sensitive information online. In your opinion, has online verification already reached the level where these fears can be put to rest?
Consumers are protected anywhere in the world by a number of regulations, such as PSD2 and GDPR, which safeguard their data and help protect against cyberthreats.
When it comes to fraud prevention, all of our solutions analyze fully anonymous attributes, so speaking from a fraud prevention company’s perspective, we don’t see any of the underlying data or personally identifiable information (PII).
That being said, consumers should always be mindful of who they share their data with, and do their best to ensure they don’t accidentally give away private and personal information, e.g., by clicking on phishing links or sending data to unverified parties.
Do you have any stats about who suffers from cyberattacks the most? Which business fields should pay close attention to cybersecurity news?
Financial service companies are historically the most targeted, but we’re seeing a shift to other verticals, for example, online retail is number one in terms of growth rates for fraud. Here’s a recent fraud case that Kaspersky Fraud Prevention detected:
“One of the most striking cases of cross-organizational cyberfraud exposed recently was the discovery of a network of 3,029 fraudulent accounts. The main goal of the criminals was to receive bonus points by creating a large number of accounts on an online portal. The criminals bought codes to replenish their accounts in a gaming store and then sold them online on social media and marketplaces. We noticed that all of the criminals performed their operations manually, and our research detected 14 devices showing mass login attempts (10 to 65 unique users). During our research, user accounts and devices were combined to analyze user activity, and we detected an enormous cluster of 11,256 unique users.
Another fraud technique is related to the abuse of welcome bonuses in loyalty programs. The scheme is straightforward: scammers register accounts with a marketplace en masse, receive their welcome bonus points and buy goods at a reduced price. One such abuser bought up diapers and candy, subsequently selling them on classified ad websites at a profit. The accounts were later abandoned, their average lifespan being just one or two days.”
What’s the most impressive case or high-level fraud scheme Kaspersky has ever detected?
Below is an excerpt from our Fraud Report with a detailed description of a money-laundering scheme we detected in 2019.
The diagram above contains only part of a chart that illustrates the core algorithm of the fraudulent scheme’s “launch” phase:
- Detected drop accounts are coloured black. What’s important here is separating the attacker’s account from the victim’s. The drop account, or presumed attacker, can be identified using session anti-fraud solutions or by analyzing transactions initiated by the account.
- Once a drop account has been identified, the capabilities and technology offered by the session anti-fraud solution must be put to use. Key elements that helped identify interlinked drop net users by using session anti-fraud data are coloured red in the chart.
Money laundering is a serious issue plaguing financial services, as well as cryptocurrency and exchanges. For complicated money laundering schemes that normally include the placement of illegally obtained funds, layered distribution and integration or withdrawal of funds, criminals use automated tools, proxy servers, remote administration tools and TOR browsers to cover their tracks and remain anonymous.
Kaspersky Fraud Prevention has an outstanding client portfolio. Do you think these partnerships contribute a lot to your own development?
Absolutely! Historically a lot of risk models in fraud prevention companies have been tailored purely to the financial services industry. This meant that vendors didn’t have direct access to other vendors, such as retail, e-commerce or e-government, who were starting to see an increase in fraudulent attacks.
Here is a real use case with a major marketplace in Russia:
“The cost of implementing a pilot of Kaspersky Fraud Prevention with machine learning technology and setting up the system for the company’s needs was minimal, and the solution quickly demonstrated its effectiveness. Switching Kaspersky’s protection to full-fledged operations allowed the information security specialists to halve the number of fraudulent transactions and achieve an 87% match between the verdicts of Kaspersky Fraud Prevention and internal analytics data.
Thanks to the implementation of Kaspersky Fraud Prevention, the marketplace was able to provide its customers high-precision protection against the theft of user accounts and accumulated bonuses, while protecting its own systems from malicious users.”
By partnering with key companies across all verticals and geographies, we can monitor trends and keep ahead of emerging patterns, which allows us to develop our technologies further. Thanks to the support of these companies and their expertise, we can fine-tune our models and continue to innovate our technologies to protect against emerging fraud.
I firmly believe that it’s only through collaboration and sharing expertise across clients, partners and vendors that we can grow our collective knowledge base and understand threats as they emerge in order to mitigate threats effectively.
It’s a common belief that only big corporations suffer from fraud attacks. In your opinion, how big does a client base or company need to be before an advanced fraud prevention system is crucial?
All companies, regardless of their size, can fall victim to fraud attacks and scams looking to extort money, so it’s important to think of your cybersecurity strategy at an early stage. As a company grows, more sophisticated tools and monitoring systems will be required, so the technology, processes and software you rely on should continue to be evaluated to ensure it’s upgraded and adjusted to meet new business needs.
Fraud prevention doesn’t have to be a cost-prohibitive technology for small businesses either.
It’s often the case that cybercriminals test new fraud technologies on large companies to see how anti-fraud and security solutions block their attacks. Once they get information about possible breaches and scripts, they switch their focus to small and medium-sized companies, which are usually less prepared for attacks and use less expensive and simpler security solutions than their larger competitors.
However, in the end, anyone can be a victim.
Can you share some tips on how to protect yourself against cyberattacks?
For companies:
- Always inform your customers and employees about vulnerabilities, detected fraud methods and other risks
- Track suspicious activity in user online sessions
- Always analyze the results of detected fraud on your digital services, and adapt your business logic accordingly
- Use multi-factor authentication, secure password encryption and other protective mechanisms
- Be prepared for incidents! Develop a plan for customer communication, reputation recovery and media response
- Regularly review your company’s cybersecurity policies and your software to ensure it takes into account the latest forms of cyberattacks
- Ensure that data meets regulatory requirements (for example, the GDPR), and all sensitive client information is encrypted.
- Consider adopting fraud prevention technologies, such as Kaspersky Fraud Prevention, which raises an alarm when it detects suspicious activities on your websites and mobile apps so they can be stopped before an attack takes place
- Educate your consumer base and internal employees about the dangers of clicking on unsolicited links in emails or text messages (phishing and smishing) and offer regular training to keep them updated on the latest scams and threats as they evolve
For individuals:
- Use strong, unique passwords for different online services. Don’t use a password for mobile banking that you use on other online platforms
- Regularly check your savings and loyalty program status. If you see an unusual change in the balance, contact the company providing the service
- Be careful with public Wi-Fi networks. If possible, don’t use them at all, but always use protective antivirus tools on your devices
- Avoid phishing emails and fake websites. Even if you get an email from a famous brand, it might still be a professional fake. Don’t enter your information, including your login and password, on sites you’re not 100% sure are real
I think these recommendations will be very useful for our audience, thank you very much for the great interview!