One common question that I get asked from time to time is: what do Cyberattackers like to prey on? In other words, who do they like to target? To be honest, just about anything and anybody can be a prime target. But it all comes down to one key motivating factor: MONEY, AND LOTS OF IT.
Wherever a backdoor is left open and money is easy to smell, the Cyberattacker will find prey. It can happen in many ways, such as Social Engineering, Phishing (Business Email Compromise is a big one here), finding vulnerabilities in a web application, etc.
But one thing I can answer for sure is that one heavily targeted industry is banking. After all, once the Cyberattacker has the victim's login info, all heck can break loose. For example, they can initiate a fake transaction, open a fraudulent debit card, or just do things the old-fashioned way and steal whatever money is in the victim's account.
In response to this, most of the financial institutions based here in the United States have done an excellent job implementing safeguards to protect their customers. I can even vouch for this myself. One time, I got a letter from my bank stating that my debit card had been hacked into. I had never even used it, but the moment they got wind of a potential fraudulent transaction, they cancelled it immediately. Another time, when I logged into my checking account from my iPhone (which I hardly ever do), the bank later blocked my access because a different IP address was detected.
But another area in banking that needs more attention is the mobile apps that banks create and deploy for their customers.
Consider these stats:
* Fraudulent activity will exceed $40 billion by 2027, which is a staggering 32% increase.
* Banking as a Service will also witness a 20% increase in attacks.
(SOURCE: How Banks Can Adapt to the Rising Threat of Financial Crime)
In fact, the mobile app can be viewed as a Banking as a Service tool. After all, you can download it from an app store, such as Google Play or Apple's App Store. In these cases, one of the easiest ways for the Cyberattacker to get in is to look for a backdoor in the source code, especially in the third-party APIs the app depends on.
As I have written before, many software developers use open-source APIs, primarily because they are free to download and use, with no licensing fees involved. Also, there are plenty of online forums where help and resources are available.

But the software developers who make use of these kinds of APIs often do not check that they have been kept up to date. Because of this, many backdoors, in the form of known but unpatched vulnerabilities, can be left open for easy penetration by the Cyberattacker. From here, they can manipulate the mobile app or even steal the source code to create a fake, thereby tricking and luring in their victims.
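The check the paragraph above asks for, "make sure the third-party components have been updated," is something a build pipeline can do mechanically. The script below is an added example written for this page, not code from the original post or from any bank: it parses a dependency manifest, fails any component that is unpinned (so the build could silently pull a different version), and flags any pinned version that falls below the first fixed version listed in an advisory table. The manifest lines, package names and advisory versions are all constructed for illustration; in practice the advisory table would be fed from a real source such as OSV or GitHub Security Advisories.

```python
"""Flag outdated or unpinned third-party dependencies in a mobile app build.

Constructed example: the manifest lines and the advisory table below are
made up for illustration. Substitute a real lockfile and a real advisory
feed (e.g. OSV or GitHub Security Advisories) in practice.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample manifest in "name==version" style.
# A line without "==" is treated as unpinned (whatever the resolver fetches).
SAMPLE_MANIFEST = """
# payments SDK and helpers (constructed names)
payment-sdk==2.3.1
json-parser==1.8.0
tls-helper
analytics-lib==4.0.2
"""

# Constructed advisory table: package -> first version that fixes the issue.
# Any version strictly below the fix version is treated as affected.
SAMPLE_ADVISORIES = {
    "json-parser": "1.9.2",
    "tls-helper": "3.1.0",
    "payment-sdk": "2.3.1",
}


@dataclass(frozen=True)
class Finding:
    package: str
    version: str | None
    status: str  # "ok", "unpinned", or "vulnerable"
    detail: str


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '1.8.0' into (1, 8, 0) so versions compare numerically, not as strings
    (as strings, '1.10.0' would wrongly sort below '1.9.2')."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def parse_manifest(manifest: str) -> list[tuple[str, str | None]]:
    """Return (name, version-or-None) pairs, skipping blank and comment lines."""
    deps: list[tuple[str, str | None]] = []
    for raw in manifest.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" in line:
            name, version = (p.strip() for p in line.split("==", 1))
            deps.append((name, version))
        else:
            deps.append((line, None))
    return deps


def audit_dependencies(manifest: str, advisories: dict[str, str]) -> list[Finding]:
    """Compare each dependency against the advisory table."""
    findings: list[Finding] = []
    for name, version in parse_manifest(manifest):
        if version is None:
            # An unpinned dependency may resolve to any version, including a
            # vulnerable or tampered one; the build is not reproducible.
            findings.append(Finding(name, None, "unpinned",
                                    "no version pin; build is not reproducible"))
            continue
        fix = advisories.get(name)
        if fix is not None and parse_version(version) < parse_version(fix):
            findings.append(Finding(name, version, "vulnerable",
                                    f"affected; upgrade to >= {fix}"))
        else:
            findings.append(Finding(name, version, "ok", "no known advisory"))
    return findings


def has_blocking_findings(findings: list[Finding]) -> bool:
    """True if the build should fail: anything unpinned or vulnerable."""
    return any(f.status != "ok" for f in findings)


if __name__ == "__main__":
    results = audit_dependencies(SAMPLE_MANIFEST, SAMPLE_ADVISORIES)
    for f in results:
        print(f"{f.status:<10} {f.package}=={f.version or '*'}: {f.detail}")
    raise SystemExit(1 if has_blocking_findings(results) else 0)
```

Run as a CI step, the non-zero exit code stops the build until the developer pins `tls-helper` and upgrades `json-parser`; the comparison is deliberately numeric so a jump from 1.9.x to 1.10.x is not misread as a downgrade.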
So how can a bank avoid this situation? In theory, the easy answer is that it should use its own IT department to build the app. But this can be a costly proposition, so many banks choose to outsource the development in the name of saving money.

While this can be a good thing, it also poses grave risks. For example, what if they have hired an offshore development team, such as one in India, and it has not been properly vetted?

In this regard, banks must take the vetting process very seriously. They need to make sure that whoever they hire meets strict security requirements that are at least on par with, or even stricter than, what the bank itself has in place.

Further, the right controls must be put in place in case any customer information and/or data is handed over for testing purposes. In fact, the bank should take the initiative and responsibility to create a set of best practices and standards for its vetting process.
Another avenue that banks are looking at to further protect their Banking as a Service offerings is the use of Generative AI. One of the best ways this has been used is to quickly detect any form of abnormal behavior that falls outside the baseline profile of the customer.

Once this has been captured, the Generative AI model will trigger the account to be blocked almost immediately. Generative AI is also great when it comes to halting a wire transfer that looks fishy, such as in the case of a Business Email Compromise Attack.
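To make the "baseline profile" idea from the two paragraphs above concrete, here is an added example written for this page (not code from the original post or from any bank's fraud system). It builds a per-customer baseline from constructed transaction history (known devices, networks, beneficiaries, hours and typical amounts), scores a new event by how far it deviates, and maps the score to allow, step-up verification, or block. The scoring is a plain weighted rule set rather than a generative model, which is an assumption made so the logic is inspectable; the history, the events and the weights are all made up for illustration. The new-beneficiary-plus-large-amount combination is weighted most heavily because that is the usual shape of a Business Email Compromise wire.

```python
"""Score a banking event against a per-customer behavioral baseline.

Constructed example: the history and the new events are made up. The scoring
is a plain statistical rule set, not a generative model, so that every
decision can be explained; a real system learns the baseline from far more
data and tunes the weights and thresholds.
"""
from __future__ import annotations

from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    amount: float
    device_id: str
    ip_prefix: str   # first three octets, e.g. "198.51.100"
    hour: int        # local hour of day, 0-23
    beneficiary: str


@dataclass(frozen=True)
class Baseline:
    devices: set[str]
    ip_prefixes: set[str]
    beneficiaries: set[str]
    hours: set[int]
    mean_amount: float
    stdev_amount: float


# Constructed history for one customer: two known devices, one home network,
# two regular payees, daytime/evening activity, amounts in the tens to low hundreds.
SAMPLE_HISTORY = [
    Event(60.0, "phone-A", "198.51.100", 9, "electric-co"),
    Event(85.0, "phone-A", "198.51.100", 12, "landlord"),
    Event(120.0, "laptop-B", "198.51.100", 14, "landlord"),
    Event(45.0, "phone-A", "198.51.100", 18, "electric-co"),
    Event(95.0, "laptop-B", "198.51.100", 20, "landlord"),
    Event(70.0, "phone-A", "198.51.100", 19, "electric-co"),
]

# Constructed new events to score.
ROUTINE_EVENT = Event(85.0, "phone-A", "198.51.100", 12, "landlord")
NEW_NETWORK_EVENT = Event(85.0, "phone-A", "203.0.113", 12, "landlord")      # same phone, new IP
BEC_EVENT = Event(9800.0, "unknown-android", "192.0.2", 3, "acme-supplies-ltd")  # classic BEC wire

BLOCK_THRESHOLD = 4
STEP_UP_THRESHOLD = 2


def build_baseline(history: list[Event]) -> Baseline:
    """Summarise what 'normal' looks like for this customer."""
    amounts = [e.amount for e in history]
    return Baseline(
        devices={e.device_id for e in history},
        ip_prefixes={e.ip_prefix for e in history},
        beneficiaries={e.beneficiary for e in history},
        hours={e.hour for e in history},
        mean_amount=mean(amounts),
        stdev_amount=pstdev(amounts),
    )


def score_event(baseline: Baseline, event: Event) -> tuple[int, list[str]]:
    """Return (risk score, human-readable reasons). Each deviation adds weight."""
    score, reasons = 0, []
    if event.device_id not in baseline.devices:
        score += 2
        reasons.append("new device")
    if event.ip_prefix not in baseline.ip_prefixes:
        score += 2
        reasons.append("new network")
    if event.hour not in baseline.hours:
        score += 1
        reasons.append("unusual hour")
    # Three standard deviations above the customer's own mean counts as "large".
    threshold = baseline.mean_amount + 3 * baseline.stdev_amount
    large = event.amount > threshold
    if large:
        score += 2
        reasons.append(f"amount {event.amount:.2f} above {threshold:.2f}")
    if event.beneficiary not in baseline.beneficiaries:
        # A first-time payee on an unusually large payment is the BEC signature.
        score += 3 if large else 1
        reasons.append("new beneficiary")
    return score, reasons


def decide(baseline: Baseline, event: Event) -> str:
    """Map the score to an action: allow, step-up (extra verification), or block."""
    score, _ = score_event(baseline, event)
    if score >= BLOCK_THRESHOLD:
        return "block"
    if score >= STEP_UP_THRESHOLD:
        return "step-up"
    return "allow"


if __name__ == "__main__":
    base = build_baseline(SAMPLE_HISTORY)
    for label, ev in [("routine", ROUTINE_EVENT), ("new network", NEW_NETWORK_EVENT), ("BEC", BEC_EVENT)]:
        score, why = score_event(base, ev)
        print(f"{label:<12} score={score:<2} {decide(base, ev):<8} {', '.join(why) or 'no deviations'}")
```

Note the middle tier: a login from a new network on a known phone, like the iPhone episode described earlier, scores only 2 here and gets step-up verification rather than an outright block, which is the kind of tuning decision the thresholds make explicit.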
But with the good comes the bad. For instance, a Cyberattacker can steal one of these models and tamper with it so that it will not detect fraudulent activity for a certain period of time. Or worse yet, they can not only create a fake website, but they can also use Generative AI to create a Deepfake, which is a replication of a real person.

They can use this to create a Digital Personality that the customer can interact with, but Social Engineering can be embedded here so that a trusting dialog is developed. Once this has come to fruition, the Digital Personality can then be manipulated to prey upon the vulnerable state of mind of the customer and con them into giving out their personal information and data.
My Thoughts on This:
IMHO, for banks, no matter their size or geographic location, there must be a fine line drawn as to how much Generative AI should be used. Perhaps creating a set of best standards and practices would be great here, spelling out where it can and cannot be used.

In the end, it is extremely easy to get swept away by the glamor that Generative AI brings to the table, but it is especially important to keep in mind, as in the case of the banks, that the human side is needed as well.
Back to my example of my account being blocked. Suppose the only way it could be unblocked was by having a conversation with a Digital Person. But for some reason, no matter how much I tried to convince it that it was really me trying to log in, it still would not unblock the account.

But luckily, after waiting a few minutes, I was able to reach a real, live customer assistant to whom I explained the situation. The next second, it was unblocked.

The equation for having a great level of security is to have a balance between technology and the human element.