Over 12 years ago, I came across this new online security solution that let me look at my entire set of web and mobile transactions in real time, as the traffic came across the network. As the manager of online security, this was the best data I had ever seen. And I found out I could create real-time alerts against anomalous transactions for any transactions I had — no coding required. And it made a difference immediately. We were effectively stopping unauthorized wire transactions before the money left the bank.
Fast forward to today: 2024 is a totally different world, and it calls for totally new solutions to prevent digital fraud in banking.
Although we have seen an explosion in social engineering for consumer financial scams (“authorized” transactions), we are also seeing a growing set of new and more challenging attacks against banks and their customers via the web, mobile and even the APIs that access customer data. So, what do I need to cope with this environment? Before answering that, let’s look at the new threats.
The New Threats
In March 2024, the Wall Street Journal reported, “Banks and other financial firms are facing a barrage of cyberattacks that aim to temporarily disrupt their websites and apps, primarily driven by a surge in hacktivists who target companies in geopolitical hot spots.” In the same article, a DDoS mitigation vendor reported a 154% increase in 2023 among its customers.
And earlier this year there was a cyberattack against Change Healthcare. According to The Washington Post, this company is responsible for processing 50% of US medical claims. As a result of the attack, many patients could not get their critical prescriptions on time.
Even major Internet companies are not immune. One major vendor has been engaged in an ongoing effort to fight a nation-state cyberattack inside its data centers, with its critical source code at risk. And we find Apple, whose operating systems have long been considered safe, shipping security updates several times a month.
What we are seeing are cyberattacks aimed at crippling companies, including financial institutions. With banks, these hackers (the hacktivists mentioned above, the old-fashioned cyber crooks and now nation states) have several goals:
- Disrupt/shut down banking
- Steal bank data
- Gain control of the bank’s data center environment
- Facilitate financial crime (e.g., establish money mule accounts)
- Make money from bogus activity
The bad actors’ tooling is evolving from individual attackers creating bots and using fraud farms to cybercrime-as-a-service (CaaS), where teams of smart programmers develop attack code that is then purchased as a service. So, the attacks become more complex, and over time they will grow more complex still with the use of Generative AI models.
What Solutions Banks Need to Have
There has already been much discussion around protection against high-volume DDoS attacks. Less has been said about lower-volume, smarter (think Generative AI) attacks that aim to gain access to applications, create bogus transactions and more. Much of this is carried out by targeted, automated bot activity, as many already know.
The more difficult part is understanding that the bad guys are constantly trying new approaches to defeat the target sites, and changing them frequently.
So, what I am noticing now are vendors focused on quickly identifying these changes in attack vectors and modifying their “solution” on the fly. For this to work, the vendor needs a broad variety of customers that attract the bad guys’ attention (think banks, large internet vendors, Gen AI vendors (the hot new target today), health care, etc.). Then, when a new attack vector is spotted going after one company, the vendor can quickly pivot a solution to its other customers.
Kevin Gosschalk, founder and CEO of Arkose Labs, told me a story in which “recently an attack hit one of our Internet customers. We learned from it and quickly deployed a solution across our customer base. This capability is a real differentiator for us.”
What concerns me is that with fraudsters having relatively free access to Generative AI models (they constantly hijack Gen AI prompts to produce malicious output), we will see a stream of “bad” attack innovation take place. At some point it could be almost non-stop. And there is no meaningful way to prevent the bad guys from using Generative AI models.
So, the only good software solution to stop this is one that constantly learns from the initial attacks and quickly shares the updated defense across the customer base. Here, a bigger customer base is essential to this “on-demand” software update capability.
When you think about it, this is almost a consortium process. Normally, when we think of a consortium and sharing data, it is the customers sharing data (e.g., a known money mule account number). In this case, it is the vendor sharing the data associated with the attack and the transactions involved. It is shared indirectly, as protection updates, and it is also shared as raw data points with explanations to help customers protect channels the vendor is not directly involved with.
Making this type of solution work really requires a vendor with a 24/7 operations center and live system staff with “eyes on the glass” constantly monitoring customer traffic. The obvious reason is that the bad guys prefer to attack when the security team is off work: evenings, weekends and, yes, holidays.
In talking with Arkose Labs Chief Customer Officer Patrice Boffa, he said, “The way our operations centers are set 24/7, we can immediately detect the attack, understand how it works by identifying the attack signals and adjusting our defenses to mitigate the attack.” He also said, “Part of our solution involves using our challenge technology and the use of Generative AI to create/modify our challenge technology, quickly, as part of the defense.”
In the future, Boffa sees an acceleration of bad guys using Generative AI to mimic human behavior when executing these automated bot attacks to bypass defenses.
Summary
At the beginning of this blog, I talked about the cool fraud detection solution I found over 10 years ago and how it made such a difference. Today, I think I would be talking about these constantly changing threats that affect my account opening, my logon and my other web and mobile transactions, and about how I need a vendor watching for these changes in real time and working to quickly update my defenses.
The people attacking banks want to shut us down. There is no better way than to disrupt the digital channel activities. So, I need an always-on solution that catches new attacks and protects me as soon as possible after detection.