Safety Detective interviewed Rebekah Moody, Director of Fraud and Identity at ThreatMetrix, which develops tools to help businesses prevent online fraud. Here’s what we found out:
Major Shift in Cybercriminals’ Strategy – APAC Now a Hot Spot
SD: We’ve seen an uptick of cybercrime in recent years. How do you think things have become worse for the average user?
Rebekah Moody: We’ve been producing a cybercrime report for four years that follows this closely. We’ve not only seen a rise in overall attack rates, but also a change in the types of attacks cybercriminals are favoring.
In the past, we tended to see lower-volume, simpler attacks. Recently, however, we’ve seen cybercrime on a global scale, with that shift fueled by the omnipresent data breaches we frequently hear about in the news. The data criminals harvest from these breaches has acted as the lifeblood of cybercrime, flooding the dark web with stolen identity data. Fraudsters buy this data en masse and exploit it to commit large-scale attacks. This has meant that more countries are taking their place on the cybercrime world stage. To give an example, when we started the report, the top attacking nations for cybercrime by volume would usually be the UK, Germany, France, and usually one other European country. In the last year alone, we’ve seen countries such as Vietnam, Brazil, India, and China making their way into the top 5 or top 10 list. The volume of cyber attacks coming from China and Southeast Asia grew significantly year on year, 157% and 59% respectively. The attack rate from China is higher than any other region analyzed in Q2, at 20.9%. In particular, Hong Kong is among the prime targets for attacks this quarter, which aligns with several reports that suggest it is one of the main focuses for cybercrime in the region due to its status as a key financial hub.
We’re also noticing a rise in the volume of automated bot-executed attacks. In Q1 2018, we saw about a billion bot attacks. By Q2, that figure had risen to 1.6 billion. We’re seeing attacks from places like China and Vietnam that are having a significant impact on overall attack volumes simply because they’re automated mass-scale attacks. These tend to target e-commerce merchants and specifically their login processes.
SD: What industries are most at risk besides e-commerce?
RM: We see media as almost being a testbed for stolen identity attacks. Due to the industry acting as a gateway to digital interactions for a lot of people, it’s an easy first port of call for attacks and has lower barriers to entry than, say, a financial services institution. Generally, some basic credentials are enough to gain access. Sometimes, fraudsters will test stolen credentials using media companies and then move on to higher value attacks like e-commerce merchants or financial institutions.
Telecoms is also interesting. If fraudsters get access to a high-value piece of hardware like an iPhone or iPad or are able to take over a telecoms account, there’s a lot that they can do. For instance, they could change login credentials or order new SIM cards in order to intercept second-factor authentication codes. Telecoms sits in the middle of other industries and has the potential to act as a sort of conduit for further fraud. Furthermore, stolen identity data travels fast. But with a number of high-profile cyber attacks targeting travel industry companies, the challenge of authenticating digital users is becoming ever more complex. Throughout APAC and beyond, the industry has been under a sustained assault for the last several months. In October, for instance, word hit that a major airline suffered a massive breach that compromised the personal data of more than 9.4 million passengers. The stolen data included a treasure trove for identity thieves, including passenger name, nationality, date of birth, phone number, email, address, passport number, travel histories, and more.
SD: What can individuals and companies do to prevent cybercrime?
RM: Our priority has always been developing the ability to identify the behavior of “good” users not intent on committing fraud and being able to accurately differentiate them from potential fraudsters. The challenge is that digital users are a very diverse group and behave in a lot of different ways. I might travel abroad once a year whereas an international salesperson might do so 50 times. So, it wouldn’t make sense to create a rule whereby if you travel abroad more than a certain number of times per year we assume you’re a fraudster and will block your transaction. The more sensible thing to do is to develop individually tailored behavioral recognition systems.
The second thing they can do is develop layered solutions that suit the customer journey. Our priority as businesses should be to strive towards implementing a friction-less or low-friction authentication and verification strategy. An example would be using the built-in biometrics on a mobile device. We want to make the online customer journey as smooth as possible.
The third thing we can do is develop solutions that work in harmony with one another and not create operational silos. There are still a lot of legacy systems in use in business that often can’t communicate with one another. This prevents businesses from getting a single, rounded view of the customer and makes it harder to recognize good customers.
At ThreatMetrix, we give businesses the ability to genuinely recognize good, returning customers by piecing together their digital identity from the complex digital DNA users create as they transact online. Leveraging the power of our dynamic Digital Identity Network, we can build up a complete picture of a customer and pinpoint high-risk behavior in real time.
Since our acquisition in early 2018, we can now combine ThreatMetrix digital identity solutions with verification and authentication capabilities from LexisNexis Risk Solutions. This leaves you with a very robust multi-layered defense system, with unparalleled visibility into the true identity of users.
SD: Where do you see cybersecurity five years from now?
RM: I think things will change sooner than that – more like next year or the year after!
AI is a big buzzword, and it will be interesting to see how “AI versus AI” plays out. What will happen when fraudsters start using AI themselves? Will they be able to execute perfect social engineering attacks automatically? We could get to a point whereby customers will have difficulty telling whether a piece of communication comes from a bank or an imposter. Another open question is what will happen if fraudsters gain the ability to start manipulating chatbots.
The Internet of Things (IoT) will also throw up plenty of challenges. If fraudsters gain access to the information the devices are collecting, or manage to hack into them, the repercussions could be devastating. Information from the IoT devices could also be used to devise better social engineering attacks.
The possible emergence of cybercrime as a service also worries me. Cybercrime is quickly outgrowing its reputation as a cottage industry and becoming a big serviceable industry in its own right. Cybercrime tools will be sold on the dark web, enabling hackers in smaller economies to gain access to them.