According to estimates from leading analytics firm GlobalData, increased demand for cybersecurity will lead global security revenues in the retail banking sector to rise from $7.9bn in 2019 to $9.8bn by 2024.
As the world’s payment environment becomes more cashless, the growth in digital payment transaction value increases. In GlobalData’s view, this translates to a growing opportunity for providers of cybersecurity products and services. To fend off cybercriminals, banking and payment providers are looking to utilise newer and more advanced security infrastructure and services.
Cyberattacks are becoming more sophisticated thanks to artificial intelligence (AI) and self-learning malware. Phishing attacks meanwhile prey on vulnerable and naïve customers, and for cybercriminals, ransomware is the most lucrative type of attack.
In addition to keeping consumer data safe, providers themselves are at risk of attacks from cybercriminals. GlobalData argues therefore that in the modern payment market, it is vital that banking incumbents and fintech disruptors maintain a robust cybersecurity strategy for 2022.
Being foolproof is one thing. For the strongest cybersecurity strategies, financial entities will need to be futureproof as well. Verdict therefore presents banking cybersecurity predictions for 2022, talking to various experts from companies such as Akamai, Fourthline and KPMG UK about biometrics, deepfakes and more.
The buck stops with the banks
Richard Meeus, Director of Security Technology & Strategy, Akamai
Rising rates of cybercrime mean rising costs for banks as they face pressure to reimburse their defrauded customers en masse. Our recent research revealed that most consumers (67%) expect their bank to foot the bill for successful scams, regardless of the total amount lost. Over half (58%) of those who bank online are receiving scam attempts via email or SMS at least once per week, and 23% say they have been a victim of a cyberattack.
Currently, banks are reimbursing authorised push payment (APP) fraud at an average rate of 46%, but government-backed plans will soon force them to reimburse everybody. This is just one example of why banks need to push cybersecurity higher up the agenda in 2022 if they are to protect both their customers and their bottom line.
Banks will need to work collaboratively with governments and industry bodies to share effective strategies. There also needs to be continued work to educate the public on preventative measures, but ultimately the buck stops with the banks who will need to ensure they implement security models that ensure maximum protection for them and their customers.
Biometrics and beyond onboarding
Various predictions from Krik Gunning, Fourthline CEO
Social engineering and account takeover fraud will become even more prevalent next year. To combat this, financial institutions not only need to conduct holistic data checking beyond document verification at account opening, but also monitor customer identities throughout the customer lifecycle. Money mules, for example, appear to be perfectly legitimate people at onboarding, but transfer access to the account to money launderers after the account is opened. Banks and other financial institutions must adopt technology that can confirm the account user is the account holder throughout various points in the customer lifecycle.
Secondly, GDPR is quickly becoming the global privacy standard. Companies that are not set up to handle the most sensitive data (e.g. biometrics) at the very highest standards will have two choices (i) delete the data, as we have seen Facebook (View Company Profile) do with biometric data on over 1 billion users; or (ii) find a partner that does meet the bar.
As banks are required by law to store sensitive data it implies that (i) is not an option and we have already seen the first banks concluding that (ii) is a more attractive option than upgrading internal systems and procedures.
Finally, society at large has become increasingly interested in and vocal about how personal data is used by technology companies. This will lead to more tough questions asked and answers must meet a high ethical bar.
Banks will have to be able to explain how AI is applied to compliance and fraud. This also impacts vendor onboarding as it requires understanding whether their partners and vendors have full control over the technology they offer. Every bank will need to be able to explain both to regulators and the general public how and why a decision was taken.
Brett Beranek, VP & General Manager, Security and Biometrics at Nuance Communications
In order to ensure that their customers are protected, whilst still delivering a human-like experience, many FS organisations will turn to modern AI-powered technologies such as biometrics next year.
Voice biometrics can use sophisticated algorithms to analyse more than 1,000 voice characteristics – from pronunciation to size and shape of the nasal passage – to authenticate a user. Meanwhile, behavioral biometrics can measure the most minute details, such as how an individual holds their phone, how they type and even whether they pause once they finish a task.
Both technologies can be used by FS organisations to validate whether someone is who they say they are immediately based on how they sound. In fact, biometric engines need as little as half a second of audio to authenticate and start personalising a customer engagement. This means that agents can identify a customer immediately and start personalising the interaction from the outset.
Biometrics will also enable FS organisations to enhance security. Customers don’t need to remember something specific and worry about that information being stolen. There is no longer even a need to be authenticated using a specific passphrase such as ‘my voice is my password’. Instead, biometric technologies are enabling organisations to validate a person’s identity through natural utterances.
Banking cybersecurity and fraud
Martin Rehak, CEO of Resistant AI
In 2022 I see fraud no longer being a subset of financial crime but sitting next to ransomware, phishing and other forms of cybercrime. Call it the ‘spam’ moment for financial services.
Fraudsters, or shall we say hackers, are operating systematically to find holes in the automated processes financial services are putting in place, and they are learning by iteration every bit as quickly as startups are. According to a report by Lexis Nexis, digital lenders are seeing a 143% year-on-year increase in monthly fraud.
Executioners of fraud are now just customers of the same hacking professional classes that have been plaguing IT professionals for years. The outputs are ever-more sophisticated frauds and forgeries that human eye-sight and capacity simply cannot catch without the help of AI to augment their decision making.
Bots and cryptocurrency in 2022
Matthew Gracey-McMinn, Head of Threat Research at Netacea
As bots become an increasingly advanced and popular form of attack, we expect to see them exploiting business logic vulnerabilities in other industry verticals that may not have seen extensive bot attacks in the past.
As an example, we have found more and more bot developers offering their skills to those who want to profit from NFTs. Sniper bots, similar to those that frequent eBay, are being developed and employed to rapidly purchase and resell NFTs. We expect to see bot attackers trying to further diversify their attack vectors over the coming year, in order to maximise their profits.
Cryptocurrency meanwhile will become a focal point for cyberattacks globally. Cryptocurrency exchanges and wallets can often contain huge amounts of wealth that can be a great lure to attackers looking to profit from their attacks. Over the latter half of 2021, there has been an uptick in the number of attacks related to cryptocurrencies.
Sometimes these are simple social engineering attacks, and other times much more technically advanced. With the amount of money that can be stolen in a single successful attack (potentially running into the millions of dollars) we expect to see more attacks on decentralised currencies.
However, we also expect law enforcement to become increasingly involved in both investigating cryptocurrency attacks and exploiting cryptocurrencies weaknesses in order to investigate and interfere with crime. Governments may seek to crack down on cryptocurrencies or seek to regulate them more severely in response to this trend.
The dark side of BNPL fraud will emerge
Armen Najarian, Chief Identity Officer at Outseer
Use of Buy Now Pay Later (BNPL) services, such as Klarna or Clearpay, skyrocketed in 2021. Shoppers racked up £4.1bn in outstanding debt with these companies, which certain sections of society may never be able to repay. In 2022, the dark side of BNPL will emerge, with the trend re-named “Buy Now Pay Never”. Expect to see cash-strapped individuals try and get away with more and more first-party fraud – using the service and collecting the merchandise with no intent of repaying the loan.
While merchants and card issuers may prefer to write-off lower value transactions than accuse customers of lying, the lines are blurred with BNPL providers whose entire business model relies on repayment. As the industry enters 2022, tackling all types of BNPL fraud will be critical, as this type of borrowing will face more regulation. Improving fraud detection will help these services look more attractive to regulators, as well as help BNPL providers protect their bottom-line. Data-centric fraud solutions can help, crunching thousands of data points – like age, buying habits, and previous fraud claims – to determine the likelihood of fraud having taken place.
Deepfakes and auto-diallers: a dual threat
Matthew Roach, Head of i-4 at KPMG UK
A rise in deepfake attacks is expected. The technique of using AI to emulate corporate leaders’ signatures will become a more mainstream attack vector in 2022. Financial institutions have been increasingly reliant on voice analysis as a security measure and the threat actor community has already cottoned on.
This method was used successfully at the end of 2021, with a $35m theft from a bank based in the UAE. Banks and global investment houses need to take note and ensure their security methods are not over reliant on any single technology solution.
Kevin Gosschalk, Arkose Labs CEO
An interesting trend is we’re seeing really interesting ways of scaling attacks that previously took a lot of human effort from the fraudster’s side. Thing like intercepting one-time pins or one-time passwords (OTPs). They’ve now built tools that automate that process. Fraudsters use auto diallers where you type in the bank that you’re trying to pretend to be, and it will automatically call that person and say “this isn’t automated”. So you have an 85% hit rate of people actually giving over OTPs to bots.
That tech removes the human element necessary to commit these kind of attacks. OTP interception is now trivial compared to what it’s been historically, and that innovation fundamentally shifts the economics in the favor of the attackers and we’re going to see a whole bunch of pain.
Read our full interview with Kevin about metaverse security and the future of cybersecurity in general for 2022.