Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

6/8/2021
10:00 AM
Amelia Ahlgren
Amelia Ahlgren
Commentary
50%
50%

An Answer to APP Scams You Can Bank On

Financial institutions' usual fraud-detection methods can't detect most authorized push payment (APP) scams, putting customers and banks at risk.

A coalition of organizations recently penned an open letter urging the UK government to include scams in its new Online Safety Bill.

Related Content:

3 Classes of Account Fraud That Can Cost Your Company Big Time

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: How Are Cyber Insurance Companies Assessing Ransomware Risk?

From the letter: "Online platforms play a pivotal role in enabling criminals to reach and defraud Internet users through the hosting, promotion, and targeting of fake and fraudulent content on their sites, including adverts that they make significant profits from."

The coalition's heart is absolutely in the right place. Consumers deserve better protection, and anyone who distributes, proliferates, or worse, profits from scam advertisements or content should indeed be held accountable.

But the unfortunate reality is that scam ads, emails, text messages, and phone calls continue to penetrate even the best-designed defenses.

When this happens — and it happens a lot — the communication, purportedly coming from a bank or government official, the police, or even a tax authority, drives an emotional response from the recipient.

Motivated by this emotion, as well as a sense of urgency and an inherent trust in the authority of the other party, duped consumers are spurred to act — often logging in to their own financial accounts to execute a transfer that "remedies the crisis." Banks call this authorized push payment (APP) fraud since the authorized user is the one making the transfer. For the layperson, it can simply be characterized as account transfer fraud.

In the United Kingdom alone in 2020, £479 million in losses reported by customers were attributed by banks to APP fraud, according to UK Finance.

The Challenge for Banks
The amount of losses is not a surprise. Just think about it: A bank's security stack must be able to decipher within milliseconds whether it's you or someone else knocking on the door to your online account.

But in the case of an APP scam, money is being transferred by the actual bank customer, who has been tricked into making a financial transaction, often transferring funds to accounts set up by scammers for this specific purpose in faraway places. In an APP scam, all of the bank's traditional modes of fraud detection — a trusted device, geolocation, IP address, and network — fall short.

What's worse, all the crucial elements of the setup occur outside the bank's purview — in places both online and offline that they can't track. They are completely blind to the scheme.

It's an incredibly confounding challenge for the banks (or anyone, frankly) as they try to stem losses and protect their customers.

Fining content distributors for taking in advertising dollars from scammers is a good place to start. But to protect vulnerable consumers, the banks also need a way to recognize that a scam is occurring, even though their anti-fraud systems are accurately detecting the legitimate customer operating within the account. The banks need a last line of defense at the spot where APP fraud occurs and traditional methods of security fail.

One such detection method that is rapidly being deployed to defeat these scams is behavioral biometrics. The technology got its wings confirming that the person behind a screen is who they claim to be — by continuously tracking swipes, taps, keystrokes, mouse movements, and other behavioral characteristics throughout an online session, and comparing them with preexisting customer profiles — all without interfering with the user's journey around the bank's website.

But beyond providing this kind of real-time, continuous authentication throughout a session, the latest advances in behavioral biometrics have enabled banks to recognize when a legitimate user is behaving as if under the influence of a scam, generally by deviating from their existing norms while navigating their websites.

A Challenge to Regulators
Given the effectiveness of such newly emerging technologies, regulators should also consider something more comprehensive than what the coalition proposes. For example, in addition to fining the content distributors, regulators could reward banks that adopt proven, innovative solutions, rather than relying on limited or outmoded security methods that have largely been compromised.

One way this could work is to require banks to disclose their APP fraud losses, with governments providing tax credits or other financial incentives where loss rates meet a predefined standard. The revenue lost to these incentives could be offset by fines generated from leaky content creators.

The Answer for Boards
Thanks to financial and logistical support from malevolent nation-states, today's fraudsters are becoming ever more resourceful and behaving more like criminal enterprises. Nefarious networks are rapidly replacing the standalone hacker, creating an arms race of sorts between cybercriminals and the banks whose defenses they seek to exploit.

This escalating threat has put cybersecurity front and center on corporate board agendas. With top-level responsibility now a fact of corporate life, it is hard to understand why any bank board would fail to adopt innovative technologies to achieve a secure and seamless online experience.

Amelia Ahlgren is EVP, Strategy and Operations, at BioCatch, where she is responsible for corporate strategy, development, and the BioCatch Client Innovation Board, a collective of forward-thinking banks seeking to leverage the unique attributes of behavioral data to solve ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Enterprises are Attacking the Cybersecurity Problem
Concerns over supply chain vulnerabilities and attack visibility drove some significant changes in enterprise cybersecurity strategies over the past year. Dark Reading's 2021 Strategic Security Survey showed that many organizations are staying the course regarding the use of a mix of attack prevention and threat detection technologies and practices for dealing with cyber threats.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-42258
PUBLISHED: 2021-10-22
BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1 allows SQL injection for unauthenticated remote code execution, as exploited in the wild in October 2021 for ransomware installation. SQL injection can, for example, use the txtID (aka username) parameter. Successful exploitation can include ...
CVE-2020-28968
PUBLISHED: 2021-10-22
Draytek VigorAP 1000C contains a stored cross-site scripting (XSS) vulnerability in the RADIUS Setting - RADIUS Server Configuration module. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the username input field.
CVE-2020-28969
PUBLISHED: 2021-10-22
Aplioxio PDF ShapingUp 5.0.0.139 contains a buffer overflow which allows attackers to cause a denial of service (DoS) via a crafted PDF file.
CVE-2020-36485
PUBLISHED: 2021-10-22
Portable Ltd Playable v9.18 was discovered to contain an arbitrary file upload vulnerability in the filename parameter of the upload module. This vulnerability allows attackers to execute arbitrary code via a crafted JPEG file.
CVE-2020-36486
PUBLISHED: 2021-10-22
Swift File Transfer Mobile v1.1.2 and below was discovered to contain a cross-site scripting (XSS) vulnerability via the 'path' parameter of the 'list' and 'download' exception-handling.