Fifty shades of fraud


awareness throughout the organisation. “The role that an individual plays in an organisation’s overall approach to cybersecurity and risk management is crucially important and our recent ‘Risk:Value 2016’ report indicates there is greater awareness of the criticality of good data management practices at a senior level,” says Stuart Reed, senior director, NTT Com Security.3 “This is in contrast to our findings in a previous report where attitudes suggested that one department or individual was responsible for IT security.”

Answers to the question: ‘What do you see as the single greatest risk to your business?’. Source: NTT Com Security.

Security Mindset

David Emm, principal security researcher at Kaspersky Lab, points out: “You can’t train staff to be secure, in the way that you can train them to make effective use of a word processing or other application. Rather, cyber-security education is about developing a security mindset that conditions how employees think about security in any situation they encounter.” He adds: “It’s vital to find imaginative ways to ensure that security issues are understood by employees at all levels. Security must become part of the company’s wider culture: otherwise, it’s like doing the housework once and imagining that this will suffice to keep the house clean.”

About the author

Tracey Caldwell is a freelance business technology writer who writes regularly on security issues. She is editor of Biometric Technology Today, also published by Elsevier.

References

1. ‘Cyber Resilience: Are your people your most effective defence?’. Axelos/Resilia. Accessed May 2016. www.axelos.com/Corporate/media/Files/RESILIA_Report-16.pdf
2. ‘Hack Back! A DIY guide’. ‘Antisec’. http://pastebin.com/raw/0SNSvyjJ
3. ‘Risk:Value 2016’. NTT Com Security. Accessed May 2016. www.nttcomsecurity.com/en/landingpages/risk-value-2016/

Fifty shades of fraud

John Lord, GBG

Computer Fraud & Security, June 2016

Cybercrime, and in particular fraud, is a booming business. Every week we are faced with another story of a business becoming the latest victim of cybercrime or shocking statistics about the rising levels of fraud. Just recently, PwC published a report that found that in the past two years, half of UK organisations have been the victim of an illegal act committed by an individual or a group to obtain a financial or professional advantage.1 In fact, cybercrime, it was revealed, is the fastest-growing fraud, with a 20% increase since 2014, in comparison to some of the traditional forms of economic crime such as bribery, asset misappropriation and procurement fraud.

The latest scam, dubbed ‘CEO fraud’, has caused UK businesses to be on high alert after increasing reports of losses as a result of criminals impersonating email accounts of chief executives to trick staff into wiring payments to an overseas bank account. The total cost to companies around the globe is estimated to be around £1.43bn.2

Clearly, fraud comes in many guises, whether it be an individual or business applying for and accepting credit with no intention of repayment (first-party fraud), having your identity stolen (third-party fraud), duplication of an identity (syndicated fraud) or a salesperson intentionally not running a credit check on a customer when buying a phone, for example (complicit fraud). And the number of incidents of fraud is only rising. According to a report from consultancy firm KPMG, the UK experienced £732m-worth of fraud in 2015, up from £717m the year before. Action Fraud, the UK’s national fraud and financially motivated Internet crime reporting centre, also recorded a 9% uptick of incidences of online fraud compared with the previous year’s statistics.3

With figures like these, it is therefore worrying to read, in the PwC report, that a third of UK organisations have no response plan in place to protect themselves from a cyberattack. It is worrying in the sense that today’s cyber-criminals are not just about targeting a business’s financial information. They have set their sights higher, to now include a company’s ‘crown jewels’, namely its customer data and intellectual property information. Once this falls into the hands of those with malicious intent, the consequences can be catastrophic for any company, and its customers.

Fighting data theft with data

We call this ‘the butterfly effect’ – the implications that impact an individual or business long after the fraudulent activity has occurred or is discovered. And as fraud increases, so does the butterfly effect of its occurrence. It’s sadly got to a point that you have to assume that your identity will at some point be compromised. It’s now not a case of if, but when. Even the unassuming store card can be a target for fraudulent activity. It is the key to an individual’s name and address, and while this may seem innocuous on the surface, fraudsters can use this data to set up other accounts to do with as they please or sell in an online marketplace. In addition, when your identity is stolen, your details become compromised and often locked down or cancelled, but you still need to pay your direct debits, for travel, food or shopping and so on. Putting a complete halt to your data could cause more harm than good, though – consider the implications for defaulting on your mortgage payments, for example.

“Identity data intelligence has a huge role to play in not only uncovering incidences of data fraud but also preventing fraud from occurring in the first place”

For businesses, then, it is incredibly important to have a safety net in place so that when they are victims of a cyberattack, the use of any customer data compromised is prohibited so that its value to those with malicious intent is worthless. It is also crucial that data is utilised correctly to ensure that those impacted by fraud do not experience these problems. For example, if a customer who has recently experienced credit card fraud is attempting to make a payment to an online retailer or bank, that organisation should be able to request additional, uncompromised personal information from that customer in order to authenticate a payment, rather than block the transactions entirely. Essentially, companies need to be able to move criminals down the high street, away from their customers.

Identity data intelligence has a huge role to play in not only uncovering incidences of data fraud and stopping the butterfly effect of its implications, but also preventing fraud from occurring in the first place. However, while it is important that individual organisations get their house in order and have this ‘data defence mechanism’ in place, we can be much stronger in the fight against cybercrime and fraud if we all work together – on a global scale.

Joining the dots

Data transparency can be an incredibly effective way of battling global fraud. In fact, just recently the UK Government launched a new taskforce focused on tackling fraudulent activity.4 The taskforce will try to: spot intelligence gaps that currently exist; improve intelligence sharing between banks and law enforcers; work to identify victims more efficiently; raise awareness of fraud; and tackle systemic vulnerabilities in online systems and processes. This is a move in the right direction for tackling rising levels of fraud.

When data is shared freely between the public and private sectors, across geographical and political boundaries and among international bodies, a more accurate picture of global fraud patterns can be established. Those with malicious intent are not static individuals – they move around – and unless free-flowing access to real-time information is possible across multiple countries, their criminal history cannot be effectively tracked and they’re free to commit fraud again. Being able to use accurate data to connect the dots, predict algorithms and identify behaviour patterns is all crucial to building out an intelligent view of global fraud.

Therefore one can argue that, in the fight against fraud, data is good. The more transparent we can be with data, the more it can be used to gather insights and intelligence that will stop the bad guys in their tracks.

It is very much apparent that fraud, in its many guises, is not a problem we can solve with one simple solution. Fraudsters and cyber-criminals are becoming ever more determined and more sophisticated in their efforts to steal valuable customer data and consequently, we need to bolster our defences. Data can not only educate businesses and alert them to incidents faster, but it can also be that safety net to ensure their customers are protected in the instance of an attack. It would be naive for a company in today’s threat landscape to assume it is immune to the malicious intentions of a hacker. Everyone is a potential target, and only by having the right procedures in place to minimise the risk and the consequences post-attack can we start to fight back.

About the author

John Lord was appointed managing director of the Identity Proofing business of GBG, an identity data intelligence company, in June 2009. Prior to arriving at GBG, he worked for one of the world’s largest credit ratings agencies, where he led global sales before heading up the UK business. Most recently he had a period in a PE-backed venture leading a major data analytics business serving both B2B and B2C customer-engagement strategies.

References

1. Davis, Rob. ‘UK business battling huge rise in cybercrime, report says’. The Guardian, 25 Feb 2016. Accessed Mar 2016. www.theguardian.com/technology/2016/feb/25/cybercrime-uk-businesses-battlinghuge-rise-silver-fraudsters.
2. Boyce, Lee. ‘Beware ‘CEO fraud’ costing British businesses millions: Workers warned to watch out for bogus requests from bosses to transfer money as one firm loses £18.5m’. This is Money, 1 Mar 2016. www.thisismoney.co.uk/money/saving/article-3471248/Beware-CEO-fraud-costing-Britishbusinesses-millions.html.
3. Kirton, Hayley. ‘The UK clocked up £732m worth of fraud in 2015, up from £717m the year before, with crimes committed in London and the South East accounting for more than half the value’. City AM, 19 Jan 2016. Accessed Mar 2016. www.cityam.com/232666/the-ukclocked-up-732m-worth-of-fraudin-2015-up-from-717m-the-yearbefore-with-crimes-committed-inlondon-and-the-south-east-accounting-for-more-than-half-the-value.
4. Viña, Gonzalo. ‘Banks join BoE and police in anti-fraud task force’. Financial Times, 10 Feb 2016. Accessed Mar 2016. www.ft.com/cms/s/0/93f21a52-cf56-11e5-92a1c5e23ef99c77.html.

The death of defence in depth

Steve Mansfield-Devine, editor, Computer Fraud & Security

The modern enterprise has no shortage of information security systems. Firewalls, intrusion detection and prevention, anti-malware and a plethora of other systems are now standard elements of today’s networks. But as Matt Alderman, VP of strategy at Tenable Network Security, explains in this interview, the question is whether we have the right security, and whether it is operating in a properly joined-up manner so that attackers can’t slip between the cracks.

“I think it boils down to two components,” says Alderman. “One is, do we have enough security? The other question is, are we appropriately leveraging the security that we have? If we look back as an industry, our approach to security has always been this concept of defence in depth.”

This concept of multi-layered security solutions has become rooted deep in our thinking about how we protect networks, Alderman believes, and it has led us into the trap of focusing on point solutions. “We said, oh, it’s all about anti-virus, so we went out and we bought anti-virus. And then we said, it’s all about the perimeter, so we went out and bought firewalls,” he says. These layers of security built up, with new ones being added every time analysts or vendors focused on a shiny, new ‘leading edge’ technology that was touted as solving the problems of the day, he believes.

“The challenge we have today is that we just don’t know what’s on our network. And so, without understanding, we have no idea how we’re going to protect it. We need the ability to understand the state of security on our devices”

Experience shows that none of these technologies is perfectly effective at tackling the issue for which it was designed – such as intercepting malware or preventing network intrusions. And even if the solutions are, at least, reasonably effective, the valuable information they produce ends up locked inside them, he says.

“We’re not connecting it together,” says Alderman. “We’re keeping a lot of this data isolated. So you’ve got all this great information potentially there, but by not bringing it together, it’s really hard to find the needle in the haystack. It’s hard to prioritise all this data that you’re collecting, to really figure out what’s important and what’s not.”

Taking a step back

Alderman believes we need to take a step back. And that we should stop thinking in terms of technologies and start thinking about capabilities. In other words, what is it that you actually need? He views these capabilities as falling into six domains, all of which need to be addressed in order to stand