Over the past two years that we have lived with the pandemic, the world has changed dramatically. Those changes provided financial criminals with great opportunities to take advantage of many businesses when they were at their most vulnerable, trying to adjust to a new reality. Remote working environments, the ongoing digitization of services, COVID-19 restrictions – all have contributed to the development of new cyber threats and techniques.
As we head into 2022, the fight with cybercrime and payment fraud is not going to be easier, but we can be better prepared. We’ve put together a list of payment security challenges and trends that we expect to be strong in the next 12 months and added resources to help you improve your resilience to financial crimes.
1. Withstand the Rise of Cyberattacks in the Financial Industry
In 2021, as financial institutions had to quickly expand their digital services due to the pandemic, cybercriminals immediately jumped on the opportunity to breach security gaps. Ransomware and distributed denial of service (DDoS) attacks caused a lot of pain for issuers and payment providers last year, and they will bring a lot more disturbance in 2022.
In the first half of 2021, global ransomware attacks increased by 151% when compared with the first half of 2020. The financial industry was not the only one taking the hit: criminals targeted local businesses, municipal governments, chain retailers, and healthcare organizations. The most famous of them was the Colonial Pipeline ransomware attack resulting in a six-day shutdown and payment of a US$4M ransom.
If earlier ransomware attacks were limited to a single attack (extortion: payment in exchange for decrypting files), now there is a new trend – a triple extortion. Criminals encrypt files, threaten to publish the stolen data, and launch a DDoS attack as part of one criminal operation.
A report from Netscout showed that in the first half of 2021 threat actors launched 5.4 million DDoS attacks, with more than 50% of those being DDoS extortion attacks in the financial industry. If a card processor has a capacity to service over 5,000 transactions per second, even a few minutes of downtime can mean losses of millions of dollars, not to mention the reputational losses. Tools for DDoS attacks are easy to find online and don’t require a lot of know how. In the UK, kids as young as nine years old have launched DDoS attacks on their school’s networks.
There are a few trends that we expect to continue in 2022:
- Increase in phishing attacks and scams. Ransomware attacks very often start from phishing attacks. For example, email phishing tricks employees into providing sensitive data to criminals, which is then used to launch a ransomware attack. The Anti-Phishing Working Group (APWG) reported that in Q1 of 2021 phishing attacks were the most prevalent in the financial industry.
- A much shorter timeline for paying the ransom. We live in the era of instant digital payments and it isn’t only customers who expect faster payments. Criminals may threaten to publish confidential data in order to speed up payment, as happened in the case of the JBS attack last year.
- The rise of Ransomware-as-a-Service (RaaS). The tools for ransomware attacks are becoming so numerous and easily available, that they are offered on inexpensive subscription model or flat-rate fees.Threat actors offer malware, ransomware, phishing kits, and other products to other cybercriminals.
2. Secure Payments in the Metaverse
Last year, when the term metaverse became mainstream, we all got a glimpse of what the future might look like. While it’s hard to find a consistent definition of the metaverse, a good description is that it is a network of three-dimensional, virtual environments, interconnected and built upon the internet, where social connections and interactions can happen, like they do in the real world.
Why should financial institutions and merchants care about this emerging concept? Well, just like in the real world, users in the metaverse can perform financial transactions. And fraudsters go where the money is.
Some banks have already noticed great opportunities for improving customer engagement and interaction in the metaverse and launched new programs and services. For example, BNP Paribas offers their customers a virtual reality app to access their account activity and transaction details. Citigroup uses holographic workstations for financial trading. Major Korean banks participated in the metaverse by creating training experiences for bank executives and organizing events to support the 2020 Tokyo Olympics within virtual platforms, when in-person gatherings were prohibited.
The metaverse era is already here and it offers exciting opportunities for financial institutions, while its interconnected nature threatens us with entirely new crimes. Identity management, data security, data privacy, and compliance will need to be reconsidered as more companies and organizations enter the metaverse.
In these interconnected environments, account takeovers will continue to be a major pain for many financial institutions. If years ago credit cards were the major attraction for criminals, in the digital era, accounts themselves have great value for fraudsters as transactions happen virtually. The reliance on external devices in the adoption of the metaverse (such as VR headsets, for example) gives criminals extra opportunities for hacking and stealing data.
3. Sensitive Data Protection
To stay competitive in today’s digital economy, many financial organizations and merchants invest in the development of open banking solutions to delight their customers. With more data stored on the cloud and available through 3rd party apps, it’s getting more and more challenging to ensure the security of sensitive personal, health, and financial data.
The Payment Services Directive (PSD2) that went live in 2018 enables customers to grant permission to third-party applications to access their banking information and complete payments on their behalf. With the customer’s consent, the third party has access to the customer’s account, transaction details, and can also use this data for analysis and service improvement. The more applications have access to customer data, the more opportunities for fraudsters to interfere. The growing risk of data breaches or the misuse of data requires strong controls over data in real-time, as many payments now are instantaneous.
Artificial intelligence (AI) software solutions with supervised and unsupervised machine learning (ML) will help secure Big Data initiatives as part of a comprehensive payment security program. As financial institutions leverage cloud platforms, AI, analytics, and ML, they will also make changes to their operations to increase data protection and regulatory compliance.
In 2022, expect to hear more about the development of DataSecOps as an agile approach to keeping data simultaneously available, well-governed and secure. DataSecOps puts security at the forefront of data operations. It will help organizations balance continuous development with resilience to future threats. While data breaches are here to stay, the holistic approach to managing data and its privacy will be key for staying competitive and profitable.
With all the threats looming on the horizon, here are a few key steps that you can take today to protect payments and sensitive customer data:
- Check if your team is prepared to fight fraud and cybercrime in real-time with the list of questions we put together in this blog post.
- Move fraud detection earlier in the process to avoid a progressive loss of data along the transaction journey. Check out our new whitepaper on details.
- Consider a convergence program for your cybersecurity, AML, and fraud prevention teams to avoid fragmented data management.
- Make good use of innovations in AI and Machine Learning.
- Learn from other industries. For example, lessons learned from the attacks in the gaming industry can be successfully applied to ensure the future security of banking VR solutions for customer engagement.
Need more support in protecting your data and securing payments? Schedule a free consultation with one of our experts.