There has been a concentrated effort, particularly within the UK, to implement more stringent SCA checks to help combat fraud attacks during the customer journey.
Payment Expert spoke with ThreatFabric Founder and CEO Han Sahin, discussing the new SCA checks in the UK and their early impact, the implementation of new methods to prevent fraud, and what ThreatFabric is doing in its efforts to help the cause.
Payment Expert: In the UK, more stringent SCA checks have been made to help try and tackle fraud. With your experience, do you believe more stringent SCA checks will help or hinder the shopping experience?
Han Sahin: It depends on how things are implemented. With truly frictionless solutions the customer experience is not harmed, but unfortunately this is not the standard approach yet, as most organisations still embrace Two-Factor Authentication/Multi-Factor Authentication.
However, SCA using apps like Google Authenticator, Microsoft Authenticator, OTP (One Time Password) such as Bank of America or Metro Bank authenticator, is insecure against banking malware threats.
All Android Banking malware running on the victim’s device can retrieve this OTP in an automated way and send it to its server. Hence, SCA using OTP as a secondary app on an infected device is insecure against fraud by malware. These fraud attacks scale better for fraudsters than using voice fraud (vishing attacks) and hence have potentially a bigger impact.
Therefore, SCA using a second app or its own app for 2FA is insecure against fraud by malware or, as we call it, On Device Fraud scenarios.
PE: Has ThreatFabric seen positive results when it comes to lowering fraud cases not just in the UK, but other countries who may apply the same checks?
HS: Yes, definitely. Banks running our proactive Client-Side Detection solution have experienced a great decrease in mobile fraud. Other clients are benefiting from our Mobile Threat Intelligence to understand how fraudsters operate.
The only way to become proactive is to have fraud intel as your standing point (forecasting threats) in combination with a fraud solution that has multiple (or layered) fraud sensors. This approach avoids a cat and mouse game, because when fraud tactics change at least one of the sensors will kick in.
PE: In 2022, has online fraud taken over practical ‘over the phone’ fraud and what have been the challenges to help mitigate this?
HS: Most forms of fraud are actually a sophisticated hybrid combination of various techniques, for example, by combining a Remote Access Tool (RAT) with voice phishing (social engineering). Detecting these kinds of frauds requires a holistic omni-channel detection approach.
PE: How will ThreatFabric properly analyse and track malicious behavioral patterns in attempting to stop a fraud attack before it has happened?
HS: It starts with gaining a deep understanding of how fraudsters operate (fraud intel as a standing point). After many years of researching fraud and working within banks, we have reached points where we understand the high-level patterns that all fraudsters have in common. By creating layers of detection for those patterns, we can catch fraud attacks, including the unknown ones.
A good example is mapping fraud by malware prevention inside the customer payment journey. Our solution first detects if there are malicious malware-related events on an endpoint such as a key logger or malware capabilities that, inside the behavior of the victim, change the beneficiary account number. This is alerted separately to banks.
In our layered fraud sensor stack the behavioral analytics sensors such as your key flight (sometimes also called passive authentication or behavioral biometrics) will have in this attack a limited accuracy because the fraud is happening by malware in the behavior of the victim – in the way he or she types, in his or her flow of the mobile banking app. This is why we believe that the only way to be proactive is to have multiple technologies to fight the ever-changing fraud vectors.
PE: Pertaining to real-time fraud alerts before the attack takes place, how quick and avoidable will this reduce fraud attacks?
HS: Our technology runs on the end-user’s device, which enables us to measure a continuous trust level of the device. If the trust level drops for whatever reason, we can already warn the bank before the actual fraud takes place.
Inside the customers’ journey there are important risky moments from an online banking perspective, such as login, changing address book items, changing day limits, and making a new transfer to a new beneficiary. The scoring of the trust of the device and the user with multiple detection sensors needs to happen before the transaction is signed so it can be parked by banks automatically.
We believe that this approach enables banks to perform any risk-free payment and reduce any friction introduced by security controls such as SCA MFA. In 2022, you can be in control of fraud from a proactive standpoint.
PE: Moving on into the future, do you predict there to be new and intricate ways of fraud and if so, can you describe how challenging that is when the method is so new?
HS: Fighting against ever-changing fraud vectors is why we believe the only way forward is proactive fraud prevention strategies and solutions. If the technology implemented by financial institutions (including crypto wallet providers) has layered detection sensors with fraud threat intel to forecast new threats, any new fraud can be detected proactively. Hence the layered (omnichannel web & mobile) approach allows us to adapt to new threats.