Professional cybercriminals put the heat on fintech
Like the sophisticated and meticulous gang in the engaging 1995 movie Heat, cybercriminals are showing a greater degree of professionalism.
The European Payments Council’s (EPC) “2018 Payment Threats and Fraud Trends Report” provides a bleak and very lengthy overview of the most important threats in the payments landscape.
There is a lot to mention, but the EPC draws some main conclusions concerning threats.
These include that the organisation and sophistication of recent cyberattacks have shown the aforementioned competence, and that the main attack focus has shifted slightly away from malware to social engineering attacks, except for attacks aimed at companies.
Its report notes that social engineering attacks and phishing attempts are still increasing and remain instrumental, often in combination with malware, with a shift in targets from consumers, retailers and SMEs to company executives, employees, financial institutions and payment infrastructures.
Pretty much everything is in a bad state. Malware remains a major threat and advanced persistent threats (APTs) have remained persistently threatening.
In addition, more and more mobile devices are becoming an attractive target, the number of DDoS attacks is still growing, and the adoption of cloud services and big data analytics brings new risks.
With it all looking about as pleasant as a dingy pub in North London, a few stats to demonstrate the current state of affairs may be in order.
On social engineering and phishing attack trends in 2018, a release by the FBI in July 2018 states that business email compromise (BEC) attacks continue to grow and evolve, targeting small, medium and large businesses as well as personal transactions.
Between December 2016 and May 2018, there was a 136% increase in identified global exposed losses. The scam has been reported in 160 countries, with monies transferred to 115 countries.
Based on the financial data, Asian banks located in China and Hong Kong remain the primary destinations of fraudulent funds.
Initial coin offerings (ICOs) have been getting some bad press recently – just think of the US Securities and Exchange Commission making two people in/famous on that subject – and the EPC report is no different.
It says cybercriminals are exploiting the interest in cryptocurrencies and ICOs. Potential investors are targeted with fraudulent messages, sent before the official ICO start, announcing a pre-sale and listing crypto-wallets to which money should be transferred.
But the EPC states that virtual currencies are here to stay, as ICOs raised more than $6.2 billion during the first half of 2018, compared to $969 million in the same period of 2017.
It comments: “Another phenomenon that is appearing in the market is ‘Cybercrime-as-a-Service’, causing huge challenges to companies. It appears to be a business model that is continuously growing as threats are evolving, which is also increasingly efficient.”
When it comes to card payment fraud, the council reckons “as long as the mag-stripe is needed for international transactions, skimming will remain an issue”.
It adds: “Criminals are changing their approach to fraud. Not only by changing to more high-tech frauds like APT, but also some of the criminals are reverting to old school types of fraud such as lost and stolen. This has already become a higher cost driver than skimming in some EU countries. As ecommerce is still on the rise, card not present (CNP) fraud remains a significant factor for fraud losses.”
The EPC has a few ideas and points to make to improve all this.
The European Commission is reviewing and extending the legislation on combating fraud and counterfeiting of non-cash means of payment. The 2001 Council Framework Decision on combating fraud and counterfeiting of non-cash means of payments “no longer reflects today’s reality, such as use of virtual currencies and mobile payments and was focused on card-fraud only”.
The European Union is also discussing an e-evidence regulation to make it “easier and faster” for law enforcement and judicial authorities to obtain the electronic evidence they need to investigate and eventually prosecute criminals and terrorists.
Although this regulation will only cover the member states, there is “still a need to increase the international scope”.
The EPC concludes: “Furthermore, it is vital that the pressure increases on those countries that are not being diligent with cybercriminal prosecution. Even though there is also a cyber diplomacy toolbox under discussion, this tool is initially targeting critical infrastructure issues such as large cyberattacks and other cyberspace conflicts. It does not address the essential need to prosecute ongoing minor cybercriminals’ fraud acts that although not seen as a single big attack, are overall causing a huge amount of economic impact.”
As with all these cybersecurity reports, it’s the same old story of be vigilant and understand the threats – and that more needs to be done for the cyber battle to be won. Some things never change.
You can read the 91-page report from the EPC here.