Magnetic stripe, EMV or behavioural AI – when it comes to card theft, are banks barking up the wrong tree? When will we look down at some real wet floors? Centralisation, KYC and privacy. At some new shoe-grips? Blockchain
A prominent Russian Bank – was recently staring wide-eyed at a big data breach of its clients thanks to a couple of vulnerable credit cards.
This may sound familiar to the scenario a few years back when massive thefts happened at retail POS (Point of Sale) footprints in the USA. EMV (Europay, Mastercard, Visa) was supposed to be the fix. But criminals managed to fool that fence too. They began putting together clipped smart-card chips with miniature microprocessors and were soon whipping out fake payment cards for POS swipes. Just look at what Gemini Advisory report unravelled – a whopping 93 per cent of the stolen cards had the new chip technology.
Of course, hope for EMV sustains when we hear what data from Visa (June 2019) tells – over 3.7 million merchant locations accepted EMV card and this shift to EMV has allowed (those that are done with chip upgrade) the joy of an 87 per cent fall in counterfeit card-related fraud dollar losses (between September 2015 to March 2019).
But what about those criminals who are easily applying for and (Phew!) receiving real, legitimate, almost-Real McCoy credit cards with active EMV chips from banks? All they need are synthetic identities (toss in real social security numbers with fake ages and addresses).
McAfee estimates that cybercrime is costing the global economy around $600 billion, or 0.8 pc of global gross domestic product.
Sameer Patil, Fellow, International Security Studies Programme and Sagnik Chakraborty, Researcher, Cybersecurity Studies Programme, Gateway House pointed out recently how the Indian economy has gone from being largely cash-based to one more regularly reliant on digital payment systems. And how this shift has brought financial inclusion and reduced corruption, but has also, enlarged the scope of cyber attacks in the payment infrastructure by organised criminal syndicates and hackers, foreign governments and their proxies.
Indeed, the cost of each dollar of retail fraud losses has moved from $2.94 to $3.13 between 2018 and 2019 (says another report – a LexisNexis Risk Solutions study). As much as 86 per cent of fraud losses that came in the pockets of mid-to-large e-commerce retailers with digital goods happened due to friendly (1st party) and synthetic ID accounts.
Data loss and human tampering – not so hard dots to connect. For credit cards segment – the data loss can happen in many ways. You can see some banks sourcing credit cards Business through their DSA (Direct Selling Agents) or FoS (Feet on Street) contractual workforce at common places – such as shopping malls, retail outlets or at any office campus etc., hence, it is quite susceptible for data loss, because the PII (Personally Identifiable Information) and at times the existing Credit Card details (of other banks) are shared to the bank’s credit cards selling agents or representatives to get new credit from this new bank, explains Dharmaraj Ramakrishnan, Sr. Director- Banking & Payments, FIS.
Turns out that the culprit in the case of the recent Russian bank fraud had access to databases as part of his job.
All keys on one fob, around one finger
Sberbank’s Security Service has finished its internal investigation and Herman Gref, CEO, Chairman of the Executive Board of Sberbank has apologized in a statement that says – “We’ve learned a lot from what happened and we rethought our systems to mitigate the effects of human reliability. I’d like to thank all our customers for the great trust they place in us.”
Yes, customers put a lot of trust in these institutions and technologies. The question is – how impenetrable are they – eventually? What if the very idea of trust and data could change, and shake up the way we look at data breaches?
Let’s start with KYC (or Know Your Customer) hygiene – that is a key part of trust on the bank’s side too. Is the centralized nature of this KYC data a big vulnerable point, somehow?
Any centralised data storage is vulnerable because it gives a single point of the target for malicious actors, aver experts from Gateway House.
Altaf Halde, Global Business Head, PurpleTeam agrees as well. “Yes, at this point of time, we are all in a situation that is forcing us to duplicate key processes and store our personal documents / digital identities across multiple services and across multiple services. This results in a very poor customer experience. But, more importantly, it increases the risk of attacks and data breaches manifold.”
But Ramakrishnan from FIS prefers to differ. “The business framework embedded with the data protection framework is important to safeguard the system. From my perspective, the centralized data verification is the right way to go as it is the single source of truth, provided the centralised database is up to date. As we advance on technology, we should use the right technology for the right use case with the right architecture for fetching and validating the data points.”
He, however, opines the use of new approaches for KYC. “The regulator can request the bank not to collect the PII or credit card details from the potential clients, in turn, collect use technology to validate the data points in real-time by integrating with other options.”
The Pin-Cushion Murder Trick
Banks or financial institutions or payment industry players, there is more than financial damage that unfolds whenever cards are breached. There are data-loss and privacy-intrusion – there is a reason why the black market of identity data is on such a tear.
“Data breach may involve PII, business secrets, financial information or even intellectual property. In the financial segment, the common data breach revelations include personal information of the customers as well as their demographic information. These kinds of breaches can lead to financial frauds, business loss or even customer loss.” Ramakrishnan spells it out.
So if not EMV then what next? News has it that Visa is working on a platform for helping its engineers pick speed in testing advanced Artificial-Intelligence (AI) algorithms that can detect and prevent credit card fraud.
Banks can spend as much as $12.4 billion in 2023 on AI – for initiatives like fraud analysis – as per IDC estimates
But what if the data that AI algorithms crunch still resides on the servers or infrastructure of a financial player? Again, a one-stroke affair for anyone who wants to steal it. Let us also not be blind to the brisk rise of adversarial AI. Attackers are getting even more sophisticated to dupe deep-learning systems as time clicks by.
Halde reminds how we are all witness to the fact that in recent times, these risks are growing by the second. If a breach happens, the entire data or partial data gets compromised that are in the central repository. Hence, it is always advised to make use of upcoming technologies including blockchain to face these upcoming technological threats. Blockchain can be introduced in a phased manner to decentralize the KYC process, Gateway House experts suggest the same.
Ramakrishnan also recommends a technology-based process that can avoid the manual data collection and protect the data points using data encryption at the database level.
As the McAfee report underlined, the financial world needs to move over to open data architectures, standardisation of threat data, means of faster and deeper collaboration among security authorities and players spread all across the globe. The means to a lot of these solutions – even reporting, interestingly, can lie in one place – the blockchain.
It is important to understand that the payment industry does not want data to be stolen, hence in most cyberattack cases, banks and payment solution providers are transparent, as Gateway House experts argue as well. “However, the need is for data breaches and cybersecurity incidents to be reported immediately.”
A policy research paper by Gateway House in collaboration with the Swift Institute also had an interesting recommendation in the same vein: Payment processors should enable consumers to control data through a consent dashboard whereby they can review, modify or delete their personal and payments data on websites, such as e-commerce sites.
Plus, it noted that the payment industry must create an industry-wide platform to share classified, unclassified and open-source information on cyber-attacks and threat vectors.
Like a clever assassin who murders more than one target in the same spot to make it hard to trace who killed someone and why – a clever security strategy can also use this decentralized effect to its advantage. Spread the targets and weaken the force. Make the system trust-less and inject real trust. Give the power of control back to those who suffer the most when big-ticket thefts happen.
The arrival of blockchain makes all this not just plausible but practically-easy now. It is not the only answer, but it can be a good one to start with.
The only thing that makes it tough is the will to let go of data control. It is not an overhaul of technology but of a hard-entrenched mindset.
Not so easy to swipe away. It is not a credit card, after all.