Fighting fraudsters is a cat-and-mouse game
In conversation with Finextra, Beate Zwijnenberg, information security manager at ING, discussed new trends in cybercrime and how the bank protects its customers against phishing and fraud.
Zwijnenberg has a background in fraud management in the Netherlands and Belgium, and is now responsible for cyber security at ING. She says that cyber security is one of the fundamental characteristics of the bank, and that maintaining the trust of its customers is at the forefront of its priorities.
Fraudsters manipulate customers either by frightening them or by posing as someone offering help; Zwijnenberg calls this technique "social engineering". The bank aims to educate customers about the various methods fraudsters use so that they can avoid them. Strategies ING uses to combat fraud include allowing people to set limits on their transactions, establishing strong customer onboarding and app registration processes, and other fraud detection measures.
Zwijnenberg notes that there are always different peaks and trends behind the causes of fraud, with one of the most prevalent causes of late being phishing: “Different types of phishing campaigns emerge depending on vulnerabilities in the market or environment. For example, if you refer back to the pandemic, there were a lot of phishing campaigns centered around Covid-19, working from home or going back to the office.”
Open banking has opened new avenues for phishing and other scams; with payments embedded in everyday digital services, banking apps and online banking, customers need to be more aware of the risk of being scammed. However, Zwijnenberg says that open banking is not the root of all fraud risks:
“I think the risk and impact of fraud has increased, but I don’t think it’s directly related to open banking. If you look at PSD2 [the second Payment Services Directive], there have already been many discussions about what kind of additional measures companies (including ING) should take to ensure that these fraud risks were properly taken care of. I think digital transformation makes it a bit more complex and challenging to have the right fraud monitoring in place, but it’s not impossible.”
When asked how regulation has affected efforts to combat fraud, Zwijnenberg observes that a proposal for Europe to harmonise its regulations would make a significant difference. Especially for organisations that operate in multiple jurisdictions, standardised compliance requirements will benefit efforts to combat fraud and cyberattacks.
“What helped PSD2 was the enforcement of strong customer authentication. If standardization is implemented, it will be much clearer for everyone to comply with the regulations, as there is a lot of differentiation of the levels required in the Asian region compared to England, the Netherlands or Belgium, for example.”
Especially in the Netherlands, there are many digital channels in use. Zwijnenberg mentions a recent collaboration between many Netherlands-based banks to launch a fraud awareness campaign so customers can learn to recognize different patterns from fraudsters and avoid them.
Reduce cyber security risks
New digital paths and the opening of virtual platforms can also increase the risk for customers and entities or companies that, for example, switch to the cloud. Zwijnenberg notes that by doing so, they “introduce new attack surfaces, and therefore there are more opportunities for threats. The more dependent a device becomes on digital services, the greater the chance of threats materializing.”
Zwijnenberg observes that new technologies have encouraged the use of advanced AI and machine learning models in cyber security monitoring, making it more efficient and allowing workloads to be protected on the basis of data.
Zwijnenberg notes that addressing resilience from a customer-centric perspective is critical, and that current moves to improve operational resilience aim to be preventive, detective and responsive. A key strategy for her team is to continually attack themselves and try to bypass their own security controls, adopting the mindset of an attacker to find out where their defences fail.
“People make mistakes, so you have to make sure you have the right quality assurance in place. That’s why we always test – real-time testing where we try to attack and hack ourselves. If you look at the upcoming legislation of DORA [the Digital Operational Resilience Act] or TIBER-EU, resilience testing is going to have such an explicit role, so it is crucial that we do this well.”
Zwijnenberg argues for the transition from purely rule-based detection to advanced models and machine learning. She emphasises that rule-based detective measures simply do not scale and generate too many false positives, whereas machine learning and AI models that combine different data sources are much more effective at detecting incidents.
Zwijnenberg concludes that the trends of recent years have tracked specific vulnerabilities in the market, and that the pace of digital transformation has narrowed the window in which institutions can protect themselves: “There is a shortened time window between the moment when various vulnerabilities are discovered and when these vulnerabilities are exploited; so the time frame within which an organisation can still apply mitigation measures is shrinking.”
She continues: “We’re seeing more criminals targeting public open source software repositories. Fraudsters are adjusting their tactics to circumvent certain new technologies. What we do to adapt to these advanced tactics is to implement new measures. It’s a cat-and-mouse game; we build more protective barriers and they try to break in.”