Robocops on the cyber beat

Andrew Cornell

Past Managing Editor, bluenotes

Back in the 90s, the global payment scheme MasterCard prepared to launch a new loyalty card co-branded with a major automobile multi-national. The artwork had been designed, approvals obtained, marketing was being planned – but curiously MasterCard detected the yet-to-be-launched card was already being used.

Click image to zoom Tap image to zoom

Criminals had somehow obtained the code numbers of the proposed cards, managed to authorise them and started spending.

"Criminal actors constantly change their behaviours and tactics. As financial institutions and their partners improve security at one level, criminals exploit another.”

Such criminal opportunism also forced the United Kingdom to move away from traditional magnetic stripe payment cards to chip-based smart cards - not that the move would stop fraud; it would just shift more of it away from the UK to other, less advanced payment markets.

The history of financial crime teaches one major lesson: crime never sleeps. Somewhere, someone, some organisation, some state, is finding a crack in security systems to exploit.

Culture not tech

According to Cybersecurity Ventures, the data show the human and financial cost of cybercrime is expected to reach $US6 trillion annually by 2021.

In Australia, the financial supervisor, the Australian Prudential Regulation Authority (APRA) has introduced a new Standard, CPS 234 Information Security, which took effect on 1 July 2019, to ensure its sanctioned institutions keep pace with threat.

ANZ Chief Information Security Officer, Lynwen Connick, says “a major focus of the new Standard is to make sure that responsibility for information security is shared right across an organisation – not just in the IT or security departments”.

This is very much the emerging orthodoxy: cybercrime is not a tech issue, it is as much a cultural issue.

And because of the increasing recognition of the threat, it is also one of the greatest areas of focus for investment.

According to US-based tech analysts CB Insights, “cybersecurity unicorns (companies valued at more than $US1 billion) are being minted at a faster rate than ever before, and $1B+ valuations are coming through even larger funding rounds”.

In 2018, CB Insights found 617 deals go to private cybersecurity companies — a nearly 40 per cent increase in deals compared with 2015.

“This year, four cybersecurity companies have joined the global unicorn club,” the firm found. “We see the creation of private cybersecurity unicorns at a faster rate than ever before, through even larger funding rounds.

Click image to zoom Tap image to zoom

The threats these companies are focused upon are not, in themselves, surprising. They cover security of devices, security of information networks, network management and back-up, artificial intelligence and machine learning, and unusual behaviours.

Never-ending

CB Insights notes the latest cybersecurity trends, opportunities, and startups to look out for include deepfake detection, armoured email and cloud native security.

Yet those lessons from the 90s - and earlier - still hold true. Criminal actors constantly change their behaviours and tactics. As financial institutions and their partners improve security at one level, criminals exploit another.

In the early days of payment cards, fraud shifted from “card present” - the use of fake cards - to “card not present” - where a transaction was by telephone or eventually online.

Once again, protocols evolved to better ensure the “not present” user was actually the bona fide owner of the card. This included the introduction of safeguards such as the card-specific card verification code (CVC) and multi-factor identification (such as confirmation by text message.)

Financial crime and prevention is a never ending arms race. As financial institutions, networks and regulators close off one avenue, the criminals - increasingly organised, networked and even state-backed - attack on a new front, typically adopting the latest technology for nefarious means.

It’s pertinent that one of the major hurdles facing Facebook’s proposed Libra cryptocurrency is how it can comply with anti-money laundering and anti-illicit funding regulation.

Global issues

In the recent independent review of APRA, cyber risk was deemed an area where greater resourcing was necessary.

The review noted APRA’s capability did not match the risk and indeed APRA’s chairman Wayne Byres said on the release of the review “[regarding cybercrime prevention,] the skills are scarce and the risk is large”.

That is also acknowledged globally. Benoît Cœuré, a member of the Executive Board of the European Central Bank, said recently in a discussion of financial system risk the risk linked to cyberattacks was a new front.

“At the ECB, and elsewhere in Europe, we are paying close attention to this issue,” he said in a television interview. “We can't rule out the fact that the next financial crisis may come from a cyberattack on a big financial institution or a financial infrastructure. It's our priority to prevent this risk.

“Ask any company director; there are thousands of cyberattacks every day. We're being tested all the time, including at the ECB. It's part of being a company. But the financial system has weak points - there are systemic infrastructures that could be targeted by cyberattacks.”

Cœuré noted the bank also experienced “thousands of small (attacks) every day”.

Willing

But the cyber arms race is only one realm of the never ending battle where sophisticated enemy is pitted against sophisticated institution.

There is also an enormous challenge when the conflict is asymmetrical - when the criminals are smarter and better resourced that the targets.

Just as we have seen through the history of financial crime, criminals adjust their attack to focus on weakness. And one of the new areas of weakness comes not when the criminals manage to breach defences; it is when they are invited in.

Why go to the trouble of assaulting better and better barriers when a victim will invite you around to the back door and just let you in?

Thus fraud is increasingly shifting from unauthorised transactions to authorised ones. These include romance and fishing scams - digital versions of Ponzi schemes - a vast and growing front where the victims (until they finally realise what is happening) are willing.

Andrew Cornell is managing editor of bluenotes

The views and opinions expressed in this communication are those of the author and may not necessarily state or reflect those of ANZ.