Is “fraudster” a title or job description of some kind? Perhaps it should be, because when shopping or sending money online, you’re never totally sure who’s on the other end. It could be someone you know — or it could be a bad actor who stole the right username and password.
The level of digital fraud is rising along with the legitimate digital shift, putting identity security on the hot seat to reinforce customer experience. Cybersecurity firms are hitting back.
As Dewald Nolte, chief strategy officer at Entersekt, told PYMNTS, “When it comes to the fraud side of digital channels, it comes down to return on investment. If you’re a cybercriminal … and you’re quite successful at it, then surely that becomes quite a lucrative job for you.”
In fact, fraud is becoming a day job in a very real sense. Nolte related instances of fraud operations occurring on weekdays between 8 a.m. and 5 p.m., with breaks seen over holidays and weekends. And this emerging professional fraud industry, for want of a better description, is having a field day with the confusion that normally attends big technological shifts in business and life.
Saying that attacks today “are opportunistic by nature,” Nolte told PYMNTS, “Let’s say there’s a new technology that’s being rolled out. Usually there’s confusion and users are still being trained. There are some guys that will take that opportunity and strike.”
He used non-fungible tokens (NFTs) as the example du jour. They’re a popular target because they’re so little understood, and many “users are vulnerable and gullible.” That means a potentially huge consumer base for well-informed cybercriminals to exploit — and potentially huge pay days.
It’s plain as day in government data. A first-quarter report from the Federal Trade Commission said, “consumers reported losing more than $5.8 billion to fraud in 2021,” a 70% rise over 2019.
“Every single time there’s a bit of a market change, you’ll see that fraud follows,” Nolte said.
The Dangers of Static Data
Opportunistic attacks betting on big pay days occur even in the safest places to store money — banks.
Nolte said that many banks find fraudsters shifting focus from channel to channel as security improvements are rolled out in phases. “You put in some good authentication measures for digital channels, let’s say the digital banking channel, then you find that fraud moves maybe to the card channel. Then you fix that and they go to another bank who hasn’t done that yet. Typically, what you’ll find is that they’ll go for the path of least resistance,” and such paths are plentiful right now.
Fraud cues are easier to pick up on in face-to-face transactions. With the global digital shift and the gold rush to cross-border, even for small businesses, the old ways of authentication are short-circuited, demanding digital solutions to cyber-problems.
The digital economy, he said, is still too heavily reliant on static data — usernames, passwords, authentication questions like “What was the make and model of your first car” — for its own good.
“A Social Security number gets issued once, and if someone gets it, you’re in trouble. It’s required many times when you sign up for new services,” he said. “So, this very sensitive piece of information that’s static floats around, someone gets a hold of it, and it’s fairly easy to do all kinds of bad stuff with it.”
Reports estimate that 100,000 data breaches between 2018 and 2021 resulted in more than 15 billion compromised credentials now available to — or in the possession of — cyberthieves, which clearly means that the time has come to lose the static approach to digital identity.
“What we’re trying to do, and what we need to do as an industry, is move away from the reliance on that static data,” he said. “One of the ways to do that well is multifactor authentication. I’d say for users to protect themselves, multifactor authentication is something that you have to set up.”
It’s also important that modern authentication measures not only protect the consumer, but also that they don’t ruin a customer’s digital experience. In the digital age, experience is almost as important as what consumers are buying, and a poor experience can cause them to abandon a transaction and even slow adoption of security measures in general.
Nolte is encouraged by moves from entities like the FIDO Alliance (Fast IDentity Online), Apple, Google, and others introducing Passkey and related developments as a big step toward creating a world where users can log on and transact without having to use passwords at all.
Passwords Too Costly, in Many Ways
With the pandemic having accelerated digital transformation in the financial industry for nearly two and a half years now, many are wondering why fraud is still advancing rather than retreating.
Nolte is familiar with all the justifications and rationalizations for institutions putting off these projects, and he sees this reasoning as mostly misinformed, not a lack of willingness to protect consumers.
“There’s maybe a comfort zone if you haven’t been hit yet,” he said. Also, “a lot of organizations might think it’s a big implementation, it’s going to be costly. It’s actually the opposite. These technologies are quite easy to implement. There’s a lot of work being done to make it easier.”
As an example, he mentioned a client case where — from the demo to the deal — “it was within one day that they could [use multifactor]. It’s a relatively light way that you can do it.”
He mentioned a recent World Economic Forum report on the price of managing username and password authentication, saying, “If you look at the cost of managing passwords, users having to enter it, then forgetting it, calling IT staff to help them reset it, all of that comes down to about $70 USD per incident. That’s quite a big cost.”
“If you think about $70 per incident [because] someone’s forgetting a password, the business case is there” for multifactor authentication.
As Ringo Starr famously said in the vintage Beatles film “Help!” there’s a certain amount of hurry-up involved, as Big Fraud is acquiring these digital tools, even if legitimate businesses are not.
Nolte told PYMNTS, “In the same way the tools are available for us to go passwordless, the tools are also available for fraudsters to do more targeted attacks at scale. That’s driving a reality check that organizations are just getting.”
He added, “There’s the joke saying there are two organizations in the world: those who have been breached and those who don’t know it yet.”
This is where zero trust models are making a difference in authentication. “Zero trust … says, well, whenever you’re doing anything, irrespective of where, if it’s a high-risk thing, we’re going to do all the checks and balances. You really start to look at the user journey and you’ve got context about that journey [that] is crucial in the modern world.”
Pulling it all together are platforms like Entersekt, so that “If you have a user that’s trusted and you’ve got all the signals behind the scenes silently [telling] you this is a trusted user, you don’t have to challenge them. What you want to be sure of is that you use something that lands the user in a good place to have a good experience.”