By: Mark Gazit, CEO of ThetaRay
Financial institutions are learning the hard way what can happen when criminals get their hands on the latest technology. Gone are the days of robbing tellers at gunpoint; today’s sophisticated criminal networks and nation-states use machine learning and artificial intelligence to target institutions remotely, quietly and through many channels at once. They have figured out banks’ vulnerabilities and exploited them mercilessly through a combination of malware, ATM jackpotting, money mules, money laundering, e-payment/cryptocurrency fraud and more, stealing untold millions to finance terrorism and profit from human and drug trafficking.
So, what exactly is “cross-channel fraud”?
A perfect example can be seen in the tremendously successful Carbanak campaign, which used cross-channel methods to steal more than a billion euros from over 100 banks in 40 countries. It went undetected for four years.
Here’s how they did it:
- They began by purchasing databases of bank personnel and targeted each employee with a spear-phishing email, encouraging them to open malicious attachments.
- Once clicked, the software allowed the hackers to remotely control infected machines, giving them access to the bank’s internal network and servers controlling ATMs.
- They then transferred money through e-payment networks or artificially inflated hundreds of accounts.
- To withdraw the money, they used software to remotely instruct the ATMs to dispense cash at a predetermined time. Bagmen (often members of local gangs) were hired to collect the cash.
- The money was then laundered via prepaid cards linked to cryptocurrency wallets.
Because of the cross-channel methods used by these criminals, Carbanak went undetected for years and required multiple countries and companies working together to bust the ring.
Banks are fighting back, and we are seeing an increased push from regulators, consumers and the banks themselves to invest heavily in technologies that can fight off these evolving attacks. However, the technology they’re using isn’t necessarily up to the task. Many organizations have implemented supervised machine learning. This means that humans must tell it exactly what to look for. When you get down to it, classic machine learning isn’t much different than traditional rules-based risk detection solutions –which can catch scams and red flags that have been seen before, but are unable to detect new types of threats.
Here are the three main problems with traditional machine learning, and why banks must institute a better way of catching the “unknown unknowns” to outsmart cross-channel fraudsters:
It can’t recognize new types of attacks: While it’s heartening to see more financial institutions waking up and realizing they need to implement technology that helps catch cyber criminals, supervised machine learning simply won’t cut it. Criminals will always evolve and find ways around security system. If you’re only looking for attacks that have already happened, you’ll miss all the new ones that are evolving.
Cross-channel fraud is extremely difficult to track: Banks used to know all the ways that attackers could physically access their money. However, now that everything has become digital, the attack surface is larger, and attacks are constantly evolving and hard to pin down. There are so many ways criminals can defraud a bank, and many fraudsters employ more than one method. A little money laundering, a pinch of hacking, a dash of phishing, and voila! Money in their account. Traditional machine learning can’t keep up.
Attacks are growing in sophistication: Today’s fraud schemes have grown dramatically in sophistication to elude not just humans, but technology as well. Criminals are using AI and social conditioning to create gambits that have never been seen before. For example, after breaching a bank’s system via spear-phishing, hackers sometimes monitor the executives’ communication before becoming a ‘man in the middle’ and pretending to be one of them. In other words, if a hacker learns that a C-suite bank employee is leaving the country on vacation and that he’s a cycling enthusiast, the fraudster could email a bank colleague: “John – great riding through Costa Rica. I just got an invoice from the production company who worked on that cryptocurrency documentary. We’re late in paying it –and by contract we’ll pay a 50% fee if we don’t pay it now. Could you wire payment to this account asap?” At face value, it seems like an email that would come from the executive, but once the money is transferred into the fraudulent account, there’s no getting it back!
The next big thing in cross-channel scams has not yet been found, but you can be sure it is happening as we speak. The financial sector is facing a constant escalation of internal and external unknown threats. The diversity of service channels that mix physical and cyber access, like branches, ATMs, online services, and mobile banking, are affected by unique risks tied to each, growing the complexity of internal operations. Along with increasingly rigorous regulatory requirements, managing and mitigating operational risks effectively becomes a major challenge.
Luckily, there are emerging technologies that are making it easier for banks to connect the dots and stop cross-channel fraudsters in in their tracks. Some companies are developing machine learning solutions that point out anomalies with laser precision and the exact parameters by which they are triggered. With next-gen machine learning, fully automated detection is seamless and swift, no matter how much data needs to be analyzed, and more importantly, there is no need for the machine to be ‘taught.’ Banks are overwhelmingly responding to this high computational efficiency, as it allows them to recognize risks immediately, respond, and mitigate the risk and its impact.