IBM & John Chaplin talk data security and fraud in the Open Banking era

IBM’s X-Force Incident Response and Intelligence Services (IRIS) team recently uncovered an active Business Email Compromise (BEC) campaign targeting Accounts Payable personnel at Fortune 500 organisations. The campaign, IBM revealed, was being executed by criminals in Nigeria and has successfully stolen millions of dollars from organisations in a major uptick in BEC scams. The campaign is focused on credential harvesting, phishing, and social engineering to steal financial assets via wire transfer from Fortune 500 organisations.

In 2018, it’s estimated that BEC attacks will result in over $9 billion in losses. At the end of 2017, X-Force IRIS predicted that attacks both targeting and originating from Africa would be on the rise in 2018. This active campaign reinforces that attacks from Africa will be important to watch in 2018.

With data the hot topic of 2018, as a wave of legislative change reshapes the data sphere at a dizzying pace, these findings raise the question: how safe will financial data be from such attacks from here on?

I spoke to Alexandrea Berginger, Security Intelligence Analyst, IBM X-Force IRIS, and John Chaplin, formerly a Senior Executive at Visa and First Data, now advising the Emerging Payments Awards 2018, and sitting on the board of a number of payments companies in Europe and Africa, about these types of scams in the payments space, and the future of digital fraud in payments.

What is a BEC scam, and how do they work?

Alexandrea Berginger: A business email compromise scam typically involves a threat actor taking over or impersonating a trusted user’s email account, either by stealing email credentials or by creating domains with slight typos and generating email addresses similar to the legitimate user’s email address. Threat actors involved in BEC scams often target companies that conduct international wire transfers, with the goal of diverting payments to an attacker-controlled account. We have also seen BEC used to target organizations to share employee information such as tax information. These attacks are relatively simple, involving little to no technical knowledge, malware, or special tools. They can often be carried out almost entirely through phishing and social engineering.

Once the attacker takes over a victim’s email account, he or she creates a false sense of reality for the employees involved in the accounts payable process by mimicking previous conversations and copying the victim’s typical signature block to appear legitimate. The threat actor will request international wire payments to a new account and impart a sense of urgency, often sending multiple follow-up emails. In some instances, the threat actor will impersonate several layers of the supervisory chain to make it appear that the supervisor approved the transaction.

What can organizations do to protect themselves from this kind of attack?

Alexandrea Berginger: There are two complementary approaches an organization can take to protect itself from this kind of attack: employee training and enhanced technical security features. Employee training should focus on providing information on the threat of business email compromise and guidance on what to look for. Employees should scrutinize sender email addresses and look for email address domains with typos, such as an added extra letter. Since the attacker will also send emails directly from a compromised email account, employees should watch for emails with unfamiliar grammar or word choices, emails from personnel who seem suspiciously uninformed of internal policies and company structure, and emails which make urgent requests for international money transfers. Finally, organizations can implement strict international wire transfer policies, for example setting a time delay requirement for payment processing, or requiring employees to verify any bank account changes via a phone number tied to the older, verified bank account.

There are also key technical security features that a company can implement to help reduce the risk of falling victim to a business email compromise. Most importantly, companies should implement multi-factor authentication for account logins. Adding an additional authentication measure would diminish the attacker’s ability to access email accounts — we have only observed the attackers targeting accounts they can access with a user ID and password alone. Additionally, creating banners that identify emails from external email addresses and blocking the ability to auto-forward emails outside the organization can increase the likelihood the attack is identified and mitigated before any fraud can occur.
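As an added example (not part of the interview, and not IBM's or X-Force's tooling), the following Python applies two of the controls described above to inbound sender addresses: it flags a sender domain that is one edit away from a trusted domain (the "extra letter" typo) and tags any external sender with a banner. All domain names are constructed for the example.

```python
# Added example: lookalike-domain detection plus external-sender banners,
# two of the BEC mitigations described in the interview. Domains constructed.

INTERNAL_DOMAIN = "example-corp.com"                                # constructed
TRUSTED_PARTNER_DOMAINS = {"acme-supplier.com", "globalbank.com"}  # constructed


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a single insertion covers the 'extra letter' case."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Domain part of an address, lower-cased for comparison."""
    return address.rsplit("@", 1)[-1].lower()


def classify_sender(address: str) -> dict:
    """Report whether the sender is external and which trusted domain, if any, it imitates."""
    domain = sender_domain(address)
    result = {"external": domain != INTERNAL_DOMAIN, "lookalike_of": None}
    for trusted in TRUSTED_PARTNER_DOMAINS | {INTERNAL_DOMAIN}:
        # An exact match is a genuine trusted sender; one edit away is a lookalike.
        if domain != trusted and edit_distance(domain, trusted) <= 1:
            result["lookalike_of"] = trusted
            break
    return result


def banner_for(address: str) -> str:
    """Banner text to prepend to the message body; empty for internal mail."""
    verdict = classify_sender(address)
    if verdict["lookalike_of"]:
        return f"WARNING: sender domain resembles trusted domain {verdict['lookalike_of']}"
    if verdict["external"]:
        return "CAUTION: this email originated outside the organization"
    return ""
```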

How has digital fraud of this nature changed in recent times? How do you predict it to change in the near future?

Alexandrea Berginger: Digital fraud of this nature appears to be increasing in both number of attacks and amount stolen over the past couple of years, due to the relative success an attacker can have with very little investment. I expect BEC scams to continue to increase in the near future. In 2014, about $215 million was reported stolen via BEC, and now we are expecting to see over $9 billion of losses in 2018, according to reporting by Trend Micro and the FBI. The important thing to note is that this is a global campaign that does not discriminate by size of business or industry.

With the advent of PSD2 and GDPR, banks are going to have to expose their systems to a much greater extent. Are the banks prepared for this potentially dangerous data exposure?

John Chaplin: The readiness of banks to provide API access to their core systems varies widely and they are not all moving at the same pace. The biggest contrast is between the banks who are positively embracing the changes forced by the regulators and those that see it as a compliance requirement. The positive embracers see it as an opportunity to partner with the new generation of service providers that will spring up and because they are actively engaging with the market development, they are more likely to be on top of the risks that the new models will undoubtedly bring. The reluctant compliers will do the minimum and are more likely to be exposed to the risks.

Another effect of this legislation is that a great deal more consumer data is going to be held by smaller third-party providers. Do you think this wealth of consumer data will be safe in the hands of challengers and fintechs?

John Chaplin: The reality is that the more consumer information is distributed, the greater the risk that the wrong people will get hold of it. So far, most of the significant information security breaches have occurred in large financial institutions or payment processors. But that’s because they have the data so they are the obvious targets. In the future, if sensitive data is held more widely then there are more potential points of compromise. In a GDPR environment, we will see much more onus on firms to manage access to customer data in an auditable way but that doesn’t solve the data security issues. To some extent, Open Banking and PSD2 represent a step into the dark and we won’t see the real data security impact from fintechs and service providers holding more data for some time. Fraudsters unfortunately are sophisticated business people, so they won’t make large attacks on the new business model until there is sufficient volume to make it worthwhile.

Blockchain technology is looked to as almost ‘impossible’ to hack, except with enormous computer power. Do you think it’s the safest choice for companies to protect their data from hereon in?

John Chaplin: I think there is a lot of unclear thinking about how blockchain technology can protect data. Retail financial services and payments are all about finding the right balance between security and value. A highly secure system that drives up transaction costs may not be what the market wants or can afford. Bitcoin is the biggest blockchain use case so far and true processing costs are estimated at $15-20 and can take minutes. In the retail payments world where transaction costs of sub 1 cent are now seen and processing times are measured in milliseconds, it is hard to see that bitcoin has a viable business case. We also need to be cautious about assuming that blockchain is impossible to hack. The bitcoin processing environment may be virtually unhackable, but we have already seen that there can be fraud and security issues in the wider bitcoin ecosystem. And I think it is always wise to be cautious about believing prophecies of a fraud-free world. So far every major technical advance has only delivered against that promise for a period of time before faltering and eventually being superseded.
