Financial crime chooses hi-tech guile over guns

Director Steven Soderbergh’s 2001 crime caper, Ocean’s Eleven, told a tale of how a gang of thieves robbed a casino vault boasting state-of-the-art security, by posing as employees, policemen and casino customers.

Closer to reality, cybercriminals recently posed as bank officials to siphon US$81m from an account held by Bangladesh’s central bank at the Federal Reserve Bank of New York in February this year. If not for an alert employee, who spotted a typo in the routed fraudulent transaction and carried out an investigation, the damage would have been approximately US$1bn. As it was, the heist still led to the resignation of Atiur Rahman, Bangladesh’s central bank governor.

The cybercriminals carried out the attack under a cloak of legitimacy afforded by stolen credentials and mimicked behaviour, just like in Ocean’s Eleven. However, unlike the movie, the crime took place on the digital front, eliminating the need for a physical presence.

The Bangladeshi heist is the latest example of criminals obtaining insider access to compromise financial networks. Most people imagine insider threats to stem from disgruntled employees – as in the case of Edward Snowden – or from employee collusion with criminals. However, a recent PwC report found that naïve or negligent employees and third-party vendors are reported to be the most likely causes. Today, sophisticated cybercriminals will look to benefit from inadvertent actors, who set a breach in motion with something as seemingly innocuous as a click.

The magnitude of the insider threat is compounded by the rise of social media and the so-called ‘Internet of Things’ (IoT). With 2.3bn active social media users and a projected 6.4bn connected “things” worldwide in 2016, according to research and analysis group Gartner, every single connection is a potential point of entry. Adversaries now have infinite opportunities to infiltrate networks, or hoodwink users into granting access. For instance, a bank in Italy detected large-scale exfiltration of sensitive data to unidentified computers via Facebook.

Employees are the weakest link

Reports such as that issued by PwC indicate that organised criminals are collectively pooling resources and skills to fine-tune their attacks on financial organisations. With the financial sector assessed as 300 times more vulnerable than other industries to cyber-attacks, these organisations are taking countermeasures by recruiting their own cybersecurity experts. However, the heightened vulnerability has created immense demand for qualified professionals. This in turn has given rise to a cybersecurity talent drought, and financial organisations are still scrambling to fill the shortfall.

Furthermore, given the proliferation of data in today’s digitised financial services environment, it is not just unproductive but humanly impossible to sift through the vast amount of information and identify potential threats passing through networks in real time. Even if the most talented cybersecurity team were assembled, it is highly unlikely that it would have full visibility of every network endpoint.

Financial organisations must also remember that cyber vigilance is every employee’s responsibility. The Ocean’s gang succeeded because they targeted specific people, such as the casino owner. Similarly, insidious malware, such as phishing emails, can easily fool even the most prudent employee. For example, 20% of JP Morgan Chase employees still failed a fake phishing email test just weeks after the bank experienced the disastrous breach of summer 2014.

Fighting back with Artificial Intelligence (AI)

How then can financial organisations address this worrisome threat? By incorporating AI, or machine learning. With today’s volumes of data to sieve through, machine learning helps process the data and make sense of the information.

Machine learning is not foreign to the financial sector. For instance, AI is used in algorithmic trading and credit risk modeling. However, such technology relies on prior knowledge of potential, pre-programmed outcomes, and is considered a supervised form of machine learning.

Supervised machine learning is similar to traditional cyber-security approaches, which are also based on prior knowledge of previously known attacks. As today’s malware is engineered to mimic constantly evolving viruses that cannot be picked up by preset outcomes, both supervised machine learning and the traditional approach are less than ideal.

Instead, consider incorporating unsupervised machine learning, which operates on an ongoing, ad-hoc basis rather than on preset outcomes. Using complex algorithms and a mathematical framework, the network’s so-called ‘pattern of life’ is studied – everything from the connected devices and how they communicate with one another, to network traffic and user behaviour.

Once baseline behaviours are established, unsupervised machine learning is able to process the deluge of data in real time, before making logical, probability-based decisions against external and insider threats on behalf of system administrators. This means that previously unidentified threats can be detected, even when their manifestations fail to trigger any set outcome or signatures.
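The baseline-then-score idea above can be shown in a few lines. This is an added illustration, not code from the article or from any product: it learns each device's usual outbound volume and destinations from unlabelled flows, then scores new traffic with a median/MAD robust z-score, one simple unsupervised method chosen for the example. Device names, destinations, byte counts and thresholds are constructed assumptions.

```python
import math
from collections import defaultdict
from statistics import median

# Constructed, unlabelled flow records: (device, destination, bytes sent out).
BASELINE_FLOWS = [
    ("teller-ws-07", "core-banking.internal", 21_000), ("teller-ws-07", "mail.internal", 34_000),
    ("teller-ws-07", "core-banking.internal", 18_000), ("teller-ws-07", "mail.internal", 52_000),
    ("teller-ws-07", "core-banking.internal", 40_000), ("teller-ws-07", "mail.internal", 27_000),
    ("teller-ws-07", "core-banking.internal", 30_000), ("teller-ws-07", "mail.internal", 45_000),
]

class PatternOfLife:
    """Per-device baseline learned without labels or attack signatures."""

    def __init__(self):
        self.volumes = defaultdict(list)  # device -> log10(bytes_out) samples
        self.peers = defaultdict(set)     # device -> destinations seen so far

    def learn(self, device, peer, bytes_out):
        self.volumes[device].append(math.log10(bytes_out + 1))
        self.peers[device].add(peer)

    def score(self, device, peer, bytes_out):
        """Return (robust z-score of volume, True if destination is new)."""
        hist = self.volumes.get(device, [])
        new_peer = peer not in self.peers.get(device, set())
        if len(hist) < 5:                 # too little history to judge volume
            return 0.0, new_peer
        med = median(hist)
        # Median absolute deviation; the floor avoids division by zero.
        mad = median(abs(v - med) for v in hist) or 0.05
        z = 0.6745 * (math.log10(bytes_out + 1) - med) / mad
        return z, new_peer

    def verdict(self, device, peer, bytes_out, z_limit=3.5):
        """'normal', 'review' (one signal) or 'alert' (both signals)."""
        z, new_peer = self.score(device, peer, bytes_out)
        return ("normal", "review", "alert")[int(z > z_limit) + int(new_peer)]

def build_model(flows=BASELINE_FLOWS):
    model = PatternOfLife()
    for device, peer, bytes_out in flows:
        model.learn(device, peer, bytes_out)
    return model

if __name__ == "__main__":
    m = build_model()
    print(m.verdict("teller-ws-07", "203.0.113.50", 900_000_000))
```

A large transfer to a destination the workstation has never contacted is flagged even though no rule describes it, while either signal on its own is only queued for review.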

In an era where even Facebook and iMessage or network-connected coffee machines and biometric sensors can be compromised, cybercriminals can easily infiltrate networks from any vector and wreak serious havoc on the financial sector. Unsupervised machine learning, with its ability to handle big data and make vast calculations on the fly, can counter such intrusions and therefore be a valuable tool for financial organisations.

In fact, had machine learning been employed in the movie, Ocean’s Eleven might have had a different ending and the writers might have had to rewrite the script for Ocean’s Twelve!
