The Biggest Concerns within the US Financial Sector in 2022

October 13, 2022

The value of digital payment transactions is growing as the world’s payment environment moves more and more away from cash. Over the past few years, BFSI (Banking, Financial Service, and Insurance) firms have continued to be a top target for hackers. In fact, the Sixth Annual Bank Survey found that more than 70% of fintech companies named information security as their top issue. According to VMware’s Modern Bank Heists study, since the COVID-19 epidemic, there have been 238% more cyberattacks on companies in the financial sector. Artificial intelligence (AI) and self-learning malware are making cyberattacks more sophisticated. While ransomware assaults are the most profitable for cybercriminals, phishing attacks prey on unsuspecting and defenseless consumers. Thus, it should come as no surprise that 39% of financial industry executives think that the overall network security threat to BFSI sector companies has increased significantly.

Financial and banking firms in the US must put cybersecurity first above all else, given the volume of sensitive data that the BFSI sector must manage. Leading analytics company GlobalData predicts that rising demand for cybersecurity will cause worldwide security revenues in the retail banking industry to climb from $7.9 billion in 2019 to $9.8 billion in 2024.

What are the biggest concerns facing the financial sector in the United States for 2022?


Reimbursing cyber scams

As banks are under pressure to compensate their scammed consumers, rising cybercrime rates translate to rising costs for the industry. More than half (58%) of those who conduct their banking online encounter scams via email or SMS at least once per week, and 23% report having fallen victim to a cyberattack.

Banks currently reimburse authorized push payment (APP) fraud at an average rate of 46%. Although many banking institutions currently refuse to reimburse online fraud, this is set to change soon; otherwise the situation will backfire. For example, measures supported by the UK government will require banks to reimburse everyone. This is only one illustration of the fact that if banks are to secure their consumers and their business line in 2022, they must prioritize cybersecurity more highly.

To exchange effective strategies, banks will need to collaborate with governments and industry organizations. The public must continue to receive education on preventative measures, but ultimately it is the banks’ responsibility to establish security models that will give them and their clients the greatest level of safety.


Maintain compliance with strict privacy regulations

The use of social engineering and account takeover fraud will increase over the next few years. To fight this, financial institutions must not only conduct comprehensive data checks beyond document verification at account opening, but also keep track of customer identities throughout the customer lifecycle.

Banks must decide how to manage sensitive personal data like biometrics as GDPR and other privacy regulations are being established throughout the world. As a result, many institutions believe that finding a partner that can protect this sensitive personal information is more practical than modernizing internal systems and processes.

Finally, the public is becoming more concerned about how technology corporations use personal data. More difficult questions will be raised as a result, and any responses must meet a strict ethical standard. Banks will need to explain how they apply AI to compliance and fraud. Vendor onboarding will also be affected, as banks must ascertain whether their partners and vendors have complete control over the technology they provide. Every bank will need to be able to justify its decisions to regulators and the broader public.


Leveraging AI to combat cyber fraud

Instead of being a subset of financial crime, banking fraud now coexists with ransomware, phishing, and other types of cybercrime. Fraudsters are functioning methodically, getting more skilled at spotting loopholes in the automated systems that financial institutions are putting in place, and getting better at learning through repetition.

For example, banks and mortgage lenders have started to link more of their fraud charges to the fact that their clients are doing more transactions using mobile banking apps. According to a LexisNexis survey, more than half of the respondents who worked for US banks and credit lenders say that mobile channel fraud has increased by 10% or more this year.

Today’s fraudsters collaborate with criminal gangs that provide crime as a service. As a result, frauds and forgeries become increasingly sophisticated, making them impossible for humans to detect without artificial intelligence (AI) to support their decision-making.


Decentralized currencies are at the center of attacks

Meanwhile, cryptocurrency has become a primary target of cyberattacks. Huge sums of money are frequently present on cryptocurrency exchanges and wallets, making them a powerful attraction for attackers trying to make money from their attacks.

These are sometimes straightforward social engineering attacks, and other times they are far more sophisticated technically. We expect to see more cyberattacks on decentralized currencies given the amount of money that can be stolen in a single successful attack (possibly reaching millions of dollars). For example, in December 2021 criminals stole nearly $200 million from the crypto trading platform Bitmart.

However, we should anticipate law enforcement and governments becoming more actively involved in both the investigation of cryptocurrency assaults and the use of cryptocurrency vulnerabilities. For example, government agencies like the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) may try to regulate cryptocurrencies more strictly, as they regulate traditional currencies.


Attacks bypassing MFA

Although multi-factor authentication is a prerequisite for enabling strong customer authentication, the latest attacks against Cisco and Uber have clearly demonstrated that fraudsters can bypass MFA. Using sophisticated tactics and tools like auto-diallers, criminals have managed to intercept one-time passwords (OTP) and compromise banking accounts. By automating the process and creating what is known as MFA fatigue, they force customers to give up OTPs to malicious bots.

OTP interception is now trivial compared to what it has been historically, and that innovation fundamentally shifts the economics in favor of the attackers. The LexisNexis report highlighted this concern, saying that balancing fraud detection with customer friction is a top challenge for banks. Banks need to embrace phishing-resistant MFA methods that eliminate the risk of being defrauded while offering a superb customer experience across all use cases and authentication journeys.
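As an added illustration of how a defender can surface the MFA fatigue pattern described above in authentication logs (this is not code from the original article): it slides a time window over per-account MFA prompts and flags bursts, marking the case where the customer finally approved. The log format, account ids, window and threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample authentication log (not real data): one MFA push prompt per line.
SAMPLE_LOG = """\
2022-10-13T09:00:05Z acct=1001 event=mfa_prompt result=denied
2022-10-13T09:00:40Z acct=1001 event=mfa_prompt result=denied
2022-10-13T09:01:30Z acct=1001 event=mfa_prompt result=timeout
2022-10-13T09:02:15Z acct=1001 event=mfa_prompt result=denied
2022-10-13T09:03:00Z acct=1001 event=mfa_prompt result=denied
2022-10-13T09:03:50Z acct=1001 event=mfa_prompt result=approved
2022-10-13T09:10:00Z acct=1003 event=mfa_prompt result=denied
2022-10-13T09:12:00Z acct=1003 event=mfa_prompt result=denied
2022-10-13T09:14:00Z acct=1003 event=mfa_prompt result=denied
2022-10-13T09:16:00Z acct=1003 event=mfa_prompt result=denied
2022-10-13T09:18:00Z acct=1003 event=mfa_prompt result=timeout
2022-10-13T15:00:00Z acct=1002 event=mfa_prompt result=approved
"""

def parse_line(line):
    """Parse one log line into (timestamp, account, result); None for non-prompt lines."""
    parts = line.split()
    kv = dict(f.split("=", 1) for f in parts[1:] if "=" in f)
    if not parts or kv.get("event") != "mfa_prompt":
        return None
    return datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"), kv["acct"], kv["result"]

def detect_mfa_fatigue(log_text, window=timedelta(minutes=10), threshold=5):
    """Flag accounts receiving >= threshold prompts inside a sliding window (any result).
    'gave_in' marks a prompt approved during the burst, the outcome a fatigue campaign aims for."""
    prompts = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, acct, result = parsed
            prompts[acct].append((ts, result))
    findings = {}
    for acct, events in prompts.items():
        events.sort()
        start = 0
        for end, (ts, result) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window start forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                f = findings.setdefault(acct, {"prompts": 0, "gave_in": False})
                f["prompts"] = max(f["prompts"], count)
                if result == "approved":
                    f["gave_in"] = True
    return findings
```

A burst with `gave_in` set is the signal that warrants an immediate session revocation and customer contact, since the approval itself looks legitimate to the MFA service.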

A bigger attack surface and higher attack sophistication levels are a result of the rising use of complicated technologies and interaction with third-party systems. Today, maintaining a strong cybersecurity posture entails more than merely defending sensitive systems and data from damaging external attacks. Additionally, it entails better data privacy, identity protection, and vulnerability management. Banks and financial institutions can outsource part of the burden of staying compliant with regulations and securing customer financial data by partnering with a trusted managed services provider. These companies aggregate experience and expertise to help banking institutions stay one step ahead of their adversaries.


Google is offering a new tool to anyone who doesn’t want their phone number, email or street address and other personal information to be found online: People can ask for their contact details to be stripped from search results.

“The availability of personal contact information online can be jarring,” said Michelle Chang, Google’s global policy lead for search, as she recently announced the change. She noted that the data could result in “unwanted direct contact or even physical harm.”

The new policy sharply lowers Google’s bar for removing data from search results. While it previously offered to scrub personal and financial information in cases of a real or potential threat — such as doxxing or identity theft — the company says people can now ask for their information to be removed even if there’s no clear risk.

You can fill out a form to take your contact info out of search results

Anyone wanting to submit a removal request can use a special online form that walks users through the process. It asks for things like the URL of any webpages displaying your personal data, along with the search terms and URL of the Google search you used to find those pages. It also recommends including screenshots.

“It’s important to remember that removing content from Google Search won’t remove it from the internet, which is why you may wish to contact the hosting site directly, if you’re comfortable doing so,” Chang said.

Even with the changes, there are still a few reasons Google might deny a removal request. They mainly deal with information that is deemed “broadly useful” or part of the public record, such as newsworthy data or material that’s posted to government sites or other official outlets.

Along with contact information, you can ask Google to remove results that include login credentials and other sensitive data.

Google also recently changed its policy on photos of minors

Google is expanding its policy around protecting personal information because users requested the change, Chang said. Noting the chance for malicious use of such data, she said the service is evolving along with the internet.

The new search policy comes six months after Google made another change to allow minors or their caregivers to request their images be removed from its search results. That shift came as Google and other tech companies faced criticism over their policies toward children and minors.

One of the largest early adjustments for Google’s search tools came from Europe, where a Spanish man’s case established the “right to be forgotten” in 2014. In the four years that followed, Google said, people made more than 650,000 requests to remove specific websites from its search results.


Courtesy of Bill Chappell, NPR

(Nov. 25, 2020) Model privacy forms from the CFPB that many credit unions and banks use to disclose their information-sharing practices to their members and customers should be updated, according to a report issued this week by the Governmental Accountability Office (GAO).

The report, requested by Senate Banking Committee Chairman Mike Crapo (R-Idaho), said the current model form provided under the Gramm-Leach-Bliley Act (GLBA) for required disclosures gives consumers only a limited understanding of institutions’ information sharing. The GAO specifically recommended that the CFPB update the model privacy form and consider including more information about third-party sharing.

Noting that the GLBA-related model privacy form, which provides a safe harbor under the law, was created more than 10 years ago, the report states that it therefore gives only a limited view of what information is collected and with whom it is shared. The GAO said consumer and privacy groups it interviewed cited similar limitations.

The proliferation of data-sharing since the form’s creation in 2009 “suggests a reassessment of the form is warranted,” the report adds.

The bureau, in response to the report, said it would consider updating the form, adding that doing so would require a joint rulemaking with other agencies.

LINK:
CONSUMER PRIVACY: Better Disclosures Needed on Information Sharing by Banks and Credit Unions (GAO-21-36)