This is an excerpt from Finextra’s report, ‘The Future of Digital Identity 2022: Inclusive, secure, fit for purpose.’
The Covid-19 pandemic has proven that digital accessibility and digital provisioning must be seamless, and services must be able to scale at a rapid rate. Servicing must not be at the expense of security and risk-based decisions must always be made, even
in times of economic volatility.
Speed does lead to riskier decisions, and in turn, less secure or more risky outcomes overall. But this is a concern that needs to be addressed and monitored as we move into a more sustainable world, where digital accessibility is expected. Delivering barrier-free
banking is key and security must always be real-time and contextual, particularly where identity is concerned.
Identities must be safeguarded as well as payments.
Ignatius Adjei, director, forensic data analytics, KPMG UK, highlights that fraud prevention has taken centre stage in a world where rapidly evolving technology is creating new attack surfaces for cybercriminals.
“Technology has been and is continuing to evolve fast. Customer interactions were already on a steeped trajectory of becoming digital and what Covid-19 has done is just accelerate the process by three years or so. During the pandemic, we’ve seen transaction
volumes increase by 29% globally and there has been specific growth in online banking registrations across web and mobile during lockdown.
“The rise of new payment channels and digitalisation has given fraudsters ample opportunity to commit crimes – and they have taken it,” Adjei says. According to
UK Finance, £754 million was stolen from bank customers during the first half of 2021 - a 30% rise from 2020. Adjei also calls out that there has been continual growth in automated bot hacks and synthetic identity fraud has skyrocketed, as bad actors continue
to use stolen identities to open fake bank accounts.
“What has become clear is that as businesses have quickly adopted digital payment and customer interaction methods, the sheer speed of rollout of such technologies has outpaced the fraud risk assessments which should be carried out to manage and mitigate
potential fraud threats. Criminals too have evolved their technologies used to support their criminal activities.”
Eric Duflos, consumer protection lead - senior financial sector specialist at Consultative Group to Assist the Poor (CGAP), also reveals that research conducted by CGAP in 2022 identified 66 consumer risks and found that some risks are increasing so rapidly
that they are outgrowing consumer adoption rates.
5 new risks that were identified in 2022 and since CGAP’s research in 2015:
- mobile app fraud,
- biometric identity fraud,
- authorised push payment scams,
- synthetic identity fraud, and
- AI risks.
While the rest of the risks are more familiar, such as SIM swap fraud, data breaches and Ponzi schemes, Duflos states that “they have been evolving due to the dynamic nature of financial technology, becoming more complex. Evidence suggests some new and existing
risks have become more prevalent during the Covid-19 pandemic, such as social engineering scams and fraudulent transactions via mobile apps.”
Biometric identify verification, although useful for risk mitigation, if fraudsters obtain copies of fingerprints or high-resolution pictures to access customer accounts, biometric data storage can be breached, and legal limitations can lead to data misuse.
Similarly, with synthetic identity fraud - when new identities are created by blending information from multiple individuals - uncovering fraudulent transactions is made more complicated and it is difficult to identify who exactly has been impacted.
In addition to this, while AI may help detect and mitigate fraud, autonomous learning in AI has introduced newer risks for digital financial services users such as algorithmic bias, discrimination, mis-selling, privacy intrusion, and opaque decision-making,
according to Duflos.
Further, as Duflos explores, if these risks are ignored, it could “undermine the delivery of financial services to underserved and low-income consumers, especially women. Nonusers of digital financial services may be discouraged from adopting them while
users may suffer financial loss and other harm that erode their trust and confidence in the services.
“The risks can even contribute to over-indebtedness, especially when consumers borrow from unauthorised digital lending apps and peer-to-peer platforms, which may practice exorbitant interest rates, abusive debt collection or social shaming,” Duflos adds.
He also advises that urgent action must be taken by those in the digital finance ecosystem, including regulators and supervisors, financial service providers, funders and donors, consumer groups and researchers.
The arrival of 5G
While fraud prevention has always been a priority for these organisations, a proactive approach must be taken to keep pace with rapidly evolving technology and in turn, fraudsters that are doing the same.
This has proven to be increasingly difficult with the arrival of 5G. Although this technology has been welcomed due to its ability to help applications run faster and leverage massive volumes of complex data, it has created a new attack surface for cybercriminals.
Adjei agrees with this sentiment and continues to say that that in the future, “more devices will ultimately lead to a larger attack surface for fraudsters to hijack IoT devices. It will also be easier for bad actors to hide within an environment with so
much data! Therefore, it’s critical that digital authentication solutions of the future are versatile enough to keep up.”
Alongside this, traditional digital identity fraud prevention techniques will not work in the era of 5G. Adjei explains: “Imagine in the future, typing a password once to access the hundreds or thousands of devices you will interact with at every location
you go. It would be incredible in terms of reducing customer friction. In this 5G era, traditional fraud prevention techniques will not be able to keep up.
“The number of devices, speed, and low latency of 5G technology will require more advanced methods of fraud detection to keep up with bad actors. Banks will need to leverage multidimensional biometric procedures that combine elements such as facial recognition
and geo-location in real time to keep customers safe.”
While it is evident that fraud prevention is far more effective than reconciliation, it is difficult to achieve this at the scale and speed of 5G. According to Adjei, “5G will result in transactions executed nearly instantly, but the same processing speed
that creates this customer experience leaves banks with less time to identify fraud. This is where the machine learning and AI models come in as these solutions organically increase the accuracy and speed of detection.
“To benefit from this, financial institutions will need to significantly upgrade their underlying technology and data management platforms to ingest the new forms of data from multiple channels at near-zero latency and automatically apply the machine learning
in real time (i.e., under 10 milliseconds) to prevent fraud. This will be expensive, highly complex and will take time to get right.”
However, the benefits of 5G cannot be ignored. “Digital identity authentication and verification is happening already in the telecommunications market. By authenticating users via 5G-enabled smart devices that are protected by encryption keys, companies
are able to provide a streamlined and secure digital authentication process that can keep up with the many positive and transformational changes 5G is bringing to the world.
“Customers are being onboarded efficiently through the ability to authenticate customer information from national databases and integrate with more than 20 systems, whilst at the same time avoiding duplication of customer data.
“It’s also worth noting that digital onboarding has been taking place in the 4G world, with one telecom able to onboard 2.5 million subscribers a day, and this trend will continue in the 5G world, but it will be even faster and better,” Adjei states.
David Flower, president and CEO of VoltDB, wrote in his
Forbes article: “When considering the power – or potential power – of 5G, we need to think about it in the context of the Internet of Things.
“The problem isn’t so much the fifth generation of the mobile network and its ability to support up to a million devices per square kilometer (compared to 4G’s 100,000 devices per square kilometer) as it is the proliferation of IoT-based device networks
that will be using 5G to communicate with each other,” Flower said.
His view is that with the increase in connected devices and sensors, there will be increased opportunity to capitalise on data and intelligence around data, but this also provides hackers with a larger attack surface to hijack IoT devices and run DDOS attacks.
“IoT devices are hacked into with staggering frequency to make fraudulent purchases and launch DDOS attacks,” Flower reiterated. Adjei takes this one step further and explains how this will in turn result in an increase in payments fraud.
“The proliferation of 5G and IoT will result in a surge in the number of devices and sensors which connect at speed which will undoubtedly provide a larger attack surface for fraudsters. Fraud in the 5G and IoT era will therefore be faster, and on a much
larger scale.
“The payments industry will be among those impacted most by the widening adoption of IoT. This is because many of the technology’s use cases rely on payments to deliver value. More connected devices means more points of entry for fraud in payment systems.”
Dr Asma Adnane Asma, a lecturer in the Computer Science department of Loughborough University, provided her expert view.
“IoT devices have recently invaded our lives, from connected lighting, connected fridges/kettles to connected cars. New IoT devices with different features and prices are made available every day on the market because of the huge consumers’ demand with very
competitive prices. Although this might be seen as advantageous for consumers, it comes with huge privacy and security concerns.
1. First, those devices are developed so fast and put on the market quickly with little tests/checks, some come with huge vulnerabilities, basic errors that could be fixed if the software development cycle was respected, with security by design in mind.
Many examples of recent coding vulnerabilities in the news show how big and established companies are still making development errors that cause data breaches.
2. In addition, the IoT tech world is developing so quick, which is not giving enough time for standards and regulation bodies to catch up and setup adequate requirements and specifications for IoT development and security measures (which causes the first
point).
3. IoT devices became an excellent target for hackers, with their huge proliferation in our houses and their poor design, they are easy to find (shodan.io is a web search engine which can help find IoT devices) and easy to exploit. It is important to point
out that IoT devices can be exploited in two ways:
a. As the final target: which helps to get easily private and critical data, for e.g., smartwatches help you track a person moves, health and many other critical data. Connected fridge where you upload the grocery list and it will make the order automatically,
or a connected printer which will order the ink automatically when the cartridge is almost empty. If those devices are vulnerable, hacker can easily access the private data, payment data. If for example the devices are not using SSL or a strong authentication,
hackers can get your login details, and make orders on your behalf (without even having the need to access your payment details). As we can see here, the lack of encryption or the use of weak encryption design can make it easy to hacker access your data. The
example of the Tesla App vulnerability shows the consequences of poor encryption design in the mobile app. Other data breaches have been caused by design errors, as was demonstrated by the Strava fitness app. Another issue which makes personal IoT an easy
target, is the lack of security awareness of end-users, who often keep their purchased devices with default configuration...and forget/ignore the updates which often fix security flaws. Recent vulnerability in TeslaMate, allowed unauthorized access to Tesla
account with Anonymous access, default config and unchanged password. Although the vulnerability was not caused by Tesla, the company should do more to strengthen its security, such as removing a customer's API key when their password is changed, as is industry
norm. In general, the system manufacturers provide updates, but the user ultimately decides on the most suitable time to implement the change.
b. They can be exploited to perform a bigger attack toward another target easily creating a DDoS attack (distributed denial of service attack) as was the case in the mirai attack. Mirai is a malware which infected millions of IoT devices and tuned them into
bots (also called zombies) waiting to get order from the master node (attacker/hacker) to start an attack towards a target.... imagine millions of devices sending simple web request to a target server at the same time. The code of Mirai was released by the
hackers and was replicated by many cybercriminals. Some IoT botnets have been used for crypto-mining (cryptocurrency mining is resource-intensive, botnet miners use IoT devices to mine cryptocurrencies without the knowledge of the owners).
4. Compliance: this is another important point, for consumers it is very hard to check for example if the IoT vendor is compliant with data privacy Act for example, which data is stored about them and how it is used, and for how long it will be stored? again
the lack of regulations makes it hard to check the compliance of certain devices. There are also many data security and privacy concerns when it comes to IoT design, where huge amount of data is gathered, processed, and stored with little transparency on how
the data is handled.
5. IoT devices invaded our homes so quickly while users’ lack of educationon how to set them up in secured and safe way. People can’t imagine theirconnected kettle can be an attack surface for hackers to access their home network and get critical private
data.
What can be done?
- Create and enforce regulations
- Security awareness for users before buying and for configuring/using IoT devices
- Secured IoT design:• MFA (multifactor authentication)
- Strong encryption for stored and transmitted data
- Transparency regarding data usage