Story image

Interview: RSA Security decodes digital fraud and its effects on APAC

05 Jun 18

The internet is a minefield of malware and fraud, with some fraud-based websites lasting only hours in order to commit crimes and then vanish into thin air. 

I quizzed RSA Security’s business lead for Fraud and Risk Intelligence across Asia Pacific and Japan, Richard Booth, about the overall threat landscape, fraud prevention, and what everyone can do to keep themselves safe.

Booth’s role as a business lead enables him to work with banks, card issuers and ecommerce businesses to secure their customers’ accounts and transactions.

“I love being on the forefront of fraud-fighting technology and seeing our products make a tangible, positive impact within digital channels.”

In general, how is the threat landscape evolving in Asia Pacific – what is really driving those threats and driving defence?

The current threat landscape in the Asia Pacific region is no more, or less, sophisticated than in other parts of the world, such as Europe or the Americas. However, the greatest difference in Asia Pacific is the scale of the market and the rate of change. The Asia region has an enormous consumer population, which is a potential goldmine to fraudsters, and rapid advancements in digital payments means Asia is becoming a hotspot for digital fraud attacks.

The Q1 statistics from RSA’s quarterly Fraud Report seem to suggest the lowest number of attacks since Q2 2017, yet it’s still a minefield of phishing, Trojans, brand abuse, and mobile apps. What is it about mobile apps and how people use these apps that make them so vulnerable to fraud?

The average consumer doesn’t associate potential fraud risks with a new app they download from an online store. Consumers have become so accustomed to online threats (such as phishing and viruses) that the caution exercised when installing a new mobile application is very low.

There is a sense of ‘it won’t happen to me’, which is hugely dangerous. I think there is still a big education job to be done around security. Consumers need to better understand that although an app may appear legitimate on the surface, that doesn’t necessarily ensure it has originated from a safe source.

We have countries like Australia and China that are highly-placed in terms of hosting fraudulent websites (phishing, etc). Are Australia and China-based web hosters knowingly taking on dodgy websites, or are criminals getting better at spoofing IPs?

There are some ISPs that willingly operate fraud operations and are most likely connected to organised crime syndicates. They are known in the fraud underground as “bullet-proof hosts”, meaning they cannot be taken down or disrupted.

For the legitimate web hosts and ISPs, I believe the issue is with the sheer volume of fraudulent websites, as opposed to being criminally complicit. Therefore, many of these new sites are created automatically with scripts and only last for a few hours at a time. That makes it very difficult to track and trace.

With every fraud transaction value being $306 - 47% more than a standard transaction value, this is still far lower than figures from the EU, Americas and UK. Why is this the case?

At the moment, we have no specific data to back this up, but I would hazard a guess that the general population in Asia have less disposable income than those in other global regions, as a result, there is simply less value per victim to steal.

Are there any other relevant APAC stats you can share that highlight fraud?

Last year, card-not-present fraud on Australian-issued cards reached a record level bypassing AUD$400 million for the first time ever, according to the Australian Payments Network.

The report mentions that Reddit is banning fraud subreddits, and in more general terms we’re seeing the likes of Facebook, Google, and Twitter clamping down on cryptocurrency fraud.  What else are global internet companies doing to stop fraud?

As you can imagine, the largest effort to stop fraud is being undertaken by the payment giants such as Visa, MasterCard and PayPal. However, my greatest fears are emerging fintech and cryptocurrency companies that may have a less mature approach to third party consumer fraud, compared to the traditional payment companies.

A good example of this is how many fintech and cryptocurrency companies continue to rely on static credentials for authentication access to consumer services. This approach leaves them ripe for attack from old school phishing techniques.

What initiatives does RSA have around fraud prevention?

RSA’s Fraud and Risk Intelligence portfolio consists of four key capabilities:

  • Fraud Action Services – detecting and shutting down phishing, malware and rogue mobile application attacks
  • Adaptive Authentication – assess login and payment risk in real-time with the potential to invoke a step-up risk-based authentication challenge
  • Web Threat Detection – monitors digital user behaviour from the beginning to the end of the session, similar to CCTV for digital channels flagging abnormal user behaviour
  • 3DSecure Authentication – protects online shopping transaction on behalf of card issuing banks by analysing the fraud risk at the point of check-out and invoking a dynamic authentication challenge depending on risk status

All fraud begins with compromised consumer credentials or devices and reveals itself through abnormal user behaviour during logins, on web and mobile sessions and payments.

RSA’s fraud prevention portfolio focuses on the entire breadth of the fraud ecosystem by detecting and shutting down fraud attacks in the wild (phishing, malware and rogue apps), as well as detecting and mitigating fraud as it happens during login and payments.

What advice would you give to both global enterprises and individual consumers about protecting themselves against fraud?

As mentioned above, all fraud begins with compromised consumer credentials and devices. The number one priority for any consumer is to protect their data. With the number of data breaches increasing in volume and velocity, it is more important than ever before for consumers to ensure they maintain strong passwords that they change regularly.

The new GDPR legislation has made the world sit up and take note of just how important privacy is. Consumers should take the opportunity now to shut down dormant accounts, clean up their social media profiles and review their privacy settings on all digital services.

Global enterprises should (and can) do a better job of disrupting the fraud ecosystem. This includes fraudster communication channels, such as the various social media platforms. It is obviously pleasing to see Reddit leading the way in this regard.

GDPR will hopefully do more to make enterprises consider what types of consumer data is retained, why they need it and how they can secure it. Businesses should only capture the bare minimum of personal data and it should be secured to international best practices. If the data is breached, they should notify consumers as quickly as possible.

How to stay safe when shopping online
Online shopping is a great way to avoid the crowds – but there are risks.
Dell EMC embeds security in latest servers
Dell EMC's 14th generation of PowerEdge servers has comprehensive management tools to provide security across hardware and firmware.
Why data backups should be a part of daily operations
"Disaster recovery needs to address complete system failure and provide a set of security policies to govern disaster incidents."
Businesses focusing on threats from within - survey
Over 50% of respondents reported that 100 days of dwell time or more was representative of their organisation.
GCSB welcomes Inspector-General's report on intelligence warrants
Intelligence warrants can include surveillance, private communications interception, searches of physical places and things, and the seizure of communications, information and things.
Corelight and Exabeam partner to improve network monitoring
The combination of lateral movement and siloed usage of point security products leaves many security teams vulnerable to compromise.
SailPoint releases first identity annual report
SailPoint’s research found that many organisations are lacking maturity in their governance processes over identities.
Disruption in the supply chain: Why IT resilience is a collective responsibility
"A truly resilient organisation will invest in building strong relationships while the sun shines so they can draw on goodwill when it rains."