Interview: RSA Security decodes digital fraud and its effects on APAC
The internet is a minefield of malware and fraud, with some fraud-based websites lasting only hours in order to commit crimes and then vanish into thin air. I quizzed RSA Security's business lead for Fraud and Risk Intelligence across Asia Pacific and Japan, Richard Booth, about the overall threat landscape, fraud prevention, and what everyone can do to keep themselves safe.
Booth's role as a business lead enables him to work with banks, card issuers and eCommerce businesses to secure their customers' accounts and transactions.
"I love being on the forefront of fraud-fighting technology and seeing our products make a tangible, positive impact within digital channels.
In general, how is the threat landscape evolving in Asia Pacific – what is really driving those threats and driving defence?
The current threat landscape in the Asia Pacific region is no more, or less, sophisticated than in other parts of the world, such as Europe or the Americas. However, the greatest difference in Asia Pacific is the scale of the market and the rate of change. The Asia region has an enormous consumer population, which is a potential goldmine to fraudsters, and rapid advancements in digital payments means Asia is becoming a hotspot for digital fraud attacks.
The Q1 statistics from RSA's quarterly Fraud Report seem to suggest the lowest number of attacks since Q2 2017, yet it's still a minefield of phishing, Trojans, brand abuse, and mobile apps. What is it about mobile apps and how people use these apps that make them so vulnerable to fraud?
The average consumer doesn't associate potential fraud risks with a new app they download from an online store. Consumers have become so accustomed to online threats (such as phishing and viruses) that the caution exercised when installing a new mobile application is very low.
There is a sense of 'it won't happen to me', which is hugely dangerous. I think there is still a big education job to be done around security. Consumers need to better understand that although an app may appear legitimate on the surface, that doesn't necessarily ensure it has originated from a safe source.
We have countries like Australia and China that are highly-placed in terms of hosting fraudulent websites (phishing, etc). Are Australia and China-based web hosters knowingly taking on dodgy websites, or are criminals getting better at spoofing IPs?
There are some ISPs that willingly operate fraud operations and are most likely connected to organised crime syndicates. They are known in the fraud underground as "bullet-proof hosts", meaning they cannot be taken down or disrupted.
For the legitimate web hosts and ISPs, I believe the issue is with the sheer volume of fraudulent websites, as opposed to being criminally complicit. Therefore, many of these new sites are created automatically with scripts and only last for a few hours at a time. That makes it very difficult to track and trace.
With every fraud transaction value being $306 - 47% more than a standard transaction value, this is still far lower than figures from the EU, Americas and UK. Why is this the case?
At the moment, we have no specific data to back this up, but I would hazard a guess that the general population in Asia have less disposable income than those in other global regions, as a result, there is simply less value per victim to steal.
Are there any other relevant APAC stats you can share that highlight fraud?
Last year, card-not-present fraud on Australian-issued cards reached a record level bypassing AUD$400 million for the first time ever, according to the Australian Payments Network.
The report mentions that Reddit is banning fraud subreddits, and in more general terms we're seeing the likes of Facebook, Google, and Twitter clamping down on cryptocurrency fraud. What else are global internet companies doing to stop fraud?
As you can imagine, the largest effort to stop fraud is being undertaken by the payment giants such as Visa, MasterCard and PayPal. However, my greatest fears are emerging fintech and cryptocurrency companies that may have a less mature approach to third party consumer fraud, compared to the traditional payment companies.
A good example of this is how many fintech and cryptocurrency companies continue to rely on static credentials for authentication access to consumer services. This approach leaves them ripe for attack from old school phishing techniques.
What initiatives does RSA have around fraud prevention?
RSA's Fraud and Risk Intelligence portfolio consists of four key capabilities:
- Fraud Action Services – detecting and shutting down phishing, malware and rogue mobile application attacks
- Adaptive Authentication – assess login and payment risk in real-time with the potential to invoke a step-up risk-based authentication challenge
- Web Threat Detection – monitors digital user behaviour from the beginning to the end of the session, similar to CCTV for digital channels flagging abnormal user behaviour
- 3DSecure Authentication – protects online shopping transaction on behalf of card issuing banks by analysing the fraud risk at the point of check-out and invoking a dynamic authentication challenge depending on risk status
All fraud begins with compromised consumer credentials or devices and reveals itself through abnormal user behaviour during logins, on web and mobile sessions and payments.
RSA's fraud prevention portfolio focuses on the entire breadth of the fraud ecosystem by detecting and shutting down fraud attacks in the wild (phishing, malware and rogue apps), as well as detecting and mitigating fraud as it happens during login and payments.
What advice would you give to both global enterprises and individual consumers about protecting themselves against fraud?
As mentioned above, all fraud begins with compromised consumer credentials and devices. The number one priority for any consumer is to protect their data. With the number of data breaches increasing in volume and velocity, it is more important than ever before for consumers to ensure they maintain strong passwords that they change regularly.
The new GDPR legislation has made the world sit up and take note of just how important privacy is. Consumers should take the opportunity now to shut down dormant accounts, clean up their social media profiles and review their privacy settings on all digital services.
Global enterprisesshould (and can) do a better job of disrupting the fraud ecosystem. This includes fraudster communication channels, such as the various social media platforms. It is obviously pleasing to see Reddit leading the way in this regard.
GDPR will hopefully do more to make enterprises consider what types of consumer data is retained, why they need it and how they can secure it. Businesses should only capture the bare minimum of personal data and it should be secured to international best practices. If the data is breached, they should notify consumers as quickly as possible.