Tales From the Botnet #2: Can Companies Bank on AI to Stop Cyber Fraud?

Ayla Orucevic
7 min read · Dec 5, 2020
Courtesy of Behance

This article is the 2nd in a series which explores the intersection between Artificial Intelligence and Cybersecurity. It dives into a variety of cyber attacks financial institutions are prone to, then digs into the pros and cons of integrating AI into cybersecurity measures at these institutions.

Picture this: You’ve just come home from a long day at work and can’t wait to unwind with your favorite pastime — baking. You pull up your favorite baking blog and whip up a batch of decadent chocolate brownies. Suddenly, you get a text message from your roommate asking you to e-transfer them $10 for the groceries they bought you last week — rats! Embarrassed that you hadn’t paid them back yet, you quickly open up a new tab and log into your bank account, e-transfer them, and then switch back to the brownie recipe tab.

Fresh out of the oven, the brownies look incredible, and you, being your altruistic self, decide to post a nice comment on the blog thanking the author for the wonderful recipe. You click the “Post Comment” button.

Suddenly, a wave of nausea crashes over you and your heart starts thumping in your chest. You quickly log into your bank account and you feel lightheaded when you see your most recent transaction: $30,000 transferred to an account you’ve never seen before.

You slam your laptop closed. What have you done?

This seemingly mechanical action of switching tabs cost our ill-fated baker all of their bank information. Some blogs and other insecure websites act as a perfect decoy for Cross-Site Request Forgery (XSRF) attacks.

XSRF attacks are the 3rd most common cyber-security attack, and can compromise not only your bank account information, but also your email, social media accounts and other highly sensitive personal information. In the past, hugely popular services such as Netflix, YouTube and even McAfee Security have been vulnerable to XSRF attacks. In layman’s terms, XSRF is a vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform.

As a high-level overview using our example, XSRF attacks work as follows:

1. A hacker-controlled or compromised site is visited by a user. (In our case, the baking blog.)

2. The user then switches tabs to a site with sensitive information. (In our case, a bank account.) Then, the hacker intercepts the user’s login credentials.

3. The user then switches over to the malicious site, and performs an action. (In our case, writing a comment.)

4. The hacker uses the form as a mask to perform an action in a hidden page. (In our case, the user thinks they are just sending a comment, but once they press “Post Comment”, they are actually pressing submit in a hidden page which is logged into the user’s bank account using the compromised credentials from before to transfer money to the hacker’s account.)
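A server-side check that would reject the forged “Post Comment” submission from the scenario above, as an added example that is not part of the original article or any bank's code. The origin `https://bank.example`, the request layout and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

BANK_ORIGIN = "https://bank.example"   # assumed origin of the real banking site
SERVER_KEY = secrets.token_bytes(32)   # server-side secret, never sent to the browser


def issue_csrf_token(session_id):
    """Token the bank embeds in its own transfer form, bound to one session."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256)
    return f"{nonce}.{mac.hexdigest()}"


def token_is_valid(session_id, token):
    """Recompute the MAC for this session and compare in constant time."""
    nonce, _, sig = token.partition(".")
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256)
    return hmac.compare_digest(expected.hexdigest(), sig)


def allow_transfer(request):
    """Decide whether a POST /transfer request may run. Returns (allowed, reason)."""
    session_id = request.get("cookies", {}).get("session")
    if not session_id:
        return False, "no session"
    # The session cookie alone proves nothing: the browser may attach it to
    # requests to the bank regardless of which tab or site triggered them.
    if request.get("headers", {}).get("Origin") != BANK_ORIGIN:
        return False, "cross-site origin"
    if not token_is_valid(session_id, request.get("form", {}).get("csrf_token", "")):
        return False, "missing or invalid CSRF token"
    return True, "ok"


# Constructed sample requests (not captured traffic).
SESSION = "sess-1234"
genuine = {"cookies": {"session": SESSION}, "headers": {"Origin": BANK_ORIGIN},
           "form": {"to": "roommate", "amount": "10",
                    "csrf_token": issue_csrf_token(SESSION)}}
forged = {"cookies": {"session": SESSION},
          "headers": {"Origin": "https://baking-blog.example"},
          "form": {"to": "unknown-account", "amount": "30000"}}

if __name__ == "__main__":
    for name, req in (("genuine", genuine), ("forged", forged)):
        print(name, allow_transfer(req))
```

The forged request carries a valid session cookie yet fails both checks, because a page on another site can neither set the bank's `Origin` nor read the per-session token out of the bank's form.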

These attacks don’t just happen on blogs — XSRF and phishing go hand in hand as well:

XSRF emailing attack | Courtesy of PortSwigger.net

As our scenario shows, XSRF attacks are one example of a threat that targets financial institutions. In fact, a plethora of cyber threats, including phishing, DDoS attacks, malware, ransomware and ATM cash outs, all attempt to breach financial institutions. As per Business Insider, cyber attackers are relentless:

“According to the Boston Consulting Group, financial firms are 300 times more likely than other institutions to experience cyberattacks … In 2019, Mastercard reported that they experience over 460,000 intrusion attempts each day, which is an increase of 70% from the year prior.”

It seems like attackers will try anything, as many times as possible, to penetrate financial institutions’ fortress-like defenses and strike gold — whether that be unsuspecting customers’ bank account details, or ATM cash outs (where “crooks hack a bank or payment card processor and use cloned cards at cash machines around the world to fraudulently withdraw millions of dollars in just a few hours”). Evidently, financial institutions (with a 6.2 trillion USD market cap in the third quarter of 2020 alone) need to turn to the latest, most innovative technologies to help combat the thousands of attacks that occur every day and to protect their reputation and their customers’ trust and assets. How can these institutions show their customers that safeguarding their information is their top priority? How can they instill trust in their customers and ensure that they are never susceptible to vulnerabilities like XSRF attacks?

Enter Artificial Intelligence.

Financial institutions and large companies, such as MasterCard, have started harnessing the power of AI to help evaluate cyber risk throughout their systems and stop breaches from occurring. These systems have been more than effective, as they’ve saved MasterCard’s stakeholders from $20 billion in fraud in 2019 alone. MasterCard’s newest AI-powered cyber fraud detection system, Cyber Secure, released a couple of weeks ago, is yet another layer in their ever-growing cybersecurity strategy. It allows MasterCard’s customers, commercial banks, not only to identify vulnerabilities but also to prioritize them, giving them better control over their data and their cybersecurity posture, or strength.

Cybersecurity’s role in a MasterCard transaction | Courtesy of MasterCard’s 2017 Fiscal Year Form

Since Cyber Secure is MasterCard’s proprietary software, there isn’t an in-depth explanation of the algorithm available. At a high level, though, the AI software compares data gathered from risk assessment evaluations against 40 security and infrastructure points. The effect and importance of each detected vulnerability factor into a cyber fraud rating for that vulnerability. Ajay Bhalla, president of Cyber & Intelligence at Mastercard, emphasizes the importance of AI in this particular situation: “With Cyber Secure, we have a suite of AI-powered cyber capabilities that allows us to do just that, ensuring trust across every experience, for businesses and consumers”.

Financial institutions also utilize AI to prevent payment fraud, which is “any type of false or illegal transaction completed by a cybercriminal. The perpetrator deprives the victim of funds, personal property, interest or sensitive information via the Internet”. Payment fraud-based attacks take on a variety of forms, and in today’s ever-growing threat landscape, hackers continually fine-tune and evolve their complex attacks. Thus, detecting these attacks with a set of rules or metrics alone is impractical (this is a situation where MasterCard’s Cyber Secure would probably not be the most suitable solution, as it relies on a set of security ‘rules’ which would need to be constantly updated).

One reason why AI is being used to combat payment fraud is its rapidity. AI’s blazing-fast speeds and scalability allow for real-time data analysis of credit card transactions or transfers. AI’s precision also allows for more accurate risk assessment, consequently eliminating false positives or negatives caused by human error because of its restricted scope of analysis. Companies like Kount, an AI-powered fraud prevention company, calculate risk scores at a 250-millisecond rate, a rate imperative for real-time fraud detection at a company like PayPal, which is seeing upwards of 5 million transactions a day — some of them potentially fraudulent.

Additionally, AI’s predictive analysis and machine learning techniques are trained on an extremely large amount of customer data in order to create complex, sophisticated models that accurately depict a company’s cyber posture. This breadth and depth of information (on a scale of billions of transactions across hundreds of regions) was previously inaccessible and unfathomable to humans, but thanks to AI is now a reality.

The most important takeaway is that financial institutions rely heavily on trust for retaining customers, and the more protection and assurance they can offer their customers in ensuring their private data stays private, the better. After all, would customers rather perform transactions at a MasterCard-partnered institution which utilizes Cyber Secure, or at a company like Equifax, Inc., which in 2017 fell victim to the largest financial services breach in history?

Should all banks and financial services convert their cyber security strategy to be fully AI-powered? Steve Holt, a partner at EY, raises an important point: “One of the big concerns, especially at the regulatory level for the future, is ultimately the underlying data integrity… so, if the attackers don’t do big enormous payouts immediately but attempt to alter the underlying data, how would that be spotted?”

AI is an exciting, emerging technology, and hundreds of companies are jumping on the opportunity to harness its power in their cybersecurity efforts. At the same time, they must be cautiously optimistic and integrate AI gradually, rather than all at once. Holt concludes, “When talking about the potential of machine learning, I think we shouldn’t forget everything we achieved to date without it”.

In other words, while it may seem like AI has taken the upper hand against human hackers and its future in helping battle cyber attackers seems bright, we shouldn’t place all our confidence in it. It needs to be integrated into our applications slowly and in a controlled manner. This way, we’ll be able to reap all the benefits we can get from this exciting technology.

Tales From the Botnet to be continued…
