United we stand
Collective action is needed to fight the growth of cybercrime. Sarah Armstrong-Smith of Microsoft and Marc Trepanier of ACI Worldwide discuss how to frustrate the fraudsters and maximise the benefits of the Cloud
Cybercrime is the dark side of the explosion in e-commerce and digital financial services. As payments have moved online and become increasingly mobile and diverse, fraudsters have been quick to follow the technology curve and adapt their methods to new opportunities.
Digital acceleration during COVID-19 presented a fresh opportunity, and has provided rich pickings for the unscrupulous. In particular, there has been a spike in authorised push payment (APP) scams, as criminals used fake websites and emails to trick consumers into misdirecting payments. According to UK Finance, which represents hundreds of organisations and describes itself as the collective voice of the banking and finance industry, fraud increased by 70 per cent in the first six months of 2021.
In response, regulators and policymakers are calling for greater cooperation from the banking and fintech communities, and the UK Joint Fraud Taskforce was recently relaunched to combat the worrying rise in fraud during the pandemic.
Against this backdrop, big tech companies such as Microsoft must take the lead to counteract fraud by ensuring they embed security in their technologies and work collaboratively with the financial community to increase protection.
As chief security advisor at Microsoft, Sarah Armstrong-Smith is focussing on the challenges of Cloud adoption and digital transformation, and how to contain the cyberthreat.
“Cybercrime is constantly evolving,” says Armstrong-Smith. “Just think of what’s happened over the last 12 months with the number of digital devices in use, the number of banking apps, the accessibility of online services, and the volume of digital transactions. All that has played into the hands of cybercriminals.
“At Microsoft, we look at ways to provide services for different sectors, and how to address the challenge of transformation and security.
“One of the most important things is to get insights and analytics, to really find out what’s going on, and to scrutinise transactions and look for patterns.”
The scale of the challenge means that organisations must work together, says Marc Trepanier, who is a principal fraud consultant with real-time payments specialist ACI Worldwide. Trepanier has more than 22 years’ experience working in fraud and financial crime, a timespan that mirrors the rise of the internet and concurrent growth in cybercrime.
“The fraudsters, banks and payment service providers play cat-and-mouse,” says Trepanier. “We’re forever trying to stamp out fraud in one area and then it pops up somewhere else.
“In terms of measures to prevent fraud, machine learning (ML) and artificial intelligence (AI) have made big strides, and federated ML, a collaborative approach to fraud prevention, is poised to be the next great leap for payments.”
With traditional ML techniques, datasets are harvested from different devices, such as mobile phones and laptops, and then uploaded to a centralised server. Federated learning is an ML approach that doesn’t require large amounts of data to be shared, a practice that poses risks for privacy and security.
Federated ML promotes collaboration and partnership between enterprises, with data shared in a ‘closed-loop system’ so that there is no actual data exchange.
“Organisations can only keep growing so much horizontally, gathering ever-more data,” adds Trepanier.
“Being united, we’re much stronger, but how do we solve the age-old problem of fraud sharing? Federated learning is privacy by design, as there is no sharing of personal identity information. It’s just fraud patterns, risks and formulas, and it allows a rapid response across multiple attack vectors.”
Trepanier also highlights incremental learning, which is part of ACI’s technology suite – a category of ML where input data is continuously used to extend the knowledge of an existing model. Trepanier explains that AI now learns from incoming data, so that it can self-adjust and recognise fraud patterns, and whether fraudsters are evolving their techniques. Because it auto-refreshes, the robots are slowly learning to do everything by themselves.
When it comes to the overall framework for digital transformation and fraud prevention, Trepanier says the Cloud will make the biggest difference.
“The Cloud is behind the rapid modernisation of legacy fraud systems,” he says. “We’re seeing the growth of super-platforms, such as Uber and Netflix, and subscription services. They scale up and down, from the smallest to the largest organisation, and have true elasticity.
“Lots of people buy a server, run fraud software on it, and only ever use, say, 10 per cent of the server. The other 90 per cent is wasted. Having true Cloud-native systems and elasticity is magical. You can ramp up during the shopping season and dial down when it’s quiet. It allows payment providers to always have access to the latest technology, in super-secure environments, at a manageable cost, while they would be unable to afford it by themselves.”
Increasingly-clever criminals
The pandemic has had a massive impact on consumers and business models, says Armstrong-Smith. “Suddenly, we had to move to digital and cards, because cash was no longer accepted. Cybercriminals wasted no time in exploiting homeworking, and the change in consumer behaviour and practices. When we went into lockdown, there was real fear about keeping services running, and we became critically dependent on the digital infrastructure. At Microsoft, we identified more than 60,000 malicious messages related to COVID-19.
“Fraudsters were pretending to be the World Health Organisation, your bank, HM Revenue & Customs and other legitimate bodies. And they were creating phishing links and fake domains to take advantage of the fact that people had to go online. We’ve also seen a huge increase in insider threats because banks and other financial institutions had to adapt their working practices at scale, which inevitably introduced stresses and weaknesses.”
Armstrong-Smith says that the new work environment has forced people to access data that they wouldn’t normally be able to, as well as potentially talking about highly-sensitive information on collaboration sites such as Teams and Zoom. This more fluid and open working culture heightens the risk of data leakage and insider trading.
“When we talk about fraud,” she says, “we have to look at it in much broader terms. It’s not just a question of external, consumer fraud; it’s also the threat of insider fraud, so the risk factor is greater and we must use ML and AI capability to understand what’s happening and how fraud is evolving.”
Trepanier echoes the point and says that, in the real-time payments space, ML is the solution because humans can’t make all the necessary decisions in real time. Payments demand ‘timely and contextualised decisions’, he says, and, with real-time payments there is the problem of rising volumes.
“Robotic process automation is the key to delivering better operational efficiency,” says Trepanier, “and the Cloud is definitely the way forward. It means faster time to market, agility, the ability to modernise. Today, you have to pivot and add new channels. In the last 25-to-30 years, there were only one or two and it was pretty stable, but now we’re at a crossroads. Suddenly we need five, 10, 15, and they have to be cross-border and international too. Cloud allows us to do that.”
Trepanier adds that with real-time payments, compared to card rails, the margins are not the same as they used to be. ML has to be present, and providers must be able to stop transactions in real time, which requires tight controls.
Joined up thinking: Working together, with smart technologies, is the only way to stay one step ahead of fraud
“Real-time analytics are vital,” says Armstrong-Smith. “But it’s not just about having real-time information; it’s what you do with that information that’s important. So, when you’re presented with a welter of transactional data, and volumes keep growing exponentially, you must have decision-making in real time.
“You must determine what is high risk, low risk, medium risk. And you might need the customer to re-authenticate. So, do they need to call in, or should they use a PIN or other type of verification? We’re seeing many more real-time transactions where someone’s in the middle of the process and they’re asked, for example, to go to their banking app and verify with a code.”
That’s the definition of real time, says Armstrong-Smith. And customer experience benefits because transactions are not suddenly blocked at the most inconvenient moments, such as when they’re in the middle of a transaction in a store.
“The Cloud enables analytics at scale and at volume,” says Armstrong-Smith. “And it ensures resilience when data and services are changing. If an organisation is having to refine its products and comply with regulatory changes, the Cloud allows it to adapt.”
Trepanier adds that Cloud is particularly useful for mid-sized organisations, and software-as-a-service is the way to go.
“It’s the ticket for them to survive this very aggressive industry change,” he says. “It’s the way to grow revenues and keep up with both fintechs and large organisations that have the capability to scale. Mixing this elasticity with monthly subscription costs, instead of one-time, massive capital investments, is a big win for them.”
Leaving it to the experts
Looking at what consumers want today, Trepanier and Armstrong-Smith agree there will always be a place for traditional banks and their services. However, consumers now want more choice and flexibility.
“The problem,” says Trepanier, “is that, for years, banks and financial services providers have been growing massive, IT-centric teams. But the Cloud has changed the landscape and enables them to act more like fintechs, be agile and respond to consumers. If a consumer says ‘I want to make a payment by simply looking at something and pointing my device at it’, that’s a request financial services must meet.”
As for cybersecurity and compliance, Trepanier says the more organisations invest, the fewer returns they’ll receive from that investment. However, they still feel compelled to keep doing so because they don’t want their business to be compromised, and have to stay compliant.
“One single solution may cover 40 per cent of their risk,” says Trepanier, “while a new solution may improve their position by one or two per cent, so the investment is a diminishing return. Given the scale of investment in Cloud, and the work that Microsoft is doing in Azure, unless you’re one of the largest organisations in the world, you probably can’t beat what it’s doing in that space.
“So, from the cybersecurity and compliance perspective, Cloud is the best option for even the smallest organisations. They’re outsourcing their risk to a third party which has security figured out way better than they ever will.”
Cloud analytics: Combined with clever use of AI and ML, it can produce the insights needed
“Microsoft has the biggest Cloud platform of any service provider,” explains Armstrong-Smith, “and with that comes a responsibility to ensure compliance and security. Trust is fundamental, and there are several dimensions to that. If you’re a banking institution, used to working on-premise, maybe in a locked-down environment, and thinking about moving to the Cloud, you’ll no longer be solely responsible for the infrastructure and services in a shared-responsibility model.
“Part of that infrastructure – the platform and the networks – is down to the service provider. We are always accountable for our data and what people are doing with it. Microsoft also has the biggest compliance regime of any service provider, with nearly 90 different certifications, local and global.”
Armstrong-Smith says Microsoft seeks feedback from its customers so it can better understand and meet their needs. Because the environment is now so highly competitive, customers can go to many different banking and online services and applications, which is why providers have to inspire trust and confidence to ensure they stand out from competitors.
Trepanier says ACI is building this trust with many anti-fraud developments across banking, merchant acquiring and issuing.
“I’m helping to build international ML federated communities across the world,” he continues.
“We have hundreds of organisations that use our software to protect their companies, and we are working on connecting them and creating an international community to stop fraud. Together, we are far more effective.”
“Communication and collaboration are the keys,” adds Armstrong-Smith. “I’m spending a huge amount of time talking to customers, partners and even regulators, just to understand the changing landscape and what the priorities are. I’m sharing insights within financial services, across different sectors and different regions.
“You can expect to see plenty more developments from Microsoft as a result of these shared insights, not just around security and compliance, but also identity.”