Back to Blog

BioCatch and the Unfinished Business of Cybersecurity

BioCatch and the Unfinished Business of Cybersecurity

From fears of a cyberspace-based New Cold War between Russia, China, and the U.S., to emerging fraud threats to financial services companies, small businesses, consumers, and work-from-anywhere employees, the issue of cybersecurity is likely to loom large over all technology discussions in 2021.

To this end, we caught up with Uri Rivner, Chief Cyber Officer of BioCatch. Headquartered in Tel Aviv, Israel, and a Finovate alum since 2014, BioCatch offers an AI-driven behavioral biometrics-based platform that enables online identity verification and reduces fraud by providing account opening and account takeover protection, as well as defense against social engineering scams.

I would be remiss if I didn’t take this opportunity to ask a cybersecurity expert about the massive breach involving SolarWinds and, allegedly, Russian hackers. How do you think about this incident as a professional and how should we think about it as individuals, consumers, etc.? 

Uri Rivner: This is the broadest, deepest cyber espionage campaign in a decade; the last wave of this magnitude was attributed to China, which launched a massive industrial espionage campaign some 10 years ago against hundreds of major U.S. and global corporations. I was on the receiving end of that attack during my time at RSA, which was breached in March 2011, and it was a watershed event with far-reaching implications. It galvanized the U.S. intelligence community to action, brought cyber awareness in Corporate America to the Board level, and injected a real sense of urgency to the cyber security industry.

The SolarWinds campaign has a similar effect. When FireEye – the gold standard in endpoint protection and cyber intelligence against state-sponsored attacks – is itself breached, people take notice. When dozens of high-security networks deploying every imaginable combination of state-of-the-art tools and security procedures are compromised, everyone raises an eyebrow. Those who wonder whether the cyber security scene is growing into a new “bubble” received a very clear message: listen, folks, let’s get something straight – cyber security is still unfinished business.

What was the big theme in cybersecurity in 2020? Do you believe this trend will remain as strong in 2021?

Rivner: The big theme in cybercrime in 2020 was the impact of the global pandemic on fraud and identity management. Fraud teams worldwide had to operate from home, resulting in deficiencies that fraudsters were quick to exploit. Online account opening and account takeover fraud surged, and potentially billions of dollars were scammed through government stimulus package fraud. When the dust settles in 2021, we should see the financial sector adopt new, automated fraud controls to close those gaps. 

With banks accelerating their mobile-first strategy and releasing new, high-risk functionality available only for mobile platforms – e.g. P2P payments – we should expect 2021 to feature more mobile-based social engineering and malware attacks. Mobile authenticators such as fingerprint and selfie biometrics will suffer from the same fate as any other “strong authentication” technology – they’ll be circumvented using end-users as “moles” to tunnel below the security fences.

You have outlined a variety of cybersecurity trends you think we will face next year. You talk about the rise of “mule detection” as a priority for fraud detection teams. Can you elaborate on how widespread this has become and what is being done to fight it? 

Rivner: Thousands of bogus U.S. bank accounts are opened each day online for the purpose of serving as “mules”. Opening a fake bank account is easy as identity records are traded in the dark web, and it’s cheaper to create your own digital mule account than to recruit a living-and-breathing collaborator to funnel your funds. Fortunately, banks use new, next-generation technologies. Device reputation highlights compromised devices used by criminals, while behavioral biometrics can identify when a genuine user uses long-term memory to enter personal information; whereas fraudsters are not familiar with the victim’s personal data and can’t type it the same way. 

Outside the U.S., “work from home” mule recruitment is surging given the constant lockdowns and economic crisis caused by the pandemic. But consider this: say a user normally holds their device in a certain way, has a certain typing cadence and finger press size. All of a sudden you spot a different personality inside their account, with new habits and gestures, and the “guest” always checks in shortly after money is received… You just detected a mule, sharing their account with a “controller.” Often these “mule herders” control dozens, or even hundreds of mule accounts.

You’ve also noted that regulators worldwide are taking greater notice of social engineering scams. We’ve known that these are some of the most powerful ways that systems have been penetrated. What are regulators doing to help fight social engineering scams? 

Rivner: Social engineering isn’t new, but deep social engineering is a new and dangerous mutation. This is when cybercriminals convince the user to log into their bank account and simply move money to another account belonging to the fraudster. This is done so cleverly that it has become a real epidemic – first hitting U.K. banks a few years ago, and then spreading to mainland Europe and Australia. It’s likely to reach North America in 2021, and banks are far from being ready to deal with this massive problem.

Global regulators are paying close attention to what’s happening in this front. They’re likely to demand strict and immediate measures to protect the vulnerable population from such scams using a combination of traditional transaction monitoring and next-gen capabilities such as detecting signs of hesitation, duress, distraction or being guided based on subtle behaviors measured on the user’s PC or mobile device.

On the technology front, you’ve pointed to the growing attention fraudsters are giving to fintechs and the emerging industry of mobile-first banks. What are the vulnerabilities here and what can fintechs and neobanks do to fix them? 

Rivner: The mobile transformation in the financial sector is not evenly spread geographically. In Europe and Asia, mobile-only banks, payment apps and fintech are old news. In North America, the revolution is much more recent, and revolutions are always the best drivers for financial crime. Many U.S. banks offer Zelle, a peer-to-peer payment service, only through mobile apps and not yet via online banking. Additionally, the number of mobile-only financial services, loan providers and other fintechs is skyrocketing.

Crime rings that have focused their online fraud strategy solely on web applications have to adapt fast. Expect to see heavy showers of Mobile RATs and help desk scams, mobile-focused social engineering, mobile overlay malware, rogue apps, mobile emulators and other nasty fraud schemes. Fintechs and neobanks use a risk-based approach in which passive, frictionless device and behavioral biometric controls trigger active biometric controls in case of an anomaly.

You’ve said that one interesting development in fraud technology is the greater role they are playing in “trust and safety.” What do you mean by this and why is it happening now? 

Rivner: The banking industry has been using advanced device and behavior analysis to fight fraud, but those technologies are also poised to play a major role in trust and safety. The problem is not stopping cyber criminals, but rather identifying genuine end-users who misuse the system, circumvent controls, gain unfair advantage over other end-users in, say, a marketplace or a gaming site, and generally breach trust and safety controls.

The global pandemic accelerated digital transformation and exposed many of these risks. For example, remote workers who have been vetted and background checked can share their accounts with others who haven’t so they can punch in more hours, creating new security exposures for the company that employs those workers. Once something like this happens, a company can lose things that are sometimes more important than actual money: accountability, fairness, trust and reputation.

Photo by eyeball3000 from Pexels