Why analysing user behaviour is key to addressing cyber fraud
That Nagpur man who never got an SMS that new beneficiaries were added to his account before losing Rs 21 lakh; the Bangalore techie who lost close to Rs 3 lakh after she tried to sell a cot in a reseller platform; and the journalist who never got the Harvard job despite months-long exchanges with an account that mimicked the varsity — are all victims of some kind of cyber fraud. The first two are cyber frauds for financial gain, while the third is social engineering, to defraud or to launch a targeted cyber attack.
Cyber fraud is not unidirectional, where raising a firewall may solve it for you. A fraud is pulled on you in the form of a link, a call to share an OTP, or, in the case of businesses, spoofing everything from the IMEI number of the mobile phone to the geo-location. The bad actors are generally professional hackers, inside actors or fraudsters. Oftentimes, these parties are in liaison with others, reminding us why stakeholders like financial institutions, law enforcement agencies, and cybersecurity professionals should act together. “Cyber fraudsters are just like your real-life conmen. Very resourceful and always ahead of the curve. Often, technology has to do the catching up,” says Harshil Doshi, country director India at cybersecurity firm Securonix.
Tackling cyber fraud is challenging, but not impossible. Ranjan R Reddy’s Bureau is trying to get there. Launched just months before the world went into Covid lockdown, Bureau runs a ‘Trust Network’ for a clientele of fintechs, banks, crypto and gaming companies, and matrimony sites. It is basically a graph database of the behaviour of good actors and bad actors, and is not static. Just as the Credit Bureau knows your credit behaviour, Bureau maps user behaviour. “We understand users first from their digital persona, which is phone, email, device, IP and what they have provided for compliance, which could be the PAN, Aadhaar etc. Behaviour will be mapped to a point where you are identified as left or right-handed, your typing speed, do you copy or type more, etc, based on sensors on your phone screen. Everything is then mapped to a singular identity, which we put behind a phone number,” says Reddy, CEO & founder of Bureau. If anyone tries to impersonate you, the system can instantly recognise that.
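As an added illustration of the behavioural baseline Reddy describes (this is not Bureau's code; field names, weights and sample sessions are assumptions), the following Python keeps known devices and networks, handedness, typing speed and paste ratio per phone-number identity, then scores a new session against that baseline so an impersonation attempt stands out.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev

@dataclass
class Session:
    """One observed login. Fields are assumptions modelled on the signals quoted above."""
    device_id: str
    ip_asn: str         # IP collapsed to its network, so home/mobile churn alone is not alarming
    typing_cpm: float   # typing speed, characters per minute, from on-screen sensors
    paste_ratio: float  # share of input pasted rather than typed
    handedness: str     # "left" or "right", inferred from touch telemetry
@dataclass
class Profile:
    """Baseline for one identity, keyed on the phone number as the article describes."""
    phone: str
    devices: set = field(default_factory=set)
    asns: set = field(default_factory=set)
    typing: list = field(default_factory=list)
    paste: list = field(default_factory=list)
    handedness: str = ""
    def learn(self, s: Session) -> None:
        # Fold a trusted, fully verified session into the baseline.
        self.devices.add(s.device_id); self.asns.add(s.ip_asn)
        self.typing.append(s.typing_cpm); self.paste.append(s.paste_ratio)
        self.handedness = self.handedness or s.handedness

def zscore(value: float, samples: list) -> float:
    """Distance from the user's own mean in standard deviations (floored to avoid /0)."""
    if len(samples) < 2:
        return 0.0
    return (value - mean(samples)) / (pstdev(samples) or 1e-9)

def assess(p: Profile, s: Session) -> tuple:
    """Score a session against the baseline; weights are constructed for illustration."""
    checks = [
        (s.device_id not in p.devices, 3, "unknown device"),
        (s.ip_asn not in p.asns, 1, "unknown network"),
        (bool(p.handedness) and s.handedness != p.handedness, 2, "handedness changed"),
        (abs(zscore(s.typing_cpm, p.typing)) > 2, 2, "typing speed off baseline"),
        (abs(zscore(s.paste_ratio, p.paste)) > 2, 2, "paste behaviour off baseline"),
    ]
    hits = [(w, why) for fired, w, why in checks if fired]
    return sum(w for w, _ in hits), [why for _, why in hits]  # >= 5 means step-up verification

def demo_profile() -> Profile:
    """Constructed baseline: five trusted sessions of one user on one device."""
    p = Profile(phone="+91-<placeholder>")
    for cpm, pr, asn in [(180, .05, "AS-home"), (190, .10, "AS-mobile"), (200, .08, "AS-home"),
                         (210, .06, "AS-home"), (220, .11, "AS-mobile")]:
        p.learn(Session("dev-A", asn, cpm, pr, "right"))
    return p
```

A genuine session on the known device scores 0, while a session from an unknown device and network with the opposite handedness, double the typing speed and mostly pasted input scores 10 and lists every reason, which is the signal a fraud team would route to step-up verification.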
OTPs in the form of SMSes are the weakest link and perhaps the most exploited in the fraud ecosystem. SMSes are not encrypted. Also, OTPs are not contained within a bank, as most financial institutions use third party gateway providers, who receive data from various financial institutions, aggregate that data, and then push these packets of data to appropriate mobile service providers. Once the OTP is typed in, the financial company sends back the confirmation via the same gateway again.
“We’ve done investigative work in the past where we found that people in third-party aggregators are able to see OTPs in transition. While a lot of the banks do security audits, the technical infra is the IP of that mobile gateway, and often banks and fintechs don’t get a complete view of how that infra works or who is able to see what,” says Jayant Saran, partner at Deloitte India. Depending on the volume of transactions in any given minute, there can be a queue of OTPs at the gateway, and hence a lag before the user receives one. If there is a bad actor inside the mobile gateway, it is not impossible to manufacture such an SMS lag deliberately and commit fraud in the window it creates.
Tracking the behaviour of employees and vetting their access controls are the two other important steps in bringing down the number of frauds. When Varonis, a pioneer in data security and analytics, surveyed its larger customers, it found that on average a new person joining one of those businesses has access to 17 million files on the very first day of their employment. “So, what’s the blast radius?” asks Scott Leach, VP, APAC sales. Such unrestricted access often leads to data breaches, inadvertently or otherwise, and feeds the network of fraudsters who scour the dark web for means to commit fraud.
While Varonis builds solutions that help companies understand where their important data is and who has access to it, it also gives organisations the capability to monitor how that data is used, predict breaches and reduce the risk of insider threat. This is essentially behaviour analytics, a solution that is increasingly popular with enterprises across sectors for managing fraud.
Securonix, which has been in the user identity and behaviour analytics space for more than a decade, has also built its technology to understand and analyse users’ behaviour, the interactions of the machines in the network, and thereby help detect threats.