While the essence of fraud is constant, criminals are constantly finding new methods and tools. People across all three of the main fields represented at the International Association of Financial Crimes Investigators’ two-day Cyber Fraud Summit—law enforcement, finance, and information security—might be familiar with the Red Queen’s race. In Lewis Carroll’s Through the Looking Glass, the Red Queen explains to Alice that “it takes all the running you can do, to keep in the same place. If you want to get somewhere else, you must run at least twice as fast as that.” Similarly, anti-fraud agents often find that it takes all their time and resources just to respond to fraud that is already happening; if they want to get the jump on fraudsters, they somehow need to run at least twice as fast.
The summit keynote speaker, Mathias Sundin, began with the subtitle “why the good guys will win.” While we admire his optimism, we would adjust the title to better sum up the content of the conference: why the good guys can win. We should say the good guys can win instead of the good guys will win because there are some sobering trends on the horizon.
As at many events at the intersection of cybersecurity and fraud, many of the case studies presented to attendees were grim: thousands of synthetic identities being created, vulnerabilities in technologies implemented to make accounts safer, and so many compromised credentials that credential databases are now subject to “password rot.” While no speakers came with silver-bullet solutions, there were plenty of suggestions that could make measurable differences in combating fraud by eliminating the easiest targets.
Coral Springs Police Department’s Detective Jason DeLuca walked attendees through a detailed case study of synthetic identity fraud, a new form of identity fraud that can evade long-term detection by using the inactive financial identities of children or by creating new identities disconnected from any real person. Researchers and law enforcement are only just beginning to tackle synthetic identity fraud, and no one truly knows how big a problem it will become in the future. How many children are going to come of age burdened with ruined credit and no clear path towards fixing their situation? We became even more concerned about this trend when we discovered a listing for infant full identity packets, or fullz, on the dark web marketplace Dream. Although the publicity around our find caused the user to take down the listing, this incident is a symptom of a growing trend. Even if financial institutions and law enforcement find a way to mitigate future synthetic identity fraud, the industry has a problem of unknown scale and impact on its hands.
Many of the problems and exploits discussed during this conference have simple solutions. What they do not have is easy solutions. Lawrence Baldwin of MyNetWatchman presented a comprehensive look at the security vulnerabilities of SMS-based two-factor authentication (2FA). A number of simple exploits that can spoof SMS, combined with the millions and billions of credentials that have already been leaked, make SMS-based 2FA vulnerable to bad actors and leave even more accounts vulnerable to takeover. There is a straightforward solution to this problem: sites and services need to deliver 2FA over a channel over which they can be sure they have complete control. While that solution is simple, it is not easy. Rates of 2FA adoption remain low—fewer than 10% of Gmail users have activated 2FA—and sites have little motivation to force users to adopt more complicated security measures if users will not use existing measures.
The summit also hosted success stories and some real opportunities for collaboration between financial institutions, law enforcement, and cybersecurity practitioners. Edward Chang’s case study of the U.S. government’s takedown of the Coreflood botnet highlighted the role governments can take in protecting users from wide-scale fraud. A presentation about ATM jackpotting—a technique relatively new to the U.S. that involves using malware and/or hardware to spit out the contents of an ATM’s vault—co-led by representatives from Diebold Nixdorf, a major ATM manufacturer, and the U.S. Secret Service showed that stopping fraud is possible. In the case of ATM jackpotting, simple techniques like ensuring machines are given different physical and digital keys can go a long way toward reducing risk. The challenge, as always, is encouraging institutions to invest time and energy in these preventative measures before fraud occurs.
Cyber-enabled fraud will keep running the Red Queen’s race for a long time, but the opportunities presented during this summit—from cooperation between industries to education programs and certifications focused on cyber-enabled fraud—can provide the boosts the good guys need to take “can win” to simply “win.”