Digital ecosystem in India is giving criminals a potential goldmine for cybercrime-related activities, says Richard Booth of security firm RSA

Digital financial fraud is all around us. Everyone knows someone or the other who have faced issues such as credit card frauds, ATM skimming, phishing, voice call scams and much more. With India getting increasingly digital, the field is ripe for fraudsters who are looking at the prospect of so many people getting online.

Post demonetisation, the use of digital wallets has been on the rise. Online e-commerce has taken off like no other business in the recent past. We are paying for our cab rides, buying grocery, shopping for clothes, shopping for gadgets, hiring home help, booking flight and train tickets — all in the online environment. This certainly brings in a lot of convenience for many users. But if you are not careful with online transactions, you are leaving yourself vulnerable to be cheated off of your hard earned money.

Cybercrime is on the rise in India. A recent survey found that around 48 percent of Indian online users were hit by fraud. There’s a prevalence of identity theft, frauds in areas such as telecommunications, retail as well as financial services.

We spoke to Richard Booth of RSA Security, who leads the fraud and risk intelligence business in RSA for Asia Pacific and Japan regions, on the current trends in the sphere of online fraud. The Dell Technologies-owned RSA helps credit card companies, online shopping merchants and anyone with a customer-facing business to protect their customers from financial fraud, especially in the digital channels.

Could you let us know about your work profile at RSA

I have been with RSA for nearly 12 years, most of which were spent in the UK. So I have a fair bit of experience with European banks and the frauds and challenges there. I am here to study the effects of demonetisation and Digital India , which aims to move everything online. While this digitisation has made things such as bill payments and shopping online easier, it has also made the fraudsters smarter and they have started taking advantage as well.

What are your learnings from the last one year after demonetisation, in the way Indians behave online and protect themselves from online fraud?

There may have been a few surprises in the speed and scale at which it (demonetisation) happened, but most likely the trends we predicted were followed. India isn’t the first country in the world to go digital, and every country going through the same suffers from extraordinary attention from cybercriminals.

Within the RSA Fraud and Risk team, we look at cybercrime through the context of three aspects: volume, variety and velocity of fraud. So for instance when you consider the Unified Payments Interface (UPI), fraudsters are now able to get access to money much quicker than before. When you combine the UPI environment with demonetisation and transformation, it creates a perfect storm for criminals to focus on Indian institutes and consumers as they can easily get access to the money, as it’s all online. Once you have access to the accounts, it does not leave much time to review what happened.

What according to you are the challenges that online service providers have cut out for them?

The challenge is to strike the right balance for online services to provide ease for its customers while ensuring that their environments are safe. We have been in this field of enterprise security for quite a while now. Our fraud legacy is through our acquisitions. In that regard, we have acquired two companies back in 2006. So for more than 10 years we have been learning lessons on how to fine tune the banks’ requirements and customer expectations. Between usability and security. For us, we try and understand the fraud ecosystem, because if we can understand that, then it becomes easier to decide what to do.

When we think about the life-cycle of a fraud event, it breaks down in four critical areas.

• The fraudsters compromise the credentials — they steal the login details and other details about the consumer
• The second state is to check if the information they’ve stolen is valid. We call it credential-testing. They either go to an online store or try to login to the online banking environment to test the credentials. They do this at scale, as they are stealing tens of thousands of usernames and passwords. They are testing them in batches
• Once they have a list of valid credentials, the third step is a combination of taking over the customers account or creating a new account with stolen identities to act as a mule. So that the stolen money can be transferred to the mule or third-party account
• The final step is cashing out, wherein it involves taking the money out of the victim’s account. Typically this involves someone standing at the ATM to withdraw the money or they will use an overseas money movement service to transfer money internationally.

A lot of banks have security measures in place, such as PINs, two-factor authentication or ways to log in. Is it still easier for the cyber fraudsters to bypass these measures?

In the fraud business within RSA, we look at controls. So if fraud is the financial risk, the OTP would be a control that you put in to prevent the risk from happening. We talk about visible and invisible controls. The challenge with visible controls is that the fraudsters know what they need to get past. So in the case of SMS OTPs in the banking world, criminals have figured out that if they can’t attack the credentials, they go after the next weakest link which is the human interface.

Increasingly in India, social engineering is becoming a far more prevalent form of fraud attack. This is where they will use SMS or voice-based attacks to get the details after convincing the gullible victims that they are calling from the bank or service provider. They will tell the customers that there is a code coming to their phones. So the fraudster is sitting on the online bank, ready to log in. It is more labour intensive and cannot be easily automated. And then there are the more intense attacks where the hackers infect the customers’ phone with malware which will redirect the SMS with the OTP back to the fraudster.

So while I would say that the banks are doing a great job today, it is not that everything is under control. There is a continuous fight, where the banks have to evolve as quickly as the fraud evolves.

Do these trends travel across geographies or have a lifetime in a market before moving to another market?

Most fraudsters will try and reuse the same technique in different geographies. We conducted a study involving the underground cybercriminal world. Over a period of 6 months, we were observing the fraudsters over fraud forums. We found social media groups dedicated to fraud evangelisation across some of the most popular social media sites, across geographies including India. Sharing stolen credentials, trading secrets on how to be a better fraudster to even training courses on ‘How to be a Fraudster?’ were widely discussed on these forums. Within these 500 or so social media groups, we also observed around 300,000 members and in the last six months, we have observed the memberships of these groups rise by 70 percent. So fraudsters have definitely become more braver. Two years ago, everything was quite secret. Fraudsters were operating from the Dark Web sitting behind Tor networks. But as the scale of cybercrime has grown, we now see fraud forums operating on the public internet, on social media sites and so on.

Could you elaborate on the aspect of behavioural profiling

Behaviour monitoring can be the most effective in the second step where the credential testing is being done. RSA was able to observe the techniques that fraudsters are using to test credentials in an automated way. They are using scripts and tools to take username and password files, and then very quickly run them against login screens — banks, online shopping sites and so on.

When you talk about behaviour monitoring, to give an analogy, when you look at the CCTV footage of a break-in at a mall, you notice that the burglar has striking behaviour. He or she will not behave like the rest of the shoppers, they will just barge in, take whatever they want and be on their way out, lest they are detained by the police. In the same way, a fraudster stands out online, if you know what you are looking for. We notice the robotic nature of the scripts and bots, and even if there was a human being behind a computer, the speed at which they click, their navigation path on the site, the activities that they perform are different from the genuine customers.

So when we think about some of the previous detection methods such as IP address, device profile, the fraudsters have mastered how to overcome that. One of the things they are struggling to overcome is behaviour monitoring. So we believe that by looking at certain aspects, we can easily identify criminal behaviour.

How big of a component are artificial intelligence (AI) and machine learning (ML) in fraud detection?

We utilise a lot of ML in our techniques. Machines can only take you so far just as it is with humans. The current state that we are in, it works best when it’s a human and machine partnership. ML provides speed, scale and automation whereas people are needed to interpret the signals and point the tech in the right way. An AI system may be able to tell you, “I think that there is a 90 percent degree of certainty that this is a fraud”, but coming back to that balance of security and usability, would you let AI block the transaction? Chances are that with customer experience at the back of the mind for many of the banks today, there will still be some human intervention. It could be programmed according to each individual institutes policies, such as defining the threshold up to which AI can take decisions and when humans should take over.

Where does India stand on the global map in terms of security preparedness?

When we look at a geographical heat map of fraud, it depends on how you measure the different criteria. So clearly, economies like the US, UK, Australia — since the currencies are stronger — they get attacked frequently. In India, for instance, the size of the economy and the volumes is very different. So in certain areas, India is ahead of other countries, and not so great in others.

So far, we were talking of financial industry, but now you have FinTech industry in India and other countries. Even Europe is debating about the feasibility for banks to open their interfaces to third party service providers. As the bank starts to lose the direct connection with the customer, as they are now coming through another app or intermediary, where does the attack surface move to? Who is responsible? As more third parties want to access bank data, do they become the weak link as the fraudsters will attack these third parties instead of bank security fortresses? Supply chains’ security breaches are growing as the criminals realise that if they can’t attack the actual target, they will find a weaker link.

Chatbots, automated assistants, programmed to address certain queries — there is a risk of bias setting in, how do you tackle that?

The risk lies at the level of trust consumers are willing to share with these chatbots or virtual assistants. Authentication has to be a two-way street, just like a bank authenticates who I am before letting me do a transaction online, there should be methods to authenticate if a particular chatbot is real or fake. It’s like some hacker getting access to my social media account — now yes, there is value in my account, but there is an even more value in a hacker impersonating me and getting data of and from my friends or contacts. My friends will trust that it is me operating the account and could share some important details without realising that it is a fraudster managing my account.

Data breaches such as Equifax, although not relevant in India, still leave a lot of concern that if such a huge organisation can be hacked where are the safe havens? Fraudsters are getting more advanced, so is there any way out of this?

RSA’s business-driven security strategy is trying to help customers bridge the gap, we call it as the gap of grief, between the business objectives and the security risks. So these businesses are trying to grow their customer base, keep them happy, and ultimately grow the top line and bottom line to grow more money. Different companies will take different risks in order to achieve that. For instance, startups are more willing to take risks and larger organisations may have a lower risk profile. The challenge is that the bigger companies have a lot more data and so the reputational risk of a breach is much higher. Some companies never fully recover from the reputational damage.

On the other side, you have the security risks. We help our customers not only understand the risks but also respond to them in the appropriate way. I think breaches will continue. As long as there is value in data that companies hold, criminals will be targetting them. There is no specific vertical that will be targetted more than others. The lines are being blurred between hacktivists, industrial espionage to even state-sponsored terror attacks.

India has a terrible shortage of skilled resources in the security sphere. How do you think that issue can be tackled?

Skills shortage in the security space is not unique to India. As security becomes a high-demand industry there is a shortage of professionals trained well in security practices. Universities are starting to offer more cyber-security specific courses to train people. I don’t want to comment on Indian govt policy specifically, but whether it is national identity or a social media identity, more data is being attached to consumers’ digital footprint now. What we need to avoid is that a single breach can compromise all these online identities.

There should be some form of tokenisation or encryption and compartmentalisation of identity data is pertinent. I think at a national level, protecting citizens is tough as there are so many of them. In a company, the policies are set by one chief technology officer (CTO) or one chief security officer (CSO) and that is adopted by everyone. In a government, you have multiple agencies and you have identities with different agencies, and you may want all of those linked to each other. Now each of these agencies may have its own policy which it may be trying to implement, so there has to be a lot of collaboration between the different agencies. This is true not just for the govt but for enterprise as well. Collaboration on security policies is critical.

Technology is just one part of solving the cybercrime problem, a lot of it also depends on the people, the processes, the collaboration on policies and so on. You may have the best technology at your disposal, but if the people are not on the same page in terms of implementing policies, then the technology will not add much value.

Using machine learning in fraud detection. Fraudsters are also getting intelligent over the years. Is there a fear of them pre-empting your solutions?

It all comes down to behaviour monitoring. For genuine users, we are able to determine a pattern to their usage, almost like a fingerprint, thanks to the data available. With the smartest technology available to us, I don’t think any machine can replicate that usage pattern. When you look at the advancements in AI, there’s a big gap between saying that the AI system can mirror a generic human behaviour and be repeating that as against mirroring a specific human’s behaviour. That’s a huge gap that needs to be bridged if criminals are going to use machine learning to fool our systems.

I think Big data is not just about the size of it but also about the speed and variety. You can analyse the same data in a different way. I think its more how broad or wide your analysis can be on the same set of data, and how quickly you can do it.

With the privacy battles going on around the world, the amount of data banks will have to be dealt with will be huge. General Data Protection Regulation (GDPR) in Europe, for instance, will be challenging. For instance, things such as ‘Right to be forgotten’, now what does that mean in the context of a bank? Does it mean that only your details will be deleted from the bank’s database? Because the bank employees may remember you as a person, so how do you delete memories?

Privacy legislation is important and there should be guidelines on how personal data should be collected, treated, stored and how it should be destroyed. If we look at GDPR, it is leading in a way in that field, both as an employee and as a consumer. For us, it provides an opportunity to innovate on coming up with safer and secure ways to analyse the data in a way that provide the same business outcomes that our customers seek.