Social Engineering And Its Consequences.

While the media highlight increasingly sophisticated cyber-attacks, decision-makers could easily forget that humans are one of the main weak links of IT security. According to the latest IBM – Ponemon Institute report published in 2016, 25% of data leaks are due to human error or negligence.

Social engineering is about exploiting human weakness to obtain goods, services or key information.

Social engineering existed before the digital era. For example, during the 2000s, organized scammers used personal information available in Alumni directories to impersonate alumni of a prestigious university and extract money from their fellow classmates.

There is no need today to use malware or ransomware to access personal information: it is readily available on social media such as Facebook and LinkedIn. A white paper published by Alban Jarry in 2016 shows that 43% of people accept strangers on their LinkedIn network[1].

The president of a French bank recently showed us the Facebook profile of an individual allegedly working at the bank and trying to get in touch with clients: fake profile, fake identity obviously … In the same manner, how do you know who is behind the LinkedIn profile inviting you?

These “simple” techniques allow fraudsters to deceitfully obtain key information about a payer, a supplier… and subsequently impersonate them to initiate fraudulent wire transfers.

According to Grant Thornton, at least 3 out of 4 companies were targeted by fraud attempts over the past two years. Although 80% of all attempts fail, successful attacks can cause damages upward of $10 million.

$2.3 billion were stolen from businesses between 2013 and 2016, according to the FBI, and the number of victims identified in 2015 increased by 270%[2].

The phenomenon is significant, and companies have begun to build walls to contain it, implementing behavioral measures (e.g. paying attention to corporate data published on personal social media, refraining from clicking on suspicious e-mails originating from unknown parties…), business processes to improve internal controls, etc. But these measures are not sufficient, even if correctly applied, because they still rely too much on humans. This is the reason why new solutions are emerging, based on machine learning and big data processing. They automate the detection of attacks and fraud more and more effectively, complementing human activities and processes.

You will find out more by reading our next post!

[1] https://fr.slideshare.net/AlbanJarry/livre-blanc-612-rencontres-sur-les-reseaux-sociaux-partie-2-etude

[2] https://www.lesechos.fr/08/04/2016/lesechos.fr/021827593152_le-boom-inquietant-de-la—fraude-au-president—.htm


Fighting Fraud: From Big Data To Fast Data.

Credit card fraud is the most visible type of consumer fraud: According to The Nilson Report, global damages caused by credit card fraud reached 21 billion dollars (18.4 billion euros) in 2015. Less known to consumers, wire transfer fraud (see https://www.bleckwen.ai/2018/05/31/social-engineering-consequences/) catches the attention of banks seeking to protect their customers, as one single such attack may siphon millions. It is important to realize that the system managing wire transfers is critical to the proper operation of the economy of a country. This system cannot be subjected to major breaches.

Traditional protection methods involve the implementation of expert rules and manual controls to identify and verify the most suspicious operations, but negatively impact the customer journey.

Machine Learning is a good candidate to improve the level of protection while reducing friction and manual processing during this journey.

During the design phase, creating models requires cold data analysis, in particular to build and choose variables that will reveal specific fraud patterns. The machine learning model is then trained on the data history. This step uses technologies that are specific to cold processing (batch).

While this part is essential, it is also necessary to consider very early on how the model will be deployed and used on “hot” data. To be effective, fraud fighting tools must be implemented on large data streams but must also be able to minimize processing delays for each wire transfer. New legislation related to instant payments further increases the requirements as to processing speed (less than 20 seconds to fully process a wire transfer[1] and a few hundred milliseconds to detect fraud). Fraud detection systems must operate in this context, which therefore requires designing a specific architecture, supported by appropriate technologies.

The main challenge of implementing a fraud detection system is the operational capacity to manage the flow of wire transfers, during peaks in particular. A fraud detection system must therefore meet at least the following requirements:

  • Comply with delay limitations per wire transfer and debit operation
  • In case of failure, switch to a second system (simple rules or automated approval) so as to not disrupt the complete chain
  • Maintain the integrity of the wire transfer chain (no duplicates or missing wire transfers)

The diagram below provides a macro view of the processing chain required for credit scoring.

The processing chain indicated in red must be completed in less than 20 seconds. To ensure this, some of the calculations must be performed offline.

  1. Fetching data history: Variables identifying fraud must be able to distinguish between “legitimate” and fraudulent wire transfers. Based on customer habits, old and recent history, these variables are therefore often queried. Old data history can usually be pre-calculated since it characterizes phenomena observed over long periods of time, with little variation. Recent data history must sometimes be calculated on the fly, depending on the observed time scale.
  2. Querying the pre-trained model: The time required for the prediction is generally negligible compared to the time required to train the model. This training is therefore also performed upstream.
  3. Interpretation: Analysis and decision assistance are an essential part of an effective fraud detection system. An effective control call depends on precise indications given to the customer, because the risk of authorizing a detected fraud is real. The identity theft involved in social engineering sometimes places the payer in a situation of trust (usual supplier, request from management), even when the alert is given.
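
The three requirements listed earlier (delay limit, fallback to a second system, no duplicates or missing transfers) and steps 1 and 2 above can be sketched together as follows. This is an added example, not code from the original post or from any product it describes; the class, field names, thresholds and the toy model are assumptions made for illustration.

```python
from collections import defaultdict, deque
from concurrent.futures import ThreadPoolExecutor

class TransferScorer:
    def __init__(self, model, profiles, budget_s=0.3, window_s=3600, rule_limit=10_000):
        self.model = model          # pre-trained offline: callable(features) -> fraud probability
        self.profiles = profiles    # old history per payer, pre-calculated in batch
        self.budget_s = budget_s    # assumed detection budget (a few hundred milliseconds)
        self.window_s = window_s    # assumed span of "recent" history, in seconds
        self.rule_limit = rule_limit            # assumed amount threshold for the fallback rule
        self.recent = defaultdict(deque)        # payer -> (ts, amount) pairs, kept on the fly
        self.decisions = {}                     # transfer id -> decision already taken
        self.pool = ThreadPoolExecutor(max_workers=4)

    def features(self, t):
        """Combine the pre-calculated profile with recent history computed on the fly."""
        q = self.recent[t["payer"]]
        while q and q[0][0] < t["ts"] - self.window_s:
            q.popleft()                         # drop events older than the window
        recent_total = sum(amount for _, amount in q)
        q.append((t["ts"], t["amount"]))
        prof = self.profiles.get(t["payer"], {"avg_amount": 0.0, "known_payees": set()})
        return {"amount_vs_avg": t["amount"] / max(prof["avg_amount"], 1.0),
                "new_payee": t["payee"] not in prof["known_payees"],
                "recent_total": recent_total}

    def decide(self, t):
        """Return (source, action); every transfer gets exactly one decision."""
        if t["id"] in self.decisions:           # duplicate delivery: replay, do not rescore
            return self.decisions[t["id"]]
        feats = self.features(t)
        try:                                    # query the model within the delay limit
            score = self.pool.submit(self.model, feats).result(timeout=self.budget_s)
            decision = ("model", "review" if score >= 0.5 else "approve")
        except Exception:                       # timeout or model failure: second system
            decision = ("fallback", "review" if t["amount"] > self.rule_limit else "approve")
        self.decisions[t["id"]] = decision
        return decision

def toy_model(f):  # stand-in for a pre-trained model (constructed for this example)
    return 0.9 if f["new_payee"] and f["amount_vs_avg"] > 5 else 0.1

PROFILES = {"acme": {"avg_amount": 1000.0, "known_payees": {"supplier-1"}}}  # constructed data
T1 = {"id": "T1", "payer": "acme", "payee": "supplier-1", "amount": 1200.0, "ts": 1000}
T2 = {"id": "T2", "payer": "acme", "payee": "unknown-9", "amount": 50000.0, "ts": 1100}

if __name__ == "__main__":
    scorer = TransferScorer(toy_model, PROFILES)
    print([scorer.decide(t) for t in (T1, T2, T2)])
```

In a real deployment the decision store and recent-history window would live in a shared, persistent store rather than in process memory, so that replays are still recognised after a restart.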

To implement this processing chain, the requirement for streaming technologies (Fast Data) is added to existing big data requirements. There is a real technological challenge to providing tools that meet the level of reliability required by the banking industry, and support for recent innovations such as instant payments.

Our next blog post will take an in depth look at these technologies!

 

[1] https://www.europeanpaymentscouncil.eu/what-we-do/sepa-instant-credit-transfer