Experiential Security & Risk
At Finnoviti 2022, the annual innovation conference by Banking Frontiers, risk, security and technology experts shed light on emerging challenges and solutions to safeguard the financial systems:
Karthik: You can either create a Fort Knox, where you put in so many controls that there is no risk, but then it poses a lot of inconvenience to the customer. So how do you actually deal with this paradox?
V It is a very difficult situation for the bankers to meet the security aspects as well as the needs of the customer. Customers get angry and annoyed when we do a lot of validations in the backend. So, there is a challenge for the banks to introduce any kind of technology, especially in the payment ecosystem, where there are a lot of attacks being faced by banks today. We can’t bring a knife when we are facing a gunfight. The biggest challenge that we have is to prevent fraud attacks from happening. So, the technology is improving to prevent or mitigate the risk. Payment is the space where most of the innovations have happened in the last few years. Even before covid hit us, customers had a huge choice in payments. During covid, what really picked up - both from the issuance and acquiring side - was that a tremendous amount of uptake happened automatically. While many of us were ready with the technologies, the users who were coming to that game were completely new. And even though many of us already had fraud-based rule engines, we all moved into the adaptive mode of identifying risk, and that’s where this new profiling of customers started to pose a challenge, because a lot of customers were coming to digital for the first time. This meant that whatever personas we had already identified for frauds had to be redone at a frantic pace. The second is to nudge the customers to understand that there is always a balance between security and convenience. So I don’t think it’s a technology challenge today. I think RBI has been very careful to introduce prescriptive measures. The problem is the gullibility of customers coming on board, which has to be matched by the banks, because at the end of the day, even if a customer loses money as a part of fraud, the bank is liable unless it can prove that the customer is at fault - which is a very tricky game. So the onus of identifying a fraudulent or unauthorised transaction is on the bank.
We also have a similar digital transformation in the insurance industry. We get complaints from gullible people who get defrauded. When I did the research for our review on what new controls I could come up with, we came up with at least 40-50 minimum checks and additional checks that need to be performed. So that’s the change that you make in order to ensure that your customers are safe. When I encounter or come across new-age technologies being implemented, the first thing that I consider is the overall design. Sometimes in this rush of implementing something which is more tech-driven, we forget the basics. So, when we implement, we take care of the design part holistically, end-to-end. The other important thing I ask as a process architect is why do we do risk analysis after the solution is implemented, why not do it beforehand? One must have a mitigation plan. While there will always be unknowns, 80% of the time the data about the frauds that have happened will indicate what kind of frauds can come up. I see data science & analytics playing a very important role along with typical technology implementation.
Karthik: How have your response mechanisms, your framework or your Target Operating Model changed?
Thanks to RBI, we have a cybersecurity framework already defined. So, we have to fall in line to ensure compliance, and that addresses the majority of the issues. Beyond that, we need to conduct regular health checkups internally as well as ethical hacking, to ensure that our systems in the workplace are sound and healthy. We need to understand that the traditional model of a post-mortem cannot work anymore. Of course, that is required to understand the pattern, but immediate actions are required to ensure that we are safeguarding the customer’s data and also the financials. For that, the pattern of the transactions will always have to be monitored in real-time, and we need to throw more and more challenges at the transactions, so that the authentication is much more perfect. I strongly feel customer awareness is the key here. We need to educate and train our customers so that whenever they identify or even suspect anything, they should immediately inform the bank. Awareness is a big problem. If there is no time to implement preventive controls, then you have to quickly get into the mitigation and detection mode, and then think of prevention later. So, you might have a rising list of budgets and tools and checklists, but we’ll have to catch up with a budget problem. To be honest, when it comes to risk or fraud, I think a hybrid way of working works best. While there are technology and controls in place, not all frauds are caught, as they know how to surpass the system. In such cases, it is difficult to have only a system in place to fight the fraudsters. It needs manual intervention. To mitigate risks, you may not always have a solution; you may also have a manual way of doing it. Typically, the problems of the past have not gone anywhere; I mean, we’re still looking at confidentiality, integrity, and availability being maintained intact.
The only thing is that at times, when you are in mission mode, you probably may have to loosen the strings in one of the security layers. But the key thing that we all discuss internally is to always remember the Swiss cheese example, where you ensure that not all the holes are aligned, because then we are done. I think that’s the kind of dynamic reassessment of risk that all of us are now doing almost on a daily basis, to be very honest.
V When we look 10-20 years back, at the implementation of core banking, we just looked at the business aspects. Now we need to look at the cyber aspect as well as security by design, especially when banks are moving towards cloud. There are a lot of vulnerabilities and risks which we need to factor in.
Karthik: Which are the top 3 risks you have seen emerge, probably new risks?
More and more sophisticated targeted attacks are there. Patterns are new; for example, you will feel that an attack is happening from Delhi or Allahabad, but actually the attack might be happening from a different country altogether. And they are all targeted, which means they are timely, precision-made attacks. Another problem is the exploitation of the landscape of systems - every bank will have hundreds of applications with thousands of servers, and even a small loophole anywhere in the entire landscape, which we may not be aware of, can be exploited easily, and a targeted attack can find that. All this can be prevented only by a disciplined approach, properly analysing the health check of our systems, and the immediate mitigation plans that we create. Availability of systems and information - that’s one of the most critical aspects that all of us are very keen to maintain, and any disruption to any of the services is definitely bound to bring in a lot of flak and monetary losses for the bank. In terms of state actors coming in, the scale of the attacks, and the entry barriers for attackers being low, these have all increased manifold in the last few years, especially post covid. At the same time, we also understand that from a business standpoint, there is a huge amount of disruption that is happening. Five years back, our data centres were our perimeters from the security point of view. Today, the perimeters are extended across the globe as we partner with a lot of fintech companies and large companies. This is bringing in a new dimension of risk. We were all keenly worried about financial fraud and probably data as a source of fraud. Today, we should be wary not only about financial fraud, but also about the data that we hold from the customer. Attacks are happening on both fronts, and we have to be smart enough. In insurance, identity fraud still continues. While KYC and video KYC are mitigating those frauds to a level, we still see a gap. In general insurance, a lot of business is done through brokers. Ghost broking is something that I’ve seen come up. You sell policies to a set of 100-200 people and then suddenly the money is taken and gone. Obviously there are ways to mitigate that as well. Ransomware attacks have gone up. So, what the hackers have done is they’ve known vulnerabilities, and then they slowly intruded into the system, and then take over the data and then blackmail for ransom - I’ve seen that a lot. In identity theft, identities are falsified and attackers get hold of data because of multiple process handoffs and multiple players being involved. When data is handed off to the vendor, and from the vendor to subcontractors, then we lose the outsourcing checks that we have set up in the company.
Karthik: We have Aadhaar, which is supposed to be very robust for verification. Why do we still have issues?
The opportunity for an actor or a fraudster to use a wrong identity and perpetrate fraud in the new digital world is much greater. But the opportunity that occurs now comes by perpetrating identity fraud and then ensuring that he is able to manage the SMS. And when the mobile gets hacked, the bank sends some message to the mobile, but the mobile message goes to the hacker and not to the customer, who is blocked.
Karthik: So, is there a fundamental breakdown in our processes?
We need to integrate data identity. Aadhaar is there and is a very important criterion, but it’s not mandated legally. We just did an analysis of the data collected from the industry and found that Aadhaar still has not made inroads into the customer base - it touches at most 60-70 million customers. We still have people who have 5-6 Aadhaar cards, and the integration at the backend that the players need to do is still an issue. We have fundamental systemic issues, and those will continue, at least for some months or years, until we plug all this. All these risks and frauds were also present when technology was not present. I think it’s more about when we have explored the information regarding the consumers - advertisements, social media, product benefits, awareness of risks, etc. I feel that those kinds of risk always existed, and it was just not always a technology-driven risk. When you spoke about processes, most of them are working in silos; they hardly fall under one value chain. So there is a need to document the risk involved in each of those journeys, which is still lacking. So, we’ve never considered all the risks under one umbrella. When such digital technologies are brought in, are our backend systems ready or equipped? Backend systems are being upgraded to tune with the digital systems, but the challenge is what do we do to protect these digital technologies and devices. The point that we have to consider is whether it is a problem or a lacuna in the process. For example, today in banking, with the help of the regulator, there are umpteen digital options through which you can onboard a customer. So, the onboarding part probably would be done digitally or in a hybrid process. But do you leave the whole process at that stage, or do you move to the next stage?
Since there are a lot of money mule cases coming up, having done the first part of the journey, the second, third and fourth parts are all potential candidates for things going wrong. So, it is a constant process, because at the end of the day, a fraudster needs to get lucky just once. And we have to be lucky 100 times.
Karthik: Since you’ve seen so many frauds, you must have also investigated and found a lot of the culprits. So, do you have a profile of people who, when you look at it, could fit the profile of a fraudster?
Fraudsters are not using traditional models anymore. Their attacks are sophisticated and there are no human faces required even for such attacks or frauds to happen. They can be instigated, aimed, propelled and injected from anywhere in the world. So only the pattern is important, not the person. The fact is that digital identification limits the personality, but we do try and see the profile of employees and customers as personalities. We look for risk-oriented customers and deal with them carefully. You can still profile fraudsters by looking at transaction patterns, background, behaviour in office, etc. These could help bracket them into high-risk, medium-risk and low-risk categories.
Karthik: In the last two years, have you seen any innovative way of actually dealing with fraud risk management using technology or any other method?
Innovation - it could be doing something as simple as doing a small task in a different way, which can be replicable. From an insurance point of view, when it comes to fraud or risk, I think, right from the time the customer is onboarded, there are different roles that each of the functions may play. For example, an underwriter who underwrites a particular case will have a set of his own parameters that he would want to convey to the customer; that’s also one way of mitigating the risk of fraud. Claims is a very important function in insurance, because it acts as the exit toll gatekeeper. If the customer has onboarded with an intention of any form of fraud, a robust stop gate, viz. claims processing, okay, plays a very important role. In my experience, there is not just one innovation or one improvement that I have seen, but I have seen those in silos at different functions.
Karthik: Who is more prone to fraud when using digital technology? Is it the older generation or the newer generation?
V Both are prone actually. So, it is more about the awareness, more about the intention behind their making the transactions online, whether they’re consciously doing it without compromising their own data. In many of the cases we came across, the older generation is sharing their devices with family members. Finally, they come to know that the fraud has happened within their family. So, without knowing, within the family the frauds are happening. I think the problems are slightly different for the younger and the elderly folks. The latter have never been digitally native, and at some point, obviously, they’re very gullible. And they choose to remain outside the digital ecosystem, which makes it all the more difficult for anyone to really reach out and tell them about the challenges that they could face. For the younger generation, the problem is there is a little bit of pampering that has happened in the form of rewards, cashbacks, etc., which is making them quite aggressive about jumping into the next thing that comes their way. And that’s the other type of problem that we’re facing - there is a little bit of carelessness about security being important, because they’ve come up with that culture of being digitally native. So, there are two sets of problems that we’ll have to solve.