“Security cocktail”: protection against financial scams
Recently, industry experts demonstrated a new approach to the protection of financial transactions in remote banking systems based on real-time user session risk assessment. The combination of SafeTech PayControl and Group-IB Secure Bank products provides adaptive user authentication, electronic transaction confirmation, and device confidence scoring to detect signs of financial fraud and respond immediately to suspicious events. The integrated solution provides comprehensive and continuous protection for individuals and legal entities using remote banking systems, reduces the load on call centres and anti-fraud systems of the bank, and also makes payment transactions as convenient as possible for users.
Pavel Krylov, Head of Secure Bank/Secure Portal Product Development at Group-IB, sb@group-ib.com
Daria Verestnikova, Commercial Director of SafeTech, d.verestnikova@safe-tech.ru
On October 10, Group-IB Telegram channel announced: “The largest financial forum FINOPOLIS’2019 has started. Our field agents report that this morning bartenders appeared at Group-IB and SafeTech booths and started actively mixing cocktails: would you prefer “Adaptive Authentication” or “Secure Remote Banking?”. That marketing event masked a product presentation by two cybersecurity vendors. Ordering a cocktail mix through a special application initiated scoring of a mobile device using Group-IB Secure Bank. If everything was fine, the application authorized the operation with PayControl’s digital signature. The whole procedure took a split second, and as a result, the customer received a glass with a sticker containing a QR code. By scanning it, customers could see information about their devices and daily statistics on suspicious alerts: whether the smartphone is rooted or not if there is a remote access software on it if it is infected with a mobile trojan. This approach made it possible to present an integrated solution based on Secure Bank and PayControl products. According to market experts, this is the most effective weapon against bank fraud.
Relevance of the security cocktail
Securing remote banking services (RBS) is still one of the most important issues of the modern banking industry in Russia. According to the Survey of Unauthorized Money Transfers for 2018 issued by FinCERT Bank of Russia [1], the number of bank fraud attempts in this segment is growing from year to year. This is especially true for RBSs of legal entities since successful attacks on those allow fraudsters to steal larger amounts of money. In 2018, the Bank of Russia registered 6151 unauthorized transactions from legal entities in the total amount of 1.469 billion rubles. At the same time, compared with the previous year, there was an increase in the number of theft attempts by 631% (7.3 times!). Almost half of the thefts (46% in 2018) occurred as a result of attackers gaining access to RBSs using malware designed to compromise desktop software.
The Report of the Center for Monitoring and Responding to Computer Attacks in the Credit and Financial Sphere of the Information Security Department of the Bank of Russia (September 1, 2018–31 August 2019) identifies malware and social engineering methods as the main causes of theft in RBSs of individuals [2]. According to FinCERT of the Bank of Russia, in 2018, fraudsters committed more than 97% of thefts from individuals’ accounts using social engineering techniques. The situation worsened in 2019: cybercriminals adopted a new way of scamming. According to experts of FinCERT of the Bank of Russia, the technology of replacing the outgoing telephone number with numbers identical to the call centres of credit organizations allowed attackers to successfully impersonate bank security officers and receive the necessary information from victims themselves. Possessing such personal data [3], attackers can easily imitate a customer’s dialogue with an employee of a bank, an insurance company, government agency, or other organization. Based on the assumption that the sensitive data can only be known to the organization’s staff, the victim falls for the fraud, ultimately disclosing verification words, confirmation codes, and other information that provides fraudsters with the opportunity to withdraw funds from customer accounts. All news feeds, radio and TV programs are full of messages about successful attempts to obtain user data by cybercriminals introducing themselves as “bank employees”.
The experts of FinCERT of the Bank of Russia named “…comprehensive cross-channel solutions that allow … to track and prevent attacks on the user side at the preparation stage through device identification, behavioural analysis, and malware detection” among the best security solutions for remote banking systems. Regarding the social engineering problem, experts recommend implementing payment confirmation mechanisms that exclude the possibility of making payments other than by customers themselves on their mobile devices. Of course, this comes along with administrative measures of the regulator, traditional recommendations of “increasing the cyber literacy of people”, and “information campaigns”. This means total disuse of any confirmation codes sent in SMS or PUSH messages and transition to mobile digital signatures.
Right for these problems, the two companies created the “Security Cocktail”, a solution based on Secure Bank and PayControl.
Universal protection: against “bank employees” and against malware
What is the idea of a comprehensive solution? The companies proposed a new approach to the protection of financial transactions in RBS systems based on real-time user session risk assessment. The combination of SafeTech PayControl and Group-IB Secure Bank products provides adaptive user authentication, transaction confirmation with a single digital signature, and device confidence scoring to detect signs of financial fraud and respond immediately to suspicious events.
Thus, the solution provides comprehensive and continuous protection for RBS customers. Integration of the proactive banking fraud detection system on client devices (Secure Bank) and the mobile authentication and digital signature platform (PayControl) prevents a whole range of potential issues associated with fraud in remote banking systems while making remote service channels more user friendly.
Adaptive authentication: the higher the risk, the more verification factors
What is meant by adaptive authentication? Group-IB’s Secure Bank scores the smartphone, tablet, or any other device which the user uses to log into a mobile banking application or personal account on the bank’s website. Secure Bank scans the device in real-time to detect signs of socio-technical attacks, cross-channel payment fraud, suspicious user behaviour, attempts to steal or use unauthorized credentials, banking trojans, or web injections.
According to Group-IB, at least 70% of the banks in the top 100 use transaction analysis systems, while the rest banks implement such systems locally, for example, only at processing. However, despite the widespread use of transaction payment systems, it is not enough to simply analyze a transaction based solely on its typical or atypical nature to counter social engineering fraud, since there can be many such atypical transactions. As a result, the bank simply will not be able to handle all this. Here we need additional data from behavioural analysis systems analyzing user interaction with the bank through various RBS systems: mobile banking, online banking, etc. At the same time, we need to adopt a more flexible approach to session analysis and further user authentication.
Atypical transactions (with large amounts, to unknown accounts, or from atypical devices) require additional scoring, operation risk assessment, and confirmation with a digital signature. Thus, each operation requires its own set of control factors allowing it to pass verification. When signing a specific financial transaction, PayControl obtains transaction data from the RBS and the scoring result from the Secure Bank, i.e., an assessment of the session risk level to create and sign the transaction. Based on this data, PayControl “decides” how many key access factors to request from the user, and only after entering this data PayControl signs the operation with a digital signature. This guarantees the authenticity and integrity of the payment document.
If a financial transaction raises suspicions at the session analysis (Secure Bank) or transactional analysis (anti-fraud system) stages, PayControl will certainly ask for an additional factor to generate a digital signature (e.g., biometric verification or a PIN code). The system will not confirm a transaction if the device has not passed scoring or the system identified obvious signs of fraud.
These features are based on the automatic risk assessment of user sessions, client device status monitoring, and a mobile digital signature that assures the integrity and authorship of the document being verified (see figure).
What do RBS users get from this? The new comprehensive solution implies ensuring the highest possible level of security when performing any operations in digital channels without compromising the mobility and user experience. Integration just allows achieving a combination of these requirements. Now, bank customers either need to enter a password, or present Touch ID or Face ID to sign a transaction. Otherwise, a digital signature will be generated without any user action, if an operation is trusted.
A comprehensive solution: benefits for banks
The integrated solution developers paid special attention to ease of implementation: banks get a ready-made tool for risk assessment and digital signing of specific financial sessions. No less important is the reduced load on anti-fraud systems: there is no more need to compare scattered data on a user’s transaction from the RBS and data on the user’s device and events related to the payment.
Advantages of adaptive payment confirmation also include a direct cost reduction related to telecom services (SMS costs), savings due to the complete mutual integration of systems, their technical support, and operation.
The complex solution by Group-IB and SafeTech offers banks a turnkey solution not only for detecting fraud in transactions but also for responding to the document signing process. This expands the application range of the proactive banking fraud detection system since scoring is carried out in real-time in all the bank communication channels with customers. For example, if a payment was initiated by a remote control system on a mobile device, then the transaction signing will be rejected as a socio-technical attack. Thus, no matter how many fraud attempts using social engineering methods fraudsters perform against a particular user, even if the user believes the fake “employee of whatever”, such a transaction will be rejected by the bank.
[1] https://cbr.ru/Content/Document/File/62930/gubzi_18.pdf.
[2] https://cbr.ru/Content/Document/File/84354/FINCERT_report_20191010.PDF.
[3] An analysis of the means and methods of social engineering by FinCERT of the Bank of Russia indicates that the main objective factors contributing to the spread of social engineering is illegal access to the following personal data: surname, name, and other names, as well as phone number.
