Review: Group-IB Fraud Hunting Platform

Today’s Internet is a hectic place. A lot of different web technologies and services are “glued together” and help users shop online, watch the newest movies, or stream the newest hits while jogging. But these (paid) services are also constantly threatened by attackers – and no company, no matter how big, is completely immune. Take the recent Twitter compromise as an example: the attackers hijacked a number of influential Twitter accounts, including those belonging to … More

The post Review: Group-IB Fraud Hunting Platform appeared first on Help Net Security.

Banks risk losing customers with anti-fraud practices

Many banks across the U.S. and Canada are failing to meet their customers’ online identity fraud and digital banking needs, according to a survey from FICO.


Despite COVID-19 quickly turning online banking into an essential service, the survey found that financial institutions across North America are struggling to establish practices that combat online identity fraud and money laundering, without negatively impacting customer experience.

For example, 51 percent of North American banks are still asking customers to prove their identities by visiting branches or posting documents when opening digital accounts. This also applies to 25 percent of mortgages or home loans and 15 percent of credit cards opened digitally.

“The pandemic has forced industries to fully embrace digital. We now are seeing North American banks that relied on face-to-face interactions to prove customers’ identities rethinking how to adapt to the digital first economy,” said Liz Lasher, vice president of portfolio marketing for Fraud at FICO.

“Today’s consumers expect a seamless and secure online experience, and banks need to be equipped to meet those expectations. Engaging valuable new customers, then having them abandon applications when identity proofing becomes expensive and difficult.”

Identity verification process issues

The study found that no more than 16 percent of U.S. and Canadian banks employ the fully integrated, real-time digital capture and validation tools required for consumers to open a financial account online securely.

Even when digital methods are used to verify identity, the experience still raises barriers with customers expected to use email or visit an “identity portal” to verify their identities.

Creating a frictionless process is key to meeting consumers' current expectations. For example, according to a recent Consumer Digital Banking study, while 75 percent of consumers said they would open a financial account online, 23 percent of prospective customers would abandon the process because of an inconsistent identity verification process.

Lack of automation is a problem for banks too

The lack of automation when verifying customers’ identity isn’t just a pain point for customers – 53 percent of banks reported it problematic for them too.

Regulation intended to prevent criminal activity such as money laundering typically requires banks to review customer identities in a consistent, robust manner, and this is harder to achieve for institutions that rely on inconsistent manual processes.

Fortunately, 75 percent of banks in the U.S. and Canada reported plans to invest in an identity management platform within the next three years.

By moving to a more integrated and strategic approach to identity proofing and identity authentication, banks will be able to meet customer expectations and deliver consistently positive digital banking experiences across online channels.

ATM cash-out: A rising threat requiring urgent attention

The PCI Security Standards Council (PCI SSC) and the ATM Industry Association (ATMIA) issued a joint bulletin to highlight an increasing threat that requires urgent awareness and attention.


What is the threat?

An ATM cash-out attack is an elaborate, choreographed attack in which criminals breach a bank or payment card processor, manipulate its fraud detection controls and alter customer accounts so that money can be withdrawn without limit from numerous ATMs in a short period of time.

Criminals often manipulate balances and withdrawal limits to allow ATM withdrawals until ATM machines are empty of cash.

How do ATM cash-out attacks work?

An ATM cash-out attack requires careful planning and execution. Typically, the criminal enterprise gains remote access to a card management system and alters the fraud prevention controls of compromised cardholder accounts, such as withdrawal limits or PINs. That access is commonly obtained by planting malware in the financial institution's or payment processor's systems through phishing or other social engineering.

The criminal enterprise then can create new accounts or use compromised existing accounts and/or distribute compromised debit/credit cards to a group of people who make withdrawals at ATMs in a coordinated manner.

With control of the card management system, criminals can manipulate balances and withdrawal limits to allow ATM withdrawals until ATM machines are empty of cash.

These attacks usually do not exploit vulnerabilities in the ATM itself. The ATM is merely where the cash is withdrawn after vulnerabilities in the card issuer's authorization system have been exploited.

Who is most at risk?

Financial institutions and payment processors bear the greatest financial risk and are the likely targets of these large-scale, coordinated attacks. They stand to lose millions of dollars in a very short period and can be exposed in multiple regions around the world as the result of a single highly organized, well-orchestrated criminal operation.

What are some detection best practices?

  • Velocity monitoring of underlying accounts and volume
  • 24/7 monitoring capabilities including File Integrity Monitoring Systems (FIMs)
  • Reporting system that sounds the alarm immediately when suspicious activity is identified
  • Development and practice of an incident response management system
  • Check for unexpected traffic sources (e.g. IP addresses)
  • Look for unauthorized execution of network tools.
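
To make the velocity-monitoring and alerting items concrete, here is an added example (not part of the PCI SSC/ATMIA bulletin, written in Python for this page) that runs over a constructed stream of withdrawal and card-management events. It implements three checks suggested by the attack pattern described above: a per-account sliding window on withdrawal count, distinct ATMs and countries; a correlation between a raised withdrawal limit and the withdrawals that follow it; and a fleet-wide count of distinct cards cashing out in the same few minutes, which fires even when every individual mule card stays under its own per-account thresholds. All account names, ATM IDs, timestamps and threshold values are assumptions for the example.

```python
"""Velocity monitoring over ATM withdrawal and card-management events.

Added example (not from the PCI SSC/ATMIA bulletin). All events, account
names, ATM IDs and thresholds are constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Withdrawal:
    ts: datetime
    account: str
    atm: str
    country: str
    amount: float


@dataclass(frozen=True)
class LimitChange:
    ts: datetime
    account: str
    old_limit: float
    new_limit: float
    actor: str  # user ID that edited the limit in the card management system


# Thresholds are assumptions for the example; tune them against real baselines.
WINDOW = timedelta(minutes=30)          # per-account sliding window
MAX_WITHDRAWALS = 5                     # withdrawals per account per WINDOW
MAX_DISTINCT_ATMS = 3                   # ATMs per account per WINDOW
LIMIT_LOOKBACK = timedelta(hours=24)    # how long after a limit raise to watch
FLEET_WINDOW = timedelta(minutes=10)    # fixed buckets for the fleet-wide check
MAX_ACCOUNTS_PER_BUCKET = 20            # distinct withdrawing accounts per bucket
EPOCH = datetime(2020, 1, 1)            # fixed origin so buckets do not depend on local time


def account_velocity_alerts(withdrawals):
    """Per-account sliding window: flag an account the first time it exceeds the
    withdrawal count or distinct-ATM count, or appears in two countries, inside
    WINDOW. Returns {account: reason}."""
    alerts = {}
    recent = defaultdict(deque)
    for w in sorted(withdrawals, key=lambda x: x.ts):
        q = recent[w.account]
        q.append(w)
        while w.ts - q[0].ts > WINDOW:      # drop events that fell out of the window
            q.popleft()
        if w.account in alerts:
            continue
        atms = {x.atm for x in q}
        countries = {x.country for x in q}
        if len(q) > MAX_WITHDRAWALS:
            alerts[w.account] = f"{len(q)} withdrawals within {WINDOW}"
        elif len(atms) > MAX_DISTINCT_ATMS:
            alerts[w.account] = f"{len(atms)} distinct ATMs within {WINDOW}"
        elif len(countries) > 1:
            alerts[w.account] = f"withdrawals in {sorted(countries)} within {WINDOW}"
    return alerts


def limit_change_alerts(withdrawals, changes):
    """Correlate limit raises with the withdrawals that follow them: an account
    whose limit was raised and which then withdraws more than its OLD limit
    inside LIMIT_LOOKBACK matches the cash-out pattern.
    Returns [(account, actor, old_limit, withdrawn)]."""
    alerts = []
    for c in changes:
        if c.new_limit <= c.old_limit:
            continue
        withdrawn = sum(w.amount for w in withdrawals
                        if w.account == c.account and c.ts <= w.ts <= c.ts + LIMIT_LOOKBACK)
        if withdrawn > c.old_limit:
            alerts.append((c.account, c.actor, c.old_limit, withdrawn))
    return alerts


def fleet_alerts(withdrawals):
    """Fleet-wide check: count distinct accounts withdrawing in each FLEET_WINDOW
    bucket. A cash-out uses many cards at once, so this fires even when every
    single card stays under its own thresholds. Returns [(bucket_start, accounts)]."""
    accounts_per_bucket = defaultdict(set)
    for w in withdrawals:
        bucket = (w.ts - EPOCH) // FLEET_WINDOW
        accounts_per_bucket[bucket].add(w.account)
    return [(EPOCH + b * FLEET_WINDOW, len(accs))
            for b, accs in sorted(accounts_per_bucket.items())
            if len(accs) > MAX_ACCOUNTS_PER_BUCKET]


# Constructed event stream: one normal customer (ACC-1), one card whose limit
# was raised in the card management system (ACC-7) and a fleet of 25 mule cards.
T0 = datetime(2020, 8, 15, 2, 0)
SAMPLE_CHANGES = [
    LimitChange(T0 - timedelta(hours=2), "ACC-7", 500.0, 1_000_000.0, "svc_cardmgmt"),
]
SAMPLE_WITHDRAWALS = [
    Withdrawal(T0 - timedelta(hours=6), "ACC-1", "ATM-A", "US", 100.0),
    Withdrawal(T0 + timedelta(hours=5), "ACC-1", "ATM-A", "US", 100.0),
] + [
    Withdrawal(T0 + timedelta(minutes=3 * i), "ACC-7", f"ATM-{i}", "US", 500.0)
    for i in range(6)
] + [
    Withdrawal(T0 + timedelta(seconds=20 * i), f"MULE-{i:02d}", f"ATM-M{i % 8}", "MX", 800.0)
    for i in range(25)
]


def run_detection(withdrawals=SAMPLE_WITHDRAWALS, changes=SAMPLE_CHANGES):
    """Run all three checks and return one report for the alerting pipeline."""
    return {
        "account_velocity": account_velocity_alerts(withdrawals),
        "limit_raised_then_drained": limit_change_alerts(withdrawals, changes),
        "fleet": fleet_alerts(withdrawals),
    }


if __name__ == "__main__":
    for check, hits in run_detection().items():
        print(f"{check}: {hits}")
```

On the constructed data, ACC-7 trips the per-account check on its fourth ATM, the limit-change correlation reports that the account raised from 500 to 1,000,000 by `svc_cardmgmt` then drained 3,000, and the fleet check flags the 02:00 bucket with 26 distinct accounts while none of the 25 mule cards trips a per-account rule on its own. The fleet check is the one worth keeping even when the other two are tuned loosely, since attackers choose per-card amounts to stay under them.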

What are some prevention best practices?

  • Strong access controls to your systems and identification of third-party risks
  • Employee monitoring systems to guard against an “inside job”
  • Continuous phishing training for employees
  • Multi-factor authentication
  • Strong password management
  • Require layers of authentication/approval for remote changes to account balances and transaction limits
  • Implementation of required security patches in a timely manner (ASAP)
  • Regular penetration testing
  • Frequent reviews of access control mechanisms and access privileges
  • Strict separation of roles that have privileged access to ensure no one user ID can perform sensitive functions
  • Installation of file integrity monitoring software that can also serve as a detection mechanism
  • Strict adherence to the entire PCI DSS.
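
The items on multi-factor authentication, layered approval for remote changes to balances and limits, and separation of privileged roles can be enforced in code rather than left to procedure. The following added example (not from the bulletin, written in Python for this page) models a dual-control policy for withdrawal-limit changes in a card management system: the requester needs the right role, remote sessions must be MFA-verified, nobody may approve their own change, approvals expire, and large or steep increases need two distinct approvers. It also lists user IDs that hold both the requester and the approver role, the combination the separation-of-roles item is meant to rule out. The user directory, role names, sessions and policy values are constructed assumptions.

```python
"""Dual control for withdrawal-limit changes in a card management system.

Added example (not from the PCI SSC/ATMIA bulletin). The directory, sessions,
role names and policy values are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed directory: user ID -> roles. svc_cardmgmt holds a toxic combination.
ROLES = {
    "alice.ops": {"limit_requester"},
    "bob.risk": {"limit_approver"},
    "carol.risk": {"limit_approver"},
    "svc_cardmgmt": {"limit_requester", "limit_approver"},
}
MAX_SINGLE_APPROVAL_FACTOR = 2.0   # one approver covers increases up to 2x the old limit
SECOND_APPROVAL_ABOVE = 5_000.0    # any new limit above this needs two approvers
APPROVAL_TTL = timedelta(hours=4)  # approvals older than this must be re-done


@dataclass(frozen=True)
class Session:
    user: str
    mfa_verified: bool
    remote: bool  # originated outside the card-management network


@dataclass
class LimitChangeRequest:
    account: str
    old_limit: float
    new_limit: float
    requester: Session
    submitted_at: datetime
    approvals: list = field(default_factory=list)  # [(Session, approved_at)]


class PolicyViolation(Exception):
    """Raised when a change must not be applied."""


def required_approvals(old, new):
    """One approver for routine changes, two for large or steep increases."""
    if new > SECOND_APPROVAL_ABOVE or new > old * MAX_SINGLE_APPROVAL_FACTOR:
        return 2
    return 1


def _check_actor(session, role, what):
    if role not in ROLES.get(session.user, set()):
        raise PolicyViolation(f"{what} {session.user} lacks role {role}")
    if session.remote and not session.mfa_verified:
        raise PolicyViolation(f"remote {what} {session.user} has no MFA-verified session")


def authorize_limit_change(req, now):
    """Check a limit change against the dual-control policy.
    Returns an audit record on success; raises PolicyViolation otherwise."""
    _check_actor(req.requester, "limit_requester", "requester")
    approvers = set()
    for session, approved_at in req.approvals:
        if session.user == req.requester.user:
            raise PolicyViolation(f"{session.user} cannot approve their own change")
        _check_actor(session, "limit_approver", "approver")
        if now - approved_at > APPROVAL_TTL:
            raise PolicyViolation(f"approval by {session.user} expired")
        approvers.add(session.user)           # a set, so one person cannot count twice
    needed = required_approvals(req.old_limit, req.new_limit)
    if len(approvers) < needed:
        raise PolicyViolation(f"{needed} distinct approvals required, got {len(approvers)}")
    return {"account": req.account, "old": req.old_limit, "new": req.new_limit,
            "requester": req.requester.user, "approvers": sorted(approvers), "at": now}


def toxic_combinations(roles=ROLES):
    """User IDs that can both request and approve: a separation-of-roles violation."""
    return sorted(u for u, r in roles.items() if {"limit_requester", "limit_approver"} <= r)


def demo():
    """Constructed scenarios; returns {scenario: 'approved' | violation text}."""
    now = datetime(2020, 8, 15, 3, 0)
    alice = Session("alice.ops", mfa_verified=True, remote=True)
    bob = Session("bob.risk", mfa_verified=True, remote=False)
    carol = Session("carol.risk", mfa_verified=True, remote=True)
    svc = Session("svc_cardmgmt", mfa_verified=True, remote=True)
    fresh = now - timedelta(minutes=10)
    scenarios = {
        "routine_single_approval":
            LimitChangeRequest("ACC-1", 500.0, 800.0, alice, fresh, [(bob, fresh)]),
        "self_approval":
            LimitChangeRequest("ACC-7", 500.0, 1_000_000.0, svc, fresh, [(svc, fresh)]),
        "large_raise_one_approver":
            LimitChangeRequest("ACC-7", 500.0, 1_000_000.0, alice, fresh, [(bob, fresh)]),
        "large_raise_two_approvers":
            LimitChangeRequest("ACC-7", 500.0, 1_000_000.0, alice, fresh, [(bob, fresh), (carol, fresh)]),
        "stale_approval":
            LimitChangeRequest("ACC-2", 500.0, 800.0, alice, fresh, [(bob, now - timedelta(hours=5))]),
    }
    out = {}
    for name, req in scenarios.items():
        try:
            authorize_limit_change(req, now)
            out[name] = "approved"
        except PolicyViolation as e:
            out[name] = str(e)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
    print("toxic role combinations:", toxic_combinations())
```

The policy is deliberately applied at the point where the change is committed, not in the UI, so an attacker who reaches the card management system through a single compromised session still has to obtain a second, distinct, MFA-verified account to raise a limit from 500 to 1,000,000. Running `toxic_combinations()` as part of the periodic access review called for in the list above catches service accounts like the constructed `svc_cardmgmt` before they are needed as that second account.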

75% of cardholders prefer contactless cards to other payment methods

Based on responses from 1,000 U.S. cardholders who are familiar with contactless credit/debit card or “tap and pay” technology, a new Entrust Datacard survey reveals that 75% of U.S.-based payment cardholders prefer contactless cards as their primary payment method over chip insert, card swipe, mobile pay and cash.


Contactless cards are here to stay

According to the survey’s results, 83% of respondents believe contactless cards are here to stay and 61% believe it’s at least somewhat of a priority to have a contactless feature on their credit or debit card. This prioritization is most prominent among Gen Z, Millennials and Gen X when compared to Baby Boomers.

In fact, 20% of Boomers reported they never use the contactless payment feature on their debit or credit card when making a purchase while this percentage is less than 10% for each of the other respective generations.

However, while contactless cards are gaining momentum with many in the U.S., the majority of consumers are still unaware of their card replacement options should their card lack a contactless chip or be lost or stolen.

Time for banks to educate their customers

With respondents citing sanitation (70%) and speed (67%) as benefits of contactless cards, now is the opportune time for banks to educate their customers on the benefits of replacing their card with a contactless card from their bank.

“As many Americans deal with financial setbacks and heightened concerns around health and safety in the face of COVID-19, the value we are placing on contactless payments has increased markedly,” said Tony Ball, senior vice president for instant payment card issuance at Entrust Datacard.

“Consumers want the ability to shop at their convenience, but also want to minimize personal contact with point of sale devices. Contactless cards are rising in popularity as a result.”

For faster card replacement, visiting a branch is best

Of the 71% of respondents who reported having lost a payment card, 84% notified their bank by phone, while only 22% visited a physical branch in the hope of getting a replacement card right away.

73% of respondents who notified the bank by phone had to wait 1-7 days for a new card to be delivered by mail. By contrast, 58% of respondents who notified the bank at the branch got a new card instantly.

Instant payment card issuance unawareness

Despite contactless cards growing in popularity, many consumers are unaware of whether or not their banks or credit unions offer instant issuance or replacement of contactless debit or credit cards.

According to the results, 64% of respondents said their bank offers instant card issuance and 63% said it offers instant replacement, yet around a quarter were unsure whether their bank offered these options (27% and 24%, respectively), suggesting both an education and a marketing opportunity for banks around card issuance solutions.

23% of leading banks had an exposed database with potential data leakage

Reposify unveiled research findings of critical asset exposures and vulnerabilities in attack surfaces of the world’s leading multinational banks.


Researchers measured the prevalence of exposed sensitive assets including exposed databases, remote login services, development tools and additional assets for 25 multinational banks and their 350+ subsidiaries.

Banks deal with exposed database threat

  • 23% of banks had at least one misconfigured database exposed to the internet resulting in potential data leakage issues
  • 54% of the banks had at least one RDP service exposed to the internet
  • 31% of banks had at least one remote code execution vulnerability
  • Multiple unsecured FTP servers with anonymous authentication were discovered

Exposures such as internet-facing RDP, unsecured FTP and misconfigured development tools can be leveraged by attackers to gain unauthorized access to banks' internal networks and lead to data breaches. The exposed databases that were discovered place customer and other sensitive data at direct and imminent risk.

Banking industry DX challenges

In recent years, the banking industry has gone through a massive digital transformation. Alongside the many benefits, the increase in digitization and connectivity has created great security challenges and made the banking industry even more susceptible to cyber-attacks.

“The interconnectedness of IT systems and growth in third-party partners have expanded the external attack surface and potential weak points.” said Yaron Tal, CEO, Reposify.

“Banks’ IT ecosystems are in a constant state of flux and network perimeters are extending well beyond firewalls and control systems. Banks’ actual attack surfaces are simply much bigger than most realize.”

Visibility of internet facing assets inventory

Banks typically have well-established security programs that are heavily regulated by various institutions, yet 84% of the exposed assets are likely to fall under the radar of IT and security teams and outside the scope of traditional asset management and security tools.

Gaining visibility of the complete internet facing assets inventory is critical. External and continuous view allows teams to know at any given moment which of their known or unknown devices and services are exposed to the internet and to take steps to proactively manage and mitigate the risks.

Maximizing customer engagement when fraud prevention is top of mind

With the number of data records breached in 2019 surpassing four billion, fraud prevention and regulatory compliance are, inevitably, top priorities for financial institutions (FIs).


A recent report from Javelin, for example, found that FIs are significantly more focused on investing in digital fraud mitigation than companies in other industries. According to the report, 52% of consumer banks plan on implementing additional security solutions to keep customers’ accounts secure, and 46% want to invest in better identity verification measures.

But with attention – and budget – devoted almost exclusively to security and compliance, it’s easy for areas like innovation, customer engagement, and user experience to fall by the wayside. In the report cited above, only 28% of banks indicated an interest in adding support for new channels.

The situation is more complex than simply devoting a larger share of the budget and focus to fraud prevention and security: as companies find new ways to engage with their customers through new features and touchpoints, criminals find new vulnerabilities to exploit.

It’s no surprise, therefore, that more than a third of companies in the study report that “fraud is a significant impediment to digital innovation efforts, forcing them to slow the expansion of their features and functionality as they seek ways to mitigate the new risks these innovations attract”.

Fraud prevention on the spot

Research and experience have shown that fraud mitigation and cutting-edge security strategies can go hand-in-hand with, and even drive, innovation, customer engagement and a great user experience.

Consumers have indicated that they want more information about their transactions and more control over authenticating them. Today, digital channels enable financial institutions to give their customers the insights and control they demand, while making it easy to check all the necessary security and compliance boxes. With the right approach in place, there need be no trade-off between fraud mitigation and customer engagement.

Imagine, for example, a state-of-the-art in-app messaging solution that combines instant communication with banking-grade security and on-the-go self-service functionality. A customer can be alerted when suspicious activity occurs on their account, with the option of responding immediately by approving or rejecting the transaction before it is processed. This eliminates the frustration and other effects of false declines, while putting the customer in control of fraud prevention.

Turn insights into relevant engagements

Many FIs are starting to realize that there’s a missed opportunity when it comes to making the most of insights they already have on their customers. Even though the use of consumer data is a matter of increasing global concern – as regulations like Europe’s GDPR and California’s Consumer Privacy Act illustrate – much can be gained from using insights for good. And in the case of banking, what’s good for the customer is also good for the bank.

Customers demand relevant, personal experiences from their banks. If they don’t get it, they’re not afraid to look elsewhere – a recent report conducted by Capgemini indicated that 63% of consumers are currently using a financial product from a big tech company. But banks that are willing to invest in personalization and tailor advice, loyalty offers, and relevant products to customers based on their profile, will reap rewards. BCG reports that one bank that reinvented its personalization strategy saw a 20% increase in revenues over three years.

Use engagements to build trust

Apart from gaining revenue, banks can also use relevant, meaningful engagements with their customers to build trust and foster lasting relationships. In the U.S. today, the most-used functions of mobile banking apps are checking account balances, managing card controls, and depositing checks.

With peer-to-peer payments becoming an increasingly popular and familiar function in banks’ mobile apps, banks have introduced another touchpoint through which they can engage with their customers, increase loyalty and provide an alternative source of revenue.

While introducing faster payments services ticks a big box when it comes to addressing customers' needs, fraud and security remain crucial considerations and potential roadblocks to adoption. Traditionally, banks have used the delay before a payment completes as time to examine transactions and respond to suspicious activity.

Now, the pressure for speed has cut the time available to ensure accuracy. But by implementing a truly customer-focused omnichannel authentication strategy, FIs can offer customers a one-touch in-app authentication experience that engages them in real time, reducing fraud while providing a great user experience. The bank holds digitally signed proof that the customer consented to the transaction, while the customer feels secure, in control, and inclined to transact more.

Opportunities moving forward

It is more important than ever for banks to remain competitive and innovative, but it should not come at the cost of customers’ security and increased fraud rates. Preventing fraud and delivering the best in digital security comes down to identifying the customer and engaging with them securely, when and where it matters. Keeping them engaged and building loyalty is a matter of trust, built by offering consistent, relevant experiences regardless of when and where a customer chooses to interact with their bank.

Cryptocurrency crime losses more than double to $4.5 billion in 2019

Cryptocurrency users, exchanges and investors suffered $4.5 billion in crypto-related losses resulting from thefts, hacks, and fraud, a CipherTrace report reveals.


Cryptocurrency crime losses

The lion's share of those losses stems from the staggering growth of Ponzi schemes, exit scams, and misappropriation of funds, crimes whose value rose 533 percent year over year.

Also, traditional financial services have become increasingly infused with crypto assets. For instance, an extensive analysis of the blockchain found that almost all U.S. banks harbor illicit virtual asset-related money service businesses (MSBs), including cryptocurrency exchanges.

Of additional concern for banks, 66 percent of dark market vendors sell stolen financial products and compromised accounts for cryptocurrency, and virtually all (97 percent) ransomware attacks use bitcoin as the payment rail.

“Our research revealed some surprising trends in 2019,” said David Jevans, CEO of CipherTrace. “First, there was a dramatic shift away from outright thefts and exchange hacks and toward Ponzi schemes, exit scams, and other con games.

“Second, like them or not, banks have a lot more virtual assets lurking in their accounts and payment networks than most in the industry had previously thought. Banks need new capabilities to ferret out illicit MSBs, terrorist financing, and other major sources of risk.”

The report also provides an overview of regulatory moves throughout the world. This includes a comprehensive chart of anti-money laundering (AML) regulations by country, an update on the respective blockchain-related enforcement authority of the SEC, FinCEN, and the CFTC, and detailed reports on major regulatory and eCrime developments in various countries.

Trends in theft, fraud, hacks and misappropriation of funds

Cryptocriminals had a banner year in 2019. Total cryptocurrency crime increased 160 percent from 2018. However, as the report suggests, if 2019 had a Person of the Year, it would have been The Malicious Insider.

The culprits behind most of the losses were fraudsters operating inside everything from seemingly legitimate blockchain projects that were actually exit scams to crypto Ponzi and pyramid schemes. Ultimately, all that $4.5B worth of illicit cryptocurrency needs to be laundered.

Crypto-asset blind spots expose banks to risk

The typical top 10 U.S. bank unknowingly facilitates approximately $2 billion in illicit cryptocurrency transactions each year. Stealth MSBs using accounts and payment networks expose financial institutions to significant AML and counter terrorism financing (CTF) compliance risk.

Further research revealed banks paid record AML fines globally in 2019—more than $6.2 billion. This number could increase in 2020 as crypto-related money laundering and sanction evasion enforcement ramps up.

“As crypto-assets become increasingly entangled in traditional financial services, AML and CTF compliance risks are on the rise,” said Stephen Ryan, COO of CipherTrace.

“Virtual assets are now pervasive in bank accounts and payment networks, and banks must find ways to deal with the risks. Effectively mitigating cryptocurrency risks requires equipping compliance officers with the best tools and intelligence to gain visibility into this new asset class.”

Darknet markets

The report also outlined a multi-year research project into darknet markets and other illicit vendors, which revealed that of dark market vendors:

  • 40 percent hawked compromised bank account or credit card credentials for as little as 1 percent of face value
  • 24 percent offered compromised payment services accounts
  • 2 percent sold stolen cryptocurrency private keys

These findings further highlighted the issues banks and financial institutions face with regards to payment fraud and virtual asset laundering risks.

The research also showed that bitcoin is the payment of choice for cyber extortionists. During the last year, they demanded BTC as payment in 97 percent of ransomware attacks. All of this extorted bitcoin will need to be laundered before criminals can use the funds.


2020 will be a year of intense regulatory changes

The research team identified varying levels of maturity and sophistication in AML/CTF regimes around the globe. For instance, AMLD5 went into effect across the European Union in early January 2020, regulating crypto-fiat exchanges for the first time in most EU countries.

Additionally, CipherTrace described urgency among its customers and industry players around pending FATF Travel Rule legislation.

Exchanges and financial institutions in the G20 have less than six months to find a solution for dealing with this major compliance conundrum—how to comply with the requirement to share sender and receiver information before executing cryptocurrency transactions, while protecting confidentiality.

In the US, financial institutions including virtual asset service providers (VASPs) have been reminded by FinCEN that they must meet their funds Travel Rule obligations under the BSA or face enforcement actions.

More authentication and identity tech needed with fraud expected to increase

The proliferation of real-time payments platforms, including person-to-person (P2P) transfers and mobile payment platforms across Asia Pacific, has increased fraud losses for the majority of banks.


FICO recently conducted a survey with banks in the region and found that 4 out of 5 (78 percent) have seen their fraud losses increase.

Further to this, almost a quarter (22 percent) say that fraud will rise significantly in the next 12 months, with an additional 58 percent saying they expect a moderate rise in fraud.

“While the convenience of real-time payments is great news for customers, increasingly, banks have zero time to clear a transaction or payment. AI can’t slow down the clock, but it can help create systems that are radically quicker to recognize a transaction that smells likely to be fraudulent,” said Dan McConaghy, president of FICO in Asia Pacific.

“Banks will need to move beyond passwords and OTPs and add biometrics, device telemetry and customer behavior analytics to keep up with the changing payments landscape.”

Authentication and identity tech

When asked which identity and authentication strategies they use, the majority of APAC banks reported multi-factor authentication (84 percent). They increasingly use a range of other authentication methods as well: biometrics (64 percent), conventional passwords (62 percent) and, in last place, behavioral authentication (38 percent).

Interestingly, nearly half of the respondents (46 percent) are currently using only one or two of these strategies, potentially leaving them more exposed to attack vectors such as identity theft, account takeovers and cyberattacks.

“Why try to crack a safe when you can walk in the front door?” explained McConaghy.

“Criminals are trying to fool banks into thinking they are new customers or stealing account access by tricking people into making security mistakes or giving away sensitive information. When they are successful, criminals are making use of real-time payments to move funds quickly through a maze of global accounts.”

The survey bore this out with 40 percent of banks naming social engineering as the number one fraud concern when it comes to real-time payments. Account takeovers were ranked second, with false accounts and money mules also rated as problems.

New forms of biometric, multi-factor and behavioral technologies allow banks to stop payments even when the attacker presents the correct (but stolen) password or enters the right (but intercepted) one-time password.

“Beyond this type of account take over, we also have authorized push payment fraud, such as when a customer is tricked into paying what they think is a legitimate invoice like a fake school bill or payment to a tradesperson,” said McConaghy.

“This type of social engineering is harder to stop but better KYC, link analysis to find money mule accounts and behavioral analytics to flag new accounts for a regular payee, are all examples of how to tackle it.”

Mitigating criminal behavior

Beyond fraud in real-time payment platforms, criminals engaged in drug trafficking, human smuggling, tax evasion and terrorism financing are also attracted to the irrevocable nature of instant payments.

The lack of visibility between jurisdictions has seen regulators encouraging banks to move quickly in this cross-border payments space to ensure payments are compliant and secure.

In terms of mitigating this criminal behavior, more than 90 percent of APAC banks surveyed thought that convergence between their fraud and compliance functions would be helpful in defending transactions on real-time payments platforms.

“We estimate that there is about an 80 percent overlap in software functionality between legacy fraud and anti-money laundering systems,” added McConaghy.

“To tackle fraud and money laundering schemes that exploit real-time money movement you need to leverage all the available technologies, automate as much as you can and introduce models that can identify outlier transactions and customer behavior so your teams can spend their time investigating the riskiest of the red flags.”

Key security priorities for financial services: Preventing fraud and data leaks

The banking and financial services sector is struggling with a skills shortage along with the sheer volume of threats and alerts as it continues its ongoing battle against cybercrime, according to Blueliv.


With financial organizations a prime target for attacks, preventing fraud and data leakages is key to the sector’s security strategies – but it is getting harder as cyberthreats become increasingly diverse, sophisticated and malicious.

Rise in banking Trojans

Roughly a third of respondents are concerned about the impact banking Trojans (31 percent) and mobile malware (28 percent) will have on financial services organizations and their customers in 2020.

Tracking the latest evolving threats, researchers observed a 283 percent increase in botnets relating to Trickbot as well as a 130 percent increase in Dridex botnets. These botnets are linked to the distribution of banking Trojans and other malware families targeting the financial services sector.

The report also highlights that malware targeting mobile apps is one of the most rapidly developing threats to the financial services sector, with functionalities that allow criminals to gather user credentials as well as steal funds from mobile users’ bank accounts.

This is partly driven by the fact that cybercriminals can now easily buy malware builders in underground forums, and that these often include advanced evasion techniques so the malware remains undetected on infected devices.

Key security priorities for financial services include fraud prevention

While the financial services sector – by its very nature – has some of the most mature cyberdefense strategies and is ahead of many other industries in detecting and preventing economic crime, weak spots remain in some organizations’ fraud risk assessments. This is underlined by the fact that 35 percent of poll respondents named fraud prevention the most crucial element to an ongoing cybersecurity strategy.

Unauthorized transmission of data from within an organization to external recipients is another key concern, with 31 percent of respondents considering the prevention of data leaks the most important.

Just under a quarter (24 percent) would focus their security strategy on regulation and compliance requirements such as GDPR. At the same time, a similar share of respondents (25 percent) named regulatory issues as the biggest challenge for financial services institutions developing ongoing security programs.

Visibility of threats is a challenge

According to the poll, financial services organizations encounter a range of issues as they build their security programs – the most pressing being a shortage of skills (28 percent), followed by the high volume of threats and alerts (26 percent) and a lack of visibility into cyberthreats (20 percent).

This is hardly surprising: as financial services institutions (FSIs) embrace digital processes and new customer interaction channels, so their attack surface grows, making it harder to keep on top of threats ranging from Point-of-Sale (PoS) to ATM malware, mobile apps malware to card skimmers.

“Organizations in the financial sector face a constantly changing threat landscape,” commented Daniel Solís, CEO and founder, Blueliv.

“Business priorities have shifted and digital risk management is now central. Because they are such high-value targets for cybercriminal activity, it is imperative that financial services organizations enhance their security priorities, and monitor what is happening both inside and outside their networks in real-time to create effective mitigation strategies before, during and after an attack.”

Solís continued, “FSI security teams can be easily overwhelmed by the number of threat alerts they receive which can very quickly result in alert fatigue and desensitization to real, preventable threats.

“Threat intelligence can address the cyber skills gap through continuous automated monitoring combined with human resource to provide context, helping FSIs develop highly-targeted threat detection, prevention and investigation capabilities.”

Top compliance and risk management challenges for financial organizations

Notable regulatory compliance and risk challenges remain high in a number of key areas for U.S. banks and credit unions, according to the results of a Wolters Kluwer survey.


Rising risk challenges for financial organizations

This year’s survey generated a Main Indicator Score of 95, a 10-point increase from the 2018 score, which was influenced by concerns about the impact of Home Mortgage Disclosure Act (HMDA) rules; cybersecurity, credit and compliance risks; and an increased level of regulatory agency fines.

The calculation of the Main Indicator Score is based on several factors, including the number of new federal regulations, number of enforcement actions, and the total dollar amount of fines imposed on banks and credit unions over the past 12 months, together with additional information provided by survey respondents.

“Respondents indicated more confidence in their ability to maintain compliance, keep track of changing regulations, and demonstrate compliance to regulators, reaching the highest confidence levels in the survey’s seven years,” said Timothy R. Burniston, Senior Advisor for Regulatory Strategy with Wolters Kluwer’s Compliance Solutions business.

“These findings suggest a strengthening of lenders’ compliance program management practices. That said, relatively high levels of concern across a range of areas remain, reinforcing the reality that regulatory compliance and risk management issues continue to significantly challenge financial institutions.”

Among top obstacles cited in implementing effective compliance programs, 47 percent of respondents ranked manual compliance processes as a seven or higher concern on a scale of 10, and 45 percent cited inadequate staffing, both slight increases over 2018 levels.

Concerns about managing increased HMDA analysis and reporting obligations jumped significantly among reporters, particularly in their ability to analyze newly collected HMDA data—moving from 21 percent in 2018 to 35 percent in 2019—and in reporting those expanded data to regulators, moving from 15 percent last year to 40 percent in 2019.

Regulatory compliance challenges

Over the next 12 months, respondents’ most pressing regulatory compliance challenges include: managing and implementing residential mortgage regulations; keeping current with changing regulations; complying with the forthcoming Current Expected Credit Loss (CECL) accounting standards; deposit account regulations; and compliance program management.

Respondents also expressed a high level of concern about their ability to comply with BSA/AML requirements, fair lending laws and regulations, UDAAP standards, new URLA forms and, to a slightly lesser degree, state regulatory requirements.

From a risk management perspective, cybersecurity continued to rank as the top risk, with 78 percent of respondents anticipating that it will receive escalated priority over the next 12 months; compliance risk (47 percent) and credit risk (45 percent) followed, measured by the share of respondents ranking them as a seven or higher. It’s clear that risk challenges are rising on the agenda for financial organizations.


Looking forward

When asked about enhancing elements of their compliance management systems, 48 percent of respondents anticipate higher future investments in strengthening their risk assessment capabilities, followed by updating compliance policies and procedures (47 percent), and expanding compliance control testing processes (43 percent).

Looking forward, economic factors the institutions are monitoring as potential concerns include interest rate fluctuations (87 percent), data privacy issues (85 percent), and recession fears (76 percent).

Only 22 percent of respondents view regulatory relief over the next two years as either very likely (three percent) or somewhat likely (19 percent), a drop from 48 percent who viewed regulatory relief as very likely (15 percent) or somewhat likely (23 percent) in the 2018 survey.

CPoC: New data security standard for contactless payments

The PCI Security Standards Council (PCI SSC) published a new data security standard for solutions that enable merchants to accept contactless payments using a commercial off-the-shelf (COTS) mobile device with near-field communication (NFC).

Using the PCI Contactless Payments on COTS (CPoC) Standard and supporting validation program, vendors can provide merchants with contactless acceptance solutions that have been developed and lab-tested to protect payment data.

“The PCI CPoC Standard is the second standard released by the Council to address mobile contactless acceptance. Specifically, the PCI CPoC Standard provides security and test requirements for solutions that enable contactless payment acceptance on a merchant COTS device using an embedded NFC reader,” said PCI SSC Standards Officer Emma Sutcliffe.

“Contactless, or tap and go, payment adoption is on the rise globally, and merchants want affordable, flexible and safe options for contactless payment acceptance that allow them to best serve their customers. In addition to PCI Software-based PIN Entry on COTS (SPoC) Solutions that enable contactless payment acceptance with a dongle attached to the mobile COTS device, the PCI CPoC Standard and Program now provide merchants the option to use validated solutions that require no additional hardware to accept contactless transactions,” said PCI SSC Senior VP Troy Leach.

Standard security requirements

The PCI CPoC Standard includes security requirements for vendors on how to protect payment data in CPoC Solutions and test requirements for laboratories (labs) to evaluate these solutions through the supporting validation program.

The central elements

The primary elements of a CPoC Solution include: a COTS device with an embedded NFC interface to read the payment card or payment device; a validated payment acceptance software application that runs on the merchant COTS device initiating a contactless transaction; and back-end systems that are independent from the COTS device and support monitoring, integrity checks and payment processing. Software-based PIN entry is not permitted in a CPoC Solution.

Through a combination of the security controls built into the merchant application and ongoing monitoring and integrity checks performed by the back-end systems, merchants and consumers can have confidence in the security of the CPoC Solution and the contactless transaction.
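The back-end integrity checks described above can be illustrated with a challenge/response attestation exchange between the acceptance app on the COTS device and the back-end, which forwards a contactless transaction only when the app's code measurement is fresh, authentic and matches the validated build. This is an added, simplified example written for this article; it is not the PCI CPoC Standard's own attestation protocol, and the device key, expected hash and message formats are constructed placeholders.

```python
import hashlib
import hmac
import os
import time

# Constructed placeholder: measurement of the validated acceptance app build.
EXPECTED_APP_HASH = hashlib.sha256(b"validated-cpoc-app-build-1.0").hexdigest()
# Constructed placeholder: per-device attestation key shared at enrolment.
DEVICE_KEY = b"constructed-device-attestation-key"
MAX_AGE_SECONDS = 30  # how long a challenge stays usable

def backend_issue_challenge():
    """Back-end side: a fresh nonce so a captured attestation cannot be replayed."""
    return {"nonce": os.urandom(16).hex(), "issued_at": time.time()}

def app_attest(challenge, app_hash, key=DEVICE_KEY):
    """App side: bind the nonce to the current code measurement under the device key."""
    payload = f"{challenge['nonce']}:{app_hash}".encode()
    return {"nonce": challenge["nonce"], "app_hash": app_hash,
            "mac": hmac.new(key, payload, hashlib.sha256).hexdigest()}

def backend_verify(challenge, attestation, now=None, key=DEVICE_KEY):
    """Back-end side: freshness, nonce binding, MAC and measurement must all pass."""
    now = time.time() if now is None else now
    if now - challenge["issued_at"] > MAX_AGE_SECONDS:
        return False, "stale challenge"
    if attestation["nonce"] != challenge["nonce"]:
        return False, "nonce mismatch"
    payload = f"{attestation['nonce']}:{attestation['app_hash']}".encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking the MAC through timing.
    if not hmac.compare_digest(expected, attestation["mac"]):
        return False, "bad mac"
    if attestation["app_hash"] != EXPECTED_APP_HASH:
        return False, "app measurement mismatch"
    return True, "ok"

def authorize_transaction(challenge, attestation, txn, now=None):
    """Forward the contactless transaction only if the attestation passed."""
    ok, reason = backend_verify(challenge, attestation, now)
    if not ok:
        return {"approved": False, "reason": reason}
    # Software-based PIN entry is not permitted in a CPoC Solution, so any
    # PIN data arriving with the transaction is a policy violation.
    if "pin" in txn:
        return {"approved": False, "reason": "pin data not permitted"}
    return {"approved": True, "reason": "ok"}
```

A real deployment would also rotate device keys and log every rejected attestation for the monitoring function, which this example leaves out.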

How can financial institutions prevent shopping season fraud?

Black Friday and Cyber Monday are two of the year’s busiest shopping days. For consumers and retailers alike, they mark the beginning of the winter holiday shopping season, as well as a time when organizations have to do their best to prevent shopping season fraud. It’s also a busy time for hackers, who look to capitalize on seasonal spikes in transaction volume to try and evade fraud detection processes and con innocent customers out of … More

The post How can financial institutions prevent shopping season fraud? appeared first on Help Net Security.