• Experts at Daily FT-CICRA Cyber Security Summit speaking at “Mitigating Risks in Financial Services” session point out 3DS, e-chips and other advanced technologies coming forth to mitigate cyber threats surrounding banks and financial institutions
  • By Hiyal Biyagamage

    The sixth Daily FT-CICRA Cyber Security Summit 2018 concluded last week in Colombo with huge success. Organised under the theme ‘Towards a Secure Digital Future’, local and global experts on cybersecurity spoke at the premier cybersecurity event of the country, emphasising the importance of securing the future of organisations in a fully-digitalised atmosphere, even though it appears to be an uphill task.

    While exploring different paths towards a secure digital future, speakers at different sessions discussed mitigating cyber risks in financial services and prevention of data leakages, looking at the utmost importance of defensive, preventive measures that need to be taken holistically in the era of Internet of Things (IoT).

    The unprecedented scale of connectedness

    Delivering the keynote address of the first session, titled ‘Mitigating Risks in Financial Services,’ Lakshmi Ramakrishnan – Director, Risk Services, India and South Asia at Visa Inc., said the current change the world was experiencing in terms of innovation and technology advancements was nothing less than ‘an industrial innovation’.

    “If you take a global heat map of mobile internet penetration, there will be areas with no electricity but there will be areas with mobiles. This mobile connectivity will be able to connect global payment systems across different continents.”

    Referring to the rapid pace of connectivity across countries as ‘hyper-connectivity,’ Ramakrishnan said: “Digital commerce is growing and it is helping the growth of digital payments – not only in this region but also across the world. In the early 1980s, when we used a Personal Computer (PC), a modem and an Internet Service Provider (ISP) to connect to the internet, there were about 300,000 connected devices and most of them were PCs. If we had luck in loading the page, we would be able to enter our card details and complete our transaction.”

    “Now, things are changing. In 2015, there were 10 billion connected devices and in such a short period in 2020, we can expect the connected devices to be 20 billion. What can explain this phenomenal growth? Of course, innovation,” she said.

    Explaining that the foundation of different devices and payment modes was security, Ramakrishnan pointed out that more access meant more devices. While the rapid growth of devices means the growth of data streams as well, fraudsters now have many opportunities for exploitation of these data streams.

    “Hyper-connectivity is also connecting new ways to exploit systems and devices. Today’s cyber criminals are very well organised and resourced. They are not working individually from a basement to hack transactions. The operations are running as big organisations. These are high-risk enterprises and they are using high tech information to do these hackings like Artificial Intelligence (AI). They are diversified and using new ways to do this fraud. You could now buy a malware kit just as if you would have a telephone service and take $1,000 per month,” opined Ramakrishnan.

Lakshmi Ramakrishnan, Director – Risk Services, India and South Asia, Visa Inc, USA

The rise of e-chips

Fraud has shifted rapidly from card-present fraud to the e-commerce space, said Ramakrishnan, further stating that the percentage of e-commerce fraud in 2015 was 27% and it had increased to 76% by 2017.

“The fraudsters are also exploiting security postures, process gaps and other elements to attack systems and financial institutions; they are trying to do ATM cash-outs, ATM jackpotting and other fraud. When you look at the composition of fraud from card-present to Card-Not-Present (CNP), card-present fraud has decreased significantly from 31% to 18% and Card-Not-Present fraud has risen from 69% to 82%. In the banking and card industries, card-present fraud has been dominated by counterfeit fraud. Counterfeiting is duplicating information in a card to create another card to be used elsewhere.”

According to her, Visa is fighting these malpractices with the adoption of electronic chips (e-chips), which is one of the biggest tools they have adopted to fight against card present fraud.

“Chip transactions represent 75% of the total transactions, which is a big number and it has come from US migration. What has this led to? The decrease in counterfeit fraud by 50% in just two years. If we look at only e-chip enabled merchants, it is much more, which is 76%. How is it happening across the Asia Pacific region? It is 80% at the moment, which is a very good number,” Ramakrishnan said.

Explaining how US migration is helping to change the fraud composition, Ramakrishnan said, “When US merchants migrated to chip, cross-border fraud that people in Asia Pacific were seeing decreased by 40%. That is the fraud rate in comparison to sales. Not only that, the approval rate has also gone up by 40% because there is a trust in the system and people have opened their transactions.”

“We have been saying e-commerce fraud is increasing, fraud is shifting to e-commerce, but so is sales. For the past two years, there has been 47% CNP sales growth. A big portion of CNP is e-commerce and that share has also risen by 68%. With sales increasing, products are expected to be increasing, but the rate of fraud has remained flat.”

During her speech, she spoke about some of the biggest technologies currently being used to mitigate fraud, including 3D Secure (3DS). 3D Secure authentication is a system backed by the major card schemes, originally launched by Visa in 2001, designed to protect customers and retailers during online transactions by letting the card issuer authenticate the cardholder before the merchant's authorisation request is sent.

“3DS authenticates transactions behind the scene. It gives an opportunity to ask additional information. Many of the issuers who have adopted 3DS, and cardholders as consumers, would know that you are being asked for a one-time password to complete an ecommerce transaction,” said Ramakrishnan.

She also mentioned that 3DS 2.0 is now available. It passes far more device and transaction data from the merchant to the issuer, which improves e-commerce fraud detection for issuers and merchants and lets the issuer approve low-risk transactions without a challenge, reducing friction for cardholders at checkout.

“The proliferation of connected devices has made it easier for consumers to purchase goods and services online, but has also introduced new challenges for combatting online fraud and providing frictionless checkout experiences. Visa’s 3DS 2.0 program addresses these challenges by supporting transactions across a variety of devices while enabling ten times more data to support advanced risk-based decision-making,” Ramakrishnan explained during her speech.
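The risk-based step-up that 3DS 2.0 enables, as an added illustration that is not Visa's code or rules and not part of the original article: the issuer scores the device and merchant data it receives, approves low-risk transactions with no cardholder interaction, and challenges the rest with a one-time password. The attribute names, weights, threshold and attempt limit are assumptions of this example; the OTP is an HOTP (RFC 4226) code, one standard way to generate the password a cardholder is asked for.

```python
"""Risk-based step-up for a card-not-present payment (constructed illustration).

Scoring rules, threshold and attribute names are assumptions of this example,
not Visa's 3DS 2.0 rules or any issuer's real model. The OTP is an HOTP
(RFC 4226) code; the issuer key is generated at start-up and exists only here.
"""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass

CHALLENGE_THRESHOLD = 40   # assumed: scores at or above this get an OTP challenge
MAX_OTP_ATTEMPTS = 3       # assumed: lock the pending challenge after this many tries


@dataclass
class Transaction:
    amount: float
    merchant_country: str
    cardholder_country: str
    device_known: bool            # device fingerprint previously seen for this card
    prior_txns_at_merchant: int   # cardholder's history with this merchant
    shipping_matches_billing: bool


def risk_score(t: Transaction) -> int:
    """Additive score over the richer device/merchant data 3DS 2 carries (weights assumed)."""
    score = 0
    if not t.device_known:
        score += 30
    if t.merchant_country != t.cardholder_country:
        score += 20
    if t.prior_txns_at_merchant == 0:
        score += 15
    if not t.shipping_matches_billing:
        score += 20
    if t.amount >= 500:
        score += 25
    return score


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3]) % (10 ** digits)
    return f"{code:0{digits}d}"


class IssuerACS:
    """Toy issuer access-control server: frictionless vs. challenge, then OTP verification."""

    def __init__(self) -> None:
        self._otp_secret = secrets.token_bytes(20)   # per-issuer HOTP key (assumed)
        self._counter = 0
        self._pending: dict = {}                     # txn_id -> [counter, attempts]

    def authenticate(self, txn_id: str, t: Transaction) -> str:
        if risk_score(t) < CHALLENGE_THRESHOLD:
            return "frictionless"       # approved on risk data alone, no cardholder interaction
        self._counter += 1              # fresh counter, so a fresh OTP for this challenge
        self._pending[txn_id] = [self._counter, 0]
        return "challenge"

    def otp_for_delivery(self, txn_id: str) -> str:
        """The code the issuer would send out of band (e.g. SMS) to the cardholder."""
        counter, _ = self._pending[txn_id]
        return hotp(self._otp_secret, counter)

    def verify(self, txn_id: str, code: str) -> bool:
        entry = self._pending.get(txn_id)
        if entry is None:
            return False                # unknown or already-consumed challenge
        counter, attempts = entry
        if attempts >= MAX_OTP_ATTEMPTS:
            return False                # brute-force guard: challenge is locked
        entry[1] += 1
        if hmac.compare_digest(hotp(self._otp_secret, counter), code):
            del self._pending[txn_id]   # single use: replaying the same OTP fails
            return True
        return False
```

Two details matter in practice and are easy to get wrong: the OTP comparison is constant-time, and a challenge is consumed on success and locked after a few failures, so a six-digit code cannot be brute-forced through the verification endpoint.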

She also explained Visa’s Digital Commerce Programme and Advanced Authorisation. Visa Digital Commerce leverages EMVCo’s Secure Remote Commerce (SRC) technical framework, which eliminates the need for passwords. It streamlines and standardises the end-to-end digital payments process flow across browsers and devices, existing and emerging. By introducing this, Visa will bring the experience of using cards in stores into the online space and extend it to any connected endpoint that consumers may want to use in the future to buy something from a merchant. It will also offer the consumer a secure but more streamlined experience when transacting with a merchant online. The device or browser that consumers are using will recognise them when logging into a merchant site, using biometrics or passcodes to authenticate them instead of a password.

An element of Visa’s anti-fraud detection system, Visa Advanced Authorisation, has grown increasingly effective at spotting the tiny percentage of suspicious transactions among the roughly 150 million payments that flow through the Visa network each day. The platform is a neural network with its own intelligence, said Ramakrishnan.

“It starts the moment that you initiate a payment at a merchant, when hundreds of pieces of information about your transaction are gathered and sent through the Visa network. As the data courses through, the model analyses up to 500 unique risk attributes, looking for clues that may indicate fraud. Using this, Visa has been able to bring down the overall fraud rate by 45%.”

Ramakrishnan said that Visa believes in multiple layers of security. “There have to be many layers to protect and a single layer will not be able to solve this rising issue. Protecting data, devaluing data, harnessing data and empowering customers are our most important strategies.”

“In protecting data, we must harden our systems against attackers and must be able to prevent sensitive data being breached. Payments is the only industry which has its own data security standard, PCI compliance. However, PCI alone cannot solve issues; we have to go beyond PCI. We keep talking about perimeter defences, building stronger systems, but why do we do that? If a fraud happens, we have to be able to detect, mitigate and respond to it quickly,” Ramakrishnan explained further.

She also discussed encryption, the human factor (insider threats and external threats) and devaluing of data, stating: “Even after protection, if the data goes out, what do we do? The data should be useless for the people who are attacking it. That is what we call devaluing of data. Even if it goes away, hackers cannot use them, as they do not have any value anymore. Two of the best examples for devaluing are chip cards and tokenisation.”
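Tokenisation as devaluing of data, as an added example that is not Visa's or any network's token service and not part of the original article: the merchant stores a random token in place of the card number, so a breach of the merchant's database yields nothing that can be charged elsewhere, and only the isolated vault can map a token back. The design choices are assumptions of this example: tokens keep the PAN's length and last four digits (for receipts) but are otherwise random, are deliberately Luhn-invalid so they cannot pass as card numbers, and the same PAN maps to the same token so a merchant can de-duplicate customers. The card number used is the well-known test PAN, not a real card.

```python
"""Tokenisation vault (constructed illustration, not a production token service).

Assumed design: tokens preserve length and last four digits of the PAN, are random
otherwise, are never Luhn-valid, and one PAN always maps to one token.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check: double every second digit from the right, subtract 9 if it exceeds 9."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """The only component that ever holds PANs; in practice an isolated, PCI-scoped system."""

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_index: Dict[str, str] = {}
        self._index_key = secrets.token_bytes(32)   # keyed index, so no plain PAN hash is stored

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def _new_token(self, pan: str) -> str:
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # reject anything that looks like a valid PAN or collides with an issued token
            if not luhn_valid(token) and token not in self._pan_by_token:
                return token

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        idx = self._index(pan)
        if idx in self._token_by_index:      # same card -> same token
            return self._token_by_index[idx]
        token = self._new_token(pan)
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Only the vault can do this; it is the call that must sit behind strict access control."""
        return self._pan_by_token.get(token)


class Merchant:
    """Stores tokens only; a dump of its database is worthless to an attacker."""

    def __init__(self, vault: TokenVault) -> None:
        self._vault = vault
        self.customer_db: Dict[str, str] = {}   # customer id -> token

    def save_card(self, customer: str, pan: str) -> None:
        self.customer_db[customer] = self._vault.tokenize(pan)   # PAN is not retained here

    def dump(self) -> List[str]:
        """What an attacker obtains from a breach of the merchant's storage: tokens, not PANs."""
        return list(self.customer_db.values())
```

The security property is in `dump()`: everything the merchant holds is a random string that fails the Luhn check and has no meaning outside this vault, which is exactly the "useless to the attacker" outcome the speaker describes. The vault, not the merchant, is what has to be hardened and audited.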

Summing up her keynote, Ramakrishnan said, “The success of a transaction and success of payments is purely on partnerships. We know that attackers are taking advantage of many gaps in our product portfolio. It is time to fight back. They may know our vulnerabilities but we have to ensure that teams are very well equipped to fight back and retrieve this intelligence. We need to make use of innovative solutions and take advantage, not only to secure transactions but also to improve customer experience. Most importantly, senior executives need to keep investing for the future and to invest in advanced technologies, which can give you not only short-term but also long-term advantages.”


Insights from panel members

Central Bank of Sri Lanka Head of IT Wasantha De Silva, Commercial Bank of Ceylon Chief Operating Officer/Executive Director Sanath Manatunge and LankaClear Deputy General Manager, IT and Operations Dinuk Perera attended as panellists of the first session’s panel discussion.

Discussing the challenges of moving towards a cashless society, De Silva said people’s confidence about electronic money would be a significant barrier.

“To increase confidence, we have to increase the safety of our financial systems. We have to increase the safety of all the devices that are being used for transactions. All Sri Lankan banks are interconnected through the Central Bank’s RTGS (Real Time Gross Settlement) system. If the device you are using to do a transaction is not safe, your credentials will be stolen and somebody else will take control of your device and do the transaction. In order to move forward into a cashless society, it is essential to increase the security of all systems,” said De Silva.

When asked how companies should approach concerns on cybersecurity when market and economic conditions are tough, De Silva said: “Even if market conditions are not perfect, security should be a priority. It should be a boardroom discussion. Without proper cybersecurity policies, it will be tough for modern businesses to move forward with confidence.”

Manatunge said, “When you look at financial institutions, data is more valuable than money. If you consider the dependency of IT infrastructure, financial institutions highly depend on them. If you look at the architecture of a financial institution in terms of IT, every component—from the core banking system to ATM, card networks—depends on a single platform or the dependencies are very much concentrated. A potential attack will then be a huge vulnerable point for a financial institute.”

“Imagine a supermarket’s system is shut down for a whole day. It could still survive and serve its customers using a manual system. A 10-minute system downtime of a bank is going to be a huge issue for customers. Imagine a customer waiting in a supermarket queue and the PoS (point of sale) machine is not working because the banking system is not connected. That is why cybersecurity attacks have become a huge discussion within the financial sector,” Manatunge explained.

Further explaining the importance of uplifting cybersecurity defences of an organisation, he said: “If you build your risk management processes and the framework, giving CXOs the cover to have a control on IT risks broadly, your organisation will develop a proper risk culture within the organisation. Initiation and execution of this would be easy but sustaining it in a culture, educating your employees and external stakeholders about the importance of using security policies to mitigate internal and external risks is very important.”


Perera opined that during the last few years, local organisations had given less focus to insider threats. “If you look at people, processes and technologies, my understanding is that organisations have focused on external threats. However, there is less focus around internal threats. You could say insider threats pose a greater risk than external threats as your employees already know where the company’s ‘crown jewels’ are. These crown jewels could include the assets that drive cash flows, competitive advantage and shareholder value.”

“Insiders tend to know what exactly resides on the networks and how to gain access to them for the purpose of theft, disclosure, destruction or indeed manipulation. For example, the leaking and disclosure of critical information could lead to the manipulation of share values. This is a far more effective means of profiting through cybercrime than traditional fraud techniques,” said Perera.

He discussed several risks posed by insider threats, including monetary loss, loss of intellectual property, and destabilising and destroying of cyber assets. “It would take only one disgruntled employee to go and disrupt your whole IT infrastructure. While focusing on outside threats, we should also have clear policies to mitigate risks coming from insiders,” Perera said.

Answering a question on whether Sri Lanka is ready for crypto currency and blockchain, Perera said: “For the moment, we are not encouraging crypto currencies in Sri Lanka. However, Sri Lankan banks are ready to embrace blockchain as a technology. During the last two years, the knowledge about blockchain has grown rapidly in the market. Banks will soon initiate some projects with the help of blockchain.”

He also stated that the Central Bank of Sri Lanka had already appointed a committee to further study blockchain and to see how Sri Lanka could collaborate with other institutes across the globe to promote this concept in Sri Lanka further.

The Daily FT-CICRA 2018 Cyber Security Summit was supported by Cisco as the Principal Sponsor, Visa as the Strategic Partner and Infowatch and Tufin as Co-Sponsors. LankaPay is the Official Payment Partner while Dialog is the Telecommunication Partner. Sri Lanka Insurance is the Insurance Partner. The Ministry of Telecommunication and Digital Infrastructure and ICT Agency of Sri Lanka have endorsed the event. Cinnamon Grand is the Hospitality Partner of the summit while Triad is the Creative Partner. The Electronic Media Partners of the event are TV Derana, FM Derana, Ada Derana and Derana24X7.

Pix by Upul Abayasekara and Ruwan Walpola