The best way to predict the future is to study the past, and while cybercrime is a relatively new criminal endeavor, it has been around long enough for the experts at Cyxtera to look into their Magic 8 Ball™ and make some well-informed predictions about what’s in store for 2019.
Better Not Tell You Now: Spam Gets Personal
Thanks to geolocation services, phishers can easily target people in a given area with fraudulent offers designed to appeal specifically to them. Ian Breeze, Director of Product Development for Threat Analytics, states that in 2019 phishers will increasingly combine various tactics to create advanced campaigns: for example, Google Ads aimed at Atlanta men aged 18-24 offering Super Bowl volunteer work. We’ve seen geo-specific email, advertising, and social media posts combined into advanced campaigns in 2018. Phishers are seeing results and continuing to craft more intricate geo-targeted messages. Read email carefully in 2019.
It Is Decidedly So: Digital Trust Is Make or Break for Financial Institutions
With nearly two-thirds of global consumers worried about the chance that their bank accounts or bank cards will be hacked, building digital trust has to be as much about culture as it is about anti-fraud technologies. According to Maria Lobato, Vice President of Marketing for Secure Access and Fraud at Cyxtera, the cultural shift is yet to happen. What’s more, fraud prevention education is normally treated as an afterthought. Even if it weren’t, the truth is that a set of educational projects will not create a customer-centric and trust-driven culture.
In 2019, financial institutions will have the opportunity to engage their customers by developing services that reach an equilibrium between solid security and minimal friction. Organizations need to have a unifying vision and employ anti-fraud technologies that are effective in the short and long term, as this is the only way to realize the business value of building digital trust.
Financial institutions that fail to make this shift will grow largely irrelevant as millennials continue to live their lives in an on-demand, Instagram-worthy, Amazon Prime-fast fashion.
Cannot Predict Now: Who Is Artificial Intelligence Working For?
We already know that artificial intelligence (AI) can be created and used by fraudsters to enhance cyberattacks. But, in 2019, attackers won’t be relying on their own AI.
Cyxtera’s Chief Data Scientist, Dr. Alejandro Correa, predicts that “attackers will become so sophisticated that they will be able to poison our training data in such a way that it has a significant impact on how a fraud-detection algorithm learns.” In layman’s terms? Fraudsters will create a huge number of fake attacks, such as phishing or malware, that skew an algorithm’s learning, causing it to believe that this is how attacks are working now. Then, they will be able to send a highly targeted attack that is not flagged by the newly poisoned AI algorithm, thereby avoiding detection and raking in profits.
As I See It, Yes: Passwordless Authentication Promises Greater Security…If You Do It Right
As an increasing number of organizations and end users realize the risks of relying on username and password combinations, the coming year will see a rise in the use of passwordless authentication. Though the password will not disappear completely, increasing numbers of online platforms will move towards eliminating its use. When done right, passwordless authentication can be a powerful and secure tool.
But what happens when it is done wrong? Ricardo Elena, Director of Operations at Cyxtera, asserts that “organizations that use unencrypted channels as alternate authentication factors will inherently face many more vulnerabilities.”
Take SMS one-time passwords, which have long been known to be highly insecure. Incorporating them into a passwordless authentication process exposes that process to easy interception by cybercriminals. In 2019, when adopting alternate authentication methods, organizations must ensure that they are doing so in a secure way.
Reply Hazy, Try Again: App Stores Are a Virtual Playground for Malware
Third-party app stores provide the perfect environment for malware, giving users a false sense of trust to the point they are willing to download applications without knowing if they are legitimate. Felipe Duarte, Malware Analyst, points out that not even the Google Play Store is immune. Though Google has security measures in place to prevent malicious code from being uploaded to the official store, fraudsters have recently started to use non-malicious Android Packages (APK) as entry points to download external payloads and perform malicious actions on users’ devices. In 2019, he predicts that there will be a sharp increase in malicious applications making their way to users’ phones through legitimate app stores.
Without a Doubt: Credential Stuffing
Fraudsters know that most people reuse username and password combinations across a variety of sites, meaning that a single set of user credentials can be a goldmine.
Credential stuffing attacks provide a quick and simple way to validate which usernames and passwords are still good. Fraudsters can use the results either to focus attacks on specific groups or to jack up the price for black-market user info after validation. According to Mike Lopez, Vice President of Secure Access, “We’ve seen major international banks hit by a wave of attempted credential stuffing attacks, and there’s no reason to believe that the momentum will slow down in 2019.”
You May Rely on It: Enterprises Follow in Banking’s Footsteps
As enterprises shore up their security strategies, “modern authentication techniques such as push, biometrics—which banks are already quite happy with—will be adopted by enterprises, too,” says Paul Wilson, Product Manager for DetectID and DetectTA.
Most Likely: IoT Risks
The security community has been warning about the risks of Internet of Things (IoT) devices for a while, and this year, they moved to the top of the list of concerns. However, most IoT devices still remain highly vulnerable, and as more and more devices connect to the internet, 2019 will likely see a sharp increase in cybercriminals taking advantage.
Beatriz Cleves, Product Manager for Digital Threat Protection, says, “The risks are greater than ever before, especially in terms of authentication processes. Companies need to take control of these risks by establishing identity assurance requirements, implementing effective security systems, and developing metrics and tracking tools.”
It Is Certain: Fake Political Posts for Real Profits
A hot topic over the past few years has been the political influence of fake accounts, or “bots,” on Twitter and other social media sites, where they have been used to manipulate public perception and opinion of current events. Now, fraudsters are starting to notice that they can take advantage of escalating tensions and political divisions within countries using social media as an attack vector.
“It’s accepted that social media is commonly used by many people to discuss politics. As a result, fraudsters post pieces that appear to be in that same vein, and then trick the public into following certain accounts or posts that will eventually fool them into parting with their money or credentials,” say Cyxtera researchers. As more criminals realize the profit potential of these easily-spread attacks, they will definitely increase in both scope and frequency.
Outlook Not So Good: When “Secure” Doesn’t Mean Security
Everyone sees it when they navigate on the internet – the small icon stating “secure” or “not secure.” But unfortunately, many users falsely believe that this symbol, which signifies whether a website uses encrypted communications, means that a website cannot be malicious. Fraudsters are already using seemingly legitimate web certificates (which cause the browser to display the “secure” icon) to hide their phishing and malware attempts.
“In just one year, we saw the use of web certificates to disguise malicious traffic double. There is no sign of this increase slowing down, as certificates provide an easy way to trick users into trusting a website and giving up their credentials,” reports David Camacho, Lead Data Scientist at Cyxtera.
Outlook Good: Fraud Resolutions for 2019
With all of these changes to the fraud landscape coming up, here are our recommendations to organizations looking to improve their security plans in 2019:
- Expect fraudsters to step up their game and create more intelligent and powerful attacks than ever before. Implement a fraud-prevention solution that harnesses the power of adversarial learning and stays a step ahead of cybercriminals, instead of retroactively defending against them.
- Don’t expect a single solution to protect your organization from every attack – deploy a multi-layered solution that looks at threats holistically, not individually.
- Implement strong, modern multifactor authentication.
- Ensure that your fraud security plan covers threats from inside and outside your perimeter; you can’t control what the fraudsters do, but you can control how you proactively defend against them.
Will fraud lessen in 2019? Our sources say no. But if you follow these basic steps, are you greatly improving the odds that your organization will be safe from cyber attacks? Signs point to yes.