In Steven Soderbergh’s 2001 movie, Ocean’s Eleven, there’s one specific moment when the head of the Bellagio Casino, Benedict, realizes he has no way of stopping the heist.
When he goes down to inspect the vault in person, Benedict glances down at the floor and notices a crucial detail. The Bellagio logo is imprinted there. But on the camera footage of the robbery the attackers had shared with him earlier, there was no logo.
He suddenly understands that the attackers have manipulated the camera feed. Instead of seeing the true live feed of the casino vault, he was seeing what Ocean’s team wanted him to see. A tape of a staged robbery recorded in a duplicate of the Bellagio vault.
It’s a classic scene that has been repeated in various bank heist movies over the years.
And, as it turns out, it’s also the perfect metaphor to explain how some modern-day cyber attacks happen in the financial sector.
In this article we’ll explore one attack scenario in fraud detection and protection services. And we’ll explain why it hints at the need for strong endpoint security.
The changing face of financial fraud
Financial fraud detection and protection services were already hugely important in banking. But regulations such as PSD2 have made them a requirement.
The only problem is that fraud detection is a lot more complicated today than it used to be. Ten or 15 years ago, it was centered around an individual’s location. In other words, where the card was used, such as at an ATM, a hotel, or a restaurant. A classic red flag moment back then would have been if a bank account was accessed once in London, and then again in New York three hours later. It would have been physically impossible for the same person to carry out both operations. And so a bank would be immediately informed that something untoward had occurred.
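The London and New York red flag described above can be written as an "impossible travel" check. The following is an added example, not code from the original article; the event fields, the 1,000 km/h speed ceiling and the 50 km jitter floor are assumptions chosen for illustration, and the sample events are constructed.

```python
import math
from datetime import datetime

MAX_KMH = 1000.0  # assumed ceiling: roughly airliner cruising speed
MIN_KM = 50.0     # assumed floor: ignore movement within one metro area

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def impossible_travel(events, max_kmh=MAX_KMH, min_km=MIN_KM):
    """Return (account, from, to, km, kmh) for consecutive events on one
    account whose implied speed exceeds max_kmh. Location is taken as
    reported, so a spoofed or proxied location defeats this signal."""
    alerts, last = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        prev = last.get(ev["account"])
        last[ev["account"]] = ev
        if prev is None:
            continue
        km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
        if km < min_km:
            continue
        hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600
        # Simultaneous use in two distant places implies infinite speed.
        kmh = km / hours if hours > 0 else math.inf
        if kmh > max_kmh:
            alerts.append((ev["account"], prev["where"], ev["where"], round(km), kmh))
    return alerts

# Constructed sample events (not real data).
LON, NYC, PAR = (51.5074, -0.1278), (40.7128, -74.0060), (48.8566, 2.3522)
def _ev(acct, hour, where, pos):
    return {"account": acct, "ts": datetime(2024, 1, 5, hour), "where": where,
            "lat": pos[0], "lon": pos[1]}
SAMPLE = [
    _ev("A1", 9, "London", LON), _ev("A1", 12, "New York", NYC),  # 3 h apart
    _ev("B2", 9, "London", LON), _ev("B2", 19, "New York", NYC),  # 10 h apart
    _ev("C3", 9, "London", LON), _ev("C3", 9, "Paris", PAR),      # same instant
]

if __name__ == "__main__":
    for acct, a, b, km, kmh in impossible_travel(SAMPLE):
        print(f"{acct}: {a} -> {b}, {km} km at {kmh:.0f} km/h")
```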
These days, it’s different. The proliferation of digital mobile payments and the use of virtual cards has somewhat blurred the view of what banking fraud looks like. It’s a lot trickier to know for sure what is genuine and what is bogus.
A user’s location is a guaranteed and trusted metric. It’s something that can be confirmed accurately. But with mobile payments, a user might use a VPN proxy to make it look like they’re somewhere they’re not. And there are examples in recent years involving Tinder and Pokemon Go where users have manipulated their device’s location using rooting tools.
If location used to be a stationary data point that a bank could lock onto, there are now thousands of data points dancing around in the ether. That’s why there’s now a recognition in banking that humans alone probably can’t monitor so many of these moving parts.
That’s where AI comes in.
How AI can help
AI can help banking systems to analyze large volumes of data points and improve - or even generate new - fraud detection algorithms.
But to collect the data in the first place, fraud systems need to use sensors that are connected to mobile apps. Typically these sensors are included in mobile SDKs that are integrated into applications. These can identify and verify transactions linked to a specific account.
The danger with relying on SDKs for this task, though, is that you don’t always know how secure they are. As we covered in a recent article about stopping software supply chain attacks, there have been plenty of examples recently of malicious code within libraries and dependencies helping hackers to infiltrate some of the world’s biggest tech companies.
Then there’s the threat of an attacker using a banking application with a rooted device, or using social engineering to get end users to install a fraudulent app.
Strong endpoint security secures the vault
Let’s go back to the Ocean’s Eleven comparison at the beginning of this piece for a second. If you were planning an attack on a bank or a casino, then the security cameras would be a logical target. After all, your main goal would be to trick security staff into thinking an attack wasn’t happening.
Now imagine that instead of a physical bank, your target was a bank’s mobile app. In this case, the SDK is the sensor (or the camera).
In the same way that a bank’s security would be considered suspect if its cameras were easily manipulated without the security team knowing, a mobile banking app’s security would fall well short if it wasn’t able to recognize a fraudulent SDK.
It’s for that reason that strong endpoint security is so important. A bank can choose to invest in smart cameras that recognize someone moving close to them. And they can also choose to invest in user interface protection, anti-tampering technology, and the ability to check for existing vulnerabilities in SDKs for their mobile banking app.