How the credit card industry set the tone for cybersecurity
For much of the last decade, credit card companies and issuers have fine-tuned security to the point where if any suspicious activity occurs on a cardholder account, that cardholder will receive an alert.
That same sort of transaction and behavioral analytics is starting to come into other business sectors and walks of life, and at some point in the future, cybercriminals are going to find many of their current paths blocked, said Ryan Stolte, chief technology officer for the cybersecurity firm Bay Dynamics.
"We're at the very beginning of applying this stuff, but 10 years from now, we will have a pretty good grip on this, and it is going to become much more difficult for a bad guy to steal my credentials, walk a mile in my shoes and get away with it," Stolte said. The "stuff" includes machine learning, neural networks, collaboration with other data centers and a generally more aggressive approach to spotting behavior not typical of the personal or payment data being presented.
Bay Dynamics thinks the same type of security scrutiny that the credit card companies have exercised should eventually be at work in all businesses, especially those now being targeted — the health care, insurance and hospitality industries. If an employee falls for a phishing scam and a criminal takes on their identity within the business, that business needs machine learning technology to recognize unusual behavior.
In many ways, the same technology that allows a Netflix or Amazon to recommend certain products to a consumer based on their past behavior is the same as the type of analytics being applied to security at Bay Dynamics and other providers.
"It's becoming common for someone to hack an executive's email account, then start sending emails to employees to go ahead and send a $5,000 payment to a certain account number, then that money is gone," Stolte said. "If you look at any of the breaches that have occurred in the past few years, there was some kind of credential used inappropriately, whether it was an outside attack or an inside attack. The comparison is that the credit card industry got good at stopping this and had to do so before enterprise at large did."
It created an early stage of fraud protection in payments in which the assumption was that every credit card was compromised. "If you were going to make a credit card transaction, you had to prove it was you on the back of the card, through a PIN or through past behavior," Stolte said.
Early on, consumers would get upset if a regular transaction were blocked or questioned, but the number of false positives is dwindling as technology advances, Stolte added. So much so, the payments and banking industry is at a point now where if an issuing bank doesn't alert a consumer about a strange transaction, that consumer would be upset about it, he said.
The challenge that lies ahead is that cybercriminals are finding other data of more value to them, such as personal credentials that would allow them to infiltrate a business and disrupt the payments or payroll of those companies.
As such, it is not particularly relieving to hear executives at a breached company stating that no credit card credentials were stolen, but possibly some personal information or passwords were exposed. Such a heist, or one like the Equifax breach with Social Security numbers lost, is potentially far more damaging to consumers and commerce.
The concept of having artificial intelligence or machine learning in play for security in all walks of life "is not a far-fetched notion" when considering so many aspects are now digital, said Al Pascual, research director and head of fraud and security for Javelin Strategy & Research.
"Similarly, much of how we conduct business has gone digital," Pascual said. "And at the center of it all are technology providers for whom analyzing vast swaths of data is their lifeblood."
In addition to Bay Dynamics, which has recently partnered with Symantec to bolster its analytics of sensitive data to thwart insider threats, major technology companies are also strengthening security measures.
"Think about Google or Microsoft, both of whom are already protecting some of their customers using these technologies, whether that is in the cloud or on mobile devices," Pascual said. "You could argue that they really are the largest security companies in the world."
Advanced analytics has already made its way into some of the newer payments technology, with risk-based authentication having a big role in the new 3-D Secure 2.0 and the Strong Customer Authentication technology of the Payment Services Directive (PSD2) regulations in Europe, Pascual added.
"It's everywhere, if you just know where to look," Pascual said.