Fraud Fighters Eye Info-Sharing Deficit
UK Fraud Surges, But Banks Fail to Crowdsource Defenses
Fraudsters continue to make inroads against financial services institutions and retailers based in the United Kingdom - and beyond - in part because targeted organizations aren't working together and sharing information about the attacks they see.
That was one of the dominant, recurring messages delivered at Information Security Media Group's London Fraud Summit on Sept. 23.
"You need a network to fight a network," Alisdair Faulkner, chief products officer at online fraud prevention firm ThreatMetrix, told attendees. His message was repeated by presenters throughout the day.
"This lack of willingness to share information is endemic in financial services and retail organizations," said John Lyons, CEO of the International Cyber Security Protection Alliance.
That assessment is based on early findings from BankInfoSecurity's European "Faces of Fraud" survey. One of the biggest takeaways from the study, so far, is that most banks still aren't sharing threat information, and they have no immediate plans to do so. Respondents said the reasons for not sharing varied, but often included their legal departments not sanctioning information sharing, except in response to a court order or regulatory requirement.
The U.K.'s fraud problem, meanwhile, continues to intensify, according to Financial Fraud Action UK. The financial services industry organization reports that in the United Kingdom last year, £301 million ($494 million) was lost to "card not present fraud," which was an increase of 22 percent from 2012, while £41 million ($67 million) was lost to online banking fraud, up 3 percent from 2012.
Barriers To Sharing
Some financial services firms still see their information security practices as a competitive advantage, and one in which they've invested heavily. "I thought we had got over the notion that this is a competitive advantage, that actually if we can share attack information, that it's not a competitive issue," ICSPA's Lyons said. "But only last week, one large financial institution mentioned [to me], 'Well you know, if we've invested many millions of dollars putting in a great system and we're trapping fraud and reducing our risk, why should we share that methodology and that information with others who aren't willing to invest to the same extent?' I guess you can understand that type of thinking."
Another concern harbored by banks, according to the Faces of Fraud survey preliminary results, is that they don't want to be publicly outed as the source of any particular piece of threat intelligence, lest it undermine their security reputation with customers. "From inquiries - not just in the U.K. but from around the world - we're getting the impression that if you're going to share information, you're going to have to do so anonymously and confidentially," Lyons said. "We haven't got a mechanism established within the U.K., certainly, that would enable that information sharing to take place anonymously and confidentially."
Role of Law Enforcement
To address that requirement, one possibility is that a U.K. law enforcement agency might maintain a threat-information-sharing platform. But such an approach would also pose risks, for example, if the source of any piece of threat intelligence leaked.
"The biggest problem comes down to trust," Detective Inspector Steve Strickland of the City of London Police, who's an expert in fraud and anti-corruption, told attendees. For example, in an investigation, "the financial loss might be what we want to investigate," he said. But if details of the investigation were to be publicly leaked, that "could be far more damaging to the corporation than the crime we're investigating."
Currently, much financial fraud goes unreported. According to the preliminary fraud survey results, 53 percent of surveyed banks and retailers say they always report information security incidents - including attacks with fraud repercussions - to law enforcement agencies, while 13 percent never do. And 35 percent only report losses when they reach a predetermined financial threshold.
Overcoming institutional barriers to sharing information about threats - as well as incidents in which banks were successfully breached - will take time. Lyons said that back in the early 2000s, Britain's National High-Tech Crime Unit, which has since been supplanted by the National Crime Agency, managed to get 82 U.K. financial services firms in the same room to discuss ways to coordinate their fraud-fighting efforts. "That took us about two years to get to that point, but eventually trust was established and built up over time."
Strickland, meanwhile, noted that the City of London Police is helping to teach commercial organizations - including financial services firms and retailers - new ways to battle fraud via its Economic Crime Academy, which he helped found. But he said the academy also serves to build new relationships between private businesses and law enforcement agencies. The goal is to lower the barriers to businesses reaching out to law enforcement agencies for advice, and to facilitate better sharing of information on threats and attackers not just inside industries, but across sectors.
First, however, the required relationships between businesses and law enforcement agencies' fraud investigators must be fostered. "In this world, more than any other - the world of fraud - you need relationships, you need that trust," Strickland said.