As the world goes digital, risks multiply with it. At the RSA India Summit in Bangalore, Daniel Cohen, Head of Products, RSA Fraud & Risk Intelligence, RSA Security, talked about digital risk and how it could be managed through emerging technologies. Excerpts:
DQ: The fake mobile app fraud tripled in the earlier half of this year. What’s your way forward in trying to mitigate this global crisis?
Daniel Cohen: If we take a step back and think about the fraudsters and how they’re evolving, the growth in the mobile app is a vector that has been considerable. We see the fraudsters tricking users, and this is not going to go away as they are always going to keep coming after the users. It’s the psychological play on social engineering and not really a migration, but we’re seeing more attacks that are happening now as mobile devices grow. We’re still seeing a lot of stuff happening on phishing as well. Phishing has doubled in India in this past quarter.
But, this movement into mobile applications is obviously because we’re more connected, as individual users, to more applications. The fraudsters understand that this is a great vector to target users. That’s kind of where the growth comes from and mitigating that growth is a more complex answer. You need a lot more partnerships across the industry, and across the entire chain, in order to completely make it go that way.
At RSA Security, we are much targeted. We identify an app and bring it down from the store. What compounds that problem is that the app is then put on another store and gets duplicated on many different stores.
First off, we are working on improving the detection of such applications. Secondly, we are working with the industry to improve the security of how the ecosystem treats these applications. It starts with how mobile phone manufacturers such as Google, Microsoft, and Apple will make more secure phones, how they better secure the apps and how these apps move into the app store, and how quickly we detect that.
To be honest, we can’t 100% mitigate it but working together as an industry is one way to reduce it. The second point is increasing the awareness, and that’s really where the consumers better understand how the bad guys are trying to trick us. We should understand that it’s out there so that we can be more aware of these apps that could be very famous. It is very important to look at the permissions that the app is asking for. If you’re downloading a flashlight app, it should not ask you for your location or access to your contacts. Just being more aware and vigilant as to what you’re clicking on can be really helpful when it comes to dealing with these fake apps.
Users, at all times, should keep their phones up-to-date. With Android, it’s a little more challenging because the updates aren’t pushed, as in the case of Apple, which pushes the updates proactively. If you’re installing software, make sure you install the software from stores that you know. And, if you know that there’s an app that costs you money, and suddenly you find it in a store for free, it’s not the right app. No free lunches, so, be aware of that.
DQ: How will digital transformation affect financial Institutions (FIs)? How can FIs manage digital risk and increase their opportunities?
Daniel Cohen: When we think about the digital and financial industries, particularly with regards to consumers, we want easier access to our money. We want to easily spend our money and we don’t want to fill out forms or send faxes. The world is becoming a lot easier to use. For example, PayTM, that’s an easy way to send money without cash or going to the bank and making a transfer.
As consumers, we’re putting a lot of pressure on the banks to deliver these frictionless, easy services. Now, if the banks don’t do it, then it is the fintech companies that are doing it. That’s putting even more pressure on the banks because they are starting to lose the touchpoint with the customer. Earlier, when you wanted the money, your first option would be to go to the bank. Now you don’t have to; you can go to somebody else. So, there is a chance that banks will miss opportunities.
One more factor is that of the regulators. We see the regulators also forcing the banks and driving them to allow third parties to access your financial information. For example, in the US, there’s a company called Mint. Usually, on average, an American will have five credit cards. Sometimes, that would mean five different bank accounts. Now what Mint does is, it aggregates the information from the five accounts and presents it in the form of a nice dashboard, showcasing all the information about what was happening in each of the accounts. But, in order to do that, it has to ask users for their passwords and login details. Users have to give Mint access to the financial information, a programmable automated access point. This is how digital transformation is forcing banks to open up all these new channels.
At the end of the day, even if you use any fintech application, e.g., PayTm, it’s going to charge your bank account. It’s going to hit your bank account at some point. If it’s a fraudster, you’re going to get upset that the bank even allowed this transaction. The concept of a bank is to keep our money safe. Then why did they let this transaction happen? So, as all these channels open up, whether the banks like it or not, they still have to provide their customers with a safe online payment experience. That’s primarily how the banks are being impacted by the digitization – the fact that more and more channels are opening up that they have to now protect.
The opportunity for them really is not to stay in their old ways, but to proactively offer more chance. At the end of the day, when we look at all these different channels that are opening up, and where we come from also as an anti-fraud vendor, as we’re seeing all these channels provide us better visibility into how the consumer uses his money, so we can better understand what fraud looks like. This allows us to better understand the consumer’s interactive behavior – how he spends his money, when he spends his money, where and how much money he spends, etc. We can then do better fraud assessments and identify the fraudsters. The banks have to look at this as an opportunity to better interact and engage with their customers and also use all these opening channels in order to deliver improved anti-fraud experience measures.
DQ: IoT and API economies are opening up the financial industry’s closely guarded monetary systems to the world. How can we protect our money?
Daniel Cohen: IoT is a big part of the previous question. But, IoT specifically for consumers, is a very big part of the digitization trend. Because we have these 24 hours, we’re doing a lot more in the time and we’re expected to do a lot more throughout the 24 hours. And, we look to the technology to help us, take care of a lot of the tasks, and let us automate a lot of the stuff so that we have time to work on what matters to us.
When you look at the IoT, and when you look at Alexa, what it’s really trying to do is save you time. It listens to the fact that we’re having a conversation about a vacation and that we want to go to Thailand. Suddenly, you start seeing all these offers for vacations. It might be searching for the best offer for you and it’s saving you the time to search.
It’s going to go to the next level where you would just need to say ‘let’s go to Thailand next Friday’, and Alexa will buy the tickets. It’ll search the Internet and buy the tickets and say, ‘hey, I managed to grab these tickets for you. They were the cheapest and I grabbed them for you.’ You didn’t tell Alexa to buy the tickets! Alexa understood that you were planning to go on a vacation for the next month, it understood that you were getting serious, and it decided to buy the tickets. So, the impact of IoT in our world, the financial consumer world, is that it’s going to decide to buy stuff on our behalf. Now, these technologies, they all exist, and Alexa exists. Buying tickets online exists, these APIs exist. It’s just a matter of putting this workflow together, which again, is going to happen in the next couple of years.
The challenge again, for the banks is, who is ordering that transaction. Because you didn’t, you were just talking about our vacation in Kenya, or Vietnam, or Thailand. And suddenly, Alexa decided. But, how do you authenticate that transaction? How do you know that it is actually legitimate? That’s very much a big challenge. It comes back to the same concept of the bank. The bank has to look at it from a strategy perspective. We have to look across all these channels that we’re now interacting with, to understand what is good and what is bad, especially now that Alexa is doing stuff for you, or maybe your smart fridge is ordering fresh milk after detecting that the milk has turned sour.
Because I’m seeing this activity across all the different channels, I can better assess the risk that has made better decisions on fraud. From a consumer perspective, it still comes back to being vigilant and understanding how technology can spend your money, where you put your credit card, or your ATM barcode, etc. It’s also about understanding that at the end of the day, the bank is looking out and protecting or has to protect your money.
DQ: How are you helping companies embed security into their organizations?
Daniel Cohen: I represent the fraud risk intelligence suite, which is a product portfolio within RSA Security. For me, when I talk about customers, it is primarily financial institutions. What we offer them is the ability to look at fraud, not just in a single channel, but across all the different channels. When we do so, we have very powerful ML and risk assessment engines. Having this amount of data allows us to make better decisions. That’s what we bring to our customers.
Coming to your question about the opportunities, we say to them – we will handle, we will take care of detecting the fraud, you go ahead and open up these channels, that’s where you know your customers are going. We have to be able to provide the customer with that digital service. That’s where we come in with the fraud detection, again, across the channels, very advanced risk analysis. The second thing is around the digital strategy. This is where banks also have to understand that we, as consumers, don’t like friction. What does friction mean? It means that you know that when you buy something, you don’t want to be challenged. You don’t want a one-time password or a telephone call from the bank. What you want is a frictionless user experience, one-click shopping.
I always like comparing it to the airport. The airport is 100% friction where you’re trying to get on the plane but they’re going to check your bags, put you through the body scanner and all of that. I’m a legitimate guy, and I just want to fly home and for me, it’s just that it’s not a nice experience. So we are capable, our solutions are capable and this is how we help the banks. We are capable of protecting 98% of fraud, and only challenge 3% of the population. That means most of the people walking through this airport, nobody’s scanning their bags, nobody’s patting them down. They simply walk through the airport and get on the plane. We’re still successfully preventing 98% of crime from happening.
Being able to provide frictionless abilities is critical in the digital age where we don’t have time and we want to get things done quickly. If you’re going to call me or if you are going to ask me for a one-time password, that’s creating friction in my experience. So, that’s another thing that we do to help our customers.
DQ: Tell us about the importance and benefits of identity and access management.
Daniel Cohen: In the consumer fraud world, identity and fraud are overlapping. At the end of the day, I want to make sure that the person who’s transacting is the real person that’s transacting. So, identity is still critical. I believe that the behavioral analysis of how you are interacting, in my world of fraud, is more critical because my physical identity in this consumer digital world, is not just the physical Daniel. It’s my smartwatch, my smart house, my smart car, etc. These are all devices and things that are operating on my behalf, which makes the concept of identity become very fuzzy.
You think about me, there’s like a mesh of all these things that are connected to me and are doing things on my behalf. So, Google Duplex, for example, is Google AI. What it does is, suppose I don’t have time and I need a haircut, I ask my AI assistant to book me a hairdresser’s appointment. The robot, the API, calls the hairdresser and talks to the human. The human doesn’t know that he is talking to a robot and it books me a hairdressing salon.
There’s another demo where this assistant calls up a Chinese restaurant to book a table. It’s a very complicated conversation because one, the accent is heavily Chinese and even I can’t understand what she was saying. The bot is trying to book a table for four people. But the person is saying that they only book tables for more than five people and above and the AI bot manages this conversation and says, “Well, if I come at seven, is the restaurant going to be busy?” This is a bot that’s working through the conversation like a human, it’s incredible.
Coming back to your question on identity, as digitalization takes over and as we use more and more technology, each and every one of us will have this personal assistant that does stuff on our behalf, it’s going to become very challenging to lock down the identity. That’s where the behavioral elements become more critical.
DQ: What, in your opinion, needs to be done in order to strengthen India’s data privacy regulation?
Daniel Cohen: In every country in the world today, and again, it’s an impact of digitalization, we’re moving so quickly and I think the younger generations don’t understand the ramifications of what they do. They post something on Instagram and it’s no big deal for them but that has ripples.
The governments of the world are scrambling to try and figure out how they protect all this data that’s being made available because of the digitalization trend. It’s a very complex topic and I’m not a data privacy expert. I can’t offer any suggestions or recommendations, except to say that it’s very complicated. At the end of the day, in cybersecurity, we see how we can help protect the data and give privacy.