In the urgent global response to the “cyber scamdemic”, new regulatory frameworks and industry initiatives could finally compel greater stakeholder vigilance
Cybercriminals have repeatedly foiled financial institutions’ use of biometric authentication measures in the past few years.
By deploying a mix of deepfake content, phishing, social engineering and other scare tactics against their chosen victims, criminals have provoked sharp interventions by regulatory bodies worldwide, which now compel the industry to offer even more protection and proactive measures.
Explaining the sequence of events leading to these much-needed initiatives is David Chan, Managing Director, Adnovum…
CybersecAsia: Many earlier measures by financial and financial services organizations have been foiled and circumvented in the past. What do you think are the main factors facilitating cybercriminals and scammers in successfully outwitting such cybersecurity and authentication measures? What can the financial industry learn from these mistakes?
David Chan (DC): Cybercriminals have become increasingly sophisticated, employing advanced technologies such as AI/automation to execute attacks that are more efficient and challenging to detect.
The rise of 5G and IoT use has also expanded the digital landscape, creating new entry points that cybercriminals can exploit. Meanwhile, traditional, manual detection methods are no longer adequate, underscoring the need for the financial industry to adopt equally advanced, real-time detection capabilities.
We have been seeing an increase in critical infrastructures being targeted by criminals, which is likely why financial institutions and services are being targeted, because this industry is linked to other industries and sectors.
Learning points from the high profile scams and data breaches include:
- The need to employ a holistic security approach that considers not only the financial industry’s systems, but also the interconnected ecosystem in which they operate. This will include cross-industry collaboration and shared threat intelligence — to form a comprehensive, resilient defense against complex, multi-sector threats.
- The financial sector must also advance beyond static security measures, to adopt adaptive frameworks that adjust to evolving user behavior patterns and risk profiles. Dynamic authentication processes, which continuously assess user activity, can significantly reduce vulnerabilities, providing an agile defence against unauthorized access.
- Also important is building an industry culture of continuous cybersecurity awareness across all levels of an organization. By integrating security into the organizational mindset, financial institutions can better mitigate human error — often a primary entry point for cyber threats.
- Finally, embracing AI-powered threat detection tools, securing emerging technologies, and fostering cross-sector collaboration empowers financial organizations to transform past oversights into actionable insights, fortifying their defenses in an ever-evolving threat landscape.
CybersecAsia: With the latest slew of tightened measures such as face verification and digital tokens to bypass the now-compromised SMS 2FA, where are the risks associated with biometric data security both from a cyber threat and data storage perspective? How can governments make sure that the industry balances biometric data storage and usage with priority on data privacy and accountability?
DC: With stricter security measures like face verification and digital tokens now supplementing SMS 2FA, new challenges will arise around the secure handling of biometric data — related to data privacy and security.
This falls into the domain of each country’s data protection laws that enforce stringent regulations on the collection, use, and storage of such data to ensure that privacy and accountability remain central.
However, the advancement of AI-driven deepfake technology introduces the potential to compromise biometric authentication, raising both security and ethical concerns around surveillance and misuse.
To balance security with privacy, governments can prioritize robust regulatory frameworks that uphold data privacy while guiding industries on safe storage and ethical usage practices.
CybersecAsia: Playing the devil’s advocate, how do you envision fraudsters and even state-sponsored threat actors can foil the abovementioned types of tightened authentication? In that vein, what future measures do you think are needed to keep biometric implementations constantly outpacing evolving formidable threats driven by AI technologies, social engineering and human error?
DC: Cybercriminals are, and will continue to become, increasingly adept at outsmarting cybersecurity measures like face verification and digital tokens. One of the ways that they exploit AI is by leveraging its capabilities to mimic or replicate biometric data, creating fake facial profiles or even deepfakes that bypass face verification systems.
In the near future as well, quantum computing will pose a potential threat when it is abused to break current cryptographic algorithms, rendering biometric data vulnerable.
Additionally, cybercriminals leverage social engineering tactics, such as phishing or spear-phishing, to manipulate individuals into sharing sensitive information or bypassing security protocols unwittingly.
To counter these tactics, adopting a zero trust security model is essential. Continuous monitoring and response plans must also be enhanced to detect any suspicious activity early. Also:
- Biometric implementations should evolve to incorporate multi-modal authentication—combining face verification with other factors such as voice recognition or behavioral analytics to provide a layered defense. Other aspects should also include behavioral biometrics that analyze user behavior patterns such as typing speed and mouse movement — for an added layer of protection.
- Staying ahead of AI-driven attacks requires similar advancements in AI for defense: security systems can employ AI to detect patterns that suggest impersonation or manipulation attempts in real time.
- Beyond just training the AI programs, international cooperation in sharing threat intelligence will be crucial. By collaborating with global partners, financial organizations and cyber specialists can access a broader set of threat data and strategies, which bolsters resilience against complex state-sponsored attacks.
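The layered, dynamic authentication described in the answer above (face verification plus liveness, a device token, and behavioral biometrics such as typing cadence, continuously scored to decide whether to allow, step up or deny) can be made concrete with a small risk engine. The following is an added illustration written for this article; it is not code from Adnovum or the interviewee. The signal names, risk weights, thresholds and the typing-cadence baseline are all assumptions chosen for the example, and the session data is constructed inline.

```python
"""Risk-based, multi-modal step-up authentication decision (added example).

Each login session carries several independent signals. Instead of trusting
any single factor, the engine converts every weak or missing signal into risk
points and maps the total to allow / step_up / deny. All weights and
thresholds below are assumptions for illustration, not a vendor's settings.
"""
from __future__ import annotations

from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class BehaviourBaseline:
    """Enrolled typing cadence: mean and std dev of inter-key intervals (ms)."""
    mean_interval_ms: float
    std_interval_ms: float


@dataclass
class SessionSignals:
    """Signals observed for one login attempt (assumed verifier interface)."""
    face_match_score: float      # 0..1 similarity reported by the face verifier
    liveness_passed: bool        # presentation-attack / deepfake liveness check
    device_token_valid: bool     # digital token bound to an enrolled device
    key_intervals_ms: list[float]  # inter-key intervals captured while typing
    new_device: bool             # first time this device fingerprint is seen


def enroll_baseline(intervals_ms: list[float]) -> BehaviourBaseline:
    """Build a cadence baseline from intervals captured during enrolment."""
    if len(intervals_ms) < 2:
        raise ValueError("need at least two intervals to enroll a baseline")
    return BehaviourBaseline(mean(intervals_ms), pstdev(intervals_ms))


def typing_zscore(baseline: BehaviourBaseline, intervals_ms: list[float]) -> float | None:
    """Distance of the session cadence from the enrolled baseline, in std devs.

    Returns None when there is too little data (or a degenerate baseline) to
    judge, so the caller can treat 'unknown' as its own risk, not as 'normal'.
    """
    if len(intervals_ms) < 3 or baseline.std_interval_ms <= 0:
        return None
    return abs(mean(intervals_ms) - baseline.mean_interval_ms) / baseline.std_interval_ms


def risk_score(baseline: BehaviourBaseline, s: SessionSignals) -> int:
    """Sum risk points from every weak, failed or missing signal (0..100)."""
    score = 0
    if not s.liveness_passed:          # a convincing face that is not live is the
        score += 40                    # deepfake / replay case; weight it heavily
    if s.face_match_score < 0.80:      # weak match on the primary biometric
        score += 30
    if not s.device_token_valid:       # possession factor missing or invalid
        score += 30
    z = typing_zscore(baseline, s.key_intervals_ms)
    if z is None:                      # no behavioural evidence either way
        score += 10
    elif z >= 3.0:                     # cadence far outside the user's norm
        score += 20
    elif z >= 2.0:
        score += 10
    if s.new_device:
        score += 10
    return min(score, 100)


def decide(score: int) -> str:
    """Map the risk total to an action; thresholds are illustrative."""
    if score < 30:
        return "allow"
    if score < 60:
        return "step_up"   # e.g. require an additional factor before proceeding
    return "deny"


def evaluate(baseline: BehaviourBaseline, s: SessionSignals) -> str:
    return decide(risk_score(baseline, s))


if __name__ == "__main__":
    # Constructed sample data: an enrolled user typing at ~120 ms per key.
    base = enroll_baseline([110.0, 130.0, 110.0, 130.0])
    normal = SessionSignals(0.95, True, True, [118.0, 122.0, 125.0, 117.0], False)
    spoof = SessionSignals(0.92, False, True, [60.0, 65.0, 58.0, 62.0], False)
    for label, session in (("normal", normal), ("spoof", spoof)):
        print(label, risk_score(base, session), evaluate(base, session))
```

The point the example makes is that a high face-match score alone never decides the outcome: the spoof session above matches the enrolled face well, yet the failed liveness check and an alien typing cadence push it past the deny threshold, while a genuine user on an unfamiliar device is merely asked to step up rather than being blocked.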
CybersecAsia: Governments and industries have had to devise frameworks (such as the Shared Responsibility Framework of Singapore and other mandates by the CFPB [US] and the European Commission) to apportion accountability to all parties in any incident. Just like insurance co-payment schemes that put some of the liability on the insured entities, such frameworks can simplify the sometimes complex processes needed to achieve quicker financial closure to large-scale scam incidents. Can you share any insights on how such frameworks will encourage consumers to be more conscious of their obligation to avoid being scammed, or catalyze more regulations and industry practices to start showing positive results in stemming scam/threat uptrends?
DC: Such timely frameworks reflect a growing recognition that cybersecurity must be a shared effort that extends beyond just the organizational responsibility.
By educating the public on cybersecurity threats, such frameworks and initiatives make it clear that consumers are not just passive users but active participants in their own digital safety, with a concomitant obligation to take responsibility for their online interactions/activities.
From an industry perspective, such frameworks also encourage collaboration and partnerships between the public and private sectors, for organizations to integrate best practices and align with regulatory standards that aim to minimize risk exposure for everyone involved. This approach not only sets a precedent for proactive security measures, but also fosters innovation within the cybersecurity landscape.
As these frameworks continue to evolve, we are likely to see more industry-driven solutions that align with governmental standards, resulting in an upward trend of regulations that will standardize security expectations across sectors. Over time, the compounding effects of these efforts are expected to yield stronger resilience against scams and cyber threats, as consumers and organizations alike come to understand the interconnected responsibility in securing our digital ecosystem.
CybersecAsia thanks David Chan for sharing his firm’s cyber insights on biometric security with readers.