Cybersecurity: computers or humans – where does the threat lie?
Digitalisation plays a key role in the fight against payment fraud. Yet Commerzbank’s cybercrime specialists in cash services show that even in this technologically advanced environment, security threats persist. Companies must take steps to ensure that human beings – as well as computers – are protected against crime.
Cybersecurity is a top priority in the modern corporate sphere. Companies can now count on an arsenal of tools – including digital signatures, paperless invoices and powerful new methods of authentication – to keep their cash management and payment transaction infrastructure more secure than ever.
But there’s a catch. As fraudsters find these highly advanced computer security systems ever more difficult to penetrate, they are instead turning their attention to attacks at the human level. The digital age has presented the challenge of “social engineering”: that is, the deception of companies’ staff members with confidence scams in order to garner sensitive information used to siphon funds.
If companies are to mitigate the risk of social engineering, they must remain aware of the threats before they materialise, and check that their everyday behaviour and business practices do not offer scammers an easy way in.
But companies must also make sure they communicate, and remain well-connected, with their banks – those able to help in the event that fraud strikes.
Corporate security has ramped up in the digital age
Digitalisation has contributed greatly to corporate financial security over the past years. This is largely because sensitive personal and financial information is better safeguarded by ever-stronger digital systems.
Electronic invoices and digital signatures, for example, have been vital in combatting financial crime. While a written signature is easily forged, a digital signature is computed over the content of the document with a key only the signer holds, so it cannot simply be lifted from one document and attached to another. And whereas a stolen password alone poses a considerable threat, two-factor authentication (two independent pieces of evidence, e.g. a password plus a single-use code derived from the transaction data itself) better protects against unauthorised sign-off of transactions. For instance, newer smartphone authentication apps scan an encrypted, barcode-like image shown by the banking application and return a code that is only valid for that particular transaction.
The digital age also brings faster communication flows, which reduce the opportunity for outside interference by shortening the window in which a payment can be intercepted or altered. For instance, with agile, web-based multi-banking applications, corporate customers can swiftly manage accounts and payments, with the traffic protected by the encryption and electronic-signature requirements defined by the Electronic Banking Internet Communication Standard (EBICS).
In fact, according to some estimates, businesses that have moved to digitally secured payment and transaction infrastructure are only one tenth as likely to be hit by fraud as those still using paper-based methods.
Risks are still out there
Corporates may feel relatively safe behind these walls of digital security. But threats still remain. Often, the weak link in security is not digital, but human.
The reason is that, in the face of diverse, complex and robust security systems that are increasingly difficult and expensive to hack, fraudsters are turning their attention away from companies’ computers and towards their employees.
This means that the most common risk faced today is what is known as “social engineering”: a scammer inserts themselves into the company’s communications as a so-called “man in the middle”, using confidence tricks to glean sensitive financial information from staff and to manipulate them into unwittingly approving or altering fraudulent transactions.
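The transaction-bound single-use code mentioned under two-factor authentication above is what limits what a “man in the middle” can do with an intercepted approval. The following is an added illustration written for this page, not Commerzbank’s photoTAN or any bank’s actual product: the `Payment`, `transaction_code`, `BankServer` and `demo` names, the device secret and the IBANs are all constructed for the example. It shows that a code generated for one payment cannot authorise a payment whose beneficiary was swapped in transit, and cannot be replayed.

```python
"""Transaction-bound one-time code (TAN-style), as an added example.

Not any bank's real scheme: names, secret and sample payments are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Payment:
    beneficiary_iban: str
    amount_cents: int
    reference: str

    def canonical(self) -> bytes:
        # Fixed field order and separator: device and bank must hash identical bytes.
        return f"{self.beneficiary_iban}|{self.amount_cents}|{self.reference}".encode()


def transaction_code(device_secret: bytes, payment: Payment, counter: int, digits: int = 6) -> str:
    """HMAC-SHA256 over the payment data and a per-device counter, truncated
    to `digits` decimal digits (dynamic truncation in the style of RFC 4226)."""
    msg = payment.canonical() + b"|" + counter.to_bytes(8, "big")
    mac = hmac.new(device_secret, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


class BankServer:
    """Holds each user's device secret and counter, and verifies the code
    against the payment the bank actually received, not the one the user saw."""

    def __init__(self) -> None:
        self._secrets: dict[str, bytes] = {}
        self._counters: dict[str, int] = {}

    def enrol(self, user: str, device_secret: bytes) -> None:
        self._secrets[user] = device_secret
        self._counters[user] = 0

    def authorise(self, user: str, payment: Payment, code: str) -> bool:
        expected = transaction_code(self._secrets[user], payment, self._counters[user])
        if not hmac.compare_digest(expected, code):
            return False            # wrong code, tampered payment, or replay
        self._counters[user] += 1   # each code is single-use
        return True


def demo() -> dict[str, bool]:
    """Legitimate approval, an in-transit beneficiary swap, and a replay."""
    # Constructed secret; in practice provisioned to the app at enrolment.
    secret = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
    bank = BankServer()
    bank.enrol("alice", secret)
    device_counter = 0

    # 1. The employee approves the payment exactly as shown on the device.
    invoice = Payment("DE89370400440532013000", 125_000_00, "Invoice 4711")
    code = transaction_code(secret, invoice, device_counter)
    device_counter += 1
    legitimate = bank.authorise("alice", invoice, code)

    # 2. A fresh code is generated for the same invoice, but the beneficiary
    #    is swapped before the order reaches the bank (the "man in the middle").
    code2 = transaction_code(secret, invoice, device_counter)
    device_counter += 1
    diverted = Payment("DE02120300000000202051", 125_000_00, "Invoice 4711")
    tampered = bank.authorise("alice", diverted, code2)

    # 3. The first, already-consumed code is replayed for the original payment.
    replayed = bank.authorise("alice", invoice, code)

    return {"legitimate": legitimate, "tampered": tampered, "replayed": replayed}


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would want. First, the scheme only helps when the device shows the employee the real beneficiary and amount and the employee checks them; if the scammer has already talked the employee into approving the diverted payment as displayed, the code is computed over the fraudulent details and verifies cleanly, which is exactly the human weak link the article describes. Second, the toy counter falls out of step after a rejected attempt (device at 2, bank at 1 in the demo); real deployments verify within a small look-ahead window and resynchronise.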
Social engineering in practice
So, how does it work? A range of known types of social engineering attacks can help explain…
This is an excerpt. The full article is available in the February 2017 edition of Banking Technology.