Felicity J Singh is a model citizen. Forty-five years old, she earns $250,000 per annum as a pharmaceuticals executive, she is PTA president at her son’s private school, and has paid off the mortgage of the home in Austin, Texas, where she has lived since 2003.
Except Felicity does not exist. She is a synthetic avatar composed of multiple individuals’ data to create the perfect bank loan candidate. Welcome to today’s world of financial crime — and a challenge that is escalating as Covid-19 pushes our lives increasingly online.
Banks have long had to contend with a daunting array of threats, but the enemy was usually human. Today, criminals are becoming ever more sophisticated, using AI and data science to build new cyber-weaponry that can penetrate even the hardiest financial institution’s defenses.
According to the Financial Stability Institute, “lockdown increases the scope for criminals to exploit vulnerabilities and commit financial crime. The increased online presence of virtually everyone has led to new, and in some cases more naive, targets for online fraudsters.”
To fight back and stay ahead of the criminals, banks need proactive strategies and next-generation security tools, including AI-enhanced data quality for customer due diligence (CDD), dynamic application security testing (DAST) to examine defenses and ensure compliance, and attribute-based encryption for versatile identity and access management (IAM).
Mihoko Matsubara, chief cyber-security strategist at NTT, says focus in the time of Covid-19 must be on securing applications and remote workers. “During the pandemic, financial institutions also had to shift to remote work,” she says. “The challenge is to protect telework IT assets such as online conferencing applications from cyber-espionage.”
NTT DATA deploys NTT’s technological assets — along with decades of expertise serving the financial sector — to build customized, end-to-end solutions that tackle each client’s security challenge’s specific nature and scale.
“The best mousetrap in the world isn’t effective if you have an elephant problem,” says Edmund Tribue, NTT DATA’s risk and compliance practice leader. “We build partnerships that address your unique business model and security needs.”
Tribue is a veteran of the intensifying AI-versus-AI battle between cyber-criminals and financial institutions. The specific theatre is KYC (know your customer), an evolving set of protocols used to assess identity, suitability and risk in a business relationship.
KYC is critical to everything from global remittance flows to partnerships in the new banking paradigm of the digital business platform (DBP).
In one recent case, a global financial services client entered into a segment, acquiring consumer product portfolios. The client found delinquencies rising sharply even though the debt was rated premium. Losses mounted as the client took the bad debt through the collection cycle.
NTT DATA proposed stepping in to carry out “synthetic fraud” AI forensics on the client’s portfolio. Deploying advanced modeling methods such as anomaly detection and pattern recognition, Tribue’s team initially projected that 20 percent of the write-offs were synthetic IDs.
The AI sleuthing saved the client millions of dollars in losses. While it was too late to rake back dud loans, the company was able to reclassify the bad debt as fraud, significantly reducing loan loss provisions for the write-offs.
For decades, corporations have approached digital security by building impregnable walls around computing infrastructure. Many learned a hard lesson: the approach leaves the front door — business applications — wide open to hackers.
“Would you leave your house without locking your front door or bolting the windows?” asks Craig Hinkley, CEO of WhiteHat Security. “Many financial institutions are doing pretty much that. It’s no surprise hackers try to come in and steal everything inside.”
In fact, NTT research finds that 67 percent of cyber-attacks affecting FI businesses targeted web-enabled applications or the systems and tools supporting them.
Click here to download NTT’s latest research: Intelligent Cybersecurity: 2020 technology trends
WhiteHat Security has two decades of experience in pioneering application security systems. The firm was acquired last year as a wholly owned independent subsidiary of NTT as part of a broader strategy to build an ecosystem of best-in-class partners forging synergies under the NTT umbrella.
After securing applications, WhiteHat tests them by acting like a “black hat” trying to break in. The firm is unique in being able to test in production. That means applications are secured in deployment, with zero service interruptions — an advantage in the 24/7 financial industry.
Ensuring compliance is another benefit. WhiteHat recently tested security for a payment card firm with DAST — staging a simulated cyber-attack — and manual business logic assessments. Within months, WhiteHat enabled the client to move from 40 percent data compliance to 100 percent.
In 2005, Brent Waters, NTT research distinguished scientist, and Amit Sahai, a computer science professor at the University of California, Los Angeles, published a paper introducing attribute-based encryption (ABE).
With ABE, policies, not individuals, unlock access. For example, ABE might grant permissions to a financial analyst not because of their ID but because of their “attributes”, which might include working with the CFO or being part of a budgeting group. ABE’s advantage is being simultaneously more flexible and more secure.
Fifteen years ago, such research was largely confined to academia. Today, thanks primarily to NTT’s practical application development, ABE is becoming the new data encryption standard. Last year, the Waters-Sahai paper won the International Association for Cryptologic Research Test-of-Time Award.
Kei Karasawa, NTT’s research vice-president for strategy, spearheads efforts to propel ABE into daily life, bringing “by-products of advanced technologies into the actual market”.
“Ordinary cryptography is just encrypted data and decrypted data, needing a single key,” says Karasawa. “Under ABE, we provide multiple decryption keys for a single encryption.” In the financial industry, that means more security, flexibility, efficiency and utility in encryption protocols.
Ultimately, NTT’s mission is to deliver “proof-of-value”. In everything from client partnerships to R&D projects such as ABE, this goes beyond proof-of-concept to demonstrate how performance, efficiencies and the bottom line are boosted measurably.
“NTT solutions are outcome-based. You can quantify an outcome working with our teams,” says Tribue, adding that there has never been a more urgent time to invest in security outcomes. “The criminals are investing heavily in talent and technology. Are you investing just as heavily in solutions to keep pace? That’s the million-dollar question.”