Exclusive: ‘To catch a thief’ – Omri Kletter, Bottomline and Ralph Echemendia, The Ethical Hacker in “The Paytech Magazine”
Cybercriminals were quick to spot vulnerabilities as millions more transactions were conducted online during the pandemic. So, how should the payments industry respond? We asked Omri Kletter, Global VP for Bottomline’s financial crime and fraud department, and ‘The Ethical Hacker’ Ralph Echemendia.
As the pandemic continues to create uncertainty across the world, fraudsters have been making the most of what they see as a golden opportunity.
Indeed, one study from Javelin Strategy & Research estimated that there has been a 35 per cent rise in global fraud attempts during the outbreak.
Financial institutions shouldn’t rely on regulators to help them tackle this onslaught – according to cybersecurity expert Ralph Echemendia, aka ‘The Ethical Hacker’, the law will be years behind the criminals.
That doesn’t mean banks and other financial services providers are impotent as the threat level rises. In fact, according to Omri Kletter, global VP for the financial crime and fraud department at business payments technology provider Bottomline, while the pandemic has created a unique opportunity for online crime, it’s also handed companies the best weapon to combat it… data.
The rapid global increase in digital payments and online banking has facilitated the collection, sorting and fusing of data into fraud solutions. Armed with this intelligence, smart providers will develop data science teams to unleash its full potential, says Kletter.
Here, Echemendia and Kletter discuss the changing nature of fraud, the importance of people, not just tech, in its prevention, and why data transparency may prove the best way to defeat the problem of cyberfraud.
The Paytech Magazine: Has payments modernisation been matched by equal advancements in fraud prevention?
Ralph Echemendia: There’s been a lot more focus on fraud prevention across the entire banking and transactional community. Regulatory compliance has forced the industry to get better at it. When it comes to technology, machine learning is being used more and more for fraud prevention and overall security. So, it certainly has got better and continues to improve.
Omri Kletter: The bad guys have also advanced dramatically. At Bottomline, we’re seeing singular, or even dual hacking environments, evolve into organised crime. I would even go as far as to say that we are seeing state level [crime]. And that’s a different ballgame.
It’s a call to action for us in the industry. If I think about it from a board-level perspective, if I’m a head of payments or technology, I must make sure that my company invests much more in security because the protection is not against one or two singular hackers – there are much more advanced, serious concerns out there.
We talk a lot about technology, but people are also very important to this. Many more financial institutions are saying ‘we need to build this new paradigm of fraud experts in the organisation’ – dedicated data scientists within the bank.
TPM: What type of new fraud attempts have come about as a result of the pandemic and the increasing use of digital banking by customers?
OK: If there is one thing we’ve learned from this pandemic, as a society, it’s that it’s important to watch what happens in different territories: viruses are without borders, as are fraud and financial crime. So we are working with customers to see what’s happening in datacentres everywhere.
As to what is changing, in these specific times there are basically three types of fraud. First-party fraud, the traditional kind, where the customer is the fraudster; third-party fraud is where the customer is the victim; and the third kind, which is a focus area for us, because we have a dedicated solution for that, is internal fraud, where the employee is the fraudster.
Unfortunately, all of these types of fraud, which can have a catastrophic impact on an organisation, are definitely on the rise – and we can all understand why, because of the stress and distress caused by the pandemic, people working remotely, etc.
One of my best mentors taught me that fraud tends to follow speed, popularity and confusion. So, it’s almost like a play for fraud in the pandemic era. If you think about those three things, we can see what happens if there is a new scheme for a loan application after COVID, for example, where it’s not clear who is doing what.
RE: I can tell you from my research on the dark side of things that [new fraud attempts] are happening but it’s not something that we’re going to feel the impact of until much further down the road. The one area that I think is really taking a hit right now, is the crypto space. I’ve had so many cases where an incredible amount has been stolen in cryptocurrency – because a lot of people have been obviously dipping their toes in the cryptocurrency space over the last few months. It’s alarming as that’s an area that doesn’t really have much, if any, real fraud prevention.
TPM: New initiatives like SWIFT gpi, ISO 20022 and Visa B2B Connect are changing the industry in terms of real-time and straight-through processing. How can banks realistically prevent fraud when payments are going at these speeds, and across different territories, too?
OK: All these changes create a new normal, which makes it harder to profile in real time. We definitely need to adapt to this new normal and, if I were a head of payments or operations, I would be bringing in my fraud and compliance guys much earlier on because we are seeing the benefits of planning in advance. Secondly, there are advances around technology, particularly analytics – our ability to use smart computing and understand each and every transaction. We are heavily investing in machine learning, both supervised and unsupervised. The popularity of ‘let’s do digital payments more and more’ is obviously good for us, to a certain degree, but also a challenge.
RE: As Omri said, so many organisations make the mistake of not including the right human resources early enough in the process, to evaluate what’s truly needed, because, at the end of the day, this is all a matter of risk management. That’s the name of the game here – how do we mitigate and reduce risk? There’s no way we can completely get rid of it, but we can make it work within a certain framework.
TPM: What’s the migration to ISO 20022 specifically going to mean for banks when it comes to fraud prevention? And how critical is it to have clear, transparent data for people to then act on?
OK: ISO 20022 is a data opportunity and fraud detection loves data. One of the biggest challenges today is actually not those cases where someone hacked accounts and pretended to be the customers, they’re cases where the technology used by the bad guys was so sophisticated that the transaction has been authorised by the genuine customer, such as authorised push payment or business email compromise.
Our target, especially in cases of authorised fraud, is not just to understand what happened, but also the intent. If we really modernise our platform and make sure our fraud solution is tightly coupled to it – so that we know how to consume and profile the data – we are then in a better position to understand the intent behind the payment.
RE: The more secretive the data is, the more value it has for criminal use. So, if we had more transparent systems, that data would become less usable by criminal elements. Why should your bank account number be private, when you happily give out your mobile number or email address? If having the account number on its own is enough to commit fraud, we’ve got bigger issues to deal with. The truth is that we still haven’t, on a global scale, come to an agreement on things such as privacy.
OK: I had a meeting with one of the heads of fraud prevention at a Nordic bank recently, and asked him how he worked with competitors on that. He responded: “Omri, my competitors are not the other banks; my competitors are the fraudsters.” I agree with Ralph, that if we want to unleash the full potential of fraud protection, we must think about sharing data between organisations in a much smarter way.