Fintechs are facing a ‘dystopian future’ of software fighting software, which threatens major disruption later this year.
In the software marketplace, Software-as-a-Service (SaaS), where software is supplied online to businesses on a subscription basis, has become endemic.
Now, in 2022, financial criminals are taking this concept to a new level with Fraud-as-a-Service.
Fraud-as-a-Service (FaaS) is a process by which tools and services are made available to bad actors online to facilitate fraudulent activity.
“Just as fintechs deploy SaaS to run and grow their businesses, so these bad actors are deploying web-based FaaS tools and tactics to commit financial fraud on an unprecedented scale – with little or no risk to themselves,” explained James Brodhurst, Principal Consultant at Resistant AI.
So, what does this new, dark underbelly of fraud look like in 2022? And what are the challenges facing fintechs as they attempt to fight this new generation of fintech-focused cybercriminals?
Financial crime upscaled
The first thing to understand is that FaaS is not an isolated fraud activity but widespread financial crime on a scale not seen before, stressed Brodhurst.
“FaaS is enabling cybercriminals to gain easy, fast – and, arguably, cost effective – online access to the sort of data, tools and analytics used by the very fintechs they are attacking, but for their own criminal ends,” he said.
In the words of Levi Gundert, SVP of Recorded Future, speaking at a recent webinar on FaaS in 2022: “Fraudsters continue to be very clever and, where there is money to be made, they are looking for weak spots to exploit.”
“Whether it is Covid-19 relief funds, or cryptocurrency exchange thefts of millions of dollars, there is a real incentive for cybercriminals to find new methodologies that work,” Gundert said.
FaaS is undoubtedly one of those methodologies, Brodhurst stressed.
“Criminals recognise that, once you can steal money in the cyber fraud market using easily accessible tools on the Internet, there is less incentive to participate in other nefarious activities, such as drug dealing, where the risks are a thousand times greater.”
With everything moving into the digital space, identities are becoming rich sources of income for cybercriminals.
FaaS enables criminals to buy and then exploit these identities and use them for fraudulent purposes, for example by hacking into credit card data.
“Cardholder information is one of the hottest areas of FaaS, enabling criminals to overwhelm financial systems with bad traffic and complete fraudulent transactions,” said James Brodhurst, Principal Consultant at Resistant AI.
But FaaS is also becoming increasingly prevalent in financial apps, an example of which is Apple Pay, generally regarded as a super-secure way for consumers to make payments.
“The problem is, when you introduce something that you think is super-secure, suddenly you have huge potential for fraud. Why? Because people actually onboard existing legacy cards onto the Apple Pay app, with the potential of turning payment fraud into application fraud,” Brodhurst explained.
There is a significant increase in the use of ‘robotic identities’.
These are either robots based on the identities of real people, or they are synthetic, which means that the level of security in the onboarding process is so low that you can onboard someone who doesn’t even exist.
“Given that there are approximately 200 different legal systems globally, it can be incredibly difficult to have a totally secure onboarding process for a worldwide service, which opens up further opportunities for criminal exploitation using FaaS,” Brodhurst continued.
A dystopian future
Today, the fintech sector has AI-based onboarding systems on one side and robotic identities, powered by scripted behaviours or AI, on the other side.
“With all these different automated steps in the onboarding process, once the bad actors have found a deficiency in that process they can use FaaS to attack at scale,” Brodhurst noted.
“The types of crime fintechs have to fight now are completely different from what we have seen in the past. I believe that what we are looking at is a ‘dystopian future’, where software is fighting software,” he added.
“In my view, we have reached a point where regulatory regimes really need to catch up with FaaS-based threats in the fintech sector,” said James Brodhurst, Principal Consultant at Resistant AI.
“AI and machine learning are definitely needed to take on these threats – and fight the cybercriminals at their own game.”
Brodhurst said fintechs need the ability to process and monitor each interaction for behavioural anomalies, an approach he called real-time forensics.
“By hunting for criminals while they develop their attack strategy, fintechs’ underlying systems can be protected from new threats before any damage can occur,” he concluded.