Secure Payments Aren’t So Secure Anymore


Posted on by Robert Ackerman

The vast majority of adults pay bills regularly but seldom think about the payments industry writ large. However, more than a third of all outlays in the nearly $2 trillion payments industry in the United States are made online, continue to grow rapidly, and are a critical part of the nation’s infrastructure.

Predictably, the payments industry is on alert—as citizens should also be—about the rise in cybersecurity incidents, a problem that escalated sharply during the pandemic. Still, more people have become familiar with online transactions and continue to rely on them.

A study by J.P. Morgan found that more than 70 percent of organizations have been victims of payments fraud attacks in recent years. The ASEE group, an international producer of software solutions for business payments, says that business payment fraud, which has risen to about $20 billion a year worldwide, will experience a tenfold increase by the end of 2025.

Large retailers and other companies have been fighting the growth in cybercrime, liberally leveraging, among other things, automation and artificial intelligence. But there are far more malicious actors out there post-pandemic, which further compounds third-party vendor risk. Vendors are appealing targets because they are commonly small businesses lacking the security resources of large companies.

These risks notwithstanding, it’s true that digital payments are typically more secure than offline payments. Paying for items with physical cash or credit cards requires customers to carry these items on their person, possibly exposing themselves to robbery and, in the case of cash, permanent loss. Retail sellers, meanwhile, keep physical transactions on their premises, also potentially making their store the target of a robbery.

In contrast, digital payment funds are immediately and automatically transferred to the merchant’s bank account, removing possible on-premise threats and placing monetary transfers behind tight security.

Still, this isn’t to say that digital payments don’t have security risks as well. Cybercriminals are quite adept at stealing emails, passwords, and credit cards, and they readily succeed at online theft. Cryptocurrencies—another relatively recent payment methodology—have also been the victim of increasing theft.

Last year, more than $1.6 billion worth of cryptocurrency was stolen from users, according to blockchain data platform Chainalysis. Among the victims was now-bankrupt FTX, which at its July 2021 peak was the third-largest cryptocurrency exchange. The biggest category of cryptocurrency theft targets so-called blockchain bridges, which allow consumers to swap crypto from one blockchain to another and which make it easier for skilled hackers to find security weaknesses in one blockchain or the other.

Like FTX, many cryptocurrency companies have gone bankrupt or have frozen withdrawals and announced layoffs. According to TurboTax, the total market capitalization of the global cryptocurrency market, which peaked at more than $2.9 trillion in November 2021, now stands at only $800 billion. Currently, no centralized authority resolves security concerns, a whopping oversight. Lawmakers in Washington have discussed changing this, but no definitive action has been taken at this time.

The two biggest risks in mainline online business payments are third-party risk and so-called business email compromise (BEC).

Ever more companies are relying on third parties to handle critical business functions in an effort to reduce costs and increase efficiency. Companies that fail to take the time to vet third-party vendors before establishing a business relationship can easily create layers of additional risk. Moreover, many third-party vendors are increasingly outsourcing their own functions to external parties, creating fourth- and fifth-party risks. Companies on top of these threats make a point of vetting vendors before onboarding and are increasingly incorporating risk management into their contracts. They also minimize third-party access privileges and regularly prioritize security audits that include external sources.

BEC refers to scammers who try to trick employees into sending them money or confidential information, typically by impersonating company executives. Companies can control this by making employees aware of last-minute email account address changes and by encouraging them to challenge suspicious requests. Firms also should employ anti-phishing protections, such as available software that analyzes the content and context of emails using machine learning models that help to determine malicious activity by detecting changes in patterns and behaviors.

In addition, to at least mitigate all manner of hacker attacks, companies should also consider two key steps: implementing biometrics as the default form of authentication and adopting new security measures to reduce brute force attacks, which account for a stunning 80 percent of attacks on web applications.

There have been a number of false starts with biometrics in the past, but improvements in recognition accuracy and growing consumer comfort with the technology suggest things will be different this time around. Increasingly, companies realize that digital identities are far more secure than too-easy-to-penetrate passwords.

As for mitigating brute force attacks, companies should prioritize locking out accounts after two failed password attempts for at least an hour each—or injecting random pauses when checking a password. Pauses lasting only a few seconds will usually deter hackers, who in this case rely heavily on volume to penetrate apps, but they are unlikely to bother most legitimate users—and hence should be effective.
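The two controls above, lockout after a fixed number of failures and a random pause on every password check, are easy to get wrong in practice (checking the lock after the pause, or letting unknown usernames answer faster than real ones). The following is an added example, not code from the post or from any product it mentions; it uses the post's policy values (two failed attempts, one-hour lockout, pauses of a few seconds) and its own invented names such as `LoginThrottler` and `attempt`. The clock and sleep functions are injectable so the behavior can be exercised without actually waiting an hour.

```python
"""Login throttling as described in the post: lock an account after a fixed
number of failed password attempts and inject a random pause into every
password check so that high-volume guessing becomes impractical."""
import hashlib
import hmac
import os
import random
import time
from dataclasses import dataclass

# Policy values taken from the post; the constant names are this example's own.
MAX_FAILED_ATTEMPTS = 2          # lock after this many consecutive failures
LOCKOUT_SECONDS = 60 * 60        # "at least an hour"
MIN_PAUSE_SECONDS = 1.0          # "pauses lasting only a few seconds"
MAX_PAUSE_SECONDS = 3.0
PBKDF2_ROUNDS = 100_000


def make_record(password: str) -> tuple[bytes, bytes]:
    """Return (salt, PBKDF2-SHA256 hash) suitable for storing a password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: float = 0.0    # clock value after which login may be retried


class LoginThrottler:
    def __init__(self, users, clock=time.monotonic, sleep=time.sleep, rng=None):
        self._users = users                  # username -> (salt, hash), constructed by caller
        self._state = {}                     # username -> AccountState
        self._clock = clock                  # injectable so tests need not wait
        self._sleep = sleep
        self._rng = rng or random.SystemRandom()
        # Dummy record so an unknown username costs the same work as a real one,
        # which keeps response time from revealing which accounts exist.
        self._dummy = make_record(os.urandom(16).hex())

    def _verify(self, username: str, password: str) -> bool:
        salt, expected = self._users.get(username, self._dummy)
        actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        # Constant-time comparison; unknown users always fail.
        return hmac.compare_digest(actual, expected) and username in self._users

    def attempt(self, username: str, password: str) -> str:
        """Return "ok", "bad_password" or "locked" for one login attempt."""
        now = self._clock()
        state = self._state.setdefault(username, AccountState())
        # Random pause on every attempt, including ones against a locked account,
        # so a guesser cannot skip the delay by hammering a locked name.
        self._sleep(self._rng.uniform(MIN_PAUSE_SECONDS, MAX_PAUSE_SECONDS))
        if now < state.locked_until:
            return "locked"
        if self._verify(username, password):
            state.failed_attempts = 0
            return "ok"
        state.failed_attempts += 1
        if state.failed_attempts >= MAX_FAILED_ATTEMPTS:
            state.failed_attempts = 0
            state.locked_until = now + LOCKOUT_SECONDS
        return "bad_password"


if __name__ == "__main__":
    # Constructed demo user; the real pauses apply here.
    throttler = LoginThrottler({"alice": make_record("correct horse battery")})
    for guess in ("wrong", "wrong again", "correct horse battery"):
        print(guess, "->", throttler.attempt("alice", guess))
```

Two design points worth noting: the pause is applied before the lock check, so locked accounts do not answer faster than live ones, and unknown usernames go through the same hashing work as known ones. A per-account lockout like this can also be triggered deliberately against a legitimate user's name, so deployments normally pair it with per-source rate limiting and a monitored way for the user to recover access.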


Contributors
Robert Ackerman

Founder/Managing Director, AllegisCyber, AllegisCyber Capital

Technology Infrastructure & Operations

Tags: secure payments & cryptocurrencies, identity theft, supply chain, data security, phishing, security awareness

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
