By Karen Hoffman
Despite being constantly under the gun from attackers, financial institutions on the whole are arguably doing better than companies in other sectors when it comes to IT security. However, that doesn’t mean that they can’t learn a thing or two from other industries.
The online gaming industry is also heavily targeted by cybercriminals because it holds users’ personal and payment information. For this reason, financial firms, gaming companies and their customers are frequently the focus of account takeover attacks and, increasingly, synthetic account attacks. (In a synthetic account attack, cyber-thieves combine information from a host of different accounts to create a realistic-looking, fraudulent account.)
“Master fraudsters that typically attack gaming companies are now targeting financial institutions as well,” said Kevin Gosschalk, founder and CEO at Arkose Labs. So-called “master fraudsters” are more persistent attackers who “script together multiple tools, use fraud farms and are willing to invest more time and money to bypass defenses,” said Gosschalk.
Gosschalk said that the types of attack vary, but most banks primarily deal with account takeover attacks, application fraud, and a small percentage (about 9%) of synthetic account attacks. In the metaverse, though, financial firms and gaming companies are seeing a growing percentage — 30% growth in recent months — of synthetic, or fake, account attacks, according to Gosschalk.
With the volume of synthetic accounts growing at such a rapid pace for online companies, Gosschalk said that, “banks will have to adapt fraud prevention strategies quickly to deter volumetric attacks.
“Synthetic accounts are extremely difficult to detect and deter because they appear like genuine consumers,” Gosschalk continued. “Banks must develop the ability to defend against this type of attack now, so that they’ll be ready to protect their consumers’ online accounts later.”
Jeff Wheat, chief technology officer of Lumu, pointed out that in the gaming industry “the threat at a business level is the risk of taking too many wagers on one side of a bet or the other.
“They constantly assess this risk and react in the form of updating the ‘odds’ on the bet,” Wheat said. “This constant assessment is key to their financial security.”
Similarly, financial institutions “must constantly assess the level of compromise within their organization,” Wheat said. “From a network security perspective the gaming industry does a good job of segmenting their internal networks — to move the crown jewels to the center of the castle and protect financial assets with layered defenses.”
“To do this, financial institutions also must understand what they are protecting or ‘labeling’,” Wheat added, “and monitor critical elements constantly and with a higher priority.”
As fraudsters hone their techniques, financial institutions are dealing with increasing volumes of traffic that are difficult to categorize as “good” or “bad,” according to Gosschalk.
Rather than piling on additional layers of threat scores or slowing down users with out-of-band authentication, financial institutions need robust secondary screening delivered directly within the normal user workflow, Gosschalk added.
Just like gaming companies, “banks investing in the metaverse must put a premium value on trust and safety at account login, registration and in-platform actions to protect avatar identities in their virtual worlds,” he said.
That means that U.S. financial institutions “are going to have to exercise new cybersecurity muscles to operate in the metaverse,” Gosschalk said. “With that understanding, as banks build and deploy their metaverse strategies, they can build controls specific to the types of attacks they will most likely encounter in the metaverse.”
How banks can practice cybersecurity in the metaverse, according to Kevin Gosschalk, founder and CEO of Arkose Labs
As banks begin to explore the metaverse, they must rethink their cybersecurity posture in order to protect customers in the virtual world. To stay ahead of fraudsters, banks should look to gaming companies like EA, Blizzard and Roblox, which are pioneers of this new digital territory, to understand cybersecurity best practices.
- Sophisticated cybercriminals: Metaverse attackers script together multiple tools, use fraud farms, and are willing to invest more capital to bypass defenses. Banks investing in the metaverse must put a premium value on trust and safety at account login, registration, and in-platform actions to protect avatar identities in their virtual worlds.
- Younger targets: Banks need to be mindful that metaverse users are likely much younger than the traditional customer banks are used to. As the metaverse is adopted by an increasingly younger generation, the expected authentication methods will be very different compared to where we are today with passwords, OTP, and the like.
- New attack techniques: Most banks are unprepared for the surge in synthetic account attacks in the metaverse (up 30% compared to 9% in the real world). Synthetic identities are extremely difficult to detect and deter, because they appear like genuine consumers in the virtual world. In addition, the volume of synthetic accounts that exist is massive for metaverse companies – so banks will have to adapt fraud prevention strategies quickly to deter volumetric attacks.