(Definition: Fraud red team testing is external, third-party testing in which the tester thinks like a fraudster to show how the layers of security can be defeated.)
Look, I ran online security for a US bank for almost two decades. I identified new security risks, found solutions and deployed them. My fraud losses were low. All in all, pretty good. I always felt I was in pretty good shape. Because my fraud losses were low, I watched what I spent and rarely did fraud red team testing. But that was four-plus years ago. What has changed?
- Online account opening has grown dramatically, especially in the Covid-19 environment we have just come out of. At the same time, fraudsters hold stolen identities from years of online breaches, make heavy use of synthetic IDs, and mine massive volumes of stolen US mail for driver's licenses, credit cards, bank account statements, passports and more.
- Financial scams have gone off the chart. The FBI's 2022 IC3 report showed over $8 billion per year in financial scam losses. This includes romance scams, investment scams, Zelle impersonation scams, robocalls and robotexts leading to scams, and so on. Reports in the past 12 months show organized gangs in Asia luring unsuspecting people from various Asian countries to Cambodia and Myanmar for "well-paying jobs," only to hold them captive and force them to work in scam call centers. And as of June 2023, we are hearing that Mexican drug cartels are using English-speaking Mexicans in call center buildings to run financial scams against Americans and Canadians. Those who refuse to keep working for the cartels are brutally killed as a lesson to the others.
- Cyber criminals are joining forces with nation-state actors to commit financial crimes and are becoming quite adept at it. Just this summer, a hardware vendor told its customers to replace their appliances outright because there was no way to fully remove the malware from the compromised machines.
So, these days, no matter how good you are as a fraud manager, even with a strong team, the world is very tough. To survive in it, you need to think like a fraudster and test the edges, just as a fraudster will do to steal your money (fraud) or your customers' money (scams).
It is really important to remember that the team that writes the requirements and develops the code has built-in biases about how a fraudster will act. What you need is an independent person who thinks like a fraudster and tries to crack the flows and controls that have been defined and built. If you are a large enough bank, maybe you can afford such staff in-house. If not, your best option is a trusted third party with experience in red team testing.
In summary, prudent financial institutions should take part of the budget for new products and annual online security maintenance and apply it to fraud red team testing. In practice this testing should also cover call centers and branches, not just the online channel. As fraudsters get more sophisticated and focused, and this is happening now (e.g., billions of dollars in Covid relief funds stolen, scam call centers around the world, use of artificial intelligence for fraud, and even low-tech theft of US mail), online services will remain a lucrative target. This is especially true for finance and eCommerce.
In the next blog, we will talk about red team testing for receiving bank activities.