CyberNews Interview: Online businesses that handle money will be a target

Feeling like doing some quick online shopping through an attractive ad or signing up for a lucrative deal with a bank? Be wary: cybercriminals are lurking to exploit your personal information by setting up fraudulent pages.

Even though many e-commerce businesses are already choosing premium web hosting services with advanced security solutions to protect their customers, hackers still seem to be one step ahead.

Now, they create fraudulent online banking login pages to lure users and employees into revealing their passwords or even opening up new bank accounts with synthetic credentials to launder money.

Recently, we talked with the CEO and Co-Founder of Castle, Johan Brissmyr, who explained the most common fraud methods and how businesses can protect themselves without compromising the user experience.

Can you tell us a little bit about what you do? How did Castle originate?

Castle was founded in 2016 by me (Johan Brissmyr) and Sebastian Wallin – with the goal to protect businesses from fraud. Over time that simple idea morphed into what Castle delivers today, which is a combination of device fingerprinting, behavioral risk signals, and analytics. We also believed in a product-first experience that companies of all sizes could use.

Which red flags indicate that someone else has taken over a user’s account?

Typical red flags are that a user is on a new device and something about their location or behavior doesn’t look right. We look at hundreds of behavioral signals to assess whether a particular user interaction is suspicious. For example,  whether a device is being spoofed or if the IP address is in a data center.

Our machine learning models summarize the risk a user possesses with a  score from 0 to 100. Then, you can take action depending on the received score and do things like challenge users with a pin code or reject their login attempts.

How can online businesses ensure security without compromising the user experience?

There is tension between locking a site down and providing a low-friction customer experience. With Castle’s risk-based approach, you can do both.

Low-risk users can be sped through the login or signup process, while higher-risk users can be put through a verification flow or extra manual scrutiny.

Did you notice threat actors using any new techniques during the pandemic?

We’ve seen several new developments come out of the pandemic. First, there’s been a lot of data reported about the rise of online fraud. We’ve definitely seen this in the market, as it seems like almost every online company is experiencing attacks or fraud of some sort.

As for new types of attacks, we started seeing more mule accounts, where someone signs up for an account with stolen or synthetic credentials, goes through a Know Your Customer (KYC) process, and then sells the account to a third party. Castle has a risk signal called the Impossible Travel that started noticing such accounts more frequently.

What security risks do business owners often fail to take into account when launching their website?

We think the biggest thing businesses overlook is how to prevent unwanted or malicious users. Unfortunately, too much emphasis is placed on downstream monitoring for when the fraud occurs, but at that point – the damage has already been done.

When talking about online fraud, account takeover (ATO) is probably the most common type of attack. Can you tell us more about how its specifics?

There are many categories of fraud and abuse, and certainly, ATOs are one of the most common. This is when someone’s password has been obtained by a bad actor, which can happen in many ways – social engineering, stolen password databases, or even brute force guessing.

The dark web is full of password lists for sale, and at this point, most professionals don’t believe passwords alone are enough to take over an account.

Unfortunately, once someone else has your password, they can access your account as if they were you, which is normally not going to end well.

Both the individual and the company are impacted by this type of fraud, which is why it’s so important for companies to protect against this attack vector.

Besides ATO, what other fraud methods are prominent today?

There are dozens of categories of fraud, but there are the two that seem to be fairly prominent today.

The first one is synthetic identity fraud, when an online identity is created and nurtured over some time to appear to be real even when it’s not.

With enough fake history, a synthetic identity can be used to obtain a loan which for example, would never be paid back.

The second type of fraud that is always on the rise is credit card chargebacks. The existing solutions in the market did a decent job at protecting e-commerce companies from stolen credit cards for years. However, criminals have gotten smarter and better at evading detection. So, you have to go beyond simply looking at the payment method and order details to detect fraud.

In your opinion, which organizations are a high target for fraudsters and should implement proper security measures as soon as possible?

Any online business that handles money is going to be a target for sure. We’ve all seen the news stories of high profile crypto-exchanges having account takeover problems. But really, we see companies from all industries experience fraud.

And finally, what’s next for Castle?

We’re really excited about the future because the problem of online fraud is already big and getting even bigger. In particular, we see how many of our customers are building a cobbled-together solution on their own to manage all the various aspects of discovering, investigating, and mitigating fraud. We think there’s an opportunity to provide a single platform to help with this, and that’s what we intend to do.

by Anna Zhadan, cybernews