17th March 2020 | Mansfield Thomas | Security Officer

Banking Fraud: The Importance of Safeguarding Personal Data

In 2017, in the US alone, an estimated 16.7 million people were victims of identity fraud resulting in $16.8 billion in losses according to a report published by the financial consultant group Javelin Strategy & Research.1

In 2018, cybersecurity firm 4iQ reported 14 billion identity records were circulating amongst cybercriminals with 3.6 billion of those identified as being new2. Unfortunately, data breaches can affect anyone, from social media users3 to National Aeronautics and Space Administration (NASA) employees4 and 2018 saw the highest number of breaches to date with a confirmed 12,449 having occurred (an average of about 34 a day).5 The news isn’t all bad, however, as additional means and methods of safeguarding personal data become available to the consumer and corporations daily.

The Need to Safeguard Personal Data

The US National Institute of Standards and Technology (NIST) defines personal data or personally identifiable information (PII), as “Information which can be used to distinguish or trace the identity of an individual (e.g., name, social security number, biometric records, etc.) alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual (e.g., date and place of birth, mother’s maiden name, etc.).”6

While unfortunate, it is necessary for individuals to entrust this information to others in order to accomplish anything in modern times. Whether applying for a bank account, signing up on a social media website, creating a new email address, or even just setting up a newly purchased mobile device, users must share their personal data to identify themselves in order to enable the service or product. This transmission and storage of data, however, creates an opportunity for malicious actors, or cybercriminals, to steal improperly secured data and use it for fraudulent purposes. 

Whether committing credit card fraud, sending phishing attacks, or even just compromising the security of an online account as part of a larger advanced persistent threat (APT), an individual’s data enables cybercriminals to carry out a wide variety of malicious actions. How personal data is handled and stored both by individuals and corporations is important for protecting the individual as well as for maintaining a safer cyberspace. By safeguarding personal data, users and corporations are taking away the tools that enable cybercriminals to launch a wide variety of attacks against many different targets thus making the cyberspace not only more secure for themselves, but for other users as well. 

Additionally, while the average cost of identity theft is rising,7 consumers must also consider the non-monetary costs incurred when their personal data is compromised. On average, it takes a normal individual six months and between 100-200 hours of work to recover from identity theft.8 Also, identity theft victims must take into account the impact of the fraudulent actions on their credit score. 

How Companies can Safeguard Personal Data

With the European Union and additional nations around the globe recognising the need to protect their populaces’ personal data and implementing regulations to obligate corporations and entities to do so, companies are fortunate to have a wide variety of means to comply at their disposal. When evaluating which courses of action to take to secure theirs and customers’ data, companies must keep in mind the Confidentiality, Integrity, and Availability (the CIA triad) of the data being stored and processed. Firstly, and obviously, the data should be stored and processed in a way that ensures only the appropriate persons, both externally and internally, have access to the data. Secondly, companies must ensure that the data remains unaltered an accurate as well as available to the appropriate departments in order to continue business operations. Additionally, companies must consider the three states of data, which include data at rest, data in transmission, and data being used. So, with these criteria in mind, how do companies actually safeguard data?

Data encryption is the first solution that usually comes to mind as it is one of the oldest and most widespread methods of data protection with many different types of encryption technologies available. In a nutshell, data encryption works by converting data, sometimes referred to as “plaintext”, through the use of algorithms and encryptions keys, into an encrypted, indecipherable form, known as “ciphertext”. Essentially, it’s a much more complex version of the decoder ring you might have gotten in a box of breakfast cereal as a child. The ring itself can be likened to the data encrypting algorithms and the encryption keys to the ring’s settings. The data, once encrypted, if leaked or otherwise compromised, is unintelligible gibberish without the encryption key needed to decode it. To go back to the decoder ring example, if the entity viewing the ciphertext doesn’t have the encryption key e.g. if they don’t know that “A=1, B=2, et cetera”, then the data is of no use to them. 

Another newer method of data protection involves machine learning and behavioural analytics. With this method, specific software is deployed to analyse how a company uses its data. The software collects information such as how often files are accessed, by which users, and at what times. It examines the length of time that files are kept open, whether the files are frequently edited, and many other metrics with which it then uses to create a baseline behaviour profile. Once a baseline has been established, any deviations or abnormalities from what is seen as standard data usage is flagged and examined. For example, if a certain spreadsheet is only accessed by a certain group of people during business hours, and then one time is accessed outside of business hours from a user not in the normal group, the software would flag the interaction based on those two abnormalities. It would then provide an alert to the security/IT department so the incident could be reviewed and determined if the action was malicious, or just an employee working late helping the normal user group.

There are a multitude of other methods that companies can employ to secure their data and, in any case, there is no singular solution that can be used to guard against the wide variety of cyber-attacks that exist in today’s cyberspace. Successful companies have learned, the best cyber defense combines a wide variety of policies, software, employee trainings, network segregation, and other industry best-practices, all organised and governed under one framework.

How Consumers can Safeguard Personal Data

While companies should be, and are, held responsible for the protection of their clients’ data, it is also the responsibility of the individual to safeguard their personal data. In the same way one might lock the door to their home before going out shopping, the modern individual must so to learn to protect their digital assets. Since we have already discussed common cyberattacks in previous articles,9,10,11 let’s take a look at some of the more unorthodox methods of safeguarding personal data.

One of the simplest precautions an individual can take is to protect their social media accounts. Accounts’ settings should be adjusted so that only friends of the user are able to view the individual’s profile and information. Likewise, users should not accept friend requests from persons they don’t know or from accounts they are not 100% sure are owned by friends. A major step in conducting phishing/social engineering attacks is researching the target before carrying out the attack, similar to how a military unit would conduct reconnaissance before carrying out an operation. The more information about an individual the attackers can glean, the easier it is for them to pose as a known or trusted person and the greater the probability the attack will be successful. 

Another excellent practice which is fairly low-tech, and requires only a small investment, is the shredding of all written correspondence. The cost of personal paper shredders has massively decreased over the years and a good, cross-cut or micro-cut shredder can be purchased for under £50.12 While less popular, given the rise of paper-less billing, in cities there are still criminals who dig through bins looking for others’ mail. Bills, bank statements, old insurance forms; these all contain sensitive personal information such as account numbers, addresses, phone numbers, and other information which can be used to commit fraud or sold to others looking to commit identity theft.13

While it’s common sense not to enter personal data whilst using public computers (e.g. library computers or at an internet café), what about whilst using public wifi? Most restaurants, cafés, and shops offer free wifi to their clientele, but is it safe to use? The answer is a resounding “not really.” As witnessed with the DarkHotel14 attacks as well as a series of others, it is common practice for cybercriminals to compromise businesses’ free wifi and then monitor all network traffic that connected devices transmit and receive. While it’s a better idea just to use one’s own personal mobile data, VPNs or Virtual Private Networks, offer a secure solution for users wanting to connect to free wifi during their travels. A virtual private network, like the name implies, is a network that exists only on the user’s device and establishes a private connection over a public network. To put it another way, it’s like having a secure tunnel that can take the user anywhere in the cyberspace and cannot be penetrated. Most VPNs offer encryption additionally and fortunately, due to their increasing popularity, there exists a wide variety of both free, and pay-to-use services that individuals can choose from based on their needs.

The Future of Data Protection

As time marches on, the data protection solutions employed today, will become obsolete with the advent and evolution of new and existing technologies. New controls employed by corporations such as behavioural analytics will become commonplace and employed on personal mobile devices and eventually be replaced as necessitated by a future threat environment. It is up to both corporations and the individual to stay abreast of current trends and invest in the new technologies needed to protect the personal data that cybercriminals seek to obtain. As owning an automobile integrated into global culture in the early 20th century, so too must cybersecurity integrate into our daily lives and modern culture.