The finance world may still have concerns after it was revealed that British Airways (BA) was victim to a two-week long hack that resulted in 380,000 payments being compromised in August. And while everyone might be on high alert today for how fraudsters
will use this data trove, the real risk may come further down the line.
The hackers used “very sophisticated” methods to get between the front end services and back end payments environment, allowing them to
copy customers’ data as they were typing it into the website, rather than stealing it from a database. The incident compromised critical data, including names, email addresses and credit card information, including very sensitive CVV codes.
Financial institutions are peppered daily by attempts to use stolen information, much of which is available on the dark web in marketplaces that sell pilfered personal data at relatively little cost. And in the case of the BA hack, that's what will likely
happen. To combat this, BA has offered victims access fraud prevention services for the next year. The problem is, the personal details exposed in this latest incident will be compromised long after the next 12 months.
Fraudsters understand how anti-fraud rules work and they have a great comprehension of the measures put in place to stop them. In this instance, the hackers know that lenders will be on high alert and more vigilant in light of the well-publicised attack,
so they'll simply bide their time. The stolen information will be worth even more in months to come, when the red alert subsides.
For example, in 2016 it was found that O2 customer data was being sold by criminals on the dark web. But the data was almost certainly obtained by using usernames and passwords first stolen from gaming website XSplit three years beforehand. Often, online
fraud is best served cold.
The amount of rich data compromised in the BA hack (particularly the card details) combined with the fact that it’s in the hands of savvy fraudsters who understand the workings of how lenders combat fraud, mean that identifying any fraudulent event from
a genuine one won't be easy. Some financial institutions may block any perceived at-risk cards immediately, or they may mark them as high risk and manage a re-issue over time; either way it’s a costly process, for both the victim and the issuer.
That’s why more banks and lenders are turning to adaptive behavioural fraud prevention system. These AI-driven systems recognize an individual's unique behaviours in situational context, can protect customers in a world where this particular hack will become
By using these analytics, smart systems can ‘learn’ who you are and what your normal behaviour looks like to spot an anomaly, such as if someone else is using your card and personal information. AI can now identify you by your behavioural patterns, your
habits – even how you typically interact with a web page like your online banking portal – to create a profile of you.
While we don't know how many of the 380,000 users who were affected by the BA hack will fall victim to an attempted fraudulent event in the future, we
do know that it's an inevitability and it’s up to the financial institution to innately understand the individual's profile and then use that as a benchmark to detect fraud, or to rely on updated rules that are designed in response to known threats.
The former approach outpaces fraud, while the latter only reacts to it. As fraudsters bide their time and play the long game, the fintech sector has to match their guile and get out in front of them as soon as possible.