Blog article
See all stories »

The Sting in the Long Tail of Cyber Hacks

The finance world may still have concerns after it was revealed that British Airways (BA) was victim to a two-week long hack that resulted in 380,000 payments being compromised in August. And while everyone might be on high alert today for how fraudsters will use this data trove, the real risk may come further down the line.

The hackers used “very sophisticated” methods to get between the front end services and back end payments environment, allowing them to copy customers’ data as they were typing it into the website, rather than stealing it from a database. The incident compromised critical data, including names, email addresses and credit card information, including very sensitive CVV codes.

Financial institutions are peppered daily by attempts to use stolen information, much of which is available on the dark web in marketplaces that sell pilfered personal data at relatively little cost. And in the case of the BA hack, that's what will likely happen. To combat this, BA has offered victims access fraud prevention services for the next year. The problem is, the personal details exposed in this latest incident will be compromised long after the next 12 months.

Fraudsters understand how anti-fraud rules work and they have a great comprehension of the measures put in place to stop them. In this instance, the hackers know that lenders will be on high alert and more vigilant in light of the well-publicised attack, so they'll simply bide their time. The stolen information will be worth even more in months to come, when the red alert subsides.

For example, in 2016 it was found that O2 customer data was being sold by criminals on the dark web. But the data was almost certainly obtained by using usernames and passwords first stolen from gaming website XSplit three years beforehand. Often, online fraud is best served cold.

The amount of rich data compromised in the BA hack (particularly the card details) combined with the fact that it’s in the hands of savvy fraudsters who understand the workings of how lenders combat fraud, mean that identifying any fraudulent event from a genuine one won't be easy. Some financial institutions may block any perceived at-risk cards immediately, or they may mark them as high risk and manage a re-issue over time; either way it’s a costly process, for both the victim and the issuer.

That’s why more banks and lenders are turning to adaptive behavioural fraud prevention system. These AI-driven systems recognize an individual's unique behaviours in situational context, can protect customers in a world where this particular hack will become more prevalent. 

By using these analytics, smart systems can ‘learn’ who you are and what your normal behaviour looks like to spot an anomaly, such as if someone else is using your card and personal information. AI can now identify you by your behavioural patterns, your habits – even how you typically interact with a web page like your online banking portal – to create a profile of you.

While we don't know how many of the 380,000 users who were affected by the BA hack will fall victim to an attempted fraudulent event in the future, we do know that it's an inevitability and it’s up to the financial institution to innately understand the individual's profile and then use that as a benchmark to detect fraud, or to rely on updated rules that are designed in response to known threats.

The former approach outpaces fraud, while the latter only reacts to it. As fraudsters bide their time and play the long game, the fintech sector has to match their guile and get out in front of them as soon as possible.


Comments: (0)

Sean Neary

Sean Neary

Senior Product Officer


Member since

12 Sep 2018



Blog posts


This post is from a series of posts in the group:

Transaction Fraud Systems and Analysis

A community for discussion of Transaction Fraud systems and anlaytical techniques for bank card and financial services organisations.

See all

Now hiring