With the aim of strengthening the prevention of account fraud through cyber attackshe central bank (BCU), together with members of the financial system and payment systems, presented a proposal with tools that facilitate timely and effective actions for the recovery of embezzled funds.
This working group was formed based on the background of the various complaints from financial users due to ignorance of operations carried out in their accounts without their authorization. It arose from exchanges carried out between the BCU and financial entities in which a significant increase in account fraud was verified, under different modalities. This group included the participation of representatives of the BCU, the Association of Private Banks (ABPU), the Republic Bank (BROU), electronic money issuing institutions (Prex, Midinero and OCA Blue) and Urutec.
The final document indicates that one of the defined actions was the strengthening of financial education. For entities, it proposes to establish a training and financial education plan that contains uses of the instrument, rights and obligations, regulation and risks.
Another action is to establish a continuous improvement in fraud detection and monitoring. The text indicates that this issue will be addressed from two perspectives: prevention and action. Among the possible practices to consider in the case of financial entities is removing the use of links -clickable- in emails or SMS sent to retail customers.
PIXABAY
cyber attacks
Also the delay of at least 12 hours before the activation of a new soft token on a mobile device and other additional measures, such as a waiting period (not immediate) before the implementation of requests for key changes in the account, as well as of a customer’s key contact details.
It also states that when a client performs an operation that deviates from his behavior pattern, he will receive a notification. Another measure is to form a fraud monitor. The text states that once certain risk thresholds, the evaluation systems (SW) may prevent the transaction from taking place. Each institution will indicate the risk levels it is willing to tolerate and in which cases It must be assessed whether it is appropriate to reject the transaction.
Another proposed item was account monitoring. The work team explained that in practice the opening of basic accounts –salary- that are later used as “mule” accounts, ceasing to receive salaries. For this reason, it is necessary to carry out greater monitoring of the use of these accounts and take the corresponding actions. And for the purposes of this control of the accounts, it will be necessary to develop a proactive monitoring, instead of a reactive one (through, for example, an adequate knowledge of the client, in particular in the cases of digital onboarding in terms of more robust mechanisms for identity validation).
At another point, he points out other authentication practices based on what has been observed internationally. In this case, it proposes to authorize transactions directly through the access to a mobile application (directly from there), but forcing the authentication of the client in that application for this purpose is through, for example, a biometric factor so that the malicious actor cannot identify himself in the application of the user’s own device by performing the already stolen credentials.
Another mechanism to consider is on the new device logins. Regarding this aspect, it suggests that if the institution detects that its client is connecting from a previously unused device, it should warn the user or prevent him. There the institution will require the client to certify or validate that it is he who is starting that session, and not a malicious actor on his own device after having stolen his credentials.
