Despite being under constant fire from attackers, financial institutions as a whole arguably do better than companies in other industries when it comes to IT security. However, that doesn’t mean they can’t learn a thing or two from other industries.
The online gaming industry is also targeted by many cyber criminals due to their possession of personal information and user payments. For this reason, financial companies, gaming companies and customers are often the target of account takeover attacks or, increasingly, synthetic account attacks. (Synthetic account attacks occur when cyber thieves use information from a multitude of different accounts to create a realistic-looking fraudulent account.)
“The master fraudsters who typically attack gaming companies are now also targeting financial institutions,” said Kevin Gosschalk, founder and CEO of Arkose Labs. So-called “master cheats” are more persistent attackers who “script multiple tools, use cheat farms, and are willing to invest more time and money to bypass defenses,” Gosschalk said.
Gosschalk said the types of attacks vary, but most banks primarily deal with account takeover attacks, application fraud, and a small percentage (around 9%) of synthetic account attacks. In the metaverse, however, financial companies and gaming companies are seeing a growing percentage — 30% growth in recent months — of synthetic or fake account attacks, according to Gosschalk.
With synthetic account volume growing at such a rapid rate for online businesses, Gosschalk said, “Banks will need to adapt fraud prevention strategies quickly to deter volumetric attacks.
“Synthetic accounts are extremely difficult to detect and deter because they appear to be genuine consumers,” Gosschalk continued. “Banks need to develop the ability to defend against this type of attack now, so they are prepared to protect their consumers’ online accounts later.”
Jeff Wheat, Chief Technology Officer of Lumu, pointed out that in the gaming industry “the threat at the business level is the risk of taking too many bets on one side or the other of a bet.
“They’re constantly assessing that risk and responding by updating the ‘odds’ on the bet,” Wheat said. “This constant evaluation is the key to their financial security.”
Similarly, financial institutions “need to constantly assess the level of compromise within their organization,” Wheat said. “From a network security perspective, the gaming industry does a good job of segmenting its internal networks – to move the crown jewels to the center of the castle and protect financial assets with layered defenses.”
“To do this, financial institutions also need to understand what they are protecting or ‘labeling’,” Wheat added, “and monitoring critical elements continuously and with higher priority.”
As fraudsters hone their techniques, financial institutions are dealing with growing volumes of traffic, which is hard to categorize as “good” or “bad,” according to Gosschalk.
Rather than piling on additional layers of threat scores or slowing users down with out-of-band authentication, financial institutions need robust secondary filtering delivered directly into the normal user workflow, Gosschalk added.
Just like gaming companies, “Banks investing in the metaverse should place a high premium on trust and security when logging into the account, registering and taking actions on the platform to protect identities. avatars in their virtual worlds,” he said.
That means U.S. financial institutions “are going to have to flex new cybersecurity muscles to operate in the metaverse,” Gosschalk said. “With this understanding, as banks build and deploy their metaverse strategies, they can create controls specific to the types of attacks they will most likely encounter in the metaverse.”
How Banks Can Practice Cybersecurity in the Metaverse, According to Kevin Gosschalk, Founder and CEO of Arkose Labs
As banks begin to explore the metaverse, they need to rethink their cybersecurity posture to protect customers in the virtual world. To stay ahead of fraudsters, banks should look to gaming companies like EA, Blizzard, and Roblox who are pioneering this new digital territory, to understand cybersecurity best practices.
- Sophisticated cybercriminals: Metaverse attackers script multiple tools, use cheat farms, and are willing to invest more capital to bypass defenses. Banks that invest in the metaverse must place a high premium on trust and security when logging into the account, registering, and performing actions on the platform to protect the identities of avatars in their virtual worlds.
- Younger targets: Banks should keep in mind that Metaverse users are likely to be much younger than traditional bank customers. As the metaverse is embraced by an increasingly younger generation, the authentication methods expected will be very different from what we are today with passwords, OTPs, etc.
- New Attack Techniques: Most banks are unprepared for the upsurge in synthetic account attacks in the metaverse (up 30% vs. 9% in the real world). Synthetic identities are extremely difficult to detect and deter because they appear as real consumers in the virtual world. Additionally, the volume of synthetic accounts that exist is huge for metaverse businesses – so banks will need to quickly adapt fraud prevention strategies to deter volumetric attacks.