The Internet Enabled Mass Surveillance. AI Will Enable Mass Spying.


Spying and surveillance are different but related things. If I hired a private detective to spy on you, that detective could hide a bug in your home or car, tap your phone, and listen to what you said. At the end, I would get a report of all the conversations you had and the contents of those conversations. If I hired that same private detective to put you under surveillance, I would get a different report: where you went, whom you talked to, what you purchased, what you did.

Before the internet, putting someone under surveillance was expensive and time-consuming. You had to manually follow someone around, noting where they went, whom they talked to, what they purchased, what they did, and what they read. That world is forever gone. Our phones track our locations. Credit cards track our purchases. Apps track whom we talk to, and e-readers know what we read. Computers collect data about what we’re doing on them, and as both storage and processing have become cheaper, that data is increasingly saved and used. What was manual and individual has become bulk and mass. Surveillance has become the business model of the internet, and there’s no reasonable way for us to opt out of it.

Spying is another matter. It has long been possible to tap someone’s phone or put a bug in their home and/or car, but those things still require someone to listen to and make sense of the conversations. Yes, spyware companies like NSO Group help the government hack into people’s phones, but someone still has to sort through all the conversations. And governments like China could censor social media posts based on particular words or phrases, but that was coarse and easy to bypass. Spying is limited by the need for human labor.

AI is about to change that. Summarization is something a modern generative AI system does well. Give it an hourlong meeting, and it will return a one-page summary of what was said. Ask it to search through millions of conversations and organize them by topic, and it’ll do that. Want to know who is talking about what? It’ll tell you.

The technologies aren’t perfect; some of them are pretty primitive. They miss things that are important. They get other things wrong. But so do humans. And, unlike humans, AI tools can be replicated by the millions and are improving at astonishing rates. They’ll get better next year, and even better the year after that. We are about to enter the era of mass spying.

Mass surveillance fundamentally changed the nature of surveillance. Because all the data is saved, mass surveillance allows people to conduct surveillance backward in time, and without even knowing whom specifically you want to target. Tell me where this person was last year. List all the red sedans that drove down this road in the past month. List all of the people who purchased all the ingredients for a pressure cooker bomb in the past year. Find me all the pairs of phones that were moving toward each other, turned themselves off, then turned themselves on again an hour later while moving away from each other (a sign of a secret meeting).

Similarly, mass spying will change the nature of spying. All the data will be saved. It will all be searchable, and understandable, in bulk. Tell me who has talked about a particular topic in the past month, and how discussions about that topic have evolved. Person A did something; check if someone told them to do it. Find everyone who is plotting a crime, or spreading a rumor, or planning to attend a political protest.

There’s so much more. To uncover an organizational structure, look for someone who gives similar instructions to a group of people, then all the people they have relayed those instructions to. To find people’s confidants, look at whom they tell secrets to. You can track friendships and alliances as they form and break, in minute detail. In short, you can know everything about what everybody is talking about.

This spying is not limited to conversations on our phones or computers. Just as cameras everywhere fueled mass surveillance, microphones everywhere will fuel mass spying. Siri and Alexa and “Hey Google” are already always listening; the conversations just aren’t being saved yet.

Knowing that they are under constant surveillance changes how people behave. They conform. They self-censor, with the chilling effects that brings. Surveillance facilitates social control, and spying will only make this worse. Governments around the world already use mass surveillance; they will engage in mass spying as well.

Corporations will spy on people. Mass surveillance ushered in the era of personalized advertisements; mass spying will supercharge that industry. Information about what people are talking about, their moods, their secrets—it’s all catnip for marketers looking for an edge. The tech monopolies that are currently keeping us all under constant surveillance won’t be able to resist collecting and using all of that data.

In the early days of Gmail, Google talked about using people’s Gmail content to serve them personalized ads. The company stopped doing it, almost certainly because the keyword data it collected was so poor—and therefore not useful for marketing purposes. That will soon change. Maybe Google won’t be the first to spy on its users’ conversations, but once others start, they won’t be able to resist. Their true customers—their advertisers—will demand it.

We could limit this capability. We could prohibit mass spying. We could pass strong data-privacy rules. But we haven’t done anything to limit mass surveillance. Why would spying be any different?

This essay originally appeared in Slate.


Insights into modern fraud detection systems


The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Information security requirements and standards are in a constant state of evolution. Recent issues, such as COVID-19 and the growing global reliance on mobile devices and remote work solutions, have played important roles in this ongoing transformation. At the same time, the increasing sophistication of cyber attackers has added new layers of complexity to the cybersecurity landscape. In this article, I will explore the importance of implementing fraud detection systems as a crucial measure to mitigate the impact of both traditional and emerging fraudulent schemes.

Challenges faced by financial institutions

The landscape of user behavior has undergone significant shifts, primarily driven by external factors such as the COVID-19 pandemic. This factor led to an increase in online transactions, coupled with reduced income streams for many individuals, resulting in decreased spending in specific user categories. Additionally, local conflicts, such as the wars in Ukraine and Israel, influence spending patterns in particular regions.

The implementation of restrictive measures and the resulting increase in stress levels have provided cyber crooks with more opportunities to exploit social engineering techniques through acts of intimidation. One prevalent scam involves fraudsters posing as bank security officials to deceive unsuspecting individuals.

Another concerning trend is the rise of legitimate channels that drive people to scam schemes via mainstream advertising platforms like Google and Facebook.

Furthermore, the economic hardships some people face have led them to seek alternative income sources, driving them to engage in various forms of online criminal activities. Some individuals become involved in schemes where they act as money mules or work in illegal call centers.

It is challenging for financial institutions to guarantee absolute safety. Malicious individuals can present counterfeit identification to authorize transactions that were initially denied by the anti-fraud system. While financial institutions strive to know as much as possible about their clients and run transactions carefully, they are constrained by data retention limitations (typically several months) and the need to respond within seconds, as stipulated by Service Level Agreements. So, again, achieving complete certainty about every transaction remains a huge problem.

Detecting suspicious activities becomes even more challenging when malicious employees request details about a specific client or transaction, as this falls within their routine work tasks. Some fraud detection systems use computer webcams or video surveillance cameras to monitor employee behavior. Modern surveillance systems have become more intelligent, leveraging artificial intelligence and historical data to perform comprehensive risk assessments and take action when unusual employee behavior is detected. However, these cameras may not always be effective in identifying deceitful behavior when employees remain almost motionless.

Understanding fraud detection systems

Fraud detection systems are designed to detect and prevent various forms of fraudulent activities, ranging from account hijacking and identity theft to fraudulent financial transactions. Initially adopted by financial institutions in the early 2010s in response to large-scale attacks on e-banking systems, fraud detection systems have since found their way into various sectors, including e-commerce, client loyalty programs, gaming services, contextual advertising platforms, and insurance. They play a pivotal role whenever online transactions and trade occur. While the concept of fraud detection systems is well-established, there are different types of products with unique characteristics that cater to specific needs and challenges.

The core functionality of fraud detection systems involves the examination of online transactions and user actions to assess the level of fraud risk. Typically, fraud detection systems consist of standard and system-specific rules, filters, and lists against which each action is checked. AI and ML technologies embedded within these systems significantly enhance their performance by analyzing client data and identifying patterns indicative of fraudulent behavior.

Types of fraud detection systems

Fraud detection solutions can be broadly categorized into two main types: transaction fraud detection systems and browser fraud detection systems.

Transaction fraud detection systems

Transaction fraud detection systems employ behavioral and technical indicators as well as machine learning algorithms to assess the risk associated with each transaction. Typically, these systems rely on predefined rules and filters that activate based on specific algorithms or triggers. Various markers are employed to flag suspicious transactions, including unusually large or frequent transactions, transactions in atypical locations, etc. For instance, a user’s account may be temporarily frozen if they initiate multiple identical actions, which is an example of a behavior-based evaluation relying on technical signs.

One of the most critical tasks of transaction fraud detection systems is detecting targeted social engineering attacks. In such cases, high-level behavioral indicators are indispensable for preventing or slowing down illicit operations.

The system leverages machine learning to process extensive data and identify hidden correlations between user actions that could signal fraud. Historical data on blocked operations, such as unauthorized fund transfers, is used to train the system to recognize patterns leading to denied transactions. This enables the system to independently detect and halt transactions showing signs of fraud.

Browser fraud detection systems

Browser fraud detection systems do not analyze actual transactions but instead collect various technical details about the user’s session. This includes information about the device, connection channel, and user behavior, such as keystrokes, touchpad/mouse movements, and more.

Browser fraud detection systems are good at detecting credential theft resulting from phishing attacks or data breaches. They can also identify fraudulent accounts at the initial stage when a fraudster attempts to sign up.

Identifying and preventing financial fraud

To effectively identify and combat financial fraud, it is recommended to establish a comprehensive cross-channel real-time fraud detection and prevention system capable of instantly identifying illicit transactions. Such a system should leverage a combination of techniques, including machine learning technologies through a risk assessment module and rule-based methods via a policy module.

The fraud assessment process should be based on user and event profiles, which generate a set of characteristics that can be used by a probabilistic model to determine risk levels. This model can take the form of a custom-built Bayesian tree, where nodes represent probability scores for various combinations of features and events. By incorporating the policy module and its customized rules, organizations can define their unique business scenarios and combine the resulting risk evaluation with various indicators drawn from user profiles and other sources.
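The following sketch is an added example, not code from the article or from any product: it shows a risk assessment module and a policy module working together on the transaction markers described earlier (unusually large amounts, atypical locations, repeated identical actions). A naive Bayes score stands in for the Bayesian tree mentioned above, and every name, threshold, likelihood ratio and list entry is an assumption made for illustration.

```python
import math
from statistics import mean, pstdev

# Constructed values: likelihood ratios P(marker | fraud) / P(marker | legit),
# which a real system would learn from its history of blocked operations.
LIKELIHOOD_RATIO = {"large_amount": 8.0, "new_country": 5.0, "burst": 12.0}
PRIOR_FRAUD = 0.01                       # assumed base rate of fraud
PAYEE_BLOCKLIST = {"mule-account-001"}   # hypothetical list entry

def build_profile(history):
    """User profile: typical amount spread and countries seen before."""
    amounts = [t["amount"] for t in history]
    return {"mean": mean(amounts), "std": pstdev(amounts) or 1.0,
            "countries": {t["country"] for t in history}}

def extract_features(tx, profile, recent):
    """Event features: the transaction markers named in the text."""
    identical = [r for r in recent
                 if (r["amount"], r["payee"]) == (tx["amount"], tx["payee"])
                 and 0 <= tx["ts"] - r["ts"] <= 60]
    return {
        "large_amount": (tx["amount"] - profile["mean"]) / profile["std"] > 3,
        "new_country": tx["country"] not in profile["countries"],
        "burst": len(identical) >= 2,    # third identical action within 60 s
    }

def risk_score(features):
    """Risk assessment module: posterior fraud probability (naive Bayes)."""
    log_odds = math.log(PRIOR_FRAUD / (1 - PRIOR_FRAUD))
    log_odds += sum(math.log(LIKELIHOOD_RATIO[name])
                    for name, active in features.items() if active)
    return 1 / (1 + math.exp(-log_odds))

def policy(tx, features, score):
    """Policy module: business rules combined with the model's score."""
    if tx["payee"] in PAYEE_BLOCKLIST or score >= 0.25:
        return "BLOCK"
    if features["burst"]:
        return "FREEZE_ACCOUNT"          # temporary freeze on repeated actions
    if score >= 0.04:
        return "STEP_UP_AUTH"
    return "ALLOW"

def assess(tx, history, recent=()):
    """Return (decision, risk score) for one transaction."""
    features = extract_features(tx, build_profile(history), recent)
    score = risk_score(features)
    return policy(tx, features, score), round(score, 3)

# Constructed sample history: five small domestic card payments.
HISTORY = [{"amount": a, "country": "DE", "payee": "grocer", "ts": d * 86400}
           for d, a in enumerate([40, 55, 60, 45, 50])]
```

Because the policy module sees both the score and the raw indicators, a blocklisted payee is stopped even when the model's score is low, and a burst of identical actions freezes the account before the score reaches the blocking threshold.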

Selecting the right fraud detection system

Choosing the most suitable fraud detection system involves assessing your organization’s specific needs and risks. Different types of fraud detection systems examine distinct datasets, and the ideal approach may involve a combination of both transaction-focused and browser-based solutions. To save funds, some organizations, such as those offering personal accounts without internal payment systems, may find that a browser fraud detection system is enough for their requirements.

When evaluating fraud detection solutions, consider the following criteria:

Price transparency: Evaluate the cost of the fraud detection system, including deployment, fine-tuning, administrator training, and related expenses. Ensure the overall cost does not exceed the potential losses it is designed to prevent.
Testing and objective indicators: Assess the system’s functionality in terms of risk level determination and objective indicators that provide actionable insights. Look for specific criteria, such as the detection of VPN server usage during website access or the system’s ability to remotely access devices. These tangible indicators offer a more accurate assessment of the system’s effectiveness.
Machine learning and AI capabilities: Consider the extent to which the fraud detection system incorporates machine learning and artificial intelligence algorithms. ML and AI can be crucial in identifying risks by analyzing extensive data sets and uncovering hidden patterns and regularities indicative of fraudulent activity. Systems with advanced AI capabilities can adapt and improve their detection methods over time.
Data privacy: Examine whether the system requires the collection of confidential or personal client data. A robust fraud detection system should minimize the need for collecting such data or employ privacy-enhancing techniques. This not only reduces the risk of data breaches but also eliminates the need for obtaining client consent to process personal data by third parties.

Conclusion

While no single fraud detection system can provide foolproof protection against all types of cyberattacks, the primary objective of an efficient security solution is to raise the complexity and cost of executing a fraudulent attack to the point where fraudsters opt for easier targets. Many products on the market meet the criteria outlined above. Still, the performance of a specific fraud prevention system depends on its internal algorithms, which are typically proprietary and not disclosed by developers.

To make an informed choice, organizations should consider running comparative pilot projects using several fraud detection solutions tailored to their specific needs and risks. Again, fraud detection solutions are highly effective and efficient tools for combating fraudulent activities. I advise thoroughly researching, comparing, and adopting a system that aligns with your organization’s unique fraud prevention requirements. By staying proactive and vigilant, organizations can significantly improve their defenses against evolving threats.


ZDI-23-1757: Adobe Acrobat Reader DC Font Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability


This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2023-44371.


ZDI-23-1758: Adobe Acrobat Reader DC Font Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability


This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2023-44371.


ZDI-23-1759: Adobe Acrobat Reader DC Font Parsing Use-After-Free Remote Code Execution Vulnerability


This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2023-44371.
