GS240101, page 26

Cover Story
driven by real-time payments. "The world is increasingly digital with more payment methods than ever before, so what was a simple matter of complexity will get ever more intricate," he said. "Factor in the volume of payments too; across the board the number of transactions using debit cards is increasing. For example, there were 2.2 billion debit card transactions in July 2023, 4.9 percent more than the same period the year before."

Businesses need to meet this upward trajectory throughout 2024, Dawson stated, noting that preparedness and finding the right regulatory, security, processing and acquiring partners will be key to success in the coming year. Payments are increasingly swift and convenient for shoppers, but underneath the surface they are vastly complex, with even the simplest transaction going through a number of different processes and entities before it is complete, he added.

Troy Leach, chief strategy officer at Cloud Security Alliance, agreed organizations must prepare for massive regulatory changes, particularly regarding third-party service providers, generative AI and geopolitical impacts on global cross-border payments.

"For regulation, it will be looking at cloud and other services that financial services are reliant upon and maturing demonstration to regulators of their resiliency," he said. "We already have clear expectations from DORA [Digital Operational Resilience Act] in Europe with enforcement planned for 2025-2026. PCI DSS v4.0 has many new requirements for 'multi-tenant service providers,' and the U.S. Treasury along with several other U.S. federal agencies have begun work on exploring the role and influence of cloud service providers in critical infrastructure."

Human, artificial intelligence

Leach also expects generative AI to impact customer journeys in 2024. "We will likely see more code developed by machine learning that is truly built with security in the design, but we will also see faster exploits of known vulnerabilities," he stated. Unfortunately, he noted, fraudsters will also deploy AI-driven attacks, which will require a proportional response driven by machine learning and human intelligence rather than manual gatekeeping.

Crime-as-a-service offers AI tools to novice criminals with little technical knowledge, Leach noted, stating that easy-to-use interfaces like FraudGPT and WormGPT enable newly minted criminals to deploy a variety of scams and fraudulent attacks at scale.

"Generative AI will create unique, well-crafted social engineering attacks that are much harder to detect, at a volume and quality never before seen," he said. "This includes easy ways to circumvent several forms of bio-authentication and to spoof people in authority using video and audio representations from credible-looking sources." In this climate, authentication will be disrupted like never before, Leach added, underscoring the need for multi-factor authentication at all points of interaction. On the bright side, he said, machine learning is becoming adept at reverse engineering code, which will help merchants and providers verify and authenticate consumers and transactions.

Advanced, automated attacks

Jeff Zitomer, senior director, product management, emerging products at HUMAN, has observed that half of today's internet traffic is made up of bots. There are positive bots, he said, such as Google's crawler, and there are malevolent bots that use advanced, automated technologies to attack websites in ways that are difficult for service providers and end users to detect. "Think of the Facebook 'Like' button, the checkout with PayPal button or the Klarna buy now pay later button," he said. "These buttons use JavaScript from PayPal, Klarna, Facebook, Pinterest and TikTok. Then Google Analytics and advanced analytics vendors record these sessions and provide product managers with heat maps of where users are clicking on sites."

Through it all, he noted, JavaScript scrapes and records user data, including payment card data and login credentials, which advertisers leverage to retarget users with recently viewed items. These activities use scripts that load dynamically from across the internet, bypassing change management and security controls while relying on third-party providers and leaving original website owners with little to no control over what's running in end-user browsers, he said.

PCI DSS v4.0 addressed these issues, Zitomer noted, with the following requirements:

• Requirement 6.4.3: merchants must confirm that each payment-page script is authorized, that its integrity is assured and that it is inventoried, with written justification as to why each script is necessary.

• Requirement 11.6.1: merchants must deploy change- and tamper-detection mechanisms that alert personnel when HTTP headers and payment-page content are modified without authorization; this applies also to merchants who outsource payment processing to third-party payment service providers.

Shadow APIs

Unknown and unmanaged APIs, also called "shadow APIs," pose security risks as well, according to Laurent Van Huffel, senior vice president, financial services at Axway. Citing the Cequence 2022 API Protection Report, he noted that sophisticated attackers study APIs and exploit security flaws, such as weak authentication and excessive data exposure, while eluding detection.

"Shadow API was the leading source of API security risks, followed by API abuse or OWASP API10+ and the 'Unholy Trinity' of credential stuffing, shadow API and sensitive data exposure," he said, adding that these risks highlight the need for organizations to have visibility and control over all APIs. Protecting APIs will be critical in open banking, Van Huffel said, adding that the Consumer Financial Protection Bureau's proposed personal financial data rights rule, which is slated for enforcement in 2024,