Mastercard: Staying two steps ahead of cybercriminals and bad actors

Amit Mehta, VP, Cybersecurity Services, EEMEA, Mastercard, outlines why a multi-layered defence is crucial in combating ransomware, highlights the importance of tailored cybersecurity awareness campaigns, reveals how Mastercard leverages AI to prevent fraud and detect threats, and explains how Mastercard’s cutting-edge technology is driving innovation to safeguard its digital ecosystem, staying two steps ahead of cybercriminals and bad actors.

With ransomware attacks emerging as a leading cybersecurity threat for organisations globally, how can they protect themselves?

Protecting against cyberthreats including ransomware involves a multi-layered approach. It starts with establishing and maintaining basic security hygiene that covers people, process and technology.

Here are some important controls that could be considered:

1. Keeping systems patched with latest security patches
2. Using multi factor authentication for business-critical systems and their supporting infrastructure
3. Strong passwords
4. Regular backups of data and ensuring that these can be restored when required. Moreover, backups should be stored in multiple locations for Business Continuity
5. Technical security controls such as firewalls, antivirus, anti-malware, networking segmentation etc.
6. Employee security training and awareness that is dynamic and based on the current threat landscape
7. Practicing incident response and building that ‘muscle memory’ that will help you respond and recover from such incidents more effectively

The above list is just a small subset of controls that can help improve the security posture of organisations to mitigate this threat. There is no one size fits all and ultimately it depends on the nature of your business, threat landscape and third-party risk that will influence your cyberthreat protection.

 How can companies tailor messages about cybersecurity awareness for staff and customers?

A strong culture of security awareness in the organisation is perhaps one of the most effective cyber-risk management strategies, and it is everyone’s responsibility. For the security awareness program to be effective, it’s important to tailor the content to specific roles within the organisation.

There is no one-size-fits-all approach to training. For example, finance employees should be trained on scenarios related to request for payment transfers, Business Email Compromise and other real-world examples and recent security incidents etc. When employees see how security applies directly to their daily work, they’re much more likely to engage with the content and retain the information.

Cybersecurity risks can evolve quickly as bad actors adopt more sophisticated methods. Regular training sessions with bite-sized modules allow companies to update their training to include the latest trends and keep security top-of-mind throughout the year. Additionally, gamification of security awareness including embedding interactive learning experiences keep the users engaged. 

Finally, use simple jargon free language for such programs and encourage open dialogue about security issues and make it easy for employees to report concerns.

What security risks have emerged since the arrival of Generative AI?

We are obviously excited about what new forms of technology can do for payments from a security, experience and speed perspective.  But bad actors also have access to these new forms of tech and are ‘weaponising’ them.  Emerging Tech is increasing the sophistication of their attacks resulting in:

• Relentless rise of impersonation scams in various forms – Purchase/Romance/Investment
• Use of Generative AI to create ever more compelling methods to deceive victims
• Use of AI/Machine Learning to relentlessly test for vulnerabilities in systems
• Use of AI to create malicious content such as phishing emails, Deep Fake videos and even malware

It’s important that the industry continues to discuss and address these issues as AI becomes more embedded in our daily lives.

Are there any particular verticals that are most under threat from cybercriminals?

Cybercriminals are generally motivated by financial gain or to acquire personal data.

From a financial perspective, these criminals are after sensitive data such as personally identifiable information, national identifiers, medical data, payment and financial data etc. This information can easily be monetised in various open and Dark Web forums. Hence, industries such as financial services, public sector, healthcare etc. are generally most under threat from such financially motivated criminals.

What are some of the use cases of AI in payment security?

Over the past 10 years, at Mastercard, we have been using AI to prevent fraud, detect threats and identify vulnerabilities. Coupled with our unique network-wide view we can prevent frauds of multiple varieties. 

We want to stay two steps ahead of cybercriminals and bad actors. To do that we will continue to monitor trends and methods, using our world leading technology to innovate and create new solutions that continue to protect our digital ecosystem.  Thanks to our AI powered solutions we help secure the digital ecosystem for all. Some examples of this are:  

• Decision Intelligence:
  • A real-time decisioning solution – already helps banks score and safely approve 143 billion transactions a year.
  • Thanks to newGenerative AI technology we can now scan an unprecedented one trillion data points to predict whether a transaction is likely to be genuine or not.
  • DI Pro – In less than 50 milliseconds, this technology improves the overall DI score, sharpening the data provided to banks. Initial modelling shows AI enhancements boost fraud detection rates on average by 20% and as high as 300% in some instances
• Gen-AI Card Fraud Predictor
  • This new technology works by scanning transaction data across billions of cards and millions of merchants at faster rates than previously imaginable. In doing so it alerts Mastercard to new, complex fraud patterns. Using Generative AI-based predictive technology built by Mastercard it is able to protect future transactions against emerging threats, by:
    • Doubling the detection rate of compromised cards,
    • Reducing false positives during the detection of fraudulent transactions against potentially compromised cards by up to 200%,
    • Increasing the speed of identifying merchants at-risk from – or compromised by – fraudsters by 300%.  

• RiskRecon Third Party Risk Solution
  • RiskRecon by Mastercard continuously monitors millions of companies globally, assessing wide-range vulnerabilities including own enterprise and subsidiary risk, third-party risk, fourth-party risk, and extended nth-party supply chain risk. 
  • We constantly scan 19mn entities regularly to assess their defences in the areas of (software patching, application security, web encryption, system reputation, breach events, system hosting, email security, DNS security and network filtering).
  • It provides data analytics and a risk score that enables organisations to identify vulnerabilities across their third-party networks and supply chains. 

 What are the latest trends and tactics used by cybercriminals?

Fraudsters are using technology in more innovative and sophisticated ways to trick consumers, and the problem is growing with global e-commerce fraud losses estimated at US$48 billion in 2023.  The techniques and methods used by bad actors are constantly evolving. Based on the data seen by our cybersecurity systems, we see the following most commonly used methods to target organisations:

• Phishing and spear-phishing
• Exploitation of known vulnerabilities
• Malware deployment (trojans, ransomware, etc.)
• SQL injection
• Cross-site scripting (XSS)
• Distributed Denial of Service (DDoS)
• Supply chain attacks