In today's networked life, personal information is almost everywhere in every scene of life such as transaction payment, e-commerce, and social networking. This personal information contains an increasingly significant economic value, but it has also become the target of cyber attacks, telecom network fraud, extortion and other cyber crimes.
According to the Ministry of Public Security, as of November 21, the relevant local law enforcement departments in northern Myanmar have handed over a total of 3 suspects of telecommunications network fraud to our side10,000, under the strong crackdown of the state, the criminal activities of wire fraud have decreased significantly.
As a platform for storing a large number of user identity information and transaction information, the payment system is also an important channel for fund transfer, and is a key role in preventing telecom fraud. Payment systems have the responsibility, the ability and should do more to prevent telecom fraud and provide stronger protection for users' assets. The following section will introduce the functional design of the payment system from a business perspective to prevent data leakage and handle suspicious transactions.
01|Prevent data leaks
Fraud gangs use illegally obtained citizens' personal information to profile the victims of fraud, and use these portraits to carry out various fraudulent activities, such as online shopping refund fraud. Because the fraud gang can accurately describe the victim's personal identity information and shopping transaction information, it often matches the characteristics of official customer service personnel, so as to gain the trust of the victim.
This illustrates the importance of preventing data leakage and protecting users' private information in the fight against telecom fraud. Next, we will explain the password protection mechanism strengthening, sensitive data access control, sensitive data dynamic masking, and sensitive page screenshot prohibition.
1.Password protection mechanism is strengthened
Before the case, Shen worked for an international trust company, and used the method of "credential stuffing" to obtain the user name and password of a bank's credit information system, and illegally inquired, ** and retained more than 1,000 credit reports of others through the terminal of the special line interconnection between the trust company and the bank.
The password is an anti-theft door for user data, and the payment management platform has a series of enhanced protection mechanisms in the process of setting the password and changing the password by the operator, such as not using repeated or continuous numbers as the password, not using the birthday as the password, and the password must contain uppercase and lowercase letters, numbers and symbols. The back-office operator must update the password once within the time period configured by the administrator. When the number of consecutive incorrect password entries reaches the upper limit, the account will be automatically locked, and the system will immediately notify the account holder through SMS and other means, and record the IP address of the terminal where the wrong password is entered. In addition, the payment system prohibits the browser from recording the user's account name and password.
2.Access control for sensitive data
Preventing "internal ghosts" from stealing user information is an important consideration in the functional design of the payment system. Combined with the requirements of business, data protection, security compliance and other dimensions, the payment system formulates the authority for operators to obtain user information, and the authority from low to high includes: querying individual user information, querying user information in batches, and exporting user information in batches. According to the principle of "business essential, least privilege, segregation of duties", only the necessary data is presented to the operator. Privileged accounts are prohibited from accessing business data or unauthorized access by business system accounts.
3.Sensitive data is dynamically masked
Configure different masking policies based on the user name and access path of the business application to flexibly meet business requirements and regulatory requirements. For example, the sensitive data displayed by the payment system to internal employees needs to be desensitized, the operator needs to be approved by the authorized person to view the user's sensitive information, and the BI data analysis and data report automatically desensitize sensitive data as needed.
4.Screenshots of sensitive pages are prohibited
Using screen sharing to commit scams is a common tactic used by criminals. They pretended to be the customer service of the platform, the staff of the public security and law enforcement organs, etc., and asked the victim to ** conference software, turn on the screen sharing function, induce the victim to enter verification code, password and other bank account information, and steal the bank card bound to the victim.
The consumer app of the payment system has made separate processing of sensitive pages such as the user's personal identity information page, the payment and collection page, and the bound bank card information page, and the user cannot share these pages when sharing the screen through conference software and social software, and cannot also take screenshots. Prevent criminals from tricking users into sharing screens or screenshots, causing users to leak sensitive information.
02|Dealing with suspicious transactions
Whether it is the transfer or payment of funds by the victim of wire fraud to the criminal, or the transfer or laundering of funds by the criminal fraud, traces may be traced. Therefore, the risk control and anti-money laundering modules of the payment system should identify suspicious transactions as much as possible and manage risky transactions. The customer service module should also support the priority of receiving customer complaints related to fraud and handling suspected fraudulent transactions in a timely manner.
1.Suspicious transaction identification
The risk control and anti-money laundering module of the payment system can support the payment institution to configure multi-dimensional parameters in accordance with the Anti-Money Laundering Law and the institution's anti-money laundering transaction monitoring standards, including funds**, amount, transaction type, time, frequency, flow direction and nature, etc., to create monitoring indicators.
Payment institutions can combine monitoring indicators with corresponding action instructions to form risk control rules, and configure the automatic running time of these rules to create risk control tasks. Once the risk control task is started on time, the system will be able to automatically identify the transactions that hit the monitoring metrics.
2.Suspicious transaction management
In the payment system, once a suspicious transaction is identified, the system will take corresponding actions according to the action instructions configured in the risk control rules that are hit. Here's a description of how transactions with different risk levels are handled:
Low-risk trading:For low-risk transactions, the system will automatically send a risk alert to the user. After confirming that there is no risk, the user can continue to trade operations;
Medium Risk Trading:For medium-risk transactions, the system will automatically implement measures to strengthen identity verification, such as face recognition, SMS verification, etc. After the user passes the verification, the transaction can be released;
High-risk transactions: For high-risk transactions, the system will automatically trigger a notification mechanism to notify the risk control and anti-money laundering specialists to intervene. They can further investigate and analyze the transaction situation and take appropriate action. This may include intercepting transactions, dissuading users, triggering cooling-off periods, etc., to further ensure the safety of users' funds.
At the same time, the payment system will capture the transaction data that triggers the risk control rules and generate a suspicious transaction report. The AML Officer can further analyze these suspicious transactions in the system to rule out errors or confirm whether there is a money laundering risk. If a suspicious transaction is confirmed, the relevant data will be reported to the regulator to support anti-money laundering supervision.
Through such risk control and anti-money laundering mechanisms, the payment system can detect and process suspicious transactions in a timely manner, ensuring the safety of user funds and reducing the risk of telecom fraud to the greatest extent.
3.Trading account freeze
In the payment system, if the suspicious transaction is judged to be suspected of violating laws and regulations, the competent authority may request the payment institution to freeze the relevant suspicious account. When the payment system receives a freezing request, the operator can freeze the account involved in the case through a one-click operation to prevent the transfer of illegal funds.
In the event that a consumer finds that they have been defrauded or stolen, the payment app should support the consumer to file a customer complaint with the platform. Consumers can submit relevant supporting materials, and once verified by the platform, they can suspend the settlement of payment transactions involving fraud or fraud or freeze the account in the payment system to protect the safety of consumers' funds.
Relying on flexible monitoring indicators and strong risk control rules, the payment system can form a complete fraud prevention and crackdown mechanism, including pre-warning education, in-process reminder interception, and post-event punishment and disposal. This full-chain mechanism can help the payment system protect the safety of users' funds and prevent and combat fraud.
03|Summary.
The magic is one foot high, and the road is one foot high. Under the strong crackdown of the state, the crime of wire fraud and money laundering has been reined in, but the payment institutions can not sit back and relax, and the designers of the payment system can not take it lightly, in view of the old tricks and new methods of criminals, we must continue to upgrade the risk control model, actively use big data, artificial intelligence and other technologies to expand the dimension of risk information acquisition in advance, strengthen the capacity building of risk measurement, model research and development, feature extraction, etc., and strengthen response measures through digital means afterwards, so as to promote risk management from "civil air defense" to "technical defense" "Intelligent defense" to enhance the timeliness and accuracy of risk disposal.