Is 2026 The Toughest Year for Online Security?

We are halfway through 2026 and we are starting to see the impacts of Gen AI for evil. In just one example, fraudsters have figured out how to defeat many controls around account opening. Create and upload a bogus government document—no problem. Do a selfie and liveness test—no problem. Submit PII to look like a real applicant—no problem. Create money mule accounts to support fraud and scams—no problem.

Another example is how easily a scammer can convince a romance or investment scam victim that the victim’s friend is real. Take a photo and turn it into a video—no problem. Add interactive conversation in the language of the victim—no problem.

Alarm bells are ringing around security gaps in open-source code, used by everybody in 2026. It is potentially so bad that OpenAI and security firm Trail of Bits just announced Patch the Planet, a joint initiative to help open-source code maintainers strengthen critical open-source software.

This week, the ‘Five Eyes’ cyber chiefs warned “AI models capable of launching major cyberattacks that could overwhelm the defenses of governments and businesses are months — not years — away.” 

These warnings are not just about government and corporate software, but include web, mobile, API and open banking online security!

In times of stress like this, there needs to be a plan to follow to address these threats. To help with this effort, Transmit Security asked me to write an in-depth report on online security. The goal is to help the financial institution (FI) fraud and scam prevention team weather the upcoming storm.

In this paper I talk about three overarching points:

  1. Think of the entire customer life cycle as you focus on understanding threats: marry and bridge new account opening to enrollment and through to online banking/APP scam detection and mule detection.
  2. Recognize that there are several new ways for transactions to be created with bots, AI agents and more.
  3. Think about both fraud and scams.

The next step is to really understand the threat landscape. You may have vendor threat reports, open-source threat reports (often available on LinkedIn) and of course your own experience of the threats that affect your FI. There are also several generic threat framework sources:

  1. MITRE ATT&CK Framework and the new MITRE Fight Fraud Framework Matrix
  2. Fraud Kill Chain
  3. NIST Digital Identity Guidelines

You might also want to hire a firm to conduct red team testing to find weaknesses you are not aware of. You had better find them before Gen AI models do.

Organize these threats in two categories: 1) general threats (e.g. phishing attacks and credential stuffing) and 2) specific threats across the customer life cycle (e.g. MFA Bypass or new account opening attack vectors).

The next step is to lay out your current controls and identify the security gaps. This is not as easy as it sounds because the threats have gotten more sophisticated and in fact some attacks actually couple several threat vectors into one attack. In addition, with everyone moving toward Gen AI solutions, there are new attack vectors around AI Agents (e.g. prompt injections) that need to be considered.

The more difficult part of assessing your current controls is that you may have a control in place, but it may be 5-10 years old. In today’s threat environment, that may be a legacy control that may no longer be effective against today’s AI-enabled attack patterns and tools. An honest assessment of the current tools is essential.

The next part of the process is to review controls that exist to address the overarching threats and the specific threats at each point in the customer life cycle. This is more complicated than it used to be because the solutions are more technical than before. This is where the fraud team will need the help of the Infosec cyber team’s cryptography experts or possibly a third-party security team to analyze the solutions. Here are two good examples.

  1. You decide it is time to replace User ID/Password/OTP with phishing-resistant authentication. Now you need to explore public/private key cryptography and the risks of MFA Bypass when this new technology is implemented.
  2. You need to replace your account opening document verification/user verification step. The newest solutions are using the physics of photography to assess photos and video with liveness testing. Document verification alone is no longer enough to protect against AI-enabled attacks, and a layered, multimodal and orchestrated control environment should be considered table stakes.

Ultimately, you will come up with a list of the security gaps that exist and new controls required to fill those gaps. Part of this final assessment will also need to review which existing security controls should be sunset.

As you go through the threat assessment/solution choices steps, remember you are responsible for mitigating both fraud and scam losses. Your control stack should be independent of who takes the loss. Spend time seriously thinking about what controls best help mitigate consumer scams. And remember, even if the bank does not take the consumer scam loss, your bank customer can be devastated both emotionally and financially by these scams. Two key scam controls are:

  1. Effective staff training on the psychology of scams to help provide meaningful customer interdiction to ‘break the spell’ (to keep the money in the customer’s account).
  2. Inbound anomaly detection to identify and remove money mule accounts. This is becoming an increasing regulatory focus in many countries (UK, Australia, EU).

A sound online strategy must include protection for the customer across the entire life cycle, including consumer scam prevention and money mule mitigation.

For the more in-depth discussion and details on this topic that I put together, find the full report on How to Protect Your Customers in One of the Toughest Years of Threat.  

There will also be an upcoming webinar in July discussing the key points and enabling you to protect your institution. Register here.

Author

  • Since 2005, Ken has been in Online Security. He was a Director at MUFG Union Bank, retiring in early 2019. He helped shape the initial responses to the U.S. 2005 and 2011 FFIEC Regulatory Guidance to improve online security for US Banks. He is an early adopter and has selected and implemented a number of online security products. Ken was an advisor to the RSA eFraud Global Forum and a Program Committee member for the annual San Francisco RSA Conference. He was on The Knoble Scam Committee for three years. In 2019, he received the Legends of Fraud Award at the 3rd annual FraudCON conference in Israel. He is currently consulting to banks and to online security vendors.