December 21, 2009

Bank fraud can take many forms. It can manifest itself in the shape of a counterfeit debit card or as a stolen online ID and password. Sometimes it even appears as a 25-year-old man wearing his mother's pink blouse and head scarf.

That was the picture of fraud at a Chase Bank branch in Franklin, N.J., in early December, when Tita Nyambi, speaking in a high-pitched voice and holding a withdrawal slip with a forged signature, attempted to withdraw $700 from his mother's bank account, according to a report in the Newark Star-Ledger. More often than not, though, banks are not able to look fraud in the face and identify its suspicious five o'clock shadow.

In fact, financial institutions are finding it increasingly difficult to distinguish between fraudsters and their own customers. And as social engineering attacks, such as phishing, grow in popularity and complexity, perpetrators of fraud are in many ways seeking to exploit not weaknesses in a bank's security environment, but rather weaknesses in a bank's customer base.

"The basic idea behind a social engineering attack is that you can harden your IT systems to any conceivable degree and there will always be a weak point, which is that those IT systems need to interact with humans," explains Tim Callan, VP of product marketing for Mountain View, Calif.-based VeriSign. "If [hackers] can trick the humans into letting them in, it doesn't matter how strong the security is."

That sentiment is echoed by Bernhardt A. Alama, VP of product management in Honolulu-based Bank of Hawaii's ($10.8 billion in assets) cash management department. "Whether you're talking commercial or individual [accounts], the challenge we have is ... the physical person," he says. "The weakness is really with the individual."

In response, banks have learned to change the way they approach fraud mitigation. Historically, financial institutions addressed fraud on a channel-by-channel basis, according to S. Ramakrishnan, CEO, Reveleus and Mantas products for Oracle (Redwood Shores, Calif.) Financial Services Software. Individual susceptibilities were identified, thus generating individual remedies, he explains.

"What's happened since then is that fraudsters have gotten very clever," Ramakrishnan relates. "Now they attack the entire system through a combination of factors. They tend to do cross-channel fraud. If you continue to look at fraud as it is occurring in each channel, you're missing the connections across these channels that fraudsters are typically exploiting."

As recently as 2004 and 2005, banks still were taking a modular approach to fraud mitigation, says Alison Kuo Sullivan, director of fraud product management at FICO (Minneapolis). Then, "[Banks] started to adopt some of the concepts around enterprise fraud management," she recalls.

An enterprise approach to fraud detection is critical today, asserts Bank of Hawaii's Alama. "The primary driver is that the majority of fraud conducted [today] is related to social engineering," he says. "There are some technical issues related to fraud being conducted, but most of it involves convincing someone to give up their credentials one way or another, whether that's via voice, e-mail, cell phone or another method. What we're finding globally is that our customers are getting duped somewhere in a process to give up something that they shouldn't."

Given changes in products and channels, fraud trends ebb and flow, notes Ben Wallach, VP and fraud operations manager for Regions Bank ($140 billion in assets). But most recently, he adds, he has seen an uptick in cross-channel fraud. "If I had to pinpoint a change, that would probably be the biggest one -- [fraudsters] are using multiple channels now to perpetrate fraud," he says.