Banking fraud is as old as the industry itself, and it continues to be one of the largest expenses faced by many financial institutions, according to Virginia Garcia, research director for Needham, Mass.-based TowerGroup. Garcia estimates that 30 percent to 50 percent of the industry's $55 billion in annual operating losses is attributable to fraud.
"There are a couple of drivers that are convincing the banks to start rethinking some of their fraud management strategies," Garcia says. She points to the current media storm surrounding fraud and the evolution of ever-more-sophisticated fraud techniques as examples. New fraud schemes require new tools and strategies to prevent losses, she explains.
Of course, technology plays a critical role in fraud, both in creating new opportunities for fraud and offering new methods to defend against it. While some "new" fraud simply relies on technology to commit old types of fraud in different or faster ways - for example, the use of e-mail rather than traditional mail to commit "Nigerian banking fraud" - new technology-enabled scams also are emerging.
With the growing popularity of online banking, account takeover has emerged as a major fraud threat. One method that banks are adopting to battle such fraud is multiple-layer authentication, according to Bill Harris, chairman of PassMark Security in Redwood City, Calif. "The banking industry has spent the past year-and-a-half determining what is the biggest problem - keylogging, phishing, e-mail or something else," he says.
What's the Password?
"In 2005, the industry has reached a consensus that the root problem is authentication," Harris continues. "Passwords are no longer sufficient to let someone in the front door. Traditional authentication methods aren't enough," he asserts. As a result, banks are using a greater array of information and multifactor analysis to lock down systems when fraud schemes are detected, Harris adds.
User names and passwords should be supported in Internet banking transactions with new and better ways of authenticating genuine customers and identifying fraud artists trying to take over bank accounts, according to the summer update on identity theft from the Federal Deposit Insurance Corp. In its latest findings, the FDIC concludes that the risk assessment that financial institutions are required to perform for information security also should address customer authentication. In addition, the supplement says that if an institution offers Internet banking, it has an obligation to secure the delivery channel properly.
The extra security for online accounts often takes the form of multifactor authentication, which is used in addition to traditional passwords. The added security layers often include tokens issued to customers that generate new, random passwords every 60 seconds; software that can identify the computer from which a user is attempting to access an online account; or contacting customers by phone to make sure they legitimately are attempting to access their accounts.
Seemingly, however, as fast as banks can employ fraud-prevention solutions, criminals find new ways to part consumers from their money. For example, phishing, an almost unheard-of term only three years ago, is the top Internet fraud scheme, according to the Federal Trade Commission. Large national banks such as Washington Mutual, Citicorp and Bank of America are among the most phished financial institutions.
Now, though, banks have been on the alert for phishing scams for nearly two years. They post information on their Web sites warning customers about the dangers of phishing and notifying them that the financial institution itself will not seek customer identification information via e-mail. So, fraudsters are developing new scams.
Shortly after banks and consumers became wise to phishing, a new, more-sophisticated variation emerged - pharming. Pharming involves a criminal infecting a PC or Domain Name System (DNS) server to redirect a user's Web browser automatically to a mirror site that looks like a financial institution's legitimate Web site, complete with account links, including ones asking for user names, passwords and other sensitive customer data.
And fraudsters, always on the cutting edge, have developed other scam methods for attacking banks, according to TowerGroup's Garcia. "Bust-out" fraud targets customers who have built strong credit relationships with their banks. In bust-out schemes, perpetrators wait until the victims have built up a significant credit profile with their banks, then use stolen ID information to "bust out" with an auto loan or some other type of credit and leave town, explains Garcia. Auto loans are typical targets, she says, because the criminal literally can drive away with the loot.
Bust-out schemes are particularly difficult to detect until it is too late, Garcia notes, because they build on the established trust between financial institutions and their customers and often involve one-time hits. This contrasts with conventional fraud scams, which look to make many quick hits.
Holistic Fraud Fighting
To stop these and other emerging threats, financial services institutions must take a holistic approach to combating fraud, Garcia asserts. "Financial services institutions have historically reacted with point solutions for each type of fraud, over time assembling a menagerie of disjointed solutions that offer a fragmented and inadequate view of enterprise fraud," she comments, adding that while these point solutions might be good for detecting more traditional fraud, such as check kiting and hacking attempts, they are inadequate to detect newer fraud schemes. Banks need to look for patterns that go across product lines, including credit cards, auto loans and mortgage credit, Garcia continues, citing credit card issuers that contact a cardholder if a purchase seems to be out of the cardholder's normal spending behavior as a strong example of proactive fraud prevention.
According to Garcia, data management is critical for banks taking a holistic approach. "Institutions cannot manage what they cannot measure," she says. So banks are employing technologies that gather data in real time, cleanse it and combine it with information from other systems.
"While institutions cannot completely eliminate fraud, they can put architectures in place to detect and report it in a timely manner to minimize impact on the institution, customers, shareholders and other constituents," Garcia contends. "Those that approach fraud management as a mandate to protect their reputations and build customer trust will also improve operational efficiencies and see significant payback to their bottom line through reduction of losses."