By David Nussenbaum, vice president, ACI Worldwide
Fraud is on the rise and it's expected to accelerate in the wake of the global financial crisis, with not just cards but other bank products and channels being targets for criminals. Urban gangs like the Crips and the Bloods have been known to collect more than 10,000 credit card numbers a night. Right now, a gang member is likely approaching a waiter as he starts his shift. The crook simply offers the waiter a card skimmer, which is smaller than a deck of cards, and he tells him that all he has to do is swipe cards through the skimmer during his shift, and in return he'll get paid $25 per swipe. Unfortunately people need money for gas and rent, especially in this economy, so they tell themselves they aren't doing any harm and they go ahead and swipe the cards of unsuspecting diners.ATM skimming is another popular form of card fraud. In fact, according to the U.S. Secret Service, it's one of the financial industry's fastest-growing electronic crimes, now costing institutions and consumers $8 billion annually. This scam involves hiding a skimming device and camera within an ATM machine. When people slide their cards through the skimming device it reads all of the account information stored electronically on the magnetic stripes, and a small camera that is fitted to that ATM records their personal identification numbers (PIN) as they punch them in on the ATM keypad. The criminals download this sensitive data and sell it to counterfeiters.
Card related scams have been around for years. As countermeasures to fight card fraud get erected, enterprising fraudsters hedge their risks of getting caught by expanding into other sorts of attacks. Internet banking, ACH and wire transfer products are also being compromised via schemes ranging from the use of high tech malware to simple social engineering.
If that's not enough to keep bank CROs awake at night, all they have to do is starting thinking about a mass data breach. When a retailer or financial institution stores card or identity information it is at risk of getting hacked. A mass data compromise can result in the theft of millions of valuable records, which in turn are brokered over the internet, resulting in compromised identity and card information. Fraudsters then rack up millions of dollars in merchandise using the fake credit cards to make purchases at stores, online and over the phone. Others open up new account relationships at bank and draw down on available credit. Detective Bob Watts, Newport Beach police department, explains how criminals make counterfeit cards in the Wired Magazine video below. It's scarily easy.
To successfully combat payments fraud, bank risk managers need to look at payments fraud holistically and overcome the following three challenges:
1. Accurate quantification and timely reporting of fraud. Fraud definitions and the labeling of reported payment fraud differs widely throughout the industry, from region to region and even from institution to institution. The most typically reported and accepted quantification of card fraud is the annual losses reported by card issuers - Visa, MasterCard, American Express, and Discover. However, these estimates do not reveal the whole picture. Unreported and undetected fraud at card issuers is significant, and it often ends up classified as a credit loss, which means these losses end up in the collections file making fraud losses difficult to separate from bad debt write-offs. The losses from individual merchants and consumers are accepted to be even greater, yet these losses are incredibly disparate and go largely unreported and unmeasured. Furthermore, the fraud levels that are quantified are reported in aggregate, and by the time these reports reach the strategists who are combating fraudsters, the information is out of date and watered down.
Inadequate quantification and reporting is an industry problem that needs to be addressed in order to help financial institutions stay one step ahead of criminals. Without detailed information, experts within banks can't properly assess current fraud schemes and apply appropriate countermeasure techniques. With this in mind, banks need to implement strategies and technologies for real-time fraud detection.
2. Current processes do not detect fraud quickly enough. Today, much of bank fraud is detecting something after it happens. But, the end game is real-time fraud detection, which is the ability to quickly detect a fraudulent transaction while it's being authorized and before the transaction is actually consummated. It's a double-edged sword because banks don't want to err on the side of too many false positives, which means declining legitimate transactions that appear to be fraud. For example, banks don't want a VIP customer who is traveling to Hong Kong to be denied a hotel room because the system sees the transaction as unusual.
It comes down to the accuracy of the analytics deployed. Real-time and what we call "near-real-time" fraud detection, which is essentially doing the analysis within milliseconds after the transaction is consummated, is a demanding science. Proactive banks are using predictive and dynamic analytics for real-time fraud detection. For instance, ACI has been working with one bank in North America to implement real-time blocking capability for ATM and POS usage of its debit cards. The bank has achieved $2.4 million in savings a month, while keeping a remarkably low false positive ratio.
Quality models are built by teams of expert mathematicians and may be combined with dynamic rules, capable of reacting to ever-changing environmental shifts. For example, if there have been recent attacks on an ATM, fraud analysts can quickly respond and adjust rules to account for the current fraud scheme. Or, if a customer advises that there was a false alarm and a transaction was legitimate, the rules may be dynamically changed to minimize any disruptions to the customer going forward.
3. Fraud departments remain in silos. Banking payments and administrative systems can be a confusing mix of different technologies. This approach is mirrored within fraud management departments, where different teams and systems deal with different types of fraud. Even debit and credit card fraud management may be handled by different teams at some banks, using different systems and 'best' practices.
This makes it difficult to gain a comprehensive overview of customers' payment patterns or to identify fraud that crosses payment types or channels. In a case of account takeover as a result of phishing, a fraudster who goes online and changes the account address and then requests a new card to use for fraudulent purchases may not be picked up within a siloed system. The address change may be viewed by one team and the card transaction by another team. In isolation, this may appear to be normal activity, but when combined, it's flagged as abnormal activity and investigated for fraud.
Banks can benefit from consolidating to one strategic financial crimes detection and case management platform, while at the same time having the knowledge and capabilities to address all types of threats, including card fraud. They need a holistic view of the account, the customer, and the risk type that cuts across product, channel or geography.
Debit card fraud has a dual nature. Many of the scams around debit cards are similar to other card frauds, however the debit card is also linked to the consumer's checking account. Therefore, if the area of the bank that has been managing debit card fraud extends its system and processes to include transactional data from other lines of business such as wire transfers, ACH, internet banking, and check processing, it can monitor and protect other cash movements that are tied to the debit card. With a holistic view of the account, the bank experts that are managing debit card fraud are now positioned to examine the other debits and credits that are hitting the account.
When it comes to breaking down the silos, banks are in different phases of evolution. Even the more sophisticated fraud managers are just getting their hands around a thorough monitoring of demand deposit accounts. Consolidating other fraud silos on the asset side of the bank balance sheet, including credit card, mortgage, auto loan and student lending will follow. The ultimate vision is where banks can see fraud across silos and connect the dots to better detect and prevent fraud. It's easy to talk about enterprise fraud, but to be effective banks need to understand the individual dynamics of how transactions are processed within each silo - card processing, wire transfers and Internet banking - and the way that translates into constructing rules and scenarios that are specific to those particular silos. For example, a rule for an anomalous wire transaction may be completely different than a rule to look for an anomalous credit card transaction.
Criminals innovate and continually avail themselves of new technologies and techniques for robbing banks electronically; so there is an ongoing need for to banks to break down the silos and implement real-time fraud detection solutions. To stop fraud in its tracks, bank CROs must also realize the importance of combining powerful mathematics with a dynamic, and agile financial crimes software platform and best operational practices that can be responsive to sudden changes in the environment.
David Nussenbaum is product line manager for ACI's Risk Management solutions. He began his career working in the cash management group of today's JPMC. He has specialized in fraud management at HNC-FICO, TransUnion and FML.