Banks continue to be prime targets for all sorts of cybercrime and fraud. As the risks escalate, so do the efforts of financial institutions to identify the fraudsters and stymie their actions. These efforts, however, also have the potential to complicate banks’ efforts to provide a good customer experience. What are the current and emerging fraud threats to banks, and what kinds of technologies are banks using (or should be using) to combat these threats? How can banks balance fraud prevention and protection of customer information with the need to optimize convenience, simplicity and ease of use for consumer and corporate customers?
Give Customers A Sense Of Control
Today, we see threats associated with denial of service attacks, potential disruptions of sites, not necessarily intrusion onto sites. Phishing exploits continue, as do attacks on individual company databases. We have seen fewer attacks on individual financial company databases to try to compromise data and more attempts to attack our customers directly. Phishing attacks are designed to essentially accumulate bank credentials so that unauthorized transactions can be made.
Over the years, banks have grown accustomed to the balancing act between protection and convenience. As threats change, protection measures must change, as well. Some protection measures are more transparent to the customer. One example is device authentication. Many customers use the same personal computer to conduct online banking, and their financial institutions are able to recognize the familiar computer as a method of authentication.
In some cases, the additional authentication is important to the customer. But the customer can opt into that or not. As an example, banking customers can opt to receive a text message on their mobile phones that a certain transaction has occurred. The ability to set up these alerts according to their preferences gives customers some control over their devices and authentication measures.
Banking customers may have to do something they might not ordinarily do to get a measure of convenience. For example, a customer might use a computer or device he or she doesn’t typically use to log on to mobile banking. This will cause them to answer not some simple shared secrets but maybe some complex information about themselves like transaction information. This additional authentication measure gives additional protection while allowing the customer the convenience of using an additional device.
-- Doug Johnson, VP Risk Management Policy, American Bankers Association
Connect Fraud, AML, Security Data To Spot Patterns
While techniques evolve, today’s threats are as old as the financial system itself. Cyber criminals are after money or other assets of value. Hacktivists are politically and socially motivated so their attacks are often highly visible (e.g., DDoS). While they aim to disrupt services, attacks can result in financial loss and reputational damage. Criminals may use DDoS as a diversionary tactic while executing fraudulent activity.
It’s challenging to understand “normal” customer behavior across devices and entry points. Many are implementing identity- and behavioral-based fraud detection systems designed to identify and address issues before they become major problems. Banks should connect fraud, anti-money laundering and security data to recognize patterns and suspicious behavior.
It’s a delicate balance to successfully protect against fraud while minimizing customer disruption. Banks should acknowledge that the customer end point is compromised. Real-time, behavioral-based fraud detection helps allow legitimate transactions while blocking malicious attacks. Early detection is critical to minimizing consequences.
Security must be an ongoing practice, not a one-time exercise. Rules should continuously be updated in response to new attacks. With mobile applications, operating system updates should trigger an assessment. Independent security assessments should be an integral part of the process.
According to EY’s Global Consumer Banking Survey 2012, greater confidence in security would encourage 78 percent of young people to make greater use of mobile banking. Banks should communicate to provide their customers with greater assurance about the security of online and mobile banking. Security is a shared responsibility. Conveying how security practices will benefit the customer will promote accountability and more secure online behavior.
-- Chip Tsantes, Principal for Information Security Advisory Services, EY
Pursue The Convergence Of Biometrics & Mobile
It’s nothing new that banks are prime targets for all sorts of cybercrime and fraud. The threat of Distributed Denial of Service (DDoS) attacks and phishing expeditions, for instance, is constant. However, efforts to enhance fraud-prevention and detection capabilities, such as requiring customers to use multi-factor authentication, have the potential to diminish a good customer experience.
The bulk of fraud losses continue to come from traditional payment methods such as credit cards, debit cards and checks. However, one of the current fraud threats that the industry battles today is account takeover. This is partly due to difficulties in accurately authenticating the customer as they are transacting with the financial institution, even in the branches and call centers. Account takeover results from criminals taking advantage of the vast amount of personal information freely available on the Internet, through malware and spear-phishing attempts, the utilization of social engineering tactics and the compromise of data from merchant and processor breaches.
These threats do require enhanced methods like multi-factor authentication. Financial institutions continue to lead the pack in fraud detection and mitigation, but are still dependent on using customer information and passwords that are readily available and easily compromised. Technologies that use biometrics for authentication are on the horizon and could make a difference with this issue. The use of mobile devices for things like fingerprints, voice recognition and visual identification appears promising and much more difficult to compromise. Financial institutions also need to combine all available data to enhance their ability to identify anomalies in all aspects of customer interaction.
Educating and enlisting customers in the fight against fraud must remain a priority. In addition, the biometric technologies mentioned are beginning to be incorporated into the mobile devices which have become ubiquitous throughout the world. These techniques, along with comprehensive data analysis, may be able to enhance the institutions' ability to properly authenticate without inconveniencing the customer.
-- Nancy Guglielmo, Vice President of Fraud Reduction, BITS
Adopt A Layered Approach Leveraging Multiple Analytical Techniques
There has been an increase in both frequency and complexity in bank fraud. Opportunistic fraudsters are taking advantage of financial institutions’ customer-centric programs, while organized fraudsters are becoming more and more sophisticated in multi-dimensional attacks. Today's fraud exposure is growing with more advanced plays involving everything from cyber to organizational and logistical capabilities to attack banks in multiple locations at once.
We believe that banks need to look at layered approaches to predict fraud and protect the organization on multiple levels. Organized fraudsters are smart and know how to defeat your models and your rules, but they leave trails. Banks need the ability to identify these trails, and uncover how the fraudsters mask their identities. On the other hand, opportunistic fraudsters do not leave trails, but can be caught with more sophisticated predictive analytics.
Banks also must widen their observation space, which defines the areas and sources of data that they can analyze and observe behavior. The richer and broader that you can make this space, the more likely you’ll be able to disrupt and defeat the more sophisticated fraudsters.
There’s no magic for balancing fraud protection with customer convenience, but a layered approach can go a long way for financial firms. Banks cannot separate fraud from other customer-centric activities. Launching a customer-focused enterprise or doing a digital transformation and other customer-focused initiatives create avenues and opportunities for fraudsters.
To protect themselves from both organized and opportunistic fraudsters, banks need to be able to model behaviors using predictive analytics and have the ability to recognize and understand history and relationships. Otherwise, if an individual exhibits a behavioral tendency that indicates that he or she is a fraudster, but if a bank doesn’t connect that information to the individual’s identity or relationships, the institution could make a big mistake in flagging the activity as fraudulent. On the flipside, today’s sophisticated analytics may be able to uncover hidden patterns and relationships that can help banks to contain fraud and better manage risk while improving customer relationships.
The normal approach is to use pattern recognition and behavioral tendency, but if you don’t couple that with identity detection and relationship analysis, you could come up with many false positives. It all goes back to the essential layered approach that leverages multiple advanced analytical techniques.
-- Rick Hoehne, Global Leader for Fraud Solutions for IBM Global Business Services, IBM
Peggy Bresnick Kendler has been a writer for 30 years. She has worked as an editor, publicist and school district technology coordinator. During the past decade, Bresnick Kendler has worked for UBM TechWeb on special financial services technology-centered ...