Fighting the Fraudsters: Lessons in security
The banking sector continues to battle the scourge of fraud and is making significant progress. Tom Jowitt examines how trends are shifting and what the banks are doing to stay one step ahead.
There is a constant battle between the banking industry and individuals and criminal gangs seeking to carry out fraud. Perpetrators are using increasingly sophisticated techniques and, as one avenue of attack gets closed down or made more difficult, another often opens up.
We are not really talking about frustrated teenage hackers here, but sophisticated criminal gangs exploiting the latest technology and tactics. Most of the criminals are quite simply after your money, but the recent arrival of the hacktivist (hackers with a cause), as exemplified by the Anonymous group who targeted the websites of Mastercard and PayPal in protest at the treatment of WikiLeaks’ Julian Assange, demonstrates obvious vulnerabilities.
VISA has recently announced that new modelling software is detecting twice as much fraud on the riskiest transactions and three times the fraudulent cross-border activity as its previous version. However, in spite of such advances fraud continues to grow in some areas while falling in others.
“Today’s fraudsters,” according to Brian Kinch, senior partner, client services, at FICO, a decision management company with expertise in analytics and consulting, “are constantly shifting the focus of their attack.” For example, thanks to chip and PIN we are now seeing the lowest levels of card fraud in the UK for 10 years, with criminals targeting other countries where this technology doesn’t exist.
Fraudsters are also, according to Kinch, focusing more on identity theft and account fraud; stealing someone’s details to open up a new account, or take over an existing account. Incidences of identity theft have increased by 10%, while impersonation is up 18%, year on year.
Phishing attacks are often used as a precursor to identity theft where users are tricked into handing over their details to what they believe is a trusted institution such as a bank, but which, in reality, is an organised gang of fraudsters. This hasn’t been helped by some banks using different website landing pages. If banks regularly direct users to different landing pages or URLs, customers will become less suspicious of different web addresses and therefore more susceptible to phishing.
Another problem area is social networking. “People are putting a lot of information out in the open and are not locking it down,” says Kinch, “and fraudsters, by targeting those organisations, are able to harvest a lot more data.”
Similarly, the way we are now paying for things, both instantly via BACS and via mobile phones, creates further cause for concern amongst those trying to combat fraud.
Opportunities in old technologies
But there are still problems with old school, low-tech fraud. Though on the decrease, cheque fraud hasn’t gone away and, with banks looking to phase these out, there is a risk that they take their eye off the ball and leave them exposed to opportunistic fraudsters.
And ‘money mule’ fraud, where confidence tricksters persuade victims to route payments through their banks in return for 10% of the transaction, continues to thrive. The difficulty with money mules is that whether they are naive innocents or willing participants, they always claim to have been duped, which is virtually impossible for the industry to disprove. It’s worth noting that, according to insurance firm RSA, the number of mule-recruiting websites grew from 34 in December 2007 to 591 in December 2009.
‘Reshipping’ is another technique fraudsters employ to turn stolen data into cash. Criminals buy an item online using a stolen credit card. They then ship it to the home of the mule who sends it on to the fraudster who subsequently sells it for a profit.
Increasing trends
The rise in internet banking will certainly see more demand for user and transaction authentication, according to Julian Lovelock, director of commerce markets at ActivIdentity, which specialises in identity assurance and authentication. He cites last year’s APACS report that fraud associated with internet banking was levelling off in the UK, but that phone banking fraud was on the rise. “Many gangs’ first approach is to make an initial call to the bank’s call centre to gain account details and then use that information for a fraudulent internet banking attack.” Applying security measures across all channels will, he believes, be key and help ensure banks keep in line with AML (anti-money laundering) regulations.
He also talks about malware attacks, where a machine becomes infected with a trojan and the fraudster is essentially piggybacking on the authentication process. He points to the fact that higher value transactions such as business banking will increasingly require the user to authenticate themselves every time they conduct a transaction, as a direct response to malware attacks.
Fraud advice
A FICO industry panel discussion in November noted that fraud tends to be cyclical in nature and that investment in new technology and detection methods does help combat the problem. But fraudsters will circumvent new technologies and come up with new ways to continue their crime. The industry therefore has to keep up the pressure.
FICO’s Kinch believes the banking sector needs to think outside the box to deal effectively with fraud. It needs to focus on quality of service for the customer rather than the actual loss. Banks now alert customers to the steps they take when fraud happens which, as well as a sales tool, is a great way to educate consumers.
“We need to question how we hone our fraud detection capabilities, ask how can we use neural networks, and think of new ways to involve customers less, but catch fraud earlier,” says Kinch.
Lovelock’s advice is to make sure that any security processes and systems banks employ are applied in an integrated way across all of their facilities. He thinks that, while it may be a bit dramatic to call the fight against fraud an arms race, that is exactly what it is. “It is an incremental and evolving process and it is important for the banks to think long term and put in place a solution that can expand and adapt to threats,” says Lovelock.
Final thoughts
There is little doubt that banks could do more to educate customers, reminding them that a bank will never ask for passwords. And any promises the banks make, they must keep. If the bank’s customer service unit promises not to contact the customer, and then three weeks later the marketing department does exactly that, it doesn’t help. Kinch believes that this could discourage the consumer from contacting the bank when there is a problem or if they receive a phishing email, when it is imperative that they do just that.
Lovelock points out that internet banking is a much cheaper option for banks than branch and telephone banking, so it is vital for banks to maintain customer confidence in online banking. “That’s the biggest cost driver for the banks,” he says, “not fraud prevention. If the banks lost another few million pounds through fraud, that is not an overly big deal for them. But if the bank lost say ten per cent of its internet banking customers because they had lost faith in online banking that would have a huge impact.”