Combating the innovative crook

 
It cannot be denied: fraud incidents are inevitable. Today’s consumers and financial institutions may arm themselves with state-of-the-art detection and prevention services, but even so, the likelihood of being victimized by fraud or a security breach is very high.

Unfortunately, fraudsters are only growing in their sophistication and organization. In fact, fraud has slowly grown into a multi-billion dollar industry--and malicious activity is growing at record pace. As technology advances and new channels of delivery emerge, financial institutions need to have a solid understanding of the types of attacks and how the business of fraud is evolving.

There are four top categories of fraud and data compromise that we expect to remain prominent in 2012. By understanding what risks each one brings, and how criminals are changing their tactics, those affected by fraud have a better chance of mitigating the risks and stopping criminals in their tracks.

 

 

1. Network Intrusion—stealing from code and hardware
Network Intrusion represents the majority of fraud that takes place today. The term refers to malicious activity conducted on a network by hackers or others attempting to misuse or break into a system with the intent of stealing data. Network Intrusion covers a range of attack methods, including:

• Malware: Comprises a variety of forms of hostile, intrusive, or annoying software or program code that can collect sensitive information from a computer, undetected. Spyware, botnets, and keystroke logging are all forms of malware.

 

• SQL injections: Involves entering SQL code into web forms such as login fields or browser address fields to access and manipulate the database behind the site or system. In other words, it tries to fake out the login function using SQL commands instead of actual user names and passwords to gain access to sensitive information. (SQL stands for “structured query language,” and refers to programs that manage data in relational database management systems.)

 

• PIN hacking: On the low-tech side, some criminals use cameras to record customers entering their PINs at ATMs and payment terminals. More sophisticated criminals grab unencrypted PINs while they sit in memory on bank systems during the authorization process, or tap into a bank’s hardware security model and trick the model into providing an encryption key to “unlock” the data passing through the system.

 

• Packet sniffing: With packet sniffing, a malicious intruder can capture and analyze all of the network traffic within a given network, and capture username and password information that is generally transmitted in clear text and viewable by analyzing the packets being transmitted.

The sophistication level of these threats has increased and attackers are getting smarter about evading detection, giving them more time to steal information and use it before the attacks are discovered.

Once account data is acquired, hackers can use social networks to find personal information that may provide answers to security questions or help imitate buying patterns that fool fraud detection systems. With the widespread use of online shopping and internet banking, the potential for loss can be significant, forcing financial institutions to put more emphasis on authentication and to dedicate even more resources to detection and prevention.

 

 

2. Social engineering—fooling human beings
This type of fraud focuses on manipulating people, rather than hacking into computers for information. The key to social engineering fraud is to trick a person into performing a specific action, such as revealing an account number or password, or downloading and installing malware.

Some of these attacks start with network intrusion, in the form of stealing email addresses from a financial company. The criminals then send emails that link to a fake landing page mimicking the website of the consumers’ bank or credit card provider. The consumers enter usernames, passwords, Social Security numbers, and/or account information--unaware that a cyber thief is capturing that data for malicious use.

Another common social engineering practice is to send an email plea from a friend or relative asking for money or information. Criminals know it is hard to resist a request for money from a known friend who has “had their passport and wallet stolen” while in a foreign country.

New delivery channels such as mobile devices are opening up more opportunities for fraud. In fact, these new channels are a perfect target for social engineering. With more financial institutions sending alerts to customers via texts and voicemails, customers become targets for SMiShing (text) or Vishing (voice)--fake alerts or messages that fool customers into revealing passwords or account numbers.


3. Skimming—piggybacking on legitimate transactions
Skimming techniques allow thieves to gather account information, PINs, and even the printed card security numbers on the face of payment cards. (Essentially, this is an advanced method for stealing card information by using a small electronic device (skimmer) to swipe and store victims’ credit and debit card numbers. This type of theft takes place in an otherwise legitimate transaction at ATMs, gas pumps, restaurants, etc.

Skimming often involves the use of a hidden camera to record customers’ PINs, or phony keypads placed over real keypads to record keystrokes. For criminals, there is a risk in getting caught when going to retrieve the devices. The criminals are getting smarter, though. Now, using Bluetooth technology, they can sit in a nearby vehicle and remotely gather data instantaneously, with no need to retrieve the devices they install.

Criminals also are growing smarter about where they install the skimmers. Traditionally a device attached to unattended terminals, criminals are now leveraging their social engineering skills to get an accomplice to install skimming devices at valid, card-present locations.

 

 

4. Insider Fraud
Insider fraud is a growing problem among financial institutions. It is a term assigned to a wide variety of criminal behavior perpetrated by a firm’s own employees or contractors, and generally falls into three categories: theft from customers, theft from the firm, and abuse of position.

Unfortunately, employees and contractors who access financial institution systems during the course of work know the system better than anyone else. They are better positioned to exploit the systems’ vulnerabilities.

As with other forms of fraud, insider fraud is changing. Historically, employee fraud involved account skimming and other small-scale attacks that put money in the employee’s pocket. Today, with access to the online fraud forums, employees can advertise and sell customers’ personal and financial information and make money without stealing directly from accounts.

 

 

What can you do about fraud?
Along with having an understanding of what criminals are doing to adapt their fraud practices to the market, it’s critical for financial institutions to implement necessary strategies for fighting these evolving strategies.

Here are some strategies for keeping sneak attacks under control:

 

 

Empower consumers and cardholders through education. Traditionally, fraud has been measured in terms of financial losses. If losses met a pre-determined threshold, then the institution had a “fraud problem.”

But increasingly, institutions are concerned about customer loyalty—the customer experience. To retain valuable customers and accounts, institutions must reduce the risk of fraud by investing more in detection and prevention--and then make customers aware of those extra investments.

Security should no longer be considered a corporate secret; it’s a competitive advantage to be marketed.

 

 

Make fighting fraud an integral part of internal culture. Given that criminals are no longer targeting just ATMs or payment cards, but seeking to compromise customers in every way that institutions interact with them, financial institutions must have fraud awareness and prevention programs deployed across every department.

For example, the Marketing group should know and understand how to monitor for suspicious behavior when promoting new debit/credit card programs. At the same time, the Fraud Prevention group needs to understand Marketing’s customer acquisition goals, and not implement fraud controls that are too stringent for a program to succeed.

Human Resources must also be on high alert when hiring employees, even those whose jobs do not give them access to sensitive information. Financial institutions scrutinize applicants for new accounts with authentication tools, and must be willing (and able) to use those same tools to screen potential employees.

All financial institution employees should be trained to detect and prevent fraud, both external and internal. Institutions should also have a clear process for reporting suspected fraudulent activity.

 

 

Use data analysis tools to get a 360-degree view of fraud. To be proactive about fraud prevention, it’s important for financial institutions to understand the fraud that’s happening in their own portfolios and keep on top of what is happening in the industry, as well. As mentioned before, fraudsters are tricky—so what appears to be a small risk within your own portfolio could turn into serious fraud when viewed from an industry-wide perspective.

For example, people can spot a pattern in their own portfolio, such as a low risk change of address from a specific merchant, and then look at the larger industry and see that ten other financial institutions of similar size had the same exact pattern--indicating fraud. With that information, you can go back to your own portfolio and flag all the accounts that match that pattern, or be alerted when that pattern does occur--as well as to put checks in place to prevent the fraud from happening at all.

 

 

Know your customers’ behavior. Generally, financial institutions use 20 to 50 different data points on the back end for authentication decisions. In today’s environment, having the capability to see many more data points and translating that data into real-time risk decisioning can make the difference between being the victim of fraud and stopping fraud.

With access to more data points, you will know that an online purchase, even it is just one time, is atypical for the 75-year old woman who lives in a small community and has never shopped online. Using that data analysis point, not just on the back end for your findings, but up front for the authorization decision, is critical to reducing and preventing fraudulent activity.

And it doesn’t end with blocking the authorization; you also need back-end tools that allow you to communicate effectively with cardholders to notify them about fraudulent activity, to reissue cards, and really take the proper action to mitigate fraud, while maintaining account holders’ faith in your brand.

 

 

Take action now
With attacks coming in many different forms and from many different channels, financial institutions must gain a better understanding of how criminals operate and how fraud is changing. With this understanding, you will have a better chance of mitigating the risks and recognizing attacks before they do serious damage.

In addition, financial institutions need to adjust fraud detection and prevention strategies to keep up with the evolving trends. In some cases this means investing in new technologies; in others, it means bridging organizational silos. In all cases, it means improving your odds of detecting a fraud threat before it reaches the customer.

 

 

Shelly Hunter, vice-president, product management, Fraud and Risk Services, First Data Corp.
As vice-president, Product Management, Shelly Hunter leads First Data’s North America fraud product management and product development organization. She is responsible for developing and executing the company’s fraud product strategy, managing partner relationships, and leading the product development team in managing the fraud product suite, as well as delivering new fraud products and product enhancements. Since joining First Data in 1995, she has held project and product management roles within areas including Customer Correspondence, Credit Risk, and other strategic company initiatives.