Hardly a day goes by without a report that hundreds of millions of records tied to individual users, credit and debit card numbers, e-mail addresses or log-in credentials, have turned up for sale on underground markets. If those numbers are accurate, banks are paying for these leaks in a big way.
In many ways banks are at a disadvantage. Financial institutions must provide functionality, engage their customers and make the banking experience a pleasant one, while also mitigating the risk of transactions that arrive across multiple channels. A bank has little visibility into the end-user's device and no way to see who is actually performing a remote transaction, so it is constantly forced to choose between security and a convenient customer experience.
Many current fraud schemes have built in countermeasures against fraud controls, specifically mimicking the geo-location of the legitimate log-in and capturing credentials in order to hijack multi-factor authentication. Combined with the adoption of mobile banking, this adds risk to any continued dependence on traditional fraud solutions. Most banks see mobile as a positive customer engagement opportunity, since it enhances the customer experience and facilitates more business. However, mobile is also a potentially less secure platform. Most security-related fraud tools have no mobile presence, creating a gap that permits malware and device-takeover attacks to occur, such as the Eurograbber mobile banking malware attack that victimized thousands of Europeans. Yet many banks adopt the mobile platform and send step-up authentication codes for transaction approval without considering that a fraudster might intercept them; a one-time code delivered to a device that is already under the attacker's control adds little. The banks are then stuck with the risk these authentication codes create, even though they lack the ability to mitigate it.
Traditional fraud solutions rely on end-users to protect their own personal information and devices, and on alerting or "flagging" known fraud patterns associated with risky transactions. Unfortunately, traditional solutions do not work for non-traditional fraud schemes. Banks need to focus their resources on targeted fraud solutions that can be applied to the widest range of possible attack vectors. In practice this means they often adopt "80% solutions" that only engage fraud in its most common forms. But what about new, sophisticated attacks? Banks must make the distinction and decide whether they want to live with an 80% solution or adopt new technologies that identify fraud as it evolves.
When I was a strategic program manager at a large U.S.-based brokerage firm and bank, I had to weigh the costs and benefits of building solutions, adopting new technologies, or trying to enhance existing technologies to deal with new and emerging threats. Significant investments in older, bloated security solutions re-purposed to work as fraud solutions are usually flawed, because those solutions rely on the very characteristics (IP address, geo-location, device fingerprint) that cybercriminals now spoof. This leaves banks with either high false-positive rates when identifying fraud, or parameters so open that fraud events go through unchallenged.
Even harder than combating fraud is convincing fraud program managers to rethink the way they see fraud solutions. You do not have to manage rule sets or design a specific rule for every possible fraud scenario. It is possible to deploy lightweight, simple-to-integrate products that prevent fraud at the account level. Knowing your customer is arguably more valuable than identifying a bad device or IP address. Authenticating a device that you know is secure and protected from malware, phishing and pharming attacks increases the confidence that a session is genuine. Understanding the normal behavior of your customer, and measuring how far observed transactional activity deviates from that expected behavior regardless of channel or form factor, also increases the opportunity to identify fraud while reducing the number of alerts or limitations placed on genuine customers.
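As an added illustration of the account-level baseline described above (example code written for this edit, not the author's or any vendor's product; every account, amount, payee and timestamp in it is constructed), here is a small Python scorer that learns an account's own norms from its history and reports how far a new transaction departs from them. It deliberately ignores IP address and device fingerprint, the attributes the article says are now routinely spoofed, and scores only on the customer's own amount, payee, channel and time-of-day habits:

```python
"""Per-account behavioral baseline and deviation scoring (illustrative).

Added example; not the author's or any vendor's engine. All data below is
constructed. Thresholds and weights are assumptions chosen for the demo.
"""
import math
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    account: str
    when: datetime
    amount: float      # in account currency
    channel: str       # "web", "mobile", "branch", "atm"
    payee: str


@dataclass
class Baseline:
    log_mean: float    # mean of log1p(amount) over history
    log_std: float     # population std-dev of log1p(amount), floored
    hours: set         # hours of day at which the account has transacted
    channels: set      # channels the account has used
    payees: set        # payees the account has paid before


def build_baseline(history):
    """Summarize an account's own history. Log-scaling the amount keeps one
    large rent payment from swamping the many small purchases."""
    logs = [math.log1p(t.amount) for t in history]
    return Baseline(
        log_mean=mean(logs),
        log_std=max(pstdev(logs), 0.25),   # floor avoids divide-by-zero on flat history
        hours={t.when.hour for t in history},
        channels={t.channel for t in history},
        payees={t.payee for t in history},
    )


def deviation_score(txn, base):
    """Return (score, reasons): each reason is one way the transaction
    departs from this account's norm; the score is their weighted sum."""
    reasons, score = [], 0.0
    z = (math.log1p(txn.amount) - base.log_mean) / base.log_std
    if z > 2.0:
        reasons.append(f"amount z={z:.1f} above usual")
        score += min(z, 5.0)                # cap so one huge amount cannot dominate
    if txn.payee not in base.payees:
        reasons.append("new payee")
        score += 2.0
    if txn.channel not in base.channels:
        reasons.append(f"first use of channel {txn.channel}")
        score += 1.5
    # Tolerate +-1 hour around any hour previously seen for this account.
    if not any(abs(txn.when.hour - h) <= 1 for h in base.hours):
        reasons.append(f"unusual hour {txn.when.hour:02d}:00")
        score += 1.0
    return score, reasons


def decide(score, step_up=2.0, hold=4.0):
    """Map a score to an action: allow silently, step up, or hold for review."""
    if score >= hold:
        return "hold"
    if score >= step_up:
        return "step-up"
    return "allow"


# Constructed six-month history for one account: small card spend plus rent.
HISTORY = [
    Txn("A1", datetime(2014, 1, 6, 9, 15), 45.0, "web", "grocer"),
    Txn("A1", datetime(2014, 1, 20, 12, 40), 120.0, "mobile", "utility"),
    Txn("A1", datetime(2014, 2, 3, 18, 5), 60.0, "web", "grocer"),
    Txn("A1", datetime(2014, 2, 28, 8, 30), 900.0, "web", "landlord"),
    Txn("A1", datetime(2014, 3, 10, 13, 10), 38.0, "mobile", "grocer"),
    Txn("A1", datetime(2014, 3, 22, 20, 45), 75.0, "mobile", "utility"),
    Txn("A1", datetime(2014, 3, 31, 17, 0), 900.0, "web", "landlord"),
    Txn("A1", datetime(2014, 4, 14, 11, 25), 52.0, "web", "grocer"),
    Txn("A1", datetime(2014, 5, 2, 15, 50), 110.0, "mobile", "utility"),
    Txn("A1", datetime(2014, 5, 19, 10, 5), 64.0, "web", "grocer"),
]

# Constructed candidates: routine, new payee, and a classic takeover pattern.
CANDIDATES = {
    "routine":   Txn("A1", datetime(2014, 6, 2, 12, 0), 60.0, "web", "grocer"),
    "new_payee": Txn("A1", datetime(2014, 6, 3, 19, 0), 400.0, "mobile", "plumber"),
    "takeover":  Txn("A1", datetime(2014, 6, 4, 3, 0), 4800.0, "web", "mule-account"),
}


def score_candidates():
    """Score every candidate against the account baseline; returns
    {label: (decision, score, reasons)}."""
    base = build_baseline(HISTORY)
    out = {}
    for label, txn in CANDIDATES.items():
        score, reasons = deviation_score(txn, base)
        out[label] = (decide(score), score, reasons)
    return out


if __name__ == "__main__":
    for label, (action, score, reasons) in score_candidates().items():
        print(f"{label:10s} {action:8s} score={score:.2f} {reasons}")
```

With the constructed history the routine purchase is allowed without any friction, the first payment to an unknown payee triggers a step-up challenge, and the large off-hours transfer to an unknown payee is held. The weights and thresholds are assumptions for the demo; in production they would be tuned per segment against labelled fraud and the baseline would be recomputed as the customer's habits drift.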
Deploy solutions that ensure your bank only looks at the activity it has to look at. Reduce your false-positive and false-negative rates, and remove the overhead of managing the tools so you can focus on managing your business. Be more proactive in your anti-fraud program: identify fraud schemes in their planning stages, monitor underground forums for mentions of your brand, and break the fraud cycle by having those threats removed from the internet before your customers fall victim to them.