Most of us in the business of fighting fraud understand it is and will be an ever-changing challenge. And we expect 2015 to be no different, unfortunately. One of the most difficult expectations placed on fraud organizations is the anticipation of where fraud will occur and how often. In an effort to help you understand what the fraud landscape might look like in the year ahead, I have outlined some considerations that should be understood along with suggestions on how they should be addressed.
1. Fraud Controls Continue to Favor Criminals
Regulations dictate what Financial Institutions (FIs) must do in order to protect their customers, however FIs are usually the strongest and most capable at performing this protection already. Fraudsters understand this and have moved to “softer” targets, pun intended. Retail and payment breaches are not isolated events; these are deliberate methods to circumvent anti-fraud solutions. These types of exploitations take the banks’ controls out of the equation, limiting their ability to influence their fraud profile.
The overwhelming burden on the FIs to identify the very small percentage of fraudulent activity in a disproportional amount of legitimate transactions is almost unrealistic in most anti-fraud programs. This results in financial institutions “boxing-in” fraud, setting limitations on how fraud can happen and where. By defining the “acceptable fraud” you inherently provide the fraudster with a built-in work around to your controls. As a result, this type of mitigation strategy will always be in favor of the fraudsters.
This is a major problem for institutions, because they lack the ability to differentiate between fraud and legitimate activity due to the limitations of the traditional controls that can be deployed in this space. Those institutions that stack controls are often trying to balance between customer friction and potential loss of usability and functionality, this too works in the favor of the fraudster.
2. EMV Will Not Solve Card Fraud, Just Shift It
Over the last few years many FIs have requested even more regulations, the move to EMV chip cards, and the need for associated parties to take on some of the liability for loss. This is not solving the fraud problem; this is only addressing who is responsible for fraud when it occurs. For the last two years, card fraud has been rated one of the top three concerns for banks, yet it remains year over year one of the most exploited channels, why? I think it is because the industry is looking for answers in the wrong place. EMV is not going to solve card fraud; it is going to move card fraud to a different exploitation, as it did in Europe and other EMV adopted environments. In fact, Javelin Strategy & Research predicted that Card Not Present fraud will increase dramatically over the next few years. So why push for EMV? Do FIs believe they are better at identifying card-not-present (CNP) fraud than magnetic stripe fraud? The real answer is no, but it buys them time…but time to do what? Remember, FIs want their customers to use their cards, this not only a major source of revenue but also reduces transaction processing cost associated to different methods of payment. Card usage also keeps the brand in your mind, or in the wallet, touch points making a customer more “sticky” and more likely to use the bank for other services. We have to ask ourselves, is moving to EMV a fraud related strategy or a marketing one? Without a solid EMV strategy, banks will still be vulnerable to EMV exploitations, CNP, and other channel related fraud activities that are masked due to FIs inability to differentiate between legitimate and fraudulent transactions.
3. Fraud Will Shift to New and Old Channels
Another consideration for the inevitable EMV movement is the migration of fraud to other channels. Strengthen one channel and it simply moves to another. Holistically, a program needs to be able to identify fraud, not just box it in. We anticipate the migration back to more traditional fraud exploits like physical checks and social engineering in 2015.
The checking channel is another regulation heavy payment method that has many protections withhold periods and validation methods already in place, so why would they go back to it? Because most check fraud detection systems are inadequately updated and since the adoption of Check 211, fake and forged checks are harder and harder to isolate and identify. Watermarks, MICR, and fonts are no longer sufficient identifiers of forged checks. Many of the checks are legitimate, just in the wrong hands, or the accounts themselves are funded with stolen funds. How many of us have experienced this scenario:
• A new account opened online, funded by an ACH
• The new checking accounts issues a checkbook and debit card
• The new account is emptied as soon as the ACH clears
With the ease of social media engineering (fake profiles) and the ability to find identity-specific information on social media sites, it is very easy to open a bank account in someone else’s name and forge application information.
4. Mobile Fraud Will Get Interesting
Mobile is a gateway into accounts. Most mobile offerings have limitations to transact business due to its unknown security and vulnerability status. Most FIs do not know what to expect from this channel, or how they will engage this channel from a fraud prevention strategy. However, mobile is a perfect opportunity for a fraudster to learn about customer’s accounts, balances, verification takeover, and credential harvesting. Today, many financial institutions are limiting who can make transactions and the kinds of transactions being made through mobile devises, and not because of technology limitations but due to their lack of ability to mitigate fraud in this channel. Instead of mitigating fraud through effective anti-fraud solutions, they are compromising their customers’ experience by not providing competitive functionality. In situations like this, the disadvantage is two-fold: first, end-users switch to a bank that offers full mobile banking features and second, the FIs miss the opportunity to authenticate and verify transactions through mobile devices.
The year ahead will likely again be an interesting one for the good guys and the bad guys. However, by having good data sourcing, good anomaly detection, and the ability to identify common account and identity take-over characteristics, organizations can make the fraud landscape in 2015 an uphill battle for fraudsters.
1 Effective in 2004, Check 21 is the conversion of physical checks to electronic checks. It facilitates banks to send electronic checks to each other for clearing instead of having to mail physical checks. This adoption was applied to customers as well, with the absence of the physical check, it is much harder to detect check fraud outside of the physical security features.