In June 2011, the US government released updated guidance on customer authentication and layered security in an ‘increasingly hostile online environment’. The updated guidance was issued to address the rash of corporate account takeovers targeting North American banks during the past year. In the past 12 months, small-to-medium sized businesses in the US have been the target of more than $250 million in attempted fraud attacks.
One of the challenges facing financial institutions is that their fraud detection and prevention systems have been siloed by products and channels. They use one system for credit card detection, another system for check fraud and yet another for online banking. Most existing systems fail to recognize risks that are perpetrated using multiple channels and relationships. These legacy systems fail to block transactions in a timely manner.
Fraudsters know this, and they take advantage of the lack of systems integration. If we take the example of a recently indicted Eastern European fraud ring: They were highly sophisticated and organized; they targeted specific individuals (aka “spear fishing”) at small businesses with malware infected e-mails; and once they compromised the officers of the corporation, they used “man-in-the-middle” attacks to capture online banking authentication credentials. Then they set up money mules as payees, and withdrew considerable sums using automated clearinghouse (ACH) transactions over the course of several hours.
In one high profile case, cybercriminals conducted 93 transactions totaling nearly $2 million dollars over the course of one morning. Email, malware, electronic funds transfers, mules, and other money laundering techniques are used by perpetrators to avoid detection by outdated batch systems.
Five layers of defense
So what does the FFIEC Guidance recommend for superior fraud detection? First, a renewed emphasis on risk assessments to determine which customers, products and services require enhanced controls. Second, implementation of more robust controls for high risk online transactions. Finally, because every layer is susceptible to compromise, a ‘Layered Security Program’ of multiple defenses is recommended. A “Layered Security Framework” consists of five core layers:
- Fraud detection and monitoring – this includes monitoring and blocking of the actual payment transaction.
- Authentication – multi-factor authentication can use a variety of tokens and out-of-band verification.
- Internet protocol and device analysis - the ability to analyze specific online behavior, geographic location, and whether the IP address, smart phone or tablet has been associated with a prior fraud event.
- Transaction limits and controls – systemic limits on the number, type or value of transactions permitted for that customer.
- Customer awareness and education – continuous education to inform clients of threats, best practices and anti-virus protection.
One final caveat, use information from each of these layers to provide a more holistic view of customer and payment risk. Don’t create more silos!
Take the phased approach
The first step of a phased approach is to accurately assess your risks. If you consolidate existing investigations and known frauds into a centralized alert and case management environment you’ll have a better understanding of your exposure.
The next step is to deploy behavioral analytics so that you know whether a transaction or a pattern of behavior is abnormal. For example, do these wire transactions exceed the number or dollar value of what’s normal for this customer? What if an ACH origination is requested during a high risk time period or from a new IP address?
Leading edge institutions are deploying entity link analysis to analyze behavior of multiple customers or communities to identify organized crime rings and better understand hidden risks.
Finally, move from detection to a fraud prevention paradigm. This means you must block transactions in a timely manner to prevent the loss of funds. As customer expectations for convenience increase in a mobile banking world, as you expand the products and services offered through smart phones and tablets, you’ll need a system that blocks transactions in real-time.
Institutions have to become more effective to protect their customers against emerging threats.
Part of an enterprise financial crimes strategy
As financial institutions prepare for the FFIEC’s supervisory expectations in January 2012, there has been significant interest in new technologies that analyze behaviors, devices, and access points in specific channels. These tools and techniques should provide useful risk measures as part of a broader enterprise fraud management capability. It will be crucial for institutions to integrate alerts from authentication and device/IP analysis with alerts generated on other events to gain a holistic view of customer risk. If you are looking for more information about combating these emerging threats, download this whitepaper.
Do you have examples that you can share that show these five layers or the phased approach in action? Please share them in the comments section below.