The Knowledge Exchange / Risk Management / Remote banking is hot, fraud is not

Remote banking is hot, fraud is not

Real-time fraud detection and prevention according to HSBC

Derek Wylde, Head of Group Fraud Risk, HSBC

You take out your entire family – in-laws included – for a nice dinner to celebrate being together once a year. The bill comes, you whip out your credit card without thinking, take your last sip of wine and all of a sudden the waiter returns saying, “I’m sorry, your card has been declined.” This embarrassing scenario could turn go two ways – if actual fraud was detected as soon as the waiter swiped the card, you are grateful and your confidence in the card’s financial institution just skyrocketed. If the card was declined by mistake, your loyalty just shattered and you very well may move to another institution.

Now, let’s say you are the bank, and it is imperative that you make the right and immediate decision about potential fraud to not only avoid customer churn but also protect fees from the purchase. If you allow the fraudulent purchase to process – and it is actually fraud – your customer is now a financial crime victim and you pay for the big dinner.

“The bank must make the accurate call – in real-time, any less is unacceptable,” said Derek Wylde, Head of Group Fraud Risk, HSBC Group. His financial services colleagues at this week’s The Premier Business Leadership Series in Amsterdam understand why this is especially important in the digital world.

To get an idea of the depth and breadth of HSBC, it serves more than 89 million customers in 85 countries, “but only about 20 countries are relevant here, where we have scale and where fraud is a problem,” said Wylde. HSBC has US$2,555 billion of Total Assets (end 2011). Whether you’re a bank of this magnitude or a small community bank, it’s important to keep up with the latest fraud trends to continually come up with ways to prevent it.

Current trends show that credit card fraud in the UK has been falling over the last few years, and this is likely due to chip cards – which most countries have implemented, save for the US. Conversely card fraud is much higher anyway and will continue to rise. “The US needs to get their act together in this regard, in my humble view,” Wylde shared without hesitation.

What’s increasing dramatically is ‘Card Not Present’ (CNP) fraud which allows for easier information breaches through phishing tactics and online banking. Phishers are still very much in business. The Anti-Phishing Working Group reported that they took down close to 30,000, but others still remain and are cropping up all the time. In 2011, Symantec, an anti-virus protection system reported that there were 5.5 billion malicious attacks on systems, which is an increase of 81 percent over the previous year.

And customer demand for online will move to mobile banking. That is where the war on fraud is and will truly be fought, according to Wylde.

Ever-changing fraud

Internal fraud is now prevalent as well, and HSBC is implementing detection systems to discover this behavior. First party fraud or fraud among customers is an issue as well. “I’ll admit that historically we’ve not measured this appropriately but it is still a focus area.” Typically, fraud is very well-organized by criminal gangs that get into accounts and massage credit limits.

Recently, a more worrying trend is that crooks are able to inject malware into ATMs. For example, a Mexican bank suffered a loss a couple of years ago when criminals opened a number of remote ATMs at service stations and railway stations and incorporated malware in them via a USB port. The malware captured card details during the transaction and more alarmingly – PINs.

“ATM vendors could do more. If you buy a car with standard safety features, you should be able to buy an ATM with standard security measures,” Wylde explains. “The aforementioned Semantic research showed that there were 403 million incidents of malware out there. That’s a scary number.”

Crooks prey upon the naivety and carelessness of the customer. Fraudsters need passwords that they can discover via malware or by sending an email to customers with a link asking to update their account, thereby giving away passwords – the crown jewel of information.

Fraudsters also prey on weaknesses within an organization’s IT security to steal customer data. For example, at clothing retailer TJ Maxx, 50 million card customers were compromised. And many global payments companies have been hacked.

The future

Wylde said that banks and financial services firms are challenged with providing what customers want while still protecting them from fraud. “We need to be able to open a bank account, without paperwork and a signature. That’s a challenge for us because when one applies for a bank account online, we have traditionally sent out a letter for them to sign to confirm their information,” he explained.

“Customers don’t want to do the paperwork anymore. They want to get online and within a few minutes, have a bank account. That leaves their data – where they live, credit history in a fragile online environment.”

So, speed and convenience are driving customers to demand easier banking. As such, mobile banking will continue to rise and serve as the next biggest challenge for risk managers among financial institutions. Customers want fast decisions, accurate information and access to their account – 24/7.  

“And we have to combat whatever risks may arise from that movement.”

Another great post to read is Data breaches, cyberheists and payments fraud. Learn more about how HSBC is fighting fraud in this case study.

Tags: , , ,
  • Facebook
  • del.icio.us
  • Twitter
  • Digg
  • LinkedIn
  • email

One Trackback

  1. [...] credit card fraud is detected by sampling some transactions post the event and looking for fraudulent patterns. Then [...]

Post a Comment

Your email is never published nor shared. Required fields are marked *

*
*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>