Fighting Real-Time Payment Fraud In Layers, With Moats

Real-time payments, real-time risk. As consumers embrace real-time transactions, financial institutions (FIs) must recalibrate their fraud-fighting strategies.

In an interview with PYMNTS, Kannan Srinivasan, senior director of risk strategy and analytics for Fiserv, said the bad guys are constantly shifting tactics — so the battle must be joined on several fronts.

“The real-time movement of money,” he told PYMNTS, “has implications on your ability to manage losses — and you have to make sure you are keeping pace with new fraud trends.”

In fact, Srinivasan added, the parameters of risk itself are changing. He noted that, with real-time payments, credit risk is largely negated, as transactions require immediate posting of debits and confirmation of sufficient funds — and it can be immediately ascertained whether or not user accounts are in good standing.

However, with payments rendered in real time, the ability to deplete funds in a matter of minutes is, of course, an attractive lure to fraudsters. Against that backdrop, bad actors are changing their strategies to gain access to users’ online bank credentials. Those tactics include low-tech and high-tech methodologies, spanning the construction of synthetic identities and the hijacking of devices (sometimes referred to as the creation of “zombies”).

In one tactic blending low and high tech, a fraudster can find a victim’s phone number online, call the victim from a spoofed bank phone number while pretending to be the bank, explain that a one-time password (OTP) is being sent, and trick the victim into divulging their login credentials or reading the OTP security code over the phone. The fraudster then has the information needed to do everything from resetting passwords and changing phone/email contact info to updating debit card details and executing transactions.

As Srinivasan told PYMNTS, one effective strategy financial institutions can undertake to guard against such attempts is akin to “locking the front door”: continually reviewing login controls and password reset processes. Most FIs deploy anomaly detection during login to detect fraud attacks. Two-factor authentication tools are part of the strategy, and technology can help ascertain whether multiple login requests are coming from the same device.
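The two checks described above, written as an added Python example that is not from the article or from Fiserv: it flags one device logging in to several accounts within a short window, and a real-time payment sent soon after a password reset or contact change. The event schema, action names (`rtp_send`, `contact_change` and so on) and thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, account, device_id, action). Not real data.
EVENTS = [
    ("2024-01-05T10:00:00", "acct-1001", "dev-A", "login"),
    ("2024-01-05T10:01:10", "acct-1001", "dev-A", "view_balance"),
    ("2024-01-05T10:02:00", "acct-2002", "dev-Z", "login"),
    ("2024-01-05T10:03:00", "acct-2002", "dev-Z", "password_reset"),
    ("2024-01-05T10:04:30", "acct-2002", "dev-Z", "contact_change"),
    ("2024-01-05T10:07:00", "acct-2002", "dev-Z", "rtp_send"),
    ("2024-01-05T10:09:00", "acct-3003", "dev-Z", "login"),
    ("2024-01-05T10:12:00", "acct-4004", "dev-Z", "login"),
    ("2024-01-05T15:00:00", "acct-1001", "dev-A", "rtp_send"),
]

# Hypothetical action names and thresholds; tune against real traffic.
SENSITIVE = {"password_reset", "contact_change", "card_update"}
HOLD_WINDOW = timedelta(minutes=30)   # payment this soon after a change is suspect
LOGIN_WINDOW = timedelta(minutes=15)  # look-back for logins from one device
MAX_ACCOUNTS_PER_DEVICE = 2           # more distinct accounts than this raises an alert

def detect(events):
    """Return alerts in event order for shared devices and change-then-pay sequences."""
    alerts = []
    last_sensitive = {}                # account -> time of its latest sensitive change
    device_logins = defaultdict(list)  # device -> [(time, account)] inside LOGIN_WINDOW
    for ts, account, device, action in sorted(events):
        t = datetime.fromisoformat(ts)
        if action == "login":
            # Keep only logins still inside the window, then add this one.
            recent = [(lt, a) for lt, a in device_logins[device] if t - lt <= LOGIN_WINDOW]
            recent.append((t, account))
            device_logins[device] = recent
            accounts = {a for _, a in recent}
            if len(accounts) > MAX_ACCOUNTS_PER_DEVICE:
                alerts.append(("shared_device", device, tuple(sorted(accounts))))
        elif action in SENSITIVE:
            last_sensitive[account] = t
        elif action == "rtp_send":
            changed = last_sensitive.get(account)
            if changed is not None and t - changed <= HOLD_WINDOW:
                alerts.append(("payment_after_change", account, ts))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The afternoon payment from `acct-1001` raises no alert because no sensitive change preceded it, which is the false-positive side of the trade-off the article discusses.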

Building Moats

The goal is to spot anomalous activity, and build “moats” of protection around a financial institution’s customer base. A layered security approach — with robust identity authentication capabilities, executable in real time and across the entire customer journey — is among the most effective solutions. The ability to better understand genuine customer behavior — and accurately differentiate it from that of a fraudster, robot or mule — is pivotal.

“We do this by padding human intelligence with machine learning,” said Srinivasan.

The mindset governing anti-fraud efforts has had to evolve, he noted. It’s not feasible for a financial institution to eliminate all risk. The key is to manage risk at an appropriate level so that legitimate transactions get through, and false positives that impact good users are reduced. FIs must ensure that their analytics and business intelligence efforts are constantly recalibrated, with an eye on fraud detection, user friction and false positives.

Fraud is not static, said Srinivasan. As fraudsters change their patterns, the fraudulent activity being uncovered may disappear in one channel as efforts shift to new channels.

Financial institutions themselves must be nimble in finding and stopping those shifts — and, as Srinivasan noted, it’s important to break down silos within a bank’s operations. For instance, the teams monitoring peer-to-peer (P2P) transactions may not be in conversation with those looking at BillPay or online security. Cross-communication, in real time, can minimize losses.

In addition, financial institutions must be vigilant in detecting and stopping attacks that target FI employees — notably, at the call center. Fraudsters, after all, are able to gather user data, such as mothers’ maiden names and Social Security numbers (and, with access to online banking, even details on recent transactions). One best practice financial institutions can deploy is to audit their call center user authentication processes to ensure that proper protections are in place. Another is to ensure that education programs on current fraud trends and social engineering are propagated throughout the call center.

Another line of defense lies with vigilant consumers, said Srinivasan. Thus, financial institutions can benefit from educating end users about how to avoid various fraud schemes, in addition to putting controls in place to immediately inform them of abnormal activity. One simple, effective fraud prevention tactic is to alert consumers to the fact that an FI will never ask for a password over the phone.

“We’ve found that there is no silver bullet when it comes to fighting fraud, so a layered approach is the one that ultimately helps,” said Srinivasan.