Star One Credit Union didn’t think it had an online fraud problem.
The year was 2006, and although there was plenty of digital viruses and keystroke-logging malware out in the wild, the Santa Clara County financial institution (FI) was not seeing any fraudulent activity in its online banking channel.
Still, with so many threats converging, Star One decided it would be better to be safe rather than sorry. When digital security firm Guardian Analytics invited the credit union to beta test its security solution, Star One agreed. That turned out to be a good thing: While the fraudsters weren’t striking online, they were gathering intel there — enough to strike in other channels, and strike hard.
But, from the basic transaction data, one would never know that was happening. The bad guys were getting all the answers right in the multifactor authentication process, and were convincingly posing as true members of the credit union. In fact, it was only by reviewing behavioral data that Star One, through Guardian, was able to understand how and where its members were vulnerable.
The state of things today is that cross-channel fraud is originating online. Not all online account takeovers end in unauthorized online transactions, though, so it can be difficult to tell that an account has been compromised until an incident makes it obvious.
Marguerite Mucker, Star One Credit Union's executive vice president of operations, explained that if an FI is addressing payment fraud, it’s too late; a member has already been compromised. All it can do from there is hope to prevent the next one. An FI’s job is to prevent the first instance before it happens, she added, and to do so, FIs must stop fraudsters at the point of origin — before they gather any customer data.
In a recent webinar with Karen Webster, Guardian Analytics vice president of product development Jesus Ortiz described how his company uses machine learning and behavior analytics to do exactly that, and Mucker weighed in on how having the right fraud guardian in place might have changed the outcome for Star One members whose accounts were compromised before the solution was implemented.
Actually, Ortiz said, there aren’t any — and that’s why Guardian does so well in the fraud fight.
When fraud defense products use rules and patterns to determine which transactions are kosher, fraudsters simply learn those rules and play within the lines, he explained. For instance, if transactions over a certain amount require validation, then fraudsters will simply keep activity under that amount.
“It’s a yes-or-no question,” Ortiz said, specifically: Does the activity match this profile of fraud, or not?
But if defense products look at the behavior leading up to the moment of fraud, then it’s possible to catch the criminal before he strikes. That behavior includes data points such as location, transaction amounts, type of computer or device making the transaction and which web browser is used. If these differ from a customer’s usual activity, then it raises a red or yellow flag.
“The beauty of machine learning is that there isn’t just one thing,” said Ortiz. “We learn many data points, many signals and, based on all of those, we use the whole to make the determination. That’s what makes it difficult for a fraudster to mimic the behavior.”
Transactions in which all of the elements match are given a green light, Mucker said, while those in which one factor is off get a yellow flag. Only the direst incidents get red-level alerts.
“When they’re red, they’re really red,” Mucker said.
That frees up staff who handle such incidents to focus on the ones that really matter, she explained. The low false-positive rates lead to better operational efficiency and help with customer confidence, as well. After all, calling customers often to verify transactions would give them the sense that the online channel was not secure.
On average, 7,540 of Star One’s 100,000 members log in each day. Only 0.26 percent (around 200) of those logins generate red- and yellow-level alerts. Of those, only 3.35 percent (about 40) require further qualifying action. Seventeen percent of qualifying alerts are actionable, said Mucker, leading to fewer than 10 incidents that must be addressed per day: a very manageable amount.
Case One: Wait, You’re Not National Grid
Mucker recalled one incident in which a customer had set up online bill pay. A fraudster sent the customer a phishing email and succeeded in stealing his or her credentials. The fraudster then logged in, created a new bill payee and sent himself a check.
If Star One had been working with Guardian at the time, the security company would have identified that it was an abnormal transaction coming from a different IP address than usual, said Mucker. The login, not the mystery check, would have been the first clue that something was wrong.
In addition, Guardian would have noticed that the actions were not consistent with this long-term member’s typical behavior.
A similar scenario that was popular back in the day was the romance scam. A fraudster would groom his victim to believe he or she was becoming romantically involved through online chats and interactions. Then, once the victim trusted him, the fraudster would feign an emergency and ask for money.
Mucker says Guardian would have flagged the $4,500 transfer as suspicious, but because the customer was conducting the transaction him or herself, it did not raise any red flags for Star One before adding Guardian’s protection.
Case Two: Now That’s What I Call Tricky
One fraudster used social engineering to gain members’ login credentials. He was then able to call the bank’s call center and change the phone number associated with the account. It was not difficult to authenticate himself even when challenge questions were asked, because the customer had given the fraudster all the information he needed to succeed.
On top of that, the fraudster had been studying the customer’s signature by looking at cleared drafts, so not only was he able to forge it when he was ready to make the transaction, but when the credit union called to verify it, it reached the fraudster on the fake number he had given earlier.
Mucker said Guardian would have noticed that the fraudster had logged in from a different IP address and different browser, and that he then spent a good deal of time looking at the same check image. Most users will look at a check image once. Someone repeatedly viewing it in a short span of time — even if he claimed to be the user and had successfully authenticated the session — would have raised the red flag.
Because Star One did not prevent this incident, Mucker said the credit union took the loss.
Case Three: The Customer Is Always Right
One customer whose account had been compromised told the credit union that his security practices were squeaky clean. After all, he worked for a tech company, so he knew what he was talking about. No, he was not going to change his password or have his computer checked for malware just because Star One told him to.
The credit union couldn’t force him to do either of those things, so it had to just accept the customer’s choice. A few weeks later, though, the member called back to say he’d been thinking about Star One’s advice and had decided to get his computer checked after all. Lo and behold, there was a keystroke-copying malware on his PC.
There are so many ways to embed a virus now that even people who think they are doing everything right can still take a hit, Mucker said. The credit union must protect its members not only from the bad guys, but also often from themselves — and from the illusion of technical invincibility that, due to Star One’s location in Silicon Valley, many members may have.
Case Four: The Fraud Was Coming From Inside The House
A member claimed he was seeing fraud on his account.
However, by this time, Star One had joined forces with Guardian, and the security company couldn’t make the math add up. The fraudsters were not just spending money, but making payments into the account. Furthermore, all of the activity was coming from the same location and computer — and all from the customer’s home.
It turned out the mother in the household was sending money to her daughter but didn’t want her husband to know about it. Without a strong security partner, however, Mucker said Star One wouldn’t have figured that out. It was only the data that shed light on the situation.
Is It Getting Hot In Here?
Fraud has certainly been on the rise, and experts are bracing for worse. With so many recent data breaches, it’s only a matter of time before all the consumer credentials available on the dark web get put to use. Ortiz said fraudsters don’t always execute right away, so it’s no surprise that the onslaught hasn’t hit yet — but it surely will at some point.
Ortiz believes Guardian Analytics will be in a better position than some to withstand that onslaught due to its complex multifaceted approach including machine learning and behavioral analytics.
“You might be able to take over the account, but you can’t impersonate the behavior,” said Ortiz.
Mucker was pleased to share that the online fraud rate at Star One has been near zero since teaming up with the security company, and the number of incidents that must be handled is much lower.
One favorite saying among the security-conscious in the company: “Our members could tattoo their usernames and passwords on their foreheads for everyone to see, and we know [each] person is [still] protected.”