Fraudsters Find New Bank Stomping Grounds

If it seems like cases of fraud and hacking are always in the news, that’s because new incidents pop up practically every day. One of the latest involves hackers successfully accomplishing account takeovers (ATOs) of users of Zelle, the digital payment service. According to the new Digital Fraud Tracker, total losses due to fraud equaled $4.2 trillion in 2018, and fraudulent mobile app transactions increased 680 percent between 2015 and 2018.

Fraud doesn’t impact all industries equally. According to the Digital Fraud Tracker, one-quarter of malware specifically targets financial institutions (FIs), and over 5 percent of online retail revenue is now lost to fraud. By 2020, it’s estimated that U.S. credit card losses will exceed $12 billion.

More businesses are adopting artificial intelligence (AI) and other technology to fight fraud. According to the AI Innovation Playbook, 63.6 percent of FIs believe AI is an effective tool for stopping fraud before it happens, and 80 percent of fraud specialists using AI believe the technology could reduce payments fraud.

Financial Institutions

The rise of online banking has provided a host of opportunities for fraudsters. Old manual detection techniques like analyzing geolocations, IP addresses and discrepancies between billing and shipping addresses aren’t able to catch high-level attacks, and often result in false positives. BNY Mellon implemented an AI-based fraud detection initiative in 2018 to use pattern recognition and deep learning to analyze millions of transactions and identify those that are likely fraudulent.

AI isn’t just used for fraud detection in the financial industry – it can also help with regulation compliance and adherence to anti-money laundering (AML) standards. Joseph Sieczkowski, head of technology architecture and data at BNY Mellon, explained how it isn’t enough to use AI reactively. Financial institutions also need to stay one step ahead of fraudsters, because they change techniques quickly and often.

“[We] do testing constantly to retrain our models to be able to pick up on different types of fraudulent activities,” he said.

Retail

Balancing security with improving the customer experience is a challenge for all industries, though reducing friction is even more vital for luxury merchants.

“Luxury retailers typically operate in a ‘high-touch’ environment, designed to be as friction-free for the customer as possible,” said Shamoun Siddiqui, chief information security officer of Neiman Marcus, in an interview with PYMNTS. “Any measure of security introduces friction. So, the challenge is to make security as transparent as possible while still protecting the customer’s personal information.”

The luxury retailer has been using device fingerprinting to identify devices based on unique configurations – and, ultimately, to determine whether a device is being used by a human or is automated.

“We are investing heavily in fraud detection systems that [use] machine learning and artificial intelligence to differentiate between normal patterns of customer behavior and potentially fraudulent ones,” Siddiqui said of the retailer’s approach to identity theft and other types of fraud. “These are patterns that would not be visible to the naked eye.”

Fraudsters are getting more sophisticated, making use of bots to mimic typical online shopping behavior. After Neiman Marcus identified a bot attack, the hackers started including mouse movements to fool detection systems.

Gaming

Due to in-game purchasing becoming more standard – a recent study found that approximately half of all personal computer (PC) and console gamers spend money in-game, a share that climbs to more than 75 percent for mobile gamers – gaming platforms have become an attractive target for fraud, especially for hackers who acquire personal data via account takeovers. Gaming and gambling sites face similar issues, as too many security measures can turn off users who will go elsewhere. Some sites are reluctant to implement overly stringent security measures.

Beyond using machine learning to detect fraud before it happens, gaming platforms are also using liveness detection, which requires players to be physically present during the verification process so they can submit photos, video playback or audio recordings to confirm their identities.

Fingerprints, voice prints and other forms of biometric authentication are gaining steam in the arsenal of fraud-fighting tools. More than 63 percent of all smartphones manufactured in 2017 incorporated some type of biometric authentication, and a growing share of devices are expected to offer these solutions as fraud increases.

The good news in the world of fighting fraud and cybercrime is that, by the numbers, the battle against the thieves has been shown to be tipping toward the white hats. As GIACT EVP David Barnhardt noted in a recent conversation with Karen Webster, overall fraud dropped 15 percent between 2017 and 2018. That’s good news, he noted, and a good indication that industries like banking have made real progress in fortifying themselves against attacks better than they have historically.

But, as is often the case with good news in the ongoing war against cybercrime, it is a lot more limited and qualified than it appears at first glance. The overall dollars lost to fraud declined some in that time period, but not much. When the going gets tough in one channel, Barnhardt told Webster, the fraudsters just get going to a new one where the security is less sophisticated and less fortified against attack.

“If you look at where the big gains are for fraudsters, it is in industries that historically have not had a problem — suddenly they are seeing double, triple and even quadruple instances of fraud,” he said.

And while those fraud increases are across the board, Barnhardt said, they are emerging particularly quickly with new account fraud, where banks are suddenly finding themselves trying to fend off a type of attack they had never considered before it started showing up, and often.

Balancing Protection and Ease

As companies across the board are increasingly moving online and expanding their service offerings, he said, they now have to worry about being a target for fraud, whether they have been targeted historically or not. The proper risk controls have to be there, or “you will certainly become very popular in the fraud community.”

And the targets can be pretty inventive — and pretty scary.

Take home equity lines of credit as an example. Online processing systems have been a blessing to ultimate customers, Barnhardt noted, in that they’ve taken what used to be a messy, lumpy process of applying for a HELOC product and streamlined it into a quick and easy way to access funds. That blessing, however, is a curse in the hands of a fraudster with ill-gotten data — hackers can fool the system and take out a home equity line of credit on a consumer’s home without their knowledge.

That sort of scenario occurs in many rapidly digitizing arenas. Auto lending is frequently becoming a target, as is student lending.

“In a lot of these industries, the fraud operators are branching out and finding less-fortified places,” Barnhardt said. “And if it is an easy process, you can grab $40,000 in one click — the payments are getting bigger and the targets are getting easier.”

The problem is that while businesses are avidly racing to provide the fastest, easiest experience for customers on the front end, they aren’t doing the concurrent work on the back end to thoroughly screen for fraud. That is creating a huge opportunity for fraudsters, who can easily exploit gaps in the back-end verification systems. Why work hard extracting less value from a bank-issued card when there is a fraudulent mortgage refinance a few clicks away?

The industry needs to get it together, Barnhardt said, and make sure these gaps are closed.

And it shouldn’t be a one-sided effort, he noted: Consumers should also be in the game by monitoring their credit reports. Barnhardt pointed out that consumers have shown limited interest in being their own advocates — that’s proven by the relatively few who signed on for credit monitoring after the Equifax breach. That means, at least in the near term, businesses across the vertical spectrum need to be thinking about how to fortify their customer relationships, end-to-end.

The Ongoing Relationship

As Barnhardt noted, firms of all kinds need to lock down onboarding as they are considering hardening their back end against fraudsters — even as they are constantly pushing to make that process smoother and more friction-free on the front end.

At the start of the process, Barnhardt suggests asking, “Are they who they say they are? Can you find digital DNA for that customer? Can you verify all the payment information, authenticate with their bank and make sure all of the information coming in actually matches?”

And that is only the start of the process, which is now an ongoing series of check-ins and re-checks to ensure all of the associated data still makes sense. Even if this is a two-year or six-year customer with whom the business has no issues, when there is a request to change something on the account like contact information, that should trigger a whole verification process to make sure account takeover fraud is not underway.

Ultimately, Barnhardt noted, it is a matter of looking at all the entry and exit points in a relationship and pinpointing (and fortifying) the areas of vulnerability. That is notably obvious in banking and financial services — a fraudster who gets added as an authorized card user on a checking account can quickly wreak all kinds of financial havoc, and banks have spent the last decade hardening their systems in myriad ways. But, Barnhardt told Webster, while the effects aren’t always equally dramatic, a fraudster breaking into any kind of consumer or business account is not a good thing.

“Anytime you are providing a good or a service, if you aren’t doing these steps, it can create risk for a consumer,” Barnhardt stated. “This really applies to any industry. FIs are in the mix, but any business — both B2B and B2C — really needs a water-tight process. They must not only provide a world-class experience, but also protect themselves and their consumers from losses.”