Preventing Financial Fraud in Electronic Banking
In the past decade we have seen a tremendous change in the way banking services are offered to customers without needing to visit a bank branch: via the telephone, Internet and, most recently, mobile platforms. Simultaneously, consumers have rapidly embraced the use of smartphones and tablets to conduct financial transactions.
But the convenience of electronic banking also brought new risks. Account takeover is the primary fraud attack on electronic banking channels. This is when a customer’s logon information is obtained and used to make unauthorised withdrawals. Account takeovers often extend into identity theft, when the perpetrator applies for new account privileges (cheques, credit cards, overdrafts) or products (cards, lines of credit, loans). These fraud attacks often involve multiple channels.
The first step in performing an account takeover is to steal access information. Access information varies by channel, but usually involves something you have, such as a card, or something you know, such as a PIN or password. This access information is most commonly obtained in two ways: either by employee fraud, where employees with access to customer data use it themselves or sell it to others for profit; or by social engineering, where customers are tricked into divulging confidential information. Social engineering techniques include:
- Phishing: Invitations to fake websites that trick users into disclosing their username, password, and other personal information.
- Vishing: A variation of phishing, where customers are called (voice) and tricked into divulging access information. It can also result in a kind of enrolment fraud, where the fraudster persuades the customer to establish credentials for the fraudster.
- Pharming: A hacker redirects a website’s traffic to another, bogus website. It usually occurs through the exploitation of vulnerabilities in DNS server software.
- Man in the Middle: An attacker uses a program that appears to be the server to the client and appears to be the client to the server. The program may be used simply to gain access to a customer’s access credentials or enable the attacker to modify the message before retransmitting it, allowing the attacker to steal funds.
- Man in the Browser: A variation of Man in the Middle, where malware in the web browser inserts itself between the user and the browser to modify transaction data.
Three ways financial institutions can prevent such attacks and thefts:
- Continually educate customers and employees on how to avoid compromising their own and others’ information. This includes keeping virus protection up to date and avoiding suspicious links, downloads and websites. Customers should never give their account PIN information to anyone, even if the caller claims to be from the bank. If someone says they are calling from the bank, call them back via the bank call-centre through published phone numbers.
- Implement strong company policies covering the use and protection of customer information. For instance, only provide access to sensitive data on a need-to-know basis; keep comprehensive logs of all customer data access; use stricter password policies; and don’t allow external USB devices to connect to the network or PCs.
- Ensure that Know Your Customer (KYC) policies and procedures are up to date and easily available to employees. A KYC policy sets out a business’s approach to ensuring that it can effectively identify, verify and monitor its customers and the financial transactions in which they engage.
How analytical software can help detect fraudulent activity
Sophisticated fraud detection software works in several ways, such as maintaining “fingerprints” of customer PCs to be able to detect changes that may indicate the presence of malware. It also looks at patterns of behaviour such as unusually quick inputs from a customer, which may indicate the presence of “man in the browser” code running in the background. It also examines the financial profiles of transactions to identify abnormal behaviour for customers and devices and determine the level of risk.
The software can also automate policies and procedures as to whether to block, delay, or allow certain transactions based on the company’s risk appetite and desired end-user experience. Various tools are also used to conduct investigations to find the root cause of cases, such as looking for common factors in incidents across multiple customers (“triangulation”).
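The following is an added illustration, not Unisys code, of how the signals described above (a device fingerprint change, inputs faster than a human could type, an amount outside the customer’s profile, an unknown payee) can be combined into a risk score and mapped onto block, delay or allow actions. Customer profiles, sessions, indicator weights and thresholds are all constructed for the example.

```python
# Toy risk engine (constructed example): scores a banking session against
# the customer's profile and applies allow / delay / block thresholds that
# stand in for a bank's risk appetite.
from dataclasses import dataclass
from statistics import median

@dataclass
class Session:
    customer: str
    device_fp: str            # hash of browser/OS attributes (constructed)
    seconds_to_submit: float  # time from form render to submit
    amount: float
    payee_known: bool         # beneficiary seen before for this customer

# Constructed profiles: enrolled device fingerprint and past payment amounts.
PROFILES = {
    "alice": {"device_fp": "fp-a1", "history": [120.0, 95.0, 140.0, 110.0]},
    "bob":   {"device_fp": "fp-b7", "history": [2000.0, 1800.0, 2200.0]},
}

def risk_score(s: Session) -> int:
    """Sum weighted indicators; weights are illustrative, not calibrated."""
    p = PROFILES[s.customer]
    score = 0
    if s.device_fp != p["device_fp"]:
        score += 40   # fingerprint change: malware or an unknown device
    if s.seconds_to_submit < 2.0:
        score += 30   # faster than typing: possible man-in-the-browser automation
    if s.amount > 3 * median(p["history"]):
        score += 25   # abnormal amount for this customer's financial profile
    if not s.payee_known:
        score += 15   # first payment to this beneficiary
    return score

def decide(score: int, delay_at: int = 40, block_at: int = 70) -> str:
    """Map the score to an action; thresholds trade risk against friction."""
    if score >= block_at:
        return "block"
    if score >= delay_at:
        return "delay"   # e.g. hold pending out-of-band confirmation
    return "allow"

def evaluate(s: Session):
    score = risk_score(s)
    return score, decide(score)

if __name__ == "__main__":
    for s in (Session("alice", "fp-a1", 25.0, 100.0, True),   # normal use
              Session("alice", "fp-zz", 1.2, 900.0, False),   # takeover pattern
              Session("bob", "fp-b7", 18.0, 7000.0, False)):  # unusual but own device
        print(s.customer, *evaluate(s))
```

Real deployments would replace the fixed weights with models trained on the institution’s own data and feed the decisions back into case investigation.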
Unisys anti-fraud solutions are based on the creation of a unified financial crime prevention platform that spans across products, channels and regions to deliver superior protection, detection and investigation. This approach addresses multiple modes of fraud in a consistent way including: Internet and mobile banking, debit and credit cards, retail and commercial payments, employee fraud, deposit fraud and claims fraud.