Criminals are getting more effective in their ability to leverage information about customers to beat a bank's or credit union's process controls.
They can often determine customers' recent payments and credit details – either via internal collusion or a host of security vulnerabilities – and are actually monitoring that as the customer engages with their account.
Worse yet, individuals often make things easier for account thieves by posting details in various social media outlets (things like mother’s maiden name or high school attended ring a bell?) and other information freely available on the Internet.
Addressing online security for financial institutions and their customers means looking at all activity across the organization – not just in the cyber sphere.
Cross-channel monitoring and assessment is essential, particularly as criminals get bolder about engaging with banks beyond online activity in order to escalate or confirm privileges and set the movement of money in motion, such as calling the bank to enable an automated clearing house (ACH) transfer before the typical two-week cooling-off period that follows a major change to the account has elapsed.
In just one week, here's what a thief can accomplish with a stolen account.
Day 1: Thief steals Mr. A's user ID and password for an online bank account using a Trojan on a PC.
Days 2-3: Thief logs into Mr. A's account and changes his email address. Then, the thief logs into Mr. A's account a few more times and looks around, gathering information on account activity. The thief also gathers some personal information from Facebook, LinkedIn or another social media site.
Day 4: Thief calls the bank and speaks to a customer service representative. He authenticates himself as the account owner by answering challenge/response questions, having gleaned the information from social media or other avenues. An email verification notice is sent, and since it now comes to his email, he is granted full account access.
Days 5-6: Thief creates a new transfer account within Mr. A's existing account; the new account is verified by the bank.
Day 7: Thief pays himself a large amount of money directly from Mr. A's account.
Only after noticing the money is gone does Mr. A report an unauthorized payment.
In this scenario, the financial transaction happened on day seven. However, by then the thief had successfully breached several layers of security and the money was essentially gone.
Risk Assessments and the New FFIEC Supplement
As this scenario reveals, a cross-channel view of user activity is essential to detecting and preventing fraud. Fraudulent activity that is not transaction-based is often even harder to spot, because each action occurs in isolation and can be hidden from traditional, transaction-centric detection methods.
In 2005, the Federal Financial Institutions Examination Council issued guidance that provided a risk-management framework for how institutions should authenticate the identity of customers accessing Internet-based financial services.
The overarching goal of the guidance is to ensure that sensitive customer information is protected, and that techniques used for that protection scale appropriately with the level of risk entailed.
In June 2011, the FFIEC issued a Supplement to the 2005 Guidance that broadens the initial guidance to include transaction monitoring and tasks banks and credit unions with “knowing their customers” in an effort to curtail account takeover and fraud. The new recommendations provide a great opportunity for credit unions to start the New Year with an assessment of business practices across the enterprise, including monitoring and analyzing activity across multiple data channels and core banking systems.
With traditional approaches and their "siloed" detection capabilities, fraudulent activity that spans different channels and different applications can be very challenging to detect. This makes multiple layers of security – both technological and business process controls – even more important.
This leads to a need for more business process controls to help detect and prevent cross-channel fraud. Credit unions can use an automated, risk-based approach to provide insight across the enterprise to flag potential incidents.
For example, when a customer calls the institution, organizations now map what phone number the caller is using. If it is a new phone number, it can be noted and provides an additional layered risk score to be put on any activity that happens during that session.
Such an approach can be applied to maintenance activity, new service requests and many other behaviors. This layered approach to risk assessment should also be integrated into the institution's back-end processes. For example, the money vault staff can assess requests against other recent activity on the account. Such risk-assessment mechanisms on top of layered security can flag and alert on potentially fraudulent transactions – before the money goes out the door.
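As an added illustration (not code from the article or from any product it mentions), the following Python sketch scores each payment against the account's recent activity from the web, phone and core channels, so that the seven-day scenario above is held for review on day 7 while a benign account passes; the event fields, weights, window and thresholds are all assumptions.

```python
from collections import defaultdict
# Constructed cross-channel event log: account "A" follows the seven-day scenario
# above, account "B" is benign. Field names and values are assumptions.
EVENTS = [
    {"day": 1, "acct": "A", "channel": "web",   "type": "login", "device": "pc-unknown"},
    {"day": 2, "acct": "A", "channel": "web",   "type": "email_change"},
    {"day": 4, "acct": "A", "channel": "phone", "type": "csr_auth", "phone": "555-0199"},
    {"day": 5, "acct": "A", "channel": "web",   "type": "add_transfer_acct"},
    {"day": 7, "acct": "A", "channel": "core",  "type": "payment", "amount": 9000},
    {"day": 6, "acct": "B", "channel": "core",  "type": "payment", "amount": 40},
]
KNOWN_DEVICES = {"A": {"pc-home"}, "B": {"laptop"}}
KNOWN_PHONES = {"A": {"555-0100"}, "B": {"555-0200"}}
# Illustrative weights and thresholds (assumptions, not figures from the guidance).
WEIGHTS = {"new_device": 2, "email_change": 3, "new_phone": 2,
           "add_transfer_acct": 3, "large_payment": 2}
REVIEW_THRESHOLD = 5   # hold the payment and confirm with the member out of band
WINDOW_DAYS = 14       # cooling-off window after a major account change

def signal_for(ev):
    """Map one event from any channel (web, phone, core) to a risk signal, or None."""
    t = ev["type"]
    if t == "login" and ev["device"] not in KNOWN_DEVICES[ev["acct"]]:
        return "new_device"
    if t == "csr_auth" and ev["phone"] not in KNOWN_PHONES[ev["acct"]]:
        return "new_phone"
    if t in ("email_change", "add_transfer_acct"):
        return t
    if t == "payment" and ev["amount"] >= 1000:   # "large" is an assumed cutoff
        return "large_payment"
    return None

def assess_payments(events):
    """Score each payment against the account's recent signals from every channel;
    returns {(acct, day): (score, signals, decision)} for each payment event."""
    by_acct = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["day"]):
        by_acct[ev["acct"]].append(ev)
    results = {}
    for acct, evs in by_acct.items():
        history = []  # (day, signal) from earlier non-payment events on this account
        for ev in evs:
            sig = signal_for(ev)
            if ev["type"] != "payment":
                if sig: history.append((ev["day"], sig))
                continue
            # Only signals still inside the cooling-off window count toward the score.
            recent = [s for d, s in history if ev["day"] - d <= WINDOW_DAYS] + ([sig] if sig else [])
            score = sum(WEIGHTS[s] for s in recent)
            decision = "REVIEW" if score >= REVIEW_THRESHOLD else "ALLOW"
            results[(acct, ev["day"])] = (score, recent, decision)
    return results
```

Each non-transaction event (email change, call from an unrecorded number, new transfer account) adds to the score that the day-7 payment is judged against, which is what a siloed, transaction-only check would miss.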
Credit unions can use the new FFIEC Supplement as an opportunity to get the broadest business value – and use it as a mandate to better understand how their members are interacting with their financial institution, both online and in other direct activities, to analyze the risk of fraud.
Christine Meyers is the product marketing manager for Seattle-based Attachmate Luminet, an enterprise fraud management solution.