Fraud and Payment Channels: Onsite Coverage
ORLANDO, Fla. — Mix one part encouraging news with one part truly worrisome news and there are the bookend messages from two panels during the closing morning of NACHA’s Payments 2014 conference Wednesday at the Orlando World Center Marriott.
First, the optimistic news. The $6 billion Citizens Business Bank in Ontario, Calif. has suffered not a dime in ACH fraud losses since it implemented sophisticated fraud prevention tools from Guardian Analytics in 2012, said Assistant Vice President Robert Piccini.
Terry Austin, CEO of Mountain View, Calif.-based Guardian Analytics, which claims hundreds of financial institution clients, said that Guardian Analytics’ tools “look at thousands of different data elements, from what IP they are logging in with through the device they are using, the browser, even down to the screen resolution settings.”
He added that the process is invisible to customers and criminals alike. The objective is to detect anomalies – departures from established patterns – before fraudulent activity occurs.
“There are not a lot of false positives,” Austin said. “Data analytics is the most accurate way to distinguish illegitimate users from legitimate.”
He stressed that a complication is that in these cases – typically fraud attempted over the online banking channel – the criminal has valid login credentials. The fraudster looks real, at least at first glance, which is why more sophisticated analysis needs to be performed to separate the fraudulent from the honest. But the tools, increasingly, exist.
That was the good news.
However, double doses of bad news arose in a session on emerging fraud trends led by Citibank SVP Brian Todd and David Fapohunda, Citibank director, fraud policy.
Fapohunda delivered the first dose when he said what has been keeping him awake at night has not been fallout from the Target breach, but rather from breaches suffered by two data aggregators. Specifically naming Dun & Bradstreet as one aggregator, Fapohunda said the companies gather substantial personal and professional information on millions of individuals.
“Now fraudsters can easily answer security questions,” he said.
In credit card breaches, such as Target’s, banks typically are notified of potential problems. But, the data aggregators do not notify banks.
"They may notify individuals whose data was compromised. But not the bank,” Fapohunda said.
That’s left Citi and other financial institutions scrambling not to get tricked by wily fraudsters, he said.
Todd delivered the last bit of bad news: Citibank is seeing substantial growth in mobile remote deposit capture fraud.
It is getting much more sophisticated, Todd said, and the prevailing regulations and rules simply have not kept up with the technology evolution MRDC represents. That makes sorting out responsibility and who suffers the loss more difficult.
As for the growing MRDC sophistication, Todd said initially this double dipping usually was to one account. It was easy to detect. Now, criminals are involving multiple accounts, making it much harder to unravel what can be a lengthy chain of deposits.
Fraudulent MRDC is also showing up in new account openings, he said.
And worse, although MRDC fraud losses have been well contained so far, mainly due to the low deposit limits imposed by most financial institutions, consumers are pushing for higher limits. As those amounts go up, so will fraud, Fapohunda predicted.
“This issue will grow significantly,” he added.