ACI Worldwide's Payment Industry Media Centre

Fraud around every corner?

2012-01-28T12:46:00.002Z

The latest round of industry statistics paints a bleak picture of UK fraud. CIFAS’s latest report identified a 9% growth in fraud, whilst also highlighting an 18% growth in account takeover related fraud, and 13% for misuse of facility fraud (first party fraud).

This comes of the back of last year’s National Fraud Authority report that recognized fraud was an estimated £38.4bn problem for the UK. More recently statistics on UK CyberCrime fraud tune in at estimated £3.7bn.

While UK PLC continues to shine the light and be more transparent on our national fraud problem than many other countries, I wonder what legacy we are leaving for our kids? Are we breeding a society where fraud is now acceptable......no longer a nation of shopkeepers, but fraudsters?

Perhaps the time has come for the UK to take a more mandatory approach to fraud prevention, similar to the F.F.I.E.C efforts in the USA? Clearly, we need to start tackling some of the challenges – social engineering, data breaches, customer education and ignorance all play a part in how the fraudster perpetrates their crime.

Investing in more solutions to disrupt and deter fraudulent activity from happening in the first place will also help, and more funding for targeting Police efforts in managing away this problem. Political food for thought… and perhaps a question for Mr Cameron’s big society as we step into Olympic year?

Andy Morris
Risk Business Solutions Consultant
ACI Worldwide

Should banks be held liable for Ponzi schemes?

2011-12-16T12:57:00.001Z

Ponzi schemes were named for Charles Ponzi after he defrauded customers out of approximately 20 million dollars back in 1920 (over $225 million today). While the idea of paying out investors with their own money rather than any money earned legitimately via investment had been around prior to 1920, the name Ponzi become synonymous with the scheme based on the amount of publicity and high dollar loss associated with his activity (including the downfall of six financial institutions).

Over the past few years, we’ve seen a tremendous increase in the magnitude of Ponzi schemes. Fingers have been pointed at the fraudsters, as well as the SEC, and more recently, the guilty label is being extended to the financial institutions providing services for the schemes.

In recent cases, the argument made by prosecutors was that the banks were negligent in not identifying red flags for these investor accounts, making them guilty of ‘aiding and abetting’ these criminals. To be guilty of this, in most states in the US, there must be three elements: the existence of fraud, the defendant’s knowledge of the fraud and proof that the defendant provided considerable assistance to the progression of the fraud scheme. Though this is the standard primarily under US law, this does not permit international financial services firms or banks from being included in the lawsuit, as seen in the case against Banco Santander in 2010, which involved defendants from seven different nations around the world.

The question of ‘knowledge’ of the fraud and providing assistance can be a bit subjective, since the banks didn’t know directly about the scheme. The question is: if they didn’t implement the appropriate steps to look for red flags or simply failed pay attention to them, does this make them guilty? For instance, in the Madoff scheme, an activity monitoring system to detect transfers between investor and personal accounts may have triggered an internal review of the activity and shut down accounts before investors were defrauded of the full $50 billion.

So what can banks do to prevent these schemes, and also ensure they are not on the receiving end of a lawsuit? Financial institutions need to implement a sophisticated transaction monitoring tool that is flexible enough to quickly adapt to the changing fraud schemes. Activity monitoring must be implemented across the enterprise, in order to detect complex patterns of activity that may seem normal alone, but when viewed collectively may be a red flag for a large fraud scheme.

Taking proactive measures to ensure that your institution is doing everything possible to prevent fraudulent schemes will help protect customers and keep your institution out of the hotseat should a new scheme appear, despite your best prevention efforts.

Amanda Burley
Senior Business Analyst
ACI Worldwide

Card fraud arrest 'too expensive'?!

2011-12-14T08:44:00.002Z

The concern with stories like the recent one in the Telegraph about it being too expensive for the police to arrest a fraudster - so there are no consequences for the card fraud criminal - is that they erode confidence in the entire payments system. We often talk about fraudsters going for the weakest link, but we don't often think the police will be that weakest link!

The problem with stopping fraud is that the closer you get to 100% fraud prevention, the more cumbersome and expensive it is. For example, a bank could stop a lot of consumer fraud if every single transaction was verified personally over the phone with a consumer - but it would be very expensive for the bank and very inconvenient for the consumer, the trick is to find the balance.

Stories like this go to show that the best way to tackle card fraud is to prevent it. The retailers should ensure that they are working with a merchant acquirer who uses comprehensive fraud detection tools and techniques to identify and block fraudulent transactions before they happen, and before goods are delivered - so the retailer doesn't end up on the front line of trying to stop the criminals single-handed.

Paul Love
Solutions Consultant
ACI Worldwide

EMV: What does it mean for Acquirers?

2011-10-19T21:05:00.002+01:00

With Visa’s recently announced U.S. EMV initiative, massive infrastructure changes loom on the horizon for card acquirers. To ready themselves for this change, acquirers can think about breaking down the implementation into three buckets: device enhancements, enhancements to acquiring systems and customer service.

While daunting, the complexity of the EMV implementation can be somewhat tempered by installing the new hardware in two phases, starting more simply with EMV-capable devices that can be upgraded later down the line. Sometimes it is just a software upgrade that can bring the devices fully up to EMV when needed. In addition, EMV acceptance device configurations need to include key certificates.

In terms of system enhancements, acquirers need to update transaction processing systems to handle additional data processing elements and EMV scripts as well as update switch interfaces. Storage of Transaction Certificates – or EMV e-receipts that prove the transaction took place – need to be automated and have the ability to send changes in case of charge disputes. Lastly, acquirers need to think through how these infrastructure changes affect the customer service end of things: merchant training and support, consumer training and dispute management all need to be considered.

The clock is ticking as Visa has set an April 1, 2013 deadline for U.S. acquirer processors to support merchant acceptance of chip transactions. Are you ready?

Jim Schlegel
Sr. Product Manager
ACI Worldwide

EMV: What does it mean for Issuers?

2011-10-14T20:13:00.006+01:00

The EMV ball is starting to roll in the U.S., and the EMV specifications will affect all actors in the existing payment scheme – from issuers, acquirers, merchants to consumers. For issuers, this transition to cards that can perform EMV transactions can be segmented into three parts: enhancements to the back-office systems, enhancements to authorization systems and customer service.

Part of the beauty of EMV cards is their ability to run multiple applications as well as their dynamic nature in which the card’s behavior can be changed while in the field. Much of the onus of this beauty, however, falls on the issuers. Back-office systems must now expand to handle new personalization requirements, application life-cycle management, parameter management and CRM. They also need to change their fraud monitoring and key, PIN and risk management solutions.

From an authorization system standpoint, issuers need to consider authentication and cryptography management. Data elements and script management become more complicated with EMV as cards can be blocked (or unblocked) and behaviors changed while the card is in the field. PIN changes also bring new complexity with online and offline PIN changes needing to be synchronized between the card and the host.

An often forgotten about area – customer service – needs to be addressed as well. With a more complex card payment product comes more complex service scenarios, which can range from an issue with the chip, problems with the applications on the chip and variable PIN settings, to name a few. Additionally multiple customer service points need to be trained not only on how to diagnose and fix the problem but also on how to access the information associated with the card.

While the transition to EMV will be complex and costly for issuers, there is a business payoff on top of the fraud deterrence advantages. With its multi-application flexibility, EMV products promise great potential for competitive differentiation. As contactless and mobile payments take root, innovations on the payment front will be the cornerstone of satisfying the usability and convenience expectations of today’s increasingly on-the-go customers

Jim Schlegel
Product Manager
ACI Worldwide

Why EMV?

2011-09-20T13:42:00.005+01:00

Why does the world care about EMV? The first, second and third reason is about stemming fraud losses. While there are some reduced operational costs via the decrease and automation of customer disputes, these are relatively minimal. People also point to the exciting potential of new, value-added products such as loyalty schemes, online banking two-factor authentication and national identification, but EMV’s impressive reduction of fraud losses dwarfs the benefits of these products. Case in point: from 2001-2010, UK card fraud dropped by about 50% with EMV smartcards.

EMV security suppresses fraud by attacking it from two fronts – detecting counterfeit cards and verifying the card holder. As the U.S. embarks on its path to EMV adoption, anybody involved with the transition will need to understand Card Authentication Method (CAM) and Customer Verification Method (CVM). To ensure a card’s authenticity, cryptographic capability on the card supports CAM where each EMV card is issued with its own set of keys specific to the card, rather than the portfolio or bin range. Through cryptography, the technology can roll in elements of the transaction so that the card cannot be skimmed, copied and then replayed in another transaction. In Canada, detection of counterfeit cards is so reliable that Canadian issuers “whitelist” EMV chip-on-chip transactions, whereby they virtually ignore these transactions with the confidence that they are authentic. Getting these transactions out of their cross systems eliminates the “white noise” and allows them to hone in on the fraud that is taking place on more suspect transactions.

CVM comes into play to verify that the card holder is the actual card holder. The card issuer sets up the verification parameters, which can range from online PIN, offline PIN, signature if there is no pinpad to contactless tap and go. How effective is this? In the UK, 50% of card fraud losses in 1999 were comprised of lost/stolen and mail non-receipt issues; with EMV in full swing in 2009, these two types of fraud accounted for only 13% of card fraud.

According to the UK Payments Administration: Fraud Facts 2010, the U.S. was the destination of choice for U.K. fraud abroad from 2006-2009 by two to three times more than the next fraud migration recipient. With the U.S. finally setting the stage to roll out EMV, it will no longer be theworld’s easy target for fraudsters and the global weak link in terms of card fraud.

Jim Schlegel
Product manager
ACI Worldwide

Staying 'fraud-aware' is critical

2011-09-16T17:11:00.003+01:00

The news from the FBI that it is currently investigating over 400 reported cases of corporate account takeovers does not come as a surprise given the tenacity of cyber criminals in their efforts to steal from businesses and consumers. The reference from the Department of Homeland Security that "the mission to reduce the cyber risks posed to the finance sector systems is a national endeavor, requiring broad collaboration" reinforces the need for financial institution to partner with customers on educating them on the dangers of these types of attacks.

Just yesterday I received an e-mail from Bank of America telling me my Online Banking privileges would be de-activated if I didn't renew my subscription. I have to say this e-mail looked extremely legitimate, until I read the smaller text and found a typo. Now I normally would never click through to a link from an e-mail but rather go directly to the site for any confirmed instructions around my account, however for some people this bogus phishing e-mail would have prompted them to follow its instructions. I did forward the e-mail to the bank (they have a dedicated abuse e-mail address) and they replied they were aware of the scam and trying to shut down the source.

Many banks will post any known threats on their site, so customers (businesses and consumers alike) should get to know where their financial institutions may be posting these bulletins to help heighten awareness.

These events reinforce the FFIEC's recent Supplement to its 2005 Guidance on Authentication in an Online Banking Environment. The Supplement calls for financial institutions to take a layered approach to authentication and anomaly detection for monitoring online banking transactional activity. Such an approach would include utilizing security tools like multi-factor authentication and limit management with a fraud prevention and detection solution which would include customer profiling and analytics to detect suspicious behavior. The Guidance also calls for authentication techniques, challenge questions, and customer education. Technology will always play a key role in the fight no doubt, but the financial community working together with its customers on awareness campaigns will continue to be critical.

Michael Grillo
Senior Product Marketing Manager
ACI Worldwide

EMV: Paving the road to mobile NFC

2011-09-13T13:53:00.004+01:00

Why is the U.S. the last holdout to adopt EMV? The pain of a costly conversion and the absence of government or industry mandates to force the issue are the obvious, key culprits. Some forward thinkers, however, muse that EMV is a 15-year old, out-of-date technology and are waiting for something newer and flashier to “leapfrog” EMV and jump straight to the promise land of mobile payments. While future focused, this thinking is misguided. As Visa’s recently announced U.S. EMV initiative spotlights, EMV adoption actually readies the landscape for mobile NFC payments now.

The prevalence of chip-and-PIN cards has made EMV synonymous with that specific payment form. In actual fact, however, the EMV standard is constantly updated, and more recent refreshes include basing NFC technology on the contactless version of the EMV specification; NFC is an EMV transaction. The underlying technology infrastructure is the same as well – transaction processing, risk management and card or token management solutions to name a few.

With nimble payment providers from the “virtual world” – PayPal, Google’s Android and Apple – knocking at the door, financial institutions need to get in on the NFC act soon. These new, flexible players do not have outdated legacy systems to maintain, yet have experience switching, billing and settling. The financial networks need to recognize the massive opportunity at hand. Today’s tech-savvy consumers have shown that they want to use their mobile devices in all areas of their day-to-day life, including payments.

The waiting game is over; EMV is defining how that newer, flashier technology people have been waiting for is going to operate.

Jim Schlegel
Product manager
ACI Worldwide

Combating Online Banking Fraud - A Top 10 List

2011-06-23T11:53:00.003+01:00

For many financial institutions, the recent ruling in the US holding a bank responsible for fraudulent losses from business accounts has raised a few eyebrows because, traditionally liability has remained with the customer for business accounts. However, the court ruled that the bank has a responsibility to protect its customers through the use of fraud detection mechanisms.

For most banks this just means doing what they do already. The fraud detection systems used today are comprehensive - looking at payments from different organizations, across different channels, all day every day, and spotting anything that seems even slightly out of the ordinary. As an industry we share information about types of fraudulent attacks, or even the IP addresses used by criminals to try to gain access to online bank accounts, and the fight never stops to stay one step ahead of the fraudsters.

If banks want to check that they are promoting reasonable efforts to prevent and detect online banking fraud protection for their customers, here is a checklist of ten of the most important features of successful fraud prevention and detection:

1.Apply multi-factor logon authentication for online banking systems - such as tokens with one-time password or Adaptive Authentication (risk-based authentication).
2.Utilize real-time analytics - monitor transactional behavior to determine whether activity is standard or anomalous for that customer. When high-risk activity is detected, action can be taken in real time or near-real time to stop the transfer of funds from the customer's account. Funds can also be held until customer validation can take place (see #4 below).
3.Employ profiling - include non-financial information (IP address, login activities, and device characteristics) to build customer profiles which can be stored to monitor ongoing behavior.
4.Make use of out-of-band notification methods- utilize phone call, text message, e-mail, etc to confirm activity with customers before transactions can be completed.
5.Maintain anti-virus software - Be sure to recommend your customers keep it current on end-user machines. While not fool-proof, it can stop lesser forms of intrusion.
6.Maximize password management - Ensure password management best practices are enacted (e.g. change password every ninety days, minimum length, combination alpha-numeric, varying history, etc.).
7.Leverage dual approval and limit management capabilities in your online banking tool -End-users with transaction initiation or approval entitlements should not also have administrative rights.
8.Implement token management at ACH or Wire release - this approach provides another layer of authentication prior to finalizing the transaction.
9.Employ a prescriptive, layered approach to security - utilize security tools within your online banking solution (e.g. multi-factor authentication, limit management, etc) with a fraud prevention and detection solution (e.g. profiling, analytics, etc.)
10.Education - keep it simple but constant. Partner with your customers to ensure they are aware of today's threats and know what tools are available today to protect themselves.

Michael Grillo
Senior Product Marketing Manager
ACI Worldwide

Fraud reporting – it’s criminal

2011-05-24T10:39:00.000+01:00

Understanding the scale and source of global fraud is vital if the industry is going to tackle it. Yet getting a handle on what is really taking place is a challenge. Every country seems to have a different way of measuring fraud, and each organisation within those countries often provides statistics that are not consistent with each other.

But if we as an industry cannot agree on standardised fraud reporting that treats everything in the same way, and provides a set of data that is globally comparable, we cannot ever really know the best way to tackle the problem.

While there is a wealth of information about fraud levels across the globe, there is little consistency in what it is saying. Taking a look at the figures over the last five or so years illustrates the point. In Italy there are measurements in terms of value with, for example, a €55 million loss to fraud in 2005 rising to €64 million in 2006. In 2007, skimming in The Netherlands cost €15m, rising to €31m in 2008. In Spain, card theft was responsible for the largest volume of fraud on cards, accounting for 41 per cent of purchase fraud alone. In the UK crime and card fraud losses reached £609.9m in 2008, up from £535.2m in 2007, driven by card-not-present crime. There was also a 63 per cent increase in reported financial crime in March 2009 compared to the same month in 2008. While useful in isolation, these statistics tell us very little about the overall problem and what can be done globally to tackle the growing problem of fraud.

Whatever the solution – and it is clear that there isn’t one at the moment – it is high time that a debate about consistency in fraud reporting was kick-started both in terms of the figures being reported and the categorisation and terminology used. And this needs to involve not just the banks, but the governmental organisations and other stakeholders. This would help these organisations make better informed decisions about tackling crime. Ultimately, it would provide true transparency to corporate customers and consumers, which can only serve to build trust in the banks and the financial sector as a whole.

Dave Divitt
Fraud & Risk Solutions Consultant
ACI Worldwide

Card fraud increases 60 per cent in 18 months

2011-03-10T12:54:00.002Z

ACI’s 2010 Global Card Fraud Survey has been making a splash in the media over the last few weeks. According to our research, approaching a third (29 per cent) of consumers across eight major economies have been victims of card fraud in the past five years. This is up from less than a fifth (18 per cent) in summer 2009. However, the good news for financial institutions is that 79 per cent of these card fraud victims were satisfied with the response from their financial institution, up from 75 per cent in 2009.

The UK has a higher instance of card fraud than most other countries surveyed, with a third (33 per cent) of consumers falling victim in the past five years, up from just 27 per cent only 18 months ago, which means an estimated 14.6 million UK consumers have been the victims of card fraud in the last five years. However, these results vary significantly by country – for example nearly half (43 per cent) of people in China have been victims of card fraud, compared to only 11 per cent in the Netherlands.

The research also showed that 50 per cent of consumers worry about card fraud over other financial threats. Yet the survey of 4,200 consumers across 14 countries also showed that too many people fail to take basic precautions for protecting themselves from financial crime. In the UK for instance, nearly one in ten (nine per cent) consumers break the cardinal rule – never carry your PIN number with your card. On average, this figure rises to 12 per cent globally.

There are clearly a lot of stats to take in here. But in essence, what they are telling us is that fraud is a growing issue – and as an industry tackling it remains a major priority. Reassuringly, financial institutions and processors are working tirelessly to combat the crime and protect their customers – and this is paying dividends in terms of customer satisfaction.

But there is also a clear need for further customer education. Banks need to continue to inform consumers about how they can protect themselves against fraud. For example, by driving home the message that you should never carry your PIN with your card.

Interestingly, the UK Cards Association has this week announced that UK card fraud is at a 10-year low. At first this may look at odds to our research, but that may not be the case. Their stats show that the value of cash being stolen is getting lower. This means whereas you might have lost £100 previously, you now only lose £50. But the incidence of fraud is obviously on the up – even if less is being taken each time.

So, as we all work together as an industry to combat this crime, the key thing to remember is that fraud is constantly changing and, looking forward, the industry will need to increase focus on customer education, remedies to safe guard customer identities, verification and authenticating customer payments to improve the overall customer experience.

Andy Morris
Risk Business Solutions Consultant

We have a collective responsibility for fraud

2011-01-27T12:21:00.002Z

News out today from the National Fraud Authority (NFA) shows that fraud costs the UK economy £38bn a year – leaving every adult in the UK £765 worse off.

Unfortunately, I'm not surprised by these figures. Fraud, of all types, is a serious problem across all areas of society, and I completely agree with the NFA that everyone has to play their part to help beat the criminals. For their part, banks in the UK and around the world make significant investments in their fraud prevention tools and people, using many different techniques to try to identify any suspicious activity and stop fraud as soon as they can. But it isn't enough to leave the problem to the government, police or banks, every single person must also take fraud seriously and try to protect themselves and their money.

This can be as simple as not throwing sensitive personal information in the bin, checking bank statements regularly and flagging anything suspicious, or protecting your PIN when withdrawing cash or using a card to pay in a shop or restaurant. It would be naïve to think we will ever be able to eliminate fraud completely, but there's no reason why we can't all work together to reduce it significantly.

Dave Divitt
Fraud & Risk Solutions Consultant

The changing nature of fraud

2010-12-07T13:41:00.005Z

The reduction in fraud levels seen in Australia once again reiterate the potential savings that can be delivered if countries roll out EMV technology, and it will be interesting to see if the current non-EMV countries such as the US reconsider their stance as these stories continue to come through.

However, the rise in CNP fraud in Australia shows how agile the banks have to be to try to stay one step ahead of the fraudster - once one fraud channel becomes more difficult to use or less lucrative for criminals, they soon turn to another, weaker link to steal funds.

CNP fraud, including that perpetrated through online shopping activity, requires banks to use a different set of tools and techniques to identify suspicious activity, such as so called "out of band" communication like SMS messages to communicate with customers, and much more detailed customer and account profiling so that any unusual activity can be flagged as suspicious and assessed in real time to try to identify and prevent fraud at the first attempt.

Dave Divitt
Fraud & Risk Solutions Consultant

Not just another Manic Monday

2010-11-29T17:03:00.002Z

According to Kelkoo – the online retail comparison website – and Visa Europe, Monday 29 November is the busiest online shopping day of the year. Visa Europe expects 3.8m purchases worth £265m to be made using Visa cards and Kelkoo says that online shoppers are expected to spend £537m on Christmas gifts today.

These numbers demonstrate just how important online shopping is, especially in the run up to Christmas. It’s increasingly popular with consumers and I would definitely encourage people to feel confident shopping online and not let security concerns put them off. Provided consumers follow a basic common-sense approach, there’s no reason that shopping over the internet should put them at increased risk of card fraud over shopping in person.

The basic advice to consumers against all fraud types is to check your statements, and flag anything suspicious to your bank immediately. With online banking, consumers don’t have to wait for their monthly statement or bill to arrive, but can check as often as they like, which can help spot and stop fraud even faster if there is a problem.

If consumers are shopping online with merchants overseas or perhaps those that aren’t well known, then they should remember that Google is their friend – have a search for reviews from other people who have used the site and if anyone has reported any problems. As with anywhere you spend your money – if you aren’t sure then don’t do it, and if it sounds too good to be true then it probably is!

Some banks have started offering out of bank communications such as SMS messages to track activity, and I would encourage consumers to participate in these schemes where they exist. I’m sure we’ll see increasing use of tools such as SMS between now and next Christmas, which will help consumers feel even more confident.

But otherwise my main message to consumers is to trust their bank to detect and prevent fraud using the vast array of tools they have in place, and to enjoy their Christmas preparations free from worry.

Dave Divitt
Fraud & Risk Solutions Consultant

Direct debit fraud at an all-time high

2010-11-23T11:59:00.003Z

It is worthwhile remembering that there is actually more than one victim involved in Direct Debit fraud. The Paying Bank executes the payment against a fraudulent direct debit mandate, and the Collecting Bank receives the fraudulent payment, whose customer provides goods and services – for simplicity let's assume they are in fact legitimate in the first place.

Under scheme rules the Collecting Bank is obligated to indemnify the Paying Bank up to a specific threshold limit where payment has been made by mistake (including fraudulent payments). So the actual victim here is not just the Paying Bank’s customer whose details were stolen, but also the Collecting Bank and their customer who in good faith provided goods and services to the criminal against a fraudulent payment instruction.

This is not a new theme. Those financial crime professionals that are old enough will also remember and be familiar will the old Direct Debit telegraphic transfer directory scam in the mid 1980s. However, Direct Debit and ACH fraud does need to be taken seriously This is also not just a domestic problem. Reg E in the US also exposes banks to fraud threats and requires careful management.

Fortunately there are a number of tools that banks can employ to help identify this type of fraudulent activity, possibly one of the most common and successful being ‘out of band’ communication – where the bank contacts the customer using a mobile phone call or SMS message for example, to confirm the new mandate instruction. This method can also be used as a verification tool for any type of transaction to confirm its legitimacy – including online payments or even debit or debit card transactions. For banks, the priority is identifying fraud accurately at the first possible opportunity, and stopping the criminals in their tracks.

Andy Morris
Risk Business Solutions Consultant
ACI Worldwide

Getting one view of financial crime

2010-10-27T12:02:00.002+01:00

Anyone who has worked in a bank, or has spent any length of time working with them, knows that technology silos are all too commonplace. Many banks have one system to process debit card payments, another for credit, a third for online banking, and the list goes on. The same applies for fraud prevention and detection, where many banks aren't yet taking a true enterprise view of a customer but instead trying to identify fraud on individual channels, which inevitably makes the detection slower and less accurate - for when fighting financial crime, information and knowledge really is power.

So I am heartened by the session I attended today in which the panellists of senior executives from major banks all agreed that sharing and centralising AML, sanctions, KYC and fraud prevention and detection are key in reducing costs and increasing success. I completely, wholeheartedly agree. The most important thing for the bank isn't maintaining silos or, dare I say it, the all-too-common politics that accompany them, it is about stopping the criminals and preventing fraud losses - both the banks' and their customers'.

I hope what they have seen and heard this week will really encourage banks to take a fresh look at how they are stopping all types of financial crime, and that the panellists today will continue to lead by example. Fraud isn't a competitive issue, it is something the whole industry needs to work together to prevent, and this could be the start of that process.

David Divitt
Fraud & Risk Solutions Consultant
ACI Worldwide

Wire transfer fraud – who’s responsible?

2010-10-22T18:05:00.008+01:00

I recently wrote about the risks that banks face with respect to the alarming scale and sophistication of today's wire transfers. Related to this is the issue of acccountability and responsibility.

While mitigating risk is both the financial institution's AND the customer's responsibility, it is often the customer authentication measures which fall short and opens up the point of penetration/attack. On their end, however, financial institutions are beginning to push the boundaries and implementing advanced technologies to provide predictive and early warning alerts to mitigate wire and ACH fraud.

With wire and ACH fraud, financial institutions are not only vulnerable to high-value fraud, but also to multiple points of loss across a corporate customers' account. Once "in" criminals are able to access and undermine the systems across the financial enterprise channel -- from wire transfer through corporate checking accounts, to CDs and corporate cards. To combat this, financial services companies are increasingly looking to electronic payment systems companies to provide sophisticated systems that deliver a combination of predictive analytics and user-defined rules to stop fraudulent activity. This form of software solution proactively manages and mitigates risk by monitoring and identifying changes in customer behavior patterns across the ecosystem of financial services products to cut off cross-channel fraud in real time. It also helps a financial institution's fraud operations rapidly recognize attacks from schemes such as identity theft, ACH kiting, skimming, account takeover and money laundering. By using an advanced fraud detection system that analyzes wire transfer transactions in real- and near-real time, financial institutions can augment current processes and resources to screen for high-risk activity and take action -- even before the money leaves the bank.

Monitoring ACH and wire activity not only mitigates financial risk by reducing overall fraud loss, it also mitigates reputational risk in terms of protecting the financial institution's brand equity, customer loyalty and customer satisfaction. So, while protecting against wire and ACH fraud is both the bank and corporate customers' responsibility -- arguably it is the financial institution that "risks" the most. Given this, banks and their partners should take protective measures and implement intelligent, customer-centric risk management solutions to cut the cords of wire and ACH fraud.

Cleber A. Martins
Business solutions analyst for Risk Management Solutions at ACI Worldwide

Social Media: Boon or Bane?

2010-10-05T15:59:00.002+01:00

The explosion of social media and networking presents both a boon and a bane for online banking. On one hand, it promises dynamic relationships, deeper connections and loyalty between customers and financial institutions, and a channel through which financial transactions may be executed ever more seamlessly. One the other hand, it poses a new sort of security and fraud risk to financial institutions and their customers.

Social media is helping banks and financial institutions know and understand their customers better. The rewards of this intimate customer engagement, access and dialogue are increased brand relationships and loyalty. But, for this reward to have sustainable and substantive value, banks and financial institutions need to be planning ahead and deploying advanced solutions that anticipate and intercept fraud originating through social media and networking channels.

From a sales and marketing perspective, large banks and financial institutions are, not surprisingly, taking a cautious and smartly managed approach to engaging their customers in digital conversations. Many are opting not to establish Twitter channels or Facebook pages to push out news and promotions, but instead are setting up Twitter channels to monitor customers ‘tweeting’ about concerns and issues in order to address and intervene in the early stages, and using Facebook for purely promotional and social responsibility initiatives. This cautious and highly managed approach is critical to preventing the potential for fraud.

No one would argue that social media is a means for individuals to become extensively known and recognized. One’s personal history, friends, interests and thoughts – one’s identity – is increasingly being digitally exposed. Clearly, it’s important to proactively limit exposure. Once a social media attack creates a point of compromise, the customer’s entire banking portfolio including deposit, savings, credit card etc. becomes vulnerable to financial fraud. Fraudulent new accounts and transactions may occur.

Are the financial risks of utilizing social media greater than the benefits? It’s an academic question. Social media is here to stay and evolving dramatically. Risks simply must be understood and reasonably mitigated.

Stay tuned for more insights into how banks and financial institutions can protect themselves and their customers from social media fraud.

David Nussenbaum
VP Product Line Manager at ACI Worldwide

Don't be discouraged from online banking

2010-09-29T11:19:00.002+01:00

The news that UK police have arrested 19 people in connection with the theft of millions of pounds from online bank accounts shows the lengths to which criminals will go to commit fraud, and the PCeU must be congratulated on breaking this criminal gang. However, it is important that stories like this don't discourage consumers from banking online. As an individual there are a number of steps that people can take to help protect themselves from fraud - including never clicking on suspicious links in emails or on websites that could download this type of malware to their computer; regularly running anti-virus software; always checking statements; and reporting anything suspicious to their banks.

From the bank side, there is a lot they can and are doing to help protect their customers. We're starting to see a growing number of banks using what is called ‘out-of-band' methods to confirm with customers if a transaction is genuine - such as a phone call or an SMS message. Banks are also implementing comprehensive fraud analysis tools to look at every transaction made on an account to see if they fit into the usual ‘pattern' for that individual, and stopping or delaying anything that seems to be suspicious.

Despite criminals' ever advancing methods of attack, police can still disrupt and put an end to this activity, and as banks and police team up and pool their intelligence, these sorts of busts will hopefully become more and more commonplace.

Dave Divitt
Fraud & Risk Solutions Consultant

Understanding today’s wire transfer risks

2010-09-28T17:05:00.003+01:00

While the rise of wire transfer and ACH (automated clearing houses) fraud is not news, the pure acceleration rate, scale and sophistication of corporate wire and ACH fraud is alarming. For example, the FBI recently took the step of issuing a cyber security advisory in response to the growth of unauthorized and fraudulent multi-million dollar wire transfers from business and government entities to overseas locations.

Wire transfers, previously one of the more secure environments within a financial institution’s operations, pose the greatest risk of loss to a financial institution. The transfer speed, potential size of such losses and the inability to recover funds once they are transferred to the destination institution all leave financial institutions vulnerable to significant risk.

To fully understand wire transfer risk, it is important to analyze the origin and the destination of the wire transfer. Many financial institutions allow business and consumer customers to initiate wire transfers in-branch, over the phone or online. In general, wire transfers originating from branch locations are the least risky as fraudsters are generally reluctant to put in a personal appearance. Despite this, it is important that branches have a documented authentication process, including requirements for multiple forms of ID or signature verification. Financial institutions usually require individuals initiating a wire transfer request over the telephone - typically corporate customers - to be authorized to initiate wires on behalf of the company for the particular accounts. These individuals must be able to provide appropriate security codes or correctly answer previously established security questions. Yet, internal employees, both within the bank and the corporation, may gain access to account information and passwords to overcome such security barriers.

Similarly, financial institutions that allow customers to initiate wire transfers online open themselves to risk by fraudsters who are able to circumvent online authentication measures. Many banks are turning to multi-factor authentication techniques such as “something you have” (e.g. a token), “something you are” (e.g biometrics) as well as “something you know” (e.g. a password) to help prevent fraud of this type. They also are using techniques such as IP profiling to identify fraudulent access. In fact, multi-factor authentication becomes a critical weapon in a bank’s arsenal as criminals continue to develop increasingly sophisticated techniques to conduct fraud.

Criminals have figured out ways to bypass the need to “break” a user’s authentication, such as deploying a Trojan or some other type of malware to perform man-in-the-browser attacks. These can be completely invisible to the user, who accesses the online bank account and makes a payment as they normally would, but behind the scenes the fraudster can redirect the funds to their own account and even change the amount of money being transferred.

So how can banks best protect their customers from the multiple entry points of today’s wire transfer risks? The key is an enterprise risk management system that tracks customer behavior patterns such as time, frequency, amounts and destinations of activity. Then when customer activities show variances or anomalies, the system can issue an alert to stop the suspicious transaction in its tracks. Such a strategy delivers an optimum detection rate and minimum false positive ratio.

Financial institutions face a growing burden to protect their customers from fraud, protect themselves from fraud losses and comply with mounting national and international regulations. Ironically, while combating fraud, financial institutions are also being pressured by customers and regulators to improve the speed at which payments and transfers reach beneficiaries’ accounts, with many countries now at a near- or real-time process. This rapid availability and transfer of funds creates additional challenges in terms of recognizing and shutting down fraud before it is too late. Are you prepared to guard against today’s wire transfer risks?

Cleber Martins
Business Solutions Analyst of Risk Management Solutions at ACI Worldwide

Internet banking faces a new threat

2010-09-27T16:45:00.001+01:00

The recent announcement of the multi-channelled Zeus attack on a user’s internet banking account is an interesting hypothesis and surely will not be the last when it comes to beating the ever advancing online banking systems. The attack method currently seems to use the mobile phone as a forwarding device for any one time password that is delivered to the customer. It’s unclear whether or not the mobile phone hack would hide the incoming SMS from the customer, however if it doesn’t, then if banks ensure they include relevant transaction details in the SMS - amount, and beneficiary - it could allow the legitimate customer to detect that something has gone wrong prior to money being lost.

However, if this is the beginning of these types of attacks, we can be sure that the sophistication will also ramp-up as time passes. It’s easy to imagine a few other tricks that could be implemented in the mobile phone side of the attack to further mask the attack. Banks need to keep on top of these threats by maximising the technology they use in Out of Band communication and not simply using it as a basic notification service.

Having the customer respond or sign a transaction via the Out of Band channel could cut down on the potential for abuse since the bank would be able to look at the incoming mobile phone number to help authenticate the transaction. All of this, however, further points to the fact that our most advanced and innovative protection methods will inevitably be defeated as the never-ending game of cat and mouse progresses. When the locks on the door cannot fully protect, the banks will always have the incredibly robust suite of transaction behaviour detection tools available to them.

Regardless of what technology is sitting at the front gates, there is always a way to detect abnormal behaviour when it's occurring, and banks will always keep these systems honed to ensure customers' money is protected.

David Divitt
Fraud & Risk Solutions Consultant

The PFM debate

2010-08-24T17:01:00.003+01:00

According to new research from Fiserv Americans prefer to access personal finance management (PFM) tools through banking Web sites, with security concerns trumping the advantages, such as account aggregation, offered by third party providers.

These are very interesting results and demonstrate how security-conscious consumers are, despite the benefits that PFM sites promise. True, a full view of all your accounts in one place via a PFM site gives a useful indication of all assets and how best to manage them, but the threat of losing all those assets through a security lapse is a risk. Those who were polled for this piece of research are right to be worried as these aggregator sites may pose a weak link in the security chain, for example if they aren't PCI compliant or don’t employ sophisticated anti-fraud measures like 'out-of-band' communication and IP Profiling.

There are also other worries for me, as an anti-fraud specialist. One is that the originating banks may not be able to see all the activity performed on the sites so will not be able to build a robust profile of their customers’ activity. On top of this, the behaviour of the sites is often close to that of a trojan whereby log in and page clicks are done rapidly by a script - this could cause a bank to have false alarms of malicious activity on an account leading to disruption of service for the customer.

All of this means that it is vital that customers wanting to use PFM sites take the time to understand the way in which they work and how liability for fraud may shift as a result.

I agree with the George from TowerGroup and I think it will be interesting to see is how financial institutions evolve their current online offerings. If there is a desire from customers for PFM functionality, but not the desire to use PFM sites, perhaps that is indeed where the financial institution can step in.

David Divitt
Fraud & Risk Solutions Consultant

Bringing the customer into the fraud prevention process

2010-08-19T14:18:00.002+01:00

This news is very encouraging for banks and consumers around the world. It’s great to see banks taking steps to give their customers as much control as possible over their account. At the moment it sounds like this will only be used for credit card accounts, but where this type of technology really has potential is when it is implemented across a customer’s full range of accounts with the bank.

It will be interesting to see how much this system is integrated into the fraud prevention process within the bank. Alerts, such as SMS messages, can be a very valuable tool to contact a customer immediately and in an unobtrusive manner if a suspicious transaction is made, or attempted. If that alerting process is two-way (for example enabling the customer to reply to say STOP if it isn’t them making that transaction) fraudsters can be stopped immediately, and all future transactions can be blocked.

By empowering their customers in this way, banks can reassure them that they take fraud prevention very seriously and are committed to their protection. This example from Citi is encouraging and I’m sure we’ll see more roll-outs of this kind over the next few years as banks adapt to their customers' demands.

David Divitt
Fraud & Risk Solutions Consultant

A collective approach to international fraud prevention

2010-07-26T10:31:00.005+01:00

Guest blogger: Jim Oakes, managing director at Financial Crime Risk Limited

So, the World Cup is over for another four years and sports fans will be turning their thoughts to the next big event on the sporting calendar. While I enjoy these types of events from a personal point of view, professionally, it’s disappointing to see a lack of pro-active discussion about how the UK banking industry should collectively handle payments fraud during large sporting events. While banks do take individual measures to protect their customers, there is little or no public discussion or consumer education as to the potential and unique risks associated with host countries.

Why is this important, you might ask? Well, the simple fact is that just by travelling abroad, consumers are more at risk from payment fraud by highly skilled and well-practiced fraudsters, adept at avoiding detection. As a result, banks need to ensure that they work more closely with customers to understand their spending patterns and adapt their behavioural profiling accordingly. For example, if a bank had known that a customer was going to the World Cup, it could have updated its behavioural profiling rules to accept transactions in South Africa and blocked other foreign countries. Then, fraud teams would have also looked out for transactions in high risk areas relevant to the venue such as Ghana and West Africa in the case of the recent World Cup, or for expensive purchases that don’t fit with someone travelling such as white goods, furniture, and transactions that occur a long way away from the games which would not ordinarily fit the customers behaviour. From a transaction monitoring perspective it is also important to make sure that transactions which occur during the night over weekends and in particular during public, seasonal and religious holidays are monitored closely, ideally in real time as these are often key high risk periods of attack.

Improving the communication and knowledge sharing within the different parts of the industry is a key step in the fight against card fraud. Fraudsters tend to take the path of least resistance, so if a decent amount of information sharing is in place the rest of the industry can take steps to prevent fraud before it occurs. This can dramatically reduce losses across the board, right down to blocking individual offenders’ IP addresses.

Many banks are already taking steps to put their own minds and those of their customers at rest. A combination of customer education, communication and comprehensive real-time analysis techniques will help banks to prevent spikes in fraud around major sporting events. However, only when they begin to take a more collective approach to payment fraud and consumer education can banks ensure that they are doing their utmost to protect their customers.

Jim Oakes

Managing Director at Financial Crime Risk Ltd

Certified Fraud Examiner

Vice President of the Association of Certified Fraud Examiners UK Chapter (ACFE)

Certified Financial Crimes Investigator

International Association of Financial Crimes Investigators (IAFCI)

The rise of first party fraud

2010-07-22T10:20:00.001+01:00

First party fraud continues to be a challenge facing institutions and is, arguably, a necessary evil of doing business for institutions today. However, this also can prove problematic when also trying to balance regulatory and consumer pressure to treat customers fairly. Here the advantage tips in favour of the fraudster: how do institutions manage and treat a customer that they suspect of showing symptoms of first party fraud - fairly. Just look at some of the consumer web forums describing tales of woe where customers or credit applicants have negative registrations against their credit history – purportedly for account misuse or supplying false or misleading information. However, let’s not lose sight of the fact that dishonestly making a false representation is now recognised as a criminal offence under the Fraud Act 2006.

Hence, how the institution identifies and manages a suspected first party fraud customer requires very careful tact and diplomacy - assuming of course the institution was able to recognise the symptoms of first party fraud verse genuine bad debt. There will also be a “tipping point” when the fraudster becomes suspicious that the bank knows what is going on, leading them to perpetrate their crime earlier than anticipated.

There are a number of subtle differentiations between first party fraud and bad debt, and how this impacts upon institutions today. First party fraud refers to cases where a consumer opens a credit or debit account and uses it to make payments and purchases that they don’t plan to pay for. It is a pre-meditated fraud where applications for funds are submitted based upon legitimate information which is supported by verified identification. Once accepted in the system the fraudster uses various payment methods such as credit, debit cards and cheques to make purchases with no intention of actually paying, leaving the merchant, financial institution or payment scheme at a financial loss.

What is becoming clearer in these recessionary times is just how fine the line is between bad debt and first party fraud. The main challenge banks face in preventing first party fraud is to prove beyond reasonable doubt that it is pre-meditated and not simply a genuine inability to pay a bill.

The best way to combat first party fraud is to monitor customers and attempt to detect it before it has even taken place. This may sound ambitious but there are identifiable fraudster characteristics which tend to be consistent across the globe. For example there is a greater propensity for a certain age bracket to commit first party fraud. Once these characteristics are identified, banks should scrutinize and observe trends to distinguish between routine and inconsistent activity. A combined strategy of predictive analytics and full end-to-end payment and transaction monitoring best positions financial institutions to deter and shut down first-party fraud. If a customer is identified as suspicious, the activity can then be checked before the fraud is perpetrated thus reducing the risk to the institution. The key to assessing this successfully and reducing the frequency of false positives is by having a real time holistic view of the customer across all of their accounts.

First party fraud is more likely to grow rather than subside going forward. The recent recession has played a role in cash strapped individuals reverting to fraudulent activity to attain goods, which has been reflected in the increase in the level of fraudulent activity since the recession has escalated. While banks have previously gone to great lengths to protect their customers from third party fraud, they must now also take action to protect themselves from the risk of financial loss as a result of first party fraud.

Andy Morris
Risk Business Solutions Consultant