Nightmare On Your Street

Be afraid. Be very afraid. They're out there, walking among us. Well-organized hordes of fraudsters roaming your online banking channel like the undead, often unseen and unheard until it's too late. Their greatest advantage is invisibility-their uncanny ability to blend in among your honest online members as they consume credentials, identities and eventually assets. But what if you could shine the light of day on these phantom visitors and reveal their surreptitious, shadowy methods?

We're all well aware of the methods and technologies employed by our industry over the past few years to battle these demons. Stronger authentication and user education are fighting the good fight on the front end, spurred by government mandates. But the chilling fact remains, member credentials continue to be vulnerable, assets remain at risk, and fraudsters continue to compromise accounts supported by growing, organized digital criminal networks. The consequences of fear: industry research firm Gartner Inc. estimates that almost nine-million adults in the U.S. have already stopped stopped banking online and that another 23.7 million won't even attempt it.

Internet security experts concur that a truly multilayered approach leverages both defensive and offensive measures. To stay a step ahead, some institutions have even started to implement back-end transaction monitoring approaches that move beyond simply hanging garlic on the front door. Unfortunately, the nature of online account fraud makes even these approaches ineffective.

What if Fraud Doesn't Look like Fraud?

Today's sophisticated criminal methods mean online account fraud often doesn't look like fraud at all. In fact, it can look exactly like how you expect and even want your members to behave online. That's because fraudsters do exactly what your members do-use bill pay, look at check images, check balances, update personal information and so on. To make the situation even more difficult to address, today's fraudsters use multi-channel fraud methods that combine both online and offline steps - any one of which looks perfectly acceptable, but when taken in combination amount to a fraudulent attack.

Case in point is the haunting tale of what happened recently to a top-50 credit union that serves tens of thousands of members daily. Despite aggressive efforts to safeguard its online environment, fraudsters were still able to pull off a multi-channel fraud scheme.

Here's how it worked:

The fraudster called the credit union's member service number and using social engineering techniques and information voluntarily given to the fraudster by the victim in a phishing e-mail scheme, managed to have the online account password reset to one of his choosing and changed the contact phone number as well.

1. The fraudster accessed the online account. There he downloaded check images complete with the member's signature, and learned more about the member's personal information and online activities.

2. The fraudster then called on a second bank, and used the stolen information to open a new account in the member's name.

3. A wire transfer was arranged to empty the victimized account of its assets and credit the new account at the bank. Because the names on the accounts were the same and the fraudster had provided a phone number under his/her control and a valid signature, an offline verification of the transfer by phone, as a second means of identification, passed and was authorized.

4. The fraudster withdrew his loot piecemeal, visiting separate branches in a state different than the victim's.

5. Besides the financial business impact of a direct loss, the credit union also incurred additional expense in allocating staff's time and resources with the investigation and audits.

The truly insidious nature of this fraud scheme is that the actual loss didn't even occur within the online account, rather was simply aided by access to it. Is such a loss then to be classified as wire fraud, check fraud, or online account fraud? It may be difficult, if not impossible to isolate and quantify such multi-channel fraud schemes. The really important question is: how can this kind of nightmare be prevented from visiting your house?

To Beat The Fraudsters, Focus On Members

Fraud prevention best practices of the past would seem to dictate that if we can just write the correct business rules, any fraud pattern can be detected when next it occurs. But labeling any of the above steps in our example as potentially fraudulent would certainly impede online activity -because the fraudster is doing exactly the kind of things we expect our real members to do. Implementing rules against these typical actions - which happen thousands of times each day on most banking sites - would trigger an unmanageable volume of alerts for investigation and never-ending rules maintenance hassles. Continuing this "rear view mirror" approach to fraud prevention will keep our industry in reactive mode, one step behind the fraudsters.

Ultimately, the emergent best practice is to employ predictive models of individual member behavior to immediately detect when the "member" logging in isn't who they say they are, even if they pass authentication. Way beyond simple machine signature technology, emerging user profiling technologies rely on trended analysis of behavioral patterns account by account. They start by understanding what "normal" behavior is for each individual member - and admit that there is no single pattern of "normal" behavior to write an anti-fraud rule against. Dynamic, model-based analysis of account activity "does the math"-piecing together what are by themselves very weak indicators of fraud until a powerful pattern emerges. Behavior that deviates from what's expected becomes suspicious-the more the deviation the deeper the suspicion. This analysis lends more granular risk scoring, correlation with offline activity patterns, and ultimately a more manageable number of suspicious incidents for fraud team resources to scrutinize. A byproduct of this behavioral analysis is a rich history of online activity that aids investigation and forensics.

So in our real-world example, using these techniques the credit union would have identified the fraudster through the anomalous activity outside the member's predicted behavioral pattern in terms of the login activity and the fraudster's attack could have been shut down in mid-stream. A member representative could have been alerted to unusual online activity, or could have stopped or recalled the wire transfer during approval.

Fraudsters continue to refine their methods for compromising and draining accounts and know how to stay under the radar of traditional fraud detection approaches. Institutions can contain online risks to acceptable levels through a more holistic approach to risk management that involves cross-functional investment in the solutions chosen. A next-generation approach to online fraud prevention is needed, if we are to continue to inspire member confidence in the online channel. New best practices and back end technologies are emerging that focus first on how customers actually behave online on any given day to better isolate anomalous and otherwise suspicious activities.

This Halloween, don't get tricked by the fraudsters at your front door. Treat yourself to a better understanding of their latest methods to take the bite out of their frights.

Tom Miltonberger is president and CEO of Guardian Analytics, a technology leader in protecting online channels from account fraud. Mr. Miltonberger has more than 20 years of executive and technology leadership experience. For more info: www.guardiananalytics.com. (c) 2007 The Credit Union Journal and SourceMedia, Inc. All Rights Reserved. http://www.cujournal.com http://www.sourcemedia.com