August 02, 2010
Fight against payments fraud: The target is moving, but not everybody takes aim
Industry statistics show payments fraud continually evolves, which is a likely reason it will never disappear. Even so, industry statistics also show some institutions prefer incurring costs associated with fraud rather than paying the price for preventive measures. Nothing drives those points home like drilling into the numbers.
Regarding the evolution of payments fraud, the same technologies that enable electronic payment innovations are also the same ones that help bad actors find ways to access consumer data and account information to perpetrate identity theft and payments fraud. In fact, FinCEN's June 2010 issue of The SAR Activity Review — By the Numbers reports that the number of Suspicious Activity Report (SAR) forms filed by depository institutions on computer intrusion, while quite small relative to other forms of suspicious activities at around 1 percent of suspicious activity–type filings, increased roughly 52 percent in 2009 from 2008.
This increase of computer intrusions confirms recent media reports about the industry's heightened concern over malware attacks and corporate account takeovers. However, despite the continued decline in check writing, the data also show that check fraud remains the most frequently reported suspicious activity, primarily in the form of counterfeit checks.
Businesses weigh in: Check fraud remains rampant
Even with the emergence of new threats, many of the established risks continue to thrive. The Association for Financial Professionals (AFP) 2010 Payments Fraud and Control Survey reports payments risk experience from the standpoint of businesses, with similar results. The survey indicates payment fraud, particularly check fraud, "remains rampant." Ninety percent of respondents to the survey were victims of check fraud, with 64 percent suffering financial loss as a result.
Industry fight against payments fraud
The fight against fraud remains ongoing—financial institutions and vendors offer a number of fraud control services to protect corporate bank accounts. According to the AFP, the most widely used fraud control measure to guard against check fraud is positive pay, a tool that compares an organization's check record with those presented for payment or payee names for possible alteration. With respect to ACH payments, companies can use debit blocks and filters to prevent unauthorized transactions. Other traditional internal control processes, including daily reconciliation and separation of duties, are effective measures especially in concert with similar sound practices by the organization's financial institution, such as the use of checklists (as described in an earlier post). Other mitigation practices reported in the AFP report include restricting online data communications and controlling the transmission of payment instructions from the phone or fax to more secure environments, to name just a few.
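The positive pay comparison and the ACH debit filter described above, as an added Python illustration that is not part of the original post; the issue file, presented items, originator ID and exception labels are constructed for the example:

```python
import re
from dataclasses import dataclass, field

@dataclass(frozen=True)
class IssuedCheck:
    number: int
    amount_cents: int
    payee: str

def normalize_payee(name):
    """Canonical payee form so 'ACME Corp.' and 'acme corp' compare equal."""
    return re.sub(r"[^A-Z0-9]", "", name.upper())

@dataclass
class PositivePay:
    """Payee positive pay: every presented check must match an issued record."""
    issued: dict                            # check number -> IssuedCheck (issue file)
    paid: set = field(default_factory=set)  # check numbers already honored

    def review(self, number, amount_cents, payee):
        """Return None to pay the item, or the exception reason to hold it."""
        if number in self.paid:
            return "duplicate presentment"
        rec = self.issued.get(number)
        if rec is None:
            return "not on issue file"
        if rec.amount_cents != amount_cents:
            return "amount mismatch"
        if normalize_payee(rec.payee) != normalize_payee(payee):
            return "payee altered"
        self.paid.add(number)
        return None

def ach_debit_filter(allowed, company_id, amount_cents):
    """ACH debit filter: pay only listed originators, up to a per-item cap."""
    cap = allowed.get(company_id)
    if cap is None:
        return "originator not authorized"
    if amount_cents > cap:
        return "exceeds authorized amount"
    return None

def run_sample():
    """Constructed issue file and presentments; returns the held exceptions."""
    pp = PositivePay({n: IssuedCheck(n, a, p) for n, a, p in [
        (1001, 25000, "ACME Corp."), (1002, 120000, "Jane Doe"), (1003, 9900, "Utility Co")]})
    presented = [(1001, 25000, "acme corp"), (1002, 120000, "Jane Doe Smith"),
                 (1003, 99000, "Utility Co"), (1001, 25000, "ACME Corp."), (1004, 50000, "Cash")]
    results = [(n, pp.review(n, a, p)) for n, a, p in presented]
    return [r for r in results if r[1] is not None]
```

Each held item is an exception the account holder must decide on before the bank pays it; the clean first presentment of check 1001 is paid and a second presentment of the same number is then caught as a duplicate.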
Interestingly, the report included survey responses on reasons organizations elected to forgo the use of purchased fraud control services, with most reporting that the costs outweigh the perceived benefits they might realize.
Looking forward
If we use these reputable data sources as proxies for the collective success of the efforts of all payments stakeholders in the fight against payments fraud, we appear to be doing rather well. Fraud experts know, however, that there is no time for resting on laurels, as the bad actors are always moving forward. It will be critical to engage all stakeholders in the fight against payments fraud, finding new means to control the disclosure of private information and to authenticate consumer payment credentials at every step in the payments process.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum
August 2, 2010 in ACH, card networks, check fraud, consumer fraud, fraud, online banking fraud, risk
April 26, 2010
Sophisticated hacking software: Making detection and prevention of online banking fraud more difficult
The story is all too common. Malicious software infiltrates an unsuspecting victim's computer. The malware steals the victim's password and user name and gains access to his or her online bank accounts. Oftentimes, the perpetrator steals the victim's funds through fraudulent wire transfers and ACH transactions, and the money ends up in accounts overseas, where the likelihood of recovery quickly diminishes. This year, banks and businesses alike experienced an increased level of cyber-attacks aimed at hijacking online banking accounts.
Although the crime itself is not new, the reason for concern is simple: hacking software is more sophisticated than ever, making detection and prevention more difficult. Because the legal boundaries for the liability of banking institutions are still evolving, this increasing sophistication poses a significant challenge.
Malicious software bypasses bank security
Some of today's most advanced malware can compromise security tokens and authentication techniques, demonstrating that even two-factor and multi-factor security techniques are vulnerable. Real-time Trojan horses—such as Clampi and Zeus—can allow the fraudster to circumvent two- or multi-factor authentication and steal banking credentials, creating a weak link in the financial security chain. Other infections rewrite the bank's login screen that displays on the victim's computer and intercept the victim's credentials before they reach the bank's Web site.
A significant part of the growing threat to online banking is Zeus variants like the Mariposa botnet, which injects content directly into Internet pages and intercepts credentials, preventing the user from sending them to legitimate sites. Luckily, online security firms and other officials shut down the Mariposa botnet in March, but not before its impact was felt worldwide.
Identifying the weakest link
Some banks are looking beyond their own security systems and focusing on what they perceive is their weakest security link: the user. A number of types of software are available to banks to help in their efforts to combat unauthorized intrusions. For instance, one type allows banks to remotely analyze the computers of hacked customers. The customer, upon suspecting a breach, downloads the software onto his or her computer, at which point the bank performs a quick search for any digital tracks, software, or other evidence the online hackers may have left behind. The information the software gathers can better inform banks of where attacks originate, attack patterns, and trends—and, hopefully, lead to the eventual recovery of lost funds. Other types of software are designed for business banking systems; they evaluate risk based on individual online actions and rate overall session activity by identifying inconsistent behaviors for each user.
So, the account has been hacked, now what?
The Electronic Funds Transfer Act and Regulation E protect consumers' online banking transactions from fraudulent electronic money transfers. Business accounts, on the other hand, must look elsewhere for similar protections. The Uniform Commercial Code Article 4A governs the allocation of fraud losses arising from funds transfers for business accounts. Under Article 4A, the bank will be held accountable for fraud losses only if it failed to follow a series of procedures, including adopting commercially reasonable security measures.
But what exactly does "commercially reasonable security measures" mean? Generally, banks have followed the practice that as long as the security the bank establishes and follows has been in line with commonly accepted commercial practices within the industry, then these security measures passed muster. Lately, however, this practice has not been as clear as it once was. In fact, this very question—that of what exactly constitutes commercially reasonable—is at the center of several ongoing lawsuits, particularly one currently being heard in a Texas court.
Will this case, and the others that will follow, reshape the approach to secure online banking by establishing new standards that outline what counts as commercially reasonable security? And will those new standards require banks to upgrade to software designed to spy on the bad guys, monitor consumers' activities, or both? In reality, fraudulently penetrating banking security systems will occur no matter how sophisticated or reasonable the security measure. But as more consumers and businesses move to online banking, commercially reasonable expectations for securing online transactions should be calibrated against the technological sophistication of hackers and their software to improve detection and protection against online banking fraud.
By Ana Cavazos-Wright, payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed.
April 26, 2010 in malware, online banking fraud