Digital banking fraud: Best practice for technology-based prevention
The shift of banking to digital channels is creating a revolution in banking fraud. Until a few years ago, this was the preserve of small-scale criminals attempting to steal relatively modest sums. But today, digital banking fraud is a major international industry in which sophisticated criminal groups employ increasingly sophisticated tools – and frequently collude with corrupt bank staff – to steal very large sums. This in turn has pushed up the liabilities that banks must absorb to cover the losses their customers suffer due to fraud.
As digital channels have multiplied, so have the routes that fraudsters can use. And their options are about to expand again with the implementation of Open Banking and the coming into effect of Europe’s second Payment Services Directive (PSD2). This will present a new set of challenges for banks, who will remain liable for losses caused by unauthorized transactions through these new digital channels.
Against that troubling background, we’ve compiled a page that covers the what, why and how of digital banking fraud. With it, we hope to help banks anticipate upcoming digital banking fraud threats, understand their weaknesses and learn the latest best practices, so they can not only detect digital banking fraud but also prevent it.
The context: fraud on an industrial scale
The digital revolution that is transforming banking is also enabling new forms of banking fraud. The banking transition from branch-based delivery to multi-channel services has opened up a new arena for criminals to operate in. Digital delivery has huge attractions: it is cheaper for banks to provide and it enables more customer-centric strategies, empowering users to access banking services whenever and wherever they want. But it also creates new vulnerabilities. Customers become the weakest links in the chain. Their awareness of online security risks is often poor and they are easily duped into divulging confidential data to criminal groups that can then be used to authenticate fraudulent transactions.
Digital channels also have huge attractions for fraudsters. These services create massive volumes of electronic transactions that are processed from end to end automatically. The sheer volume of digital transactions means that traditional manual methods of fraud monitoring and detection have neither the capacity nor the speed to meet the challenge facing banks today.
Case study 01
CYBER-HEIST: THE $951M RAID ON BANGLADESH’S CENTRAL BANK
In early 2016, a criminal gang penetrated the security systems of Bangladesh Bank with malware that cloned legitimate transactions. On February 4, the malware sent 35 withdrawal requests through the international SWIFT system to the New York Federal Reserve, where the Bangladeshi central bank had money on deposit. The fraudsters attempted to steal a total of $951m. Thirty of the orders, worth $850m, were blocked by the New York Fed, but the gang succeeded in having $101m transferred to banks in Sri Lanka and the Philippines before their activities were noticed, thanks to a spelling mistake in one of the transfer requests. Subsequently, $20m was recovered from a Sri Lankan bank, but officials were too late to stop the remaining $81m from disappearing. A spokesman for the Federal Reserve of New York said: “The payment instructions in question were fully authenticated by the SWIFT messaging system in accordance with standard authentication protocols.”
The gang involved is thought to have consisted of between 20 and 40 members with a range of skills and including financial and banking experts, hackers and software engineers. Had it not been for one slip-up, their audacious attempt to steal almost $1bn might have succeeded – a prospect that has caused huge concern among banks and their institutional customers, which keep large sums on deposit to pay staff and suppliers.
Case study 02
TESCO BANK SUFFERS UK’S FIRST MASS ACCOUNT THEFT
In November 2016, the bank owned by UK supermarket group Tesco suffered a huge online security breach in which a total of £2.5m was removed from 20,000 of its 136,000 current accounts and suspicious activity was discovered on a further 20,000.
The robbery happened over a weekend, while bank staff were absent, and there has been no official explanation of exactly how the thefts were executed. However, experts suggested that hackers had identified a weakness in the Tesco Bank website and exploited it to steal thousands of customers’ account details that were then used to make online purchases. On discovering the fraud, Tesco temporarily blocked online payments by its current account customers while continuing to allow them to use cards for cash withdrawals, chip and pin, and bill payments.
The risks: how and where cyber-fraud happens
There are numerous ways for fraudsters to penetrate digital banking systems and carry out thefts, often thanks to poor security awareness among banking customers, who write down passwords or can be tricked fairly easily into divulging them.
So-called phishing scams that use links in emails to direct customers to fake online banking webpages are well documented. In June 2013, three men were jailed in the UK for a total of 20 years after police uncovered a phishing scam that targeted people in 14 countries and involved 2,600 fake webpages. After their arrest, the Metropolitan Police’s Central e-Crime Unit located servers containing details of 30,000 bank customers, including 12,500 in the UK, and 70 million customer email addresses. They produced evidence at the men’s trial that their arrest had prevented the theft of up to £59m from UK bank customers alone.
Phone-based frauds, where criminals pose as bank staff to persuade victims to divulge their login details, are also widespread, although fraudsters are also exploiting a growing range of channels to steal confidential information.
Many phishing-type scams now involve significant elements of ‘social engineering’, in which the criminals use information gleaned from their victims’ social media profile, pose as officials to phone victims and check their personal details, and even intercept their mail to build a profile of the victim that will allow the fraudster to impersonate them. The information gained may be used to create lists of possible passwords that can be used in attempts to crack their online accounts. However, it can also be used to steal the victim’s identity and make fraudulent applications for financial products. Cifas, the UK fraud prevention service, states that a record 173,000 identity frauds were reported in the UK in 2016 and that nine out of 10 fraudulent applications for bank accounts and other financial products were made online.
Case study 3
ANDROID MALWARE INSTALLS FAKE APPS ON SMARTPHONES
In June 2017, security specialists at FireEye reported that they had identified malware that installs fake versions of eight popular apps including Facebook, WhatsApp, Uber, Google Play and Viber on victims’ smartphones. They are sent a text message saying: “We have not been able to deliver your order. Please check your shipping information here”, followed by a link. Once the victim clicks the link, it installs the malware, which waits for the user to open one of the targeted apps. The malware then overlays a fake interface on top of the legitimate app and attempts to trick victims into divulging their online banking information. The phishing texts were first seen in Denmark, where 130,000 victims were tricked into clicking the link. The malware is thought to have spread to the UK, Germany, Luxembourg, Spain, Sweden, Norway, the Netherlands, Italy, Greece and Turkey.
The video below demonstrates an example of a cyber-fraud scenario carried out through social engineering, and shows how dynamic profiling and machine learning techniques are used to prevent eBanking fraud.
Case study 4
STOLEN DONGLE USED IN ATTEMPT TO CRACK “STRONG AUTHENTICATION”
In one recent Swiss case involving a corporate client of a bank, 10 employees had the authority to issue payments in the name of the corporation but only three normally did so. One of the remaining seven staff had his dongle stolen but since he was not among the group that normally issued payments he did not immediately notice the theft. The thief waited eight months before attempting to initiate a transaction using the stolen dongle, but his attempt raised a flag and was blocked. However, the case highlights the need to check whether the person attempting to issue a payment is one of the normal users of the system or part of a wider group that has the authority to do so.
Case study 5
POOR SECURITY AT SOFTWARE SUPPLIER OPENS THE DOOR TO FRAUDSTERS
In one recent East African case cited by fraud specialist Gilbert Nyandeje, chief operating officer of Enovise, a software developer at the company hired to build a mobile banking app left a “back door” in the source code that was not detected before the app went live. Once implemented, the back door created an outgoing, or reverse, connection from the bank’s systems that criminals could use to access customer accounts, stealing a total of more than $50,000 before the flaw was detected. This method of breaching the bank’s security succeeded because while internal firewalls prevent outsiders from getting into the system, they do not necessarily block outgoing connections.
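The failure mode in this case is an outbound connection from inside the bank that nobody expected and nobody was watching for. The following is an added illustration, not the page’s or Enovise’s code, of the complementary control: checking accepted connections from an internal application tier against an explicit egress allowlist. The network ranges, ports and log format are all constructed for the example.

```python
# Added example (not from the page or any vendor): flag accepted outbound
# connections from internal application servers that are not on an egress allowlist.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed: the internal application tier that should only reach known destinations.
INTERNAL_NETS = [ip_network("10.20.0.0/16")]

# Constructed egress allowlist: (destination network, port) pairs the app tier needs.
EGRESS_ALLOW = [
    (ip_network("10.20.30.0/24"), 5432),   # database tier
    (ip_network("203.0.113.0/24"), 443),   # payment partner API (documentation range)
]

# Constructed firewall log lines in a simplified key=value syntax.
SAMPLE_LOG = """\
2017-06-01T02:14:07Z action=accept src=10.20.1.15 dst=10.20.30.4 dport=5432 proto=tcp
2017-06-01T02:14:09Z action=accept src=10.20.1.15 dst=203.0.113.10 dport=443 proto=tcp
2017-06-01T02:15:31Z action=accept src=10.20.1.15 dst=198.51.100.77 dport=8080 proto=tcp
2017-06-01T02:16:02Z action=accept src=192.0.2.9 dst=10.20.1.15 dport=443 proto=tcp
"""


@dataclass(frozen=True)
class Conn:
    ts: str
    action: str
    src: str
    dst: str
    dport: int


def parse_line(line):
    """Parse one constructed log line into a Conn record."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Conn(ts, kv["action"], kv["src"], kv["dst"], int(kv["dport"]))


def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL_NETS)


def is_allowed_egress(conn):
    return any(ip_address(conn.dst) in net and conn.dport == port
               for net, port in EGRESS_ALLOW)


def find_unexpected_egress(log_text):
    """Return accepted connections that originate inside and leave the allowlist.

    Inbound traffic (external source) is ignored here: that is the part the
    perimeter firewall already covers; the gap is the outbound direction.
    """
    hits = []
    for line in log_text.splitlines():
        conn = parse_line(line)
        if conn.action != "accept":
            continue
        if is_internal(conn.src) and not is_allowed_egress(conn):
            hits.append(conn)
    return hits


if __name__ == "__main__":
    for hit in find_unexpected_egress(SAMPLE_LOG):
        print(f"unexpected egress: {hit.src} -> {hit.dst}:{hit.dport} at {hit.ts}")
```

Run against the sample, only the third line is reported: the database and partner-API connections match the allowlist, and the fourth line is inbound, so it is not an egress event at all. In practice the same check belongs in the firewall policy itself (default-deny outbound for server tiers), with the log review as the detective control behind it.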
Rogue software is another favorite tool of fraudsters, who infect customers’ devices with worms and malware that recognize when they are signing into online banking services and log their keystrokes, enabling the criminals to steal their passwords. Both malware and physical hijacking of the line can also be used to initiate a fake transaction during an online banking session that the victim might re-authenticate by mistake among a succession of legitimate transactions.
Although the customer is often the weak link in online banking security, internal fraud and collusion between bank staff and external criminals are extremely common. KPMG estimates that about one in three frauds involves collusion between insiders and criminals outside the organization.
Criminal gangs are experienced in identifying employees who can be compromised, either because of grievances against their employer over pay or promotion, or because they have large personal liabilities. Once recruited, these internal sources can feed confidential data to criminal gangs or disable system logs so that activity can go unrecorded. Collusion often focuses on larger-scale frauds involving institutional accounts, since the sums available from personal accounts are not usually large enough to warrant the risk and effort involved in recruiting an inside accomplice.
Poor enforcement of internal controls is often a key factor in the success of frauds involving internal collusion. If oversight is compromised, for example the four-eyes principle, staff working with the fraudsters are able to verify or reverse a transaction that allows a theft to proceed.
Know your weaknesses: the three Cs – customers, controls and culture
To secure themselves against fraud via digital channels, banks need to identify and address the areas where they are vulnerable. These include ensuring that basic IT security precautions are in place, applying appropriate internal controls rigorously, and telling their customers how to bank safely online, choose strong passwords and avoid being duped.
Case study 6
POOR CONTROLS ALLOW COLLUSION ON MOBILE FRAUD
Nyandeje points to another East African case where poor processes allowed a corrupt employee to gain access to the account opening forms that customers filled in and left at their bank branch. The details of the newly-created account were passed to an outside accomplice who then applied to set up mobile banking, giving a fraudulent mobile number that was connected on the bank’s systems to the legitimate account. With the ability to authenticate fraudulent mobile transactions on numerous customer accounts, the gang went on to steal large sums.
To address their major areas of weakness, banks need to focus on robust oversight of employee access to bank systems. If members of staff have access to both front-office and back-office systems, they can obtain sensitive customer information that could be passed to criminals outside the bank, and also approve the fraudulent transactions as they pass through the system. Each employee’s access privileges must be regularly reviewed and amended as appropriate.
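The two controls described above, the four-eyes principle on transactions and a regular review of who holds front-office and back-office access at the same time, are easy to state and easy to let slip. As an added example (not the page’s or any vendor’s code), the script below encodes a small entitlement model with hypothetical role and capability names, reports employees whose roles combine capabilities that should be segregated, flags overdue access recertifications, and checks that a payment’s approver is a different person from its initiator. The staff records and the 90-day review interval are constructed assumptions.

```python
# Added example (not from the page or any vendor): segregation-of-duties review
# of staff entitlements plus a four-eyes check on payment approval.
from datetime import date

# Constructed entitlement catalogue: which role grants which capability (hypothetical names).
ROLE_CAPS = {
    "teller":           {"view_customer", "initiate_payment"},
    "relationship_mgr": {"view_customer", "initiate_payment", "edit_customer_contact"},
    "payments_ops":     {"approve_payment"},
    "ops_admin":        {"approve_payment", "reverse_payment", "edit_audit_log_retention"},
    "auditor":          {"view_audit_log"},
}

# Capability pairs one person must never hold together: initiating and approving,
# initiating and reversing, or changing a customer's contact data and approving.
TOXIC_PAIRS = [
    ("initiate_payment", "approve_payment"),
    ("initiate_payment", "reverse_payment"),
    ("edit_customer_contact", "approve_payment"),
]

REVIEW_INTERVAL_DAYS = 90   # constructed policy value

# Constructed staff records: roles held and the date access was last recertified.
STAFF = [
    {"id": "E100", "roles": ["teller"],                 "last_review": date(2017, 5, 1)},
    {"id": "E200", "roles": ["teller", "payments_ops"], "last_review": date(2017, 5, 1)},
    {"id": "E300", "roles": ["ops_admin"],              "last_review": date(2016, 11, 15)},
]


def capabilities(roles):
    """Union of the capabilities granted by a list of roles."""
    return set().union(*(ROLE_CAPS[r] for r in roles))


def sod_conflicts(roles):
    """Toxic capability pairs present in one person's combined roles."""
    caps = capabilities(roles)
    return [pair for pair in TOXIC_PAIRS if pair[0] in caps and pair[1] in caps]


def access_review(staff, today):
    """Per-employee findings: segregation-of-duties conflicts and overdue recertification."""
    findings = {}
    for s in staff:
        issues = [f"sod:{a}+{b}" for a, b in sod_conflicts(s["roles"])]
        if (today - s["last_review"]).days > REVIEW_INTERVAL_DAYS:
            issues.append("recertification_overdue")
        if issues:
            findings[s["id"]] = issues
    return findings


def four_eyes_ok(initiator, approver, roles_of):
    """Four-eyes: the approver must be a different person and hold approve_payment."""
    if initiator == approver:
        return False
    return "approve_payment" in capabilities(roles_of.get(approver, []))


if __name__ == "__main__":
    for emp, issues in access_review(STAFF, date(2017, 6, 1)).items():
        print(emp, issues)
    roles_of = {s["id"]: s["roles"] for s in STAFF}
    print("E100 approving own payment:", four_eyes_ok("E100", "E100", roles_of))
    print("E300 approving E100's payment:", four_eyes_ok("E100", "E300", roles_of))
```

With the constructed records, E200 is reported for holding both initiate and approve, and E300 for an overdue review; E100 is clean. The four-eyes check is deliberately a function of the two identities and their entitlements rather than of the transaction, so it can be called from the approval path of any payment type.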
There are also issues with the established culture in many banks, which have a long-standing preference for developing bespoke technology systems internally rather than adopting existing, proven technology from external providers. This preference for proprietary systems is leaving banks increasingly vulnerable: relying on technology developed in-house increases the risk that they will be overtaken by the growing sophistication of the technology available to criminal gangs. In some markets, such as the UK, banks are more advanced in working with fintech companies, but generally there is a need for a change in banking culture to promote more openness to external innovations in many areas, including advanced fraud-detection techniques.
The case for technology: eight reasons why it wins
Improving technology tools are enabling criminal gangs to execute more complex frauds; a technology-based strategy is the only practical response if banks are to succeed in safeguarding their brand reputation and customer trust. Advanced anti-fraud systems offer eight critical strengths in banks’ fight against fraud.
Therefore, banks must understand each customer’s established patterns of behavior so that every transaction makes sense when compared to his or her profile. Technology offers the only effective method of monitoring transactions and detecting anomalies in this way.
Outlines for a tech-led solution: behavioral data analytics holds the key
Importantly, where some anti-fraud systems analyze transactions by size alone, flagging everything above a certain value, advanced systems draw on a wider range of contextual information to focus the search, reducing the number of false positives.
The effectiveness of technology-based anti-fraud systems depends crucially on their ability to operate in real time, so that suspect activity can be flagged immediately and transactions blocked. Most anti-fraud systems that employ advanced analytics, incorporating detailed user profiles, cannot operate in real time and risk failing to detect fraudulent activity quickly enough to prevent losses.
However, the most advanced anti-fraud systems employ Big Data technology, allowing them to apply the advanced analytical techniques to huge volumes of transactions in real time.
The video below explains the challenges of Big Data projects at banks and how to overcome them, so that banks can apply Big Data analytics to fraud prevention.
In common with every type of security measure, transaction-monitoring systems must balance the need to provide more effective fraud prevention against the inconvenience caused to customers when legitimate transactions are blocked. Thanks to the wide range of contextual information incorporated into their risk models and the increased utilization of machine learning techniques, advanced anti-fraud systems can be tuned to reflect the requirements of individual banks and the range of institutional and personal customers they serve. This helps to reduce the proportion of false positives that the system flags up, while ensuring that it remains sensitive enough to capture a high proportion of frauds.
Case study 7
HOW UNUSUAL ACTIVITY SIGNALS A FRAUD
A recent case in Switzerland is a perfect illustration of how behavioral analytics looking for suspicious activity could stop fraud. In March, a Swiss company’s bank accounts were hacked and SFr1.2m fraudulently transferred to an account in Kyrgyzstan. Although four Swiss banks were involved, only one blocked the transfer after spotting a spelling mistake. The chairman of the company targeted by the attack believes the others should have noted something was awry and done the same; the destination account belonged to an individual who had never received funds from his company before – this alone should have been enough to raise an alert.
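Case study 4, case study 7 and the earlier point that a size-only rule flags everything above a value while a contextual model compares each transaction to the customer’s profile all describe the same mechanism. The following added example (not the page’s or any vendor’s code) builds a behavioral profile for one corporate account from a constructed payment history and scores new payments against it: who normally initiates payments, which beneficiaries and countries have been paid before, and how the amount compares to history. It then contrasts the result with a size-only threshold. The user identifiers, beneficiary names, amounts, the 100,000 threshold and the “two signals to block” rule are all assumptions made for the example.

```python
# Added example (not from the page or any vendor): per-account behavioral profile
# and contextual scoring of payments, contrasted with a size-only threshold rule.
from collections import Counter

# Constructed: everyone who is authorized to sign payments for this corporate account
# (the "10 employees with authority" of case study 4).
AUTHORIZED_SIGNERS = {f"U{i}" for i in range(1, 11)}

# Constructed payment history for the account: (initiator, beneficiary, country, amount).
HISTORY = [
    ("U1", "SUPPLIER_A", "CH", 12000.0),
    ("U1", "SUPPLIER_B", "DE", 8500.0),
    ("U2", "SUPPLIER_A", "CH", 15000.0),
    ("U2", "PAYROLL",    "CH", 240000.0),
    ("U3", "SUPPLIER_C", "FR", 6200.0),
    ("U1", "SUPPLIER_B", "DE", 9100.0),
    ("U2", "PAYROLL",    "CH", 238000.0),
    ("U3", "SUPPLIER_A", "CH", 14000.0),
]

SIZE_ONLY_THRESHOLD = 100000.0   # the "flag everything above a value" rule (assumed)


def build_profile(history, min_payments=2):
    """Summarize who normally pays, to whom, to which countries, and the largest amount seen."""
    initiator_counts = Counter(tx[0] for tx in history)
    return {
        "normal_initiators": {u for u, n in initiator_counts.items() if n >= min_payments},
        "beneficiaries": {tx[1] for tx in history},
        "countries": {tx[2] for tx in history},
        "max_amount": max(tx[3] for tx in history),
    }


def size_only_flag(amount):
    """The naive rule: anything above the threshold is suspicious, nothing below is."""
    return amount > SIZE_ONLY_THRESHOLD


def contextual_flags(profile, initiator, beneficiary, country, amount):
    """Return the contextual reasons a payment looks unusual for this account."""
    reasons = []
    if initiator not in profile["normal_initiators"]:
        reasons.append("initiator_not_usual")        # case study 4: authorized, but not a normal user
    if beneficiary not in profile["beneficiaries"]:
        reasons.append("new_beneficiary")            # case study 7: never paid this account before
    if country not in profile["countries"]:
        reasons.append("new_destination_country")
    if amount > 2 * profile["max_amount"]:
        reasons.append("amount_far_above_history")
    return reasons


def decide(profile, tx, block_at=2):
    """Block on hard failures or when signals stack up; one weak signal alone goes to review."""
    initiator = tx[0]
    if initiator not in AUTHORIZED_SIGNERS:
        return "block", ["initiator_not_authorized"]
    reasons = contextual_flags(profile, *tx)
    if len(reasons) >= block_at:
        return "block", reasons
    if reasons:
        return "review", reasons
    return "allow", reasons


if __name__ == "__main__":
    profile = build_profile(HISTORY)
    for tx in [("U2", "PAYROLL", "CH", 241000.0),            # routine, but large
               ("U2", "KG_INDIVIDUAL", "KG", 1200000.0),     # case study 7 pattern
               ("U7", "SUPPLIER_Z", "CH", 9000.0)]:          # case study 4 pattern
        print(tx, "size-only:", size_only_flag(tx[3]), "contextual:", decide(profile, tx))
```

The three sample payments show the difference in both directions: the routine payroll run is flagged by the size-only rule but allowed by the profile; the large transfer to a never-seen individual abroad is blocked by both; and the small payment from an authorized signer who never normally pays, to a new beneficiary, slips under the size-only threshold but is blocked on context. The thresholds here are fixed constants; the machine-learning tuning the text describes amounts to learning the weights and cut-offs per bank and per customer segment rather than hand-picking them.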
The ‘arms race’ between criminals and security specialists is entering a new phase. Cyber-fraud began with a few individual hackers trying to steal relatively modest sums; it is now a global illicit industry involving gangs of skilled criminals with inside knowledge of the financial system and access to very sophisticated technology tools. As a result, patterns of fraud are becoming more complex, they involve more people and they frequently depend on collusion between criminal gangs and people inside the bank. The more sophisticated cyber-fraud becomes, the higher the risk that it will fool the monitoring systems that banks rely on to catch fraudsters.
At the same time, regulation is also creating new areas of potential vulnerability for banks. Moves in several developed markets towards Open Banking, thanks to measures such as the EU’s second Payment Services Directive (PSD2), will oblige banks to give direct access to their customers’ personal banking data via APIs. This will give alternative providers better insights into potential customers’ financial situations, enabling them to offer more relevant and competitive services. However, Open Banking will also create new opportunities for customer data to fall into the wrong hands. The risk to bank security is far from negligible.
It is clear, therefore, that fraud detection tools must keep improving to match the developing threat from professional fraud gangs and the new areas of vulnerability that will develop as the digitalization of banking evolves.
The most advanced anti-fraud systems on the market today are using Big Data technology to apply advanced analytical models in real time, giving banks the capacity to identify and block suspicious activity as it occurs. What’s more, advanced computing techniques are creating a new generation of tools to combat fraud. Machine learning is already becoming a key tool in advanced anti-fraud systems and its role is certain to grow significantly. New generations of risk modeling, using machine-learning systems that have been trained to spot fraudulent transactions amid vast volumes of banking data, are starting to replace the statistical, probability-based approach that has been used up to now. At the same time, computer scientists are creating anti-fraud systems that are more sensitive to the complex patterns of fraud and collusion that are a feature of professionally-executed cyber-frauds.
Better-tuned and more sensitive systems, in turn, will allow banks to strike a better balance between detecting fraud and allowing customers to carry out their transactions unhindered. Improving technology tools and the introduction of innovative techniques based on machine learning are giving banks access to sophisticated anti-fraud systems that are more effective, more efficient and less intrusive for customers. Those banks that implement them can expect lower percentages of false positives, lower losses to fraud, improved customer service and less time wasted on compliance and verification to investigate false positives.
All of these ultimately contribute to strengthening the most important asset that banks possess: the customers’ trust in