Those hindrances make the battle against fraud increasingly difficult for banks and credit unions, says George Tubin, a senior research director for TowerGroup who focuses on delivery channels and financial security. As the survey's results reveal, banking institutions continue to rely on outdated technology that exposes them to serious security threats.
"I think the biggest threats are going to continue to be the cyberthreats and those types of techniques that get around current authentication procedures," says Tubin, who shared his perspective after reviewing the survey's findings. "Institutions are going to have to continuously re-evaluate and upgrade and enhance their front-end authentication capabilities, as well as their back-end fraud-detection capabilities going forward."
Increasingly sophisticated fraud techniques can easily get around standard password authentication practices, which has fueled an uptick in incidents of ACH fraud and account takeovers, Tubin says. And as the survey reveals, most financial institutions are not investing in security and fraud-prevention tools that today's electronic-transaction environment demands. "Many institutions only know about fraud when they get notified by the customer, and that is not indicative of an industry that is really trying to address the problem."
Strong authentication is important but is not enough on its own. Advanced transactional, behavioral capabilities are what the future demands. Tubin says investments in fraud-detection technology have not been a priority. In 2011, that will have to change.
During this interview, Tubin discusses:
- The flaws inherent in manual fraud-detection;
- Why the future demands cross-channel, neural-net fraud detection and adaptive analytics; and
- The growing problems ACH fraud will pose in 2011.
Fraud Detection in 2011
TRACY KITTEN: The fight against fraud is a never-ending battle and as results from Information Security Media Group's new Faces of Fraud Survey prove, financial institutions across the board are expected to invest in and focus heavily on fraud prevention and security in 2011, but are they investing in the best solutions and focusing their attention on the most vulnerable systems and weakest security points? George Tubin, a senior research director for TowerGroup, shares his insights about some of our survey's findings.
George, a handful of the survey's findings stood out to you. One area you have noted relates to how the majority of financial institutions discover security breaches and fraud. According to our survey, 76 percent of respondents say they learn of fraud incidents when customers notify them. What does this high percentage tell us about detection measures financial institutions are not currently taking?
GEORGE TUBIN: That's, I think, the big concern with that number. It does clearly illustrate that financial institutions are certainly not investing and taking the measures that they need, especially as we are continuing to move to a more electronic transaction environment. The importance in identifying fraud as it happens, or the potential of fraud before it happens, is becoming increasingly important, and to continue to be in a mode where institutions only know about fraud when they get notified by a customer -- which, unfortunately, could be too far after the fraud incident to actually do anything about it, except to go into a potential recovery mode or write-off mode -- is not indicative of an industry that is really proactively trying to go after this problem.
Lacking Technology to Fight Fraud
KITTEN: Back to the survey, 51 percent of the respondents also said the biggest challenge facing their organizations, where fraud prevention is concerned, relates to inadequate fraud-detection tools and technologies. Now, 56 percent said insufficient resources posed the greatest challenge, which, of course, is no surprise. Are the two related, with organizations simply not having the resources to invest in adequate fraud-prevention tools? Or, do you see other challenges getting in the way here?
TUBIN: I think your plane is right on; they are certainly related. What I continue to see as one of the biggest problems facing financial institutions is that the folks responsible for detecting and preventing fraud simply aren't doing a good enough job of communicating the importance of what they do to their organization, to be able to actually get more resources and get the tools that they need. As long as fraud is maintained within certain parameters or percentage points, which actually translate, potentially, to very high dollar amounts, these organizations typically don't get the resources that they need in order to prevent future fraud. The problem that we are having, or that we will have, is that as fraud is advancing and becoming more sophisticated, those big one-off attacks, which cause significant impact to the financial institution and a set of customers, may likely become a bigger problem.
KITTEN: Now, 55 percent of the respondents say they continue to rely on manual fraud-detection tools. Going forward, however, a healthy 55 percent said they expect to use or invest in authentication solutions in the future. Is authentication enough, George, or does more need to be done to address the manual processes so many financial institutions continue to rely on?
TUBIN: Authentication is great. We always advocate a layered security approach, and whatever we can put in place to help prevent fraud, or reasonably put in place to help prevent fraud, is nothing but good. Strong authentication is a very important tool to help prevent fraud; but, as you are asking, it is certainly nowhere near enough, and more advanced transactional or behavioral detection capabilities are going to become increasingly important, especially, as I said earlier, we are moving toward much more electronic and automated payment processes, which aren't going to give us the luxury of working in the manual batch mode that we have for a long time.
KITTEN: Talking about fraud-detection technologies, 33 percent of the respondents did say that they plan to invest in neural-net fraud detection. How do you define "neural net," and do you think investment in neural-net detection would help solve the manual-detection problem?
TUBIN: I think it is one of the ways to help solve it. Certainly, having really good rules-based and cross-channel fraud-detection analytic capabilities are important, and they continue to be very underutilized. As we get more advanced, we are using neural net or what we call "adaptive analytics" that allows for continuous updating and recalibration of detection models in response to changes and predefined data patterns. So, in advanced forms, yes, neural networks can help recognize even very subtle anomalies in common patterns, which send an alert for potential fraud. So, it is recognizing that we don't know what we don't know, rather than simply putting it in rules that we have to predefine based on what we do know. It is allowing us to look at patterns that are a little bit out of the ordinary, to help signal that something needs to be looked at a little bit more closely.
Cross-Channel Fraud Detection, Integration
KITTEN: One thing that you have noted is a lack of understanding, as it relates to cross-channel integration, saying few institutions believe it is a big factor. According to the survey, 39 percent of respondents say cross-channel fraud incidents account for less than 10 percent of all fraud. Do you think that perception is off, and is cross-channel fraud actually much higher?
TUBIN: I think that financial institutions have a very difficult time in determining when a cross-channel fraud actually occurred. For example, an institution identifies check fraud and they will flag it as check fraud; but they may never realize that that check fraud came about by somebody using social engineering in their contact center to get to account information and the routing information that the criminal used to create the fraudulent check. Or maybe a check image was downloaded through an online banking account that was fraudulently accessed. So, tying these things together is incredibly difficult and I think most institutions don't really have the resources or capabilities to do it. Those institutions that do have the capability to do it are certainly reporting that they are seeing a large number and a growing number of cross-channel fraud incidents.
KITTEN: How do you define "cross-channel fraud," and do you think that institutions define it differently?
TUBIN: It may be defined differently. It is basically a fraud that occurs when a criminal or fraudster uses resources from the institution across different channels or payment types. So, it is getting bits and pieces of information where they can and utilizing different channels, and recognizing that a bank typically works in a very siloed technology environment, where information across the channels isn't necessarily shared; they then use that information and insight from the institution to commit fraud.
KITTEN: Twenty-seven percent of the respondents said they do not have a team or a defined plan in place to address cross-channel fraud. However, 26 percent say they do have teams and plans related to cross-channel fraud detection. Why are institutions so in the dark when it comes to cross-channel fraud?
TUBIN: I think it goes back to just the inability to recognize when cross-channel fraud does happen. So, these institutions are continuing to see sort of the end result of the fraud, whether it is a credit-card fraud, debit-card fraud, an ACH fraud, whatever it might be. They simply stop there and classify it as a fraud that occurred that way, rather than working their way back to really understand the trail of that fraud and how it began and what the steps were that ultimately led to the fraud and the money that was extracted from the institution.
Employee Education: A Fraud Detection Crutch?
KITTEN: One thing that institutions across the board said was that they are focusing quite a bit on employee education. In fact, 77 percent of our survey's respondents say employee education is the most effective way to prevent fraud; but, employee education, again, more of a manual-detection process, can only go so far. Where or how are institutions missing the mark when it comes to fraud detection?
TUBIN: I agree that employee education is an absolute critical component in helping to prevent fraud. They are the front line. Employees that work in fraud detection are in some of the back shop areas and are looking at information flowing through the enterprise and do need to have an understanding of what they should be looking for to fight potential fraud. But because of the sheer volume of transactions and the move toward more electronic types of transactions, we just absolutely have to invest in better technologies to automate the detection of fraud through all our channels, through all the payment types, in a more integrated fashion.
ACH Fraud Prevention: More Mandates Needed
KITTEN: You also note that responses related to ACH and wire fraud confirm the need for strong regulatory mandates. Can you explain which results led you to that conclusion?
TUBIN: When I looked at the low numbers of institutions that really stressed the need to invest money and become more aware of monitoring ACH and wire transactions, especially those types of transactions that occur much more quickly, I get a sense that institutions don't really get what's happening and the dangers that are occurring in that space. And while it is not yet an epidemic, we do see a rise in very focused attacks on medium and small businesses that, unfortunately, don't have the same protections in place that consumers do; and when these small companies suffer a loss, the financial institution, generally speaking, isn't liable for that loss. That small business owner can essentially be put out of business when one of these incidents occurs. We know they are rising and the survey also indicates that financial institutions are just not yet taking it seriously enough and I think that the big reason is two-fold. One is that a lot of the mid and smaller-sized institutions, perhaps, have not yet been hit with one of these types of fraud -- where a small business gets a browser-type of piece of malware downloaded to their PC, which allows access to their account and perhaps an emptying of their funds. Because they haven't directly seen that type of attack, they are not taking action to prevent it. To me, it is very short-sighted, relative to the specific danger of that type of attack. And I think one of the reasons is because they haven't seen it directly. But because this type of fraud is so devastating to a customer, the institution should be moving to put better tools in place.
KITTEN: According to the results, and these jibe with what you were saying, ACH and wire fraud ranked fourth, trailing credit and debit fraud, check fraud, and phishing and vishing attacks. That, perhaps, leads us to believe that the ranking is a little bit too low. However, 53 percent of the respondents did say they have increased internal monitoring in response to ACH fraud, while 40 percent, similar to employee training, say they have increased customer awareness. What does that tell us about the results? Are they putting the responsibility back on the merchant and just saying that it is more of a customer awareness issue than it is an issue as far as fraud detection is concerned?
TUBIN: I think you say that just right. The traditional attitude between the financial institution and their business customers is one of equals, where as long as the institution is putting forth a reasonable effort to prevent fraud, they are doing their part and they sort of put the onus back on the small-business customer to be able to detect these increasingly sophisticated and difficult types of malware. The problem with that is these rules were written a long time ago, before a lot of the advances that we have in the online space; and because of that, I don't think we are still in the same environment where we can really consider the relationship one of equals, especially between a large financial institution and a single small-business owner that is really more focused on running their business than they are on running their finances.
Oftentimes, they are just simply not aware that this type of attack can happen, and they are also not aware that when this type of attack does happen, they are going to be held completely liable for it. So, it is just not fair to these types of bank customers to unknowingly be put in that type of situation or be expected to be able to put their own fraud-prevention technologies in place, which they are just simply not capable of doing.
2011: Siloed Systems, Cyberthreats and Tech Challenges to Fraud Detection
KITTEN: And, in closing, George, can you tell us from an investment and technology standpoint, what are financial institutions doing right, and where do they need to improve over the next 12 months? What will pose the greatest security threats in 2011?
TUBIN: We do see investment in fraud-prevention technologies continuing to rise. And we see a lot of emphasis being put on enterprise-fraud prevention, cross-channel fraud prevention, especially in the top tier of financial institutions that have a little bit more of an ability to recognize that fraud is happening this way; they really do need to invest money in this space. Granted, a lot of these investments are being done from a cost savings perspective, because our fraud-detection systems have grown and become so unyielding because of our siloed approach to fraud detection; there is a lot of redundancy and we are not getting a lot of benefits for consolidating on single vendor platforms. So, institutions are seeing economic benefit by consolidating, but at the same time, they are seeing tremendous fraud detection benefit as well.
That is one area where we are seeing good investment being made, as well in other areas around authentication and better ways to do that out-of-band authentication, like real-time, in-session behavior monitoring that looks at what a customer is doing through the transaction cycle to make sure there is nothing going on that should be questioned. And then continued customer education is something that they also are doing.
In terms of greatest threats in 2011, I think the biggest threats are going to continue to be the cyberthreats and those types of techniques that get around current authentication procedures that we have in place. It was only five years or so ago that the FFIEC required institutions to move beyond a simple username and password, which was very easily compromised. All institutions have to put something in place, but a lot of institutions really went with the bare minimum they thought would get them through a regulatory examination; and, because of that, more sophisticated fraud techniques can easily get around some of those authentication practices. So, I think institutions are going to have to continuously re-evaluate and upgrade and enhance their front-end authentication capabilities, as well as their back-end fraud-detection capabilities going forward.