"It's been a real lopsided war," says Terry Austin, President and CEO of Guardian Analytics. "The criminals have been out-manning, out-spending and out-innovating the financial institutions, and they've been evolving their technology to defeat the end user and to defeat the existing banking security. The industry has learned that the common controls just aren't enough anymore."
But additionally, banking institutions have learned how to transition from reactive to proactive mode against fraud in all its forms.
In an interview about how banks are winning the fight against fraud, Austin discusses:
- Lessons banking institutions have learned about fraud;
- 2011's top fraud threats;
- Proactive new strategies to fight fraud.
Prior to joining Guardian Analytics, Austin served as CEO and president of MarketLive, a leading provider of eCommerce platform solutions, where he created a scalable business strategy, assembled a world-class executive team and led successful fundraising efforts. He was previously president of worldwide marketing and sales at Good Technology, a provider of mobile computing solutions, where he spearheaded the company's rapid growth from 10,000 to over 500,000 subscribers and facilitated its acquisition by Motorola in January 2007. Austin has also served as president of EMEA and executive vice president for Manugistics, a market leading provider of enterprise software. He started his career at Accenture, where he ultimately led an $80 million consulting practice as a lead partner.
TOM FIELD: Terry, for folks who might not be familiar with Guardian, why don't you give us an introduction both to yourself and to the company?
TERRY AUSTIN: I have been with the company for a couple of years now, and I have a long career in the technology industry. Guardian Analytics is a very exciting company. We provide an advanced behavioral analytics technology for monitoring and detecting fraud in the banking system, and we are experiencing very rapid growth with a large number of banks and credit unions across all sizes, from small community banks and credit unions up to mid-sized banks and very large financial institutions adopting our Fraud Map technology as their standard for fraud detection in the banking system.
We interoperate across all the leading banking platforms like Fiserv, FIS, Intuit and many others, and over the last year we have actually helped prevent a very large number of frauds. We have stopped fraud proactively before money could leave the financial institution, and we really feel like 2011 is the year that banks are going to turn the tables on the cybercrime epidemic we have been experiencing.
Fraud Lessons Learned
FIELD: Well, that's a good point, Terry, because in a lot of ways 2010 for banks was the year of fraud. What lessons would you say that banking institutions have learned from that experience?
AUSTIN: Well, I think a lot, and the first thing is that it has been a real lopsided war. The criminals have been out-manning, outspending and out-innovating the financial institutions, and they have been evolving their technologies to defeat the end user and defeat the existing banking security. I think the industry has learned that the common controls just aren't enough anymore. The banks don't know what is going to hit them.
There is a mix of how accounts are compromised, whether it is a phishing attack or vishing or smishing; we have seen the advent of what has been called man in the browser attacks where the credentials are completely compromised and the criminal mimics the end user or the victim.
We also see a real mix of how accounts are accessed. Humans are using stolen credentials, there are automated attacks, and there are manual attacks, so there is just a wide array of attacks. The criminals invest enough to make them as efficient and as effective as they possibly can. They take the time to learn what an institution's online banking platform is, they learn what their processes are, they learn what the limits that are going to trigger extra protections are, and then they access their customers' accounts.
What I think the overarching lesson is: Anyone, anytime, anywhere can be attacked. The fraudsters focus on large banks, but this last year they have also found a down market and they have attacked small and medium businesses, they have attacked small banks, they have attacked community banks, and they have attacked small credit unions, so nobody is immune.
Fraud Focus
FIELD: Well given these lessons you have just outlined, what would you say are banking institutions' current focus in the fight against fraud?
AUSTIN: Well, we are very encouraged because we are starting to see a real shift. We are seeing banks move away from sort of learning about the scope and the severity and the size of the problem to really taking action and solving the problem for themselves and their customers.
And they are doing a couple of things. They are assuming, at least the leading banks, the banks that are really being proactive, they have accepted the fact that the endpoint is compromised and that their end consumer, whether it is a merchant, a commercial account, or a consumer account, can't be a security expert and can't adequately protect their computer endpoint device.
Once they have accepted that, the key trend is they are really finding ways to move from being reactive to being proactive and to identify fraudulent activity across all their account holders where money can be stolen; so it is very encouraging.
FIELD: Now, in 2010 we saw a lot of corporate account takeover, our audience certainly talked a lot about payment card fraud and check fraud, vishing and smishing as you say; what do you see as 2011's biggest fraud threats?
AUSTIN: Well, the thing about fraud is nothing ever goes away, so we are going to keep seeing all of the old attacks, and imposters are going to layer on a whole bunch of new ones. They are going to keep innovating on a new way to compromise accounts and the access points. With mobile really taking off and mobile banking really taking off, we are going to see a lot more account compromises that originate at the mobile device, so being able to protect those mobile device endpoints is an important trend.
They are going to continue to get better at appearing to be the legitimate user. You know, this trend of man in the browser was really the beginning of the fraudsters' ability to mask themselves and mimic the legitimate user in how they access the account, what they do when they are in the account and how they move money around. So just the level of sophistication and the stakes are going to go up again in 2011.
New Strategies
FIELD: Terry you talked up front about the number of banks and credit unions you are serving now, and I would be curious as to how your customers are (1) taking responsibility for fraud prevention, (2) being proactive in their efforts, and then (3) rethinking their prior security strategies.
AUSTIN: Those are great questions, so let me take them one at a time. So first off, a lot of banks that we work with are really taking responsibility for fraud prevention by recognizing that this is not something the end user can solve. So while awareness and education are great, the threats are just too large, and they move too fast, and the average consumer or small business cannot be expected to be security experts.
These banks have taken responsibility by not waiting to find out from their customer about a fraud attack, but really trying to get ahead of that, and they are taking more control of managing the problem and not waiting for either their online banking platform provider or their end customer to do what is needed to provide protection; so they are really taking responsibility in a more profound way.
Secondly along with that, they are being proactive. They are not waiting. They know the criminals can strike anywhere and anytime, and they don't want to face the ramifications for their customer and their own business. So they are looking for ways to be proactive, and they are using advanced analytical technology to do that.
And then, finally, they are rethinking their security strategy. This has been a really important shift. As banks take on responsibility, try to be more proactive, they are really putting this at the top of their business strategy agenda, so it is moving from being risk management to being a prominent feature in their overall business strategy. They are seeing it as a strategic problem related to the future of their bank and not just an operational risk and a cost of doing business.
You know, there is a growing realization that fraud impacts cost beyond the actual dollar loss. Because every fraud attack yields hundreds of hours and thousands of dollars of investigation, remediation work and lost productivity. And there is also a realization that there is impact to their reputation. No bank wants to be the next one that gets hit in a highly publicized lawsuit or is associated with a small business being put in a precarious situation.
Ultimately, it impacts the financial institutions' competitiveness. They need to be able to offer competitive online solutions and competitive mobile offerings and keep up with the emerging payments trend. To do this, they have to have confidence in the security of their channels. They can't expand to more devices and more offerings and more people without being sure that they are very secure and very protected against fraud.
So overall, when you look at that together, we are really seeing the banks stepping up, and more and more are adopting this philosophy and this approach, and this trend is really catching on, so we are very encouraged to see that.
FIELD: Well let's dive into the strategies here a bit. If you could, how would you characterize your customers' new security strategies?
AUSTIN: It is a proactive and layered security approach, and it involves varying types of authentication and verification, mixed more recently with leading behavioral analytics to identify account takeover and fraudulent transactions. And the great news is it is not just big banks anymore doing this. It is very available and accessible to community banks, small banks, regional credit unions and the like. We have sort of characterized this in the four P's of a holistic security strategy. The leading institutions that are leading the way in this from the smallest guys to the large institutions, and they are in some way or another taking on each of these four P's.
The first P is about being protected, and that is providing instant and transparent coverage to every account holder, and not relying on end user adoption of any type of security techniques or anything being installed at the end user's computer; so providing that protection across all account holders.
The second P is about being prepared, and that is being ready for any type of threat, whether the credentials are stolen through a vishing attack or smishing or phishing or whether there is malware downloaded from a website or from an email, whether it is a man in the browser attack. They need to be prepared to protect 100 percent of accounts from 100 percent of the threats and techniques that the fraudster uses to steal their credentials.
The third P is about being proactive. The banks that we work with are able to detect account takeover and transactions before money leaves the banks across multiple accounts, and this is across all payment types. We are detecting large dollar amount wire frauds originated through the online channel. We are detecting when numbers of batch payments using the ACH system are set up and attempted to be executed. We are detecting checking fraud that is enabled by the online channel. We are detecting when fraudsters defeat dual control systems that commercial accounts may have in place; so really being proactive across all accounts, all transactions, and all payment vehicles.
And then finally being productive. We have shown that this technology can be deployed rapidly, we can really focus the banks' attention on the highest risk accounts, the highest risk transactions, and can significantly reduce the productivity hit, the cost of investigation, the cost of remediation, all of that manual work effort can really be massively reduced and can be easily integrated into existing workloads and workflow for the banking staff.
So protected, prepared, proactive and productive; those are the four P's that we are really seeing being executed very well in the market today.
Improving the Customer Experience
FIELD: One of the things we have heard a lot about in the last several months is the customer experience in wanting to ensure the integrity of the customer experience. How do you see these strategies of the four P's as you described them impacting that customer experience?
AUSTIN: I want to say that it is a myth that security and convenience can't co-exist. We are seeing every day the exact opposite of that. Transparent, non-intrusive fraud monitoring and detection can actually enhance the service and allow banks to do more for their customers, provide more options for money transfers, provide higher thresholds for mobile transactions, more frequent release of funds, more rapid transaction flow, and they can do this all without inconveniencing the customer and having the customer have to do special tricks or enter special codes to do sort of special authentication techniques.
They can do it by tapping into the data that is at their disposal and really effectively analyzing the behavior. Our banks report that their end customers love the fact that the banks are being proactive, and they are getting a lot of feedback that their end customers are really appreciative and are expressing that by increasing the funds that they are depositing with the banks that use our technology, and expressing it in many other ways.
Tips for 2011
FIELD: Well, if I can get your final thoughts, Terry. We've talked about an awful lot here in this conversation. Given what you have learned about fraud, given what you have learned from your customers, how would you advise banking institutions to best fight fraud in 2011?
AUSTIN: Well, I think first it starts with realizing that they can really get proactive and be the heroes in this war. This does not have to be a lopsided war where the cybercriminals are outgunning them and out-manning them. The banks have the assets they need at their disposal, and the technology exists, so if they think layered security and not point solutions, then they solve this problem holistically. And we are here to help them. They really can be the heroes in this war, and we are looking forward to 2011 being the year where we really turn the tide on the cybercrime.