Tackling Fraud in 2014: ABA on Banks' Anti-Fraud Strengths, Areas for Improvement
The ABA recently issued the results of its latest biennial (every-other-year) Deposit Account Fraud Survey Report, and some results are positive: U.S. banks stopped $9 out of every $10 of attempted deposit account fraud in 2012. While banks saw $14.8 billion in attempted fraud against deposit accounts in 2012, the survey says, security controls stopped $13 billion of those fraudulent transactions.
"Banks have been successful in keeping up or even staying ahead of the fraudsters," says Jane Yao, the ABA's senior vice president, benchmarking and surveys, in an interview with Information Security Media Group [transcript below].
But the survey also highlights some gaps banks must fill - starting with timely threat intelligence.
"I think banks recognize that they increasingly need to have the latest threat data, and many of them have indicated to us that's always a challenge," says Doug Johnson, vice president of risk management policy at the ABA.
Another challenge is the velocity of change in the banking environment, he says. Johnson argues that 2014 could be the year of mobile banking: "We could see a substantial uptick in the utilization of tablets and phones for banking applications [this year]," he says, and banks need to be prepared by having the proper levels of security in place before customers migrate to that channel.
In an interview with Information Security Media Group about the ABA's Fraud Survey Report, Johnson and Yao discuss:
- The latest fraud trends reported by banks;
- Where banks see their greatest fraud losses;
- How institutions can improve fraud detection and prevention in 2014.
Johnson leads the ABA's enterprise risk, physical and cybersecurity, business continuity and resiliency policy and fraud deterrence efforts. He has assisted in the ABA's release of a series of resources to deter bank robberies, assess information technology risk, deter phishing, safeguard customer information and buttress emergency preparedness. He also represents the ABA on the Financial Services Sector Coordinating Council, which advises the federal bank regulatory agencies on homeland security and critical infrastructure protection issues. And he serves on the BITS/Financial Services Roundtable Security Steering Committee.
Yao has more than 25 years of research experience in the banking industry. She developed the American Bankers Association's peer benchmarking program, which she now leads. Since 1999, she also has run ABA's DDA fraud benchmarking groups. Yao oversees data collection on fraud losses and monitors fraud attempts related to checks, debit cards, online banking, ACH and new accounts. She also oversees ABA's Operational Loss Data Sharing Consortium, which collects operational loss event data according to Basel II AMA (Advanced Measurement Approach) event types and business lines. The ABA Consortium data is used by banks and credit unions for operational risk management and capital modeling.
Survey's Key Findings
TOM FIELD: Jane, what's the key takeaway from this new report for your member banking institutions?
JANE YAO: The survey results show that there are significant fraud attempts against deposit accounts, and banks of all sizes are potential targets. The other thing the survey results show is that banks have been successful in keeping up or even staying ahead of the fraudsters. That's good news. The survey results suggest that, even if a bank is not experiencing any fraud right now, you need to be informed of the latest trends and implement strategies against it because your bank could be the next target.
DOUG JOHNSON: We've been doing this survey for quite a few years, so we do have some theories associated with the losses and the recoveries that institutions have had. One of the things that I think is important with this particular study - and Jane can confirm this - is we went through and really got data on a variety of different types of channel fraud, and I think what we've seen, as you mentioned, with the nine dollars which we recovered or prevented for every dollar that we lost, is that's a number that has been fairly consistent over the last three or so years, even though we broadened the survey to include arguably different types of more sophisticated frauds. I'd like Jane to comment a little bit on that because I think that's one thing that I really took away from the report.
Account Fraud Survey Report
FIELD: I'd love to hear more from Jane on this. Jane, I wonder if at the same time you might give us some background on this survey, please - how it was conducted and how it compares to previous research that you've done.
YAO: This year's survey was conducted between March and July of 2013. We used a Word form for the survey. The survey was very lengthy, with over 100 questions and very detailed information about the different channels. As Doug said, this is actually our tenth edition of the bi-annual survey. We do this every other year. This year we definitely expanded the electronic channels, including RDC, mobile via online banking, and the focus started shifting from check fraud, when we first started, to the Internet-based channels. We have in total 145 banks participating in this survey. The respondents are from all sizes of institutions across the country. The total assets represented by these 145 banks were a little bit over $6 trillion. Because the different sizes experience different types of fraud, [have] resource issues and [are] different, we presented the results by bank size.
As in the past, ABA always tried to involve industry estimates for total fraud against bank accounts; it could be checks, debit card and so forth. We did that again this year. The ABA also conducts various benchmarking groups and collects the data throughout the year, so we look at all the data and all the information we gathered to produce these estimates. This is really the first time we're estimating for total fraud against deposit accounts. We have done estimates for check fraud and have done estimates for debit card individually in the past, but increasingly we're seeing cross-channel fraud. Understanding the total fraud against deposit accounts is very important.
Common Forms of Fraud
FIELD: Jane, what do you find to be the most common forms of fraud that are striking banks now?
YAO: There are two types of fraudulent activities. One type is information gathering. That's very significant and can do great harm further down the road. For that, we're seeing increased skimming activities and phishing activities. Some of the phishing, trying to gather account information, is being done through the phone channel, which is posing challenges because you're dealing with customer-service issues, and at the same time the fraudsters are trying to get that last piece of information from the representative. That kind of information gathering will lead to account takeovers. We're seeing account takeovers not only in the commercial business side, but also personal account takeovers.
In terms of the actual fraudulent transactions, we're seeing counterfeit check cards, counterfeit checks, unauthorized ACH transactions and unauthorized wire transactions. On the wire side, we're seeing increased use of fax or branch locations, which pose more of a challenge than the online channel, because a lot of the time a wire is initiated online by known customers and authorized individuals using that channel. We do still have the risk of account takeover.
Greatest Fraud Losses
FIELD: Those are the most common forms of fraud. Where are banks seeing their greatest fraud losses? Do you see a one-to-one match there?
YAO: It's a pretty close match. Debit card is the largest proportion - more than 50 percent - followed by check fraud and then electronic transactions. There are a lot of attempts online, but the actual loss is very low at this point. One thing I wanted to say is that [with] check fraud, the number of transactions is coming down, but check fraud remains a large share of deposit account fraud.
What Banks Are Doing Right
FIELD: Doug, I'd like to bring you back into the conversation here. Based on what you've seen of this survey, what are banks doing right in terms of detecting and preventing fraud?
JOHNSON: In addition to the survey, Jane's group has done some additional work as well [with] the FS-ISAC in terms of trying to measure corporate account takeover, as well as a recent survey of our Community Bankers Council. The CEOs in the Community Bankers Council wanted us to request a survey of information security professionals to really see what keeps them up at night and what they're doing right, like you said.
One of the things which we really see is those individuals do recognize the seriousness of the threat and recognize that the threats are going to continue into 2014. No one thinks that they're going to decline. I think armed with that sensitivity toward the seriousness of the issue and the fact that the CEOs as well are sensitized to that fact, I think we really have a great opportunity to have additional resources even over and above what we have now dedicated toward detection and prevention.
Banks recognize also that some of these attacks are being blended. For instance, there may be a denial-of-service attack which is used as a diversion away from a compromised corporate or other account holder at the same time. The idea is that the bank will be concentrating on the denial-of-service as opposed to concentrating on the compromise. Banks recognize that and they look for it. I think they're doing right in terms of understanding how the threat is working over time. It's not just a regulatory responsibility; it's frankly a business imperative, because if we as bankers don't continually understand how that threat is changing over time and becoming potentially more sophisticated or moving in a different direction, we're unable to protect our customers. If we can't protect our customers, we lose the trust. That's one thing that we're doing increasingly well, and I think we do have an opportunity over time, because we have the eyeballs of the CEOs right now, to justify the resources and make a business case for additional resources to protect accounts.
Fraud Prevention: Areas for Improvement
FIELD: Doug, flip side of the question: Where do banks have the best opportunity to improve what they're doing to prevent and detect fraud?
JOHNSON: I think banks recognize that they increasingly need to have the latest threat data, and many of them have indicated to us that's always a challenge. Secondly, many banks are looking at how they can improve mobile banking security because they recognize 2014 could very well be the year of mobile banking. We could see a substantial uptick in the utilization of tablets and phones for banking applications in the next year. Banks would recognize that they need to have the proper levels of security in place in order to protect that very important channel as their customers migrate to it. I think that's going to be a big imperative.
YAO: If I may comment on the question regarding what banks did right - we do see that the use of technology has helped banks significantly. Increasingly, the best practice is to really do link analysis. Have shared information on recent fraudulent activities among the different product lines and different channels, because a lot of times the same fraudsters will target different products in the siloed world. The deposit side might have no idea this same individual has already hit the loan side. But in the new model, all that information is sitting in one repository. This is why risk managers will have access. One alert is going to reach everybody, and now we can be on the lookout for any similar activities from this same telephone number or voice recording of the fraudsters ... calling the call centers trying to get that last piece of information. All that information may be shared to help early detection of any attempts and fraudulent activities.
Anomaly detection is another thing that I feel yielded good results, because knowing your customers' pattern would help you detect any out-of-norm activities. For large volumes of transactions, having solutions is very, very important because that would help detect each out-of-norm transaction. I think that these are the new strategies banks implemented and have been very successful in the past couple of years detecting. ...
JOHNSON: One of the things we also see that banks do increasingly well is communicate across banks and collaborate, because clearly security is something which is not competitive. We have to operate as a community in order to stop a lot of this fraud. Jane facilitates a lot of conversations across banks to really help mitigate those frauds. Of course, FS-ISAC does the same from the standpoint of making sure that the entire financial community has a good understanding of what their targets are. From the anomaly detection standpoint, we've actually recognized that there's a potential gap in our current complement of security practices which we endorse at ABA, and anomaly detection is one of those things which we're currently evaluating in terms of attempting to provide better customer protections.
FIELD: That's great insight from both of you on what the banks are doing. Doug, as you mentioned, with mobility, more is in the hands of the customers, so I've got to ask you: What's the customers' increased role now in fraud prevention?
JOHNSON: The customer has an absolute vital role in terms of fraud prevention. The environment really cannot be protected without the customer understanding that role and taking their responsibility seriously. To the extent that, for instance, the customer has the capacity to voluntarily put certain software on their machines which makes attempts to catch some of the anomalies, I think that's a vital piece.
The customer also needs to recognize that they have a substantial role in monitoring their account activity because, as Jane indicated, these attacks create compromises and create transactions much more swiftly than they have in the past. It's really going to be the customer, a lot of times, that's going to have the best understanding of whether or not a particular transaction is really one that they requested. Out-of-band authentication goes to other devices which confirm account activity, [along with] consistent monitoring of accounts, using the Internet as a tool to be able to monitor accounts on an ongoing basis.
Practicing proper computer hygiene is obviously something that customers always have to do. Recognizing that you're in a corporate environment may be advisable because you should have additional levels of security; maybe have standalone computers that perform those types of functions. Regarding online banking, we found in surveying business customers particularly that they're not opposed and get the fact that having a standalone PC can be of great value to them because they can control that environment to a great degree. They want to get mail on that particular PC; they won't browse the net on that particular PC. It's a much more protected environment. Actually, use a different operating system on that PC as well. It's a great question because the customer obviously has to fulfill those same responsibilities if the environment isn't really going to be protected.
Top Challenges in 2014
FIELD: We've talked about a lot here. We've talked about the sophisticated threats to financial institutions, increasing threats, cross-channel. Now, so much, in terms of detection and prevention, is in the customers' hands. What do you find to be banks' biggest challenges in improving fraud prevention in 2014?
JOHNSON: From my perspective, one of the largest challenges - and Jane touched on this - is the velocity of change in the environment: the velocity of change as it relates to the technologies that are being utilized by criminals; the velocity of change in terms of the customers using different types of devices that require different levels of protection on them; and the change in the velocity of the threat environment, generally, as we have now a wide variety of different types of characters that are trying to either compromise customer information, track data or disrupt services. We've got nation-states as well as criminals that have been tending to do that over the course of the last year, and there's no expectation that that's not going to continue. It's really the velocity of change in the environment that's a tremendous challenge.
YAO: I want to add to that the balance between control and customer experience. There's always a fine line. You can set very high security levels and check every transaction, but then you are delaying the customer: the funds are not available because you're doing the fraud review. If we lose the responsibility, the fraud is going to go up. The survey collected data and we asked questions. ... That's a business strategy issue that banks will have to address, almost like a tolerance issue, and I think there are some challenges there as well.