Takeover Scheme Strikes Bank of America
Two-Year Scam Exploited User Authentication Weaknesses
Seven people have been accused by Michigan authorities of pulling off a unique account takeover scheme that targeted Bank of America and involved nearly $360,000 in fraudulent funds transfers.
Prosecutors say the nearly two-year scam was perpetrated primarily through online- and telephone-banking channels. In some instances, hired hands also are alleged to have been used to open fraudulent accounts and withdraw funds at ATMs and teller windows at BofA branches.
The scheme was relatively elaborate, and in some cases atypical. It allowed fraudsters to exploit human weaknesses and target specific channels and transactions.
Experts say it all points back to why financial institutions need to improve authentication strategies across the board, even for transactions initiated within the branch.
"'What you know' is, by itself, not good enough for the online channel," says Jason Malo, a CEB TowerGroup research director who covers financial security and fraud. "It shouldn't be good enough for the other channels."
While institutions have made strides to enhance online authentication, they've failed to invest in similar enhancements to improve authentication at call centers and teller windows, Malo says.
The Scheme
According to an eight-page indictment filed Aug. 9 by the U.S. Attorney for the Eastern District of Michigan, from June 2010 through April 2012, the seven suspects moved funds from legitimate BofA accounts to accounts opened under false pretenses.
Xavier Hicks and Darerraul Jackson of Detroit; James Ramsey and Ashley Pasternak of Warren; Bobby Percy of Eastpointe; Benjamin Carter of Harrison Township; and Jonathon Gibson of Macomb were charged with bank fraud and conspiracy to commit bank fraud. Each charge carries a maximum sentence of 30 years in prison.
Ramsey, Percy, and Carter have been charged with recruiting runners to open accounts and withdraw funds. Gibson and Pasternak have been charged with recruiting runners and acting as runners themselves.
The indictment alleges Hicks was the leader of the scheme, and that he used new accounts opened by runners to transfer stolen funds from legitimate BofA accounts. Hicks also allegedly opened joint accounts in the names of runners and existing BofA customers by accessing personally identifiable information about those customers through BofA's telephone and online banking systems.
How Hicks supposedly obtained those BofA account and customer details was not revealed. But Avivah Litan, a distinguished fraud analyst at Gartner, says it was probably an easy task to pull off through the bank's call center.
"Oftentimes, fraudsters call the call center to add subaccounts to an existing account," she says. "That is a relatively common fraud practice, and it looks like that's what happened here."
Once the joint accounts were opened, Hicks allegedly initiated funds transfers online or through the call center from legitimate BofA customer accounts to the fraudulent joint accounts. After funds appeared in the joint accounts, prosecutors say they were transferred to the runners' accounts, where they could be withdrawn by the runners.
For his role, Jackson has been accused of driving runners to different BofA branches to open accounts and withdraw funds, as well as for taking runners to area businesses, where they could make fraudulent debit purchases.
Litan says that's one of the unusual points of the case. "Sophisticated fraudsters typically stay out of the branches and away from cameras," she says. "If need be, they will hire [underlings], who are often drug addicts desperate for cash, to show up at a bank in-person. And oftentimes, law enforcement can persuade [the underlings] to talk and help identify the ring leaders."
Litan suspects that's likely how the bank and law enforcement traced the fraud back to the seven indicted in the BofA scheme. "Because the runners showed up in the branch in-person, it was easier to identify and eventually arrest them and their ring leaders," she says.
How Banks Should Respond
Litan says BofA likely connected the dots on its own, through cross-channel fraud detection or document inspection, and later notified law enforcement. But at smaller institutions, similar schemes could go undetected for even longer.
How can financial institutions improve?
Malo says institutions have to do more to educate customer support staff about social engineering tactics used to gain account details and personal information about accountholders.
"There seem to be more incidents involving customer-support channels," Malo says. "The breakdown here seems to be at the account-opening level, where the runners had information on the accountholder and were able to answer security questions about the account."
Litan and Malo recommend:
- Enhancing call-center authentication and identity proofing. "Banks need to pay more attention to call-center identity-proofing practices," Litan says. "This has been notoriously weak at banks, and is one of the weakest links in their security chain."
- Automating the inspection of hard-copy identity documents to pick up on signs of fraud or counterfeit documents. "There are some good modern tools that can enable this," Litan says.
- More cross-channel fraud detection, which connects potential fraud involving call center, online channel, and branch transactions.
- Identifying collusive networks by way of entity-link analysis, which Litan says leverages big-data analytics and visualization techniques for investigators.
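The last two recommendations, cross-channel fraud detection and entity-link analysis, are the ones a detection engineer can prototype directly. The script below is an added illustration and is not code from the article, from BofA, or from Gartner or CEB TowerGroup. It runs over a handful of constructed event records (invented account numbers, party labels and a shared contact number) that mirror the pattern the indictment describes: a joint owner added through one channel, an outbound transfer from the victim account through another, and a cash-out on the receiving account. The event field names, the seven-day window and the cluster threshold are assumptions chosen for the example.

```python
"""Toy cross-channel correlation and entity-link analysis over bank events.

Added example, not part of the original article. All account numbers, party
labels, phone numbers and timestamps below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Each record is one customer-facing action on one
# channel. "party" is the person acting; "contact" is the phone number on file
# for the account, which the entity-link step uses to connect accounts.
EVENTS = [
    {"ts": "2011-03-01 10:02", "channel": "call_center", "action": "add_joint_owner",
     "account": "CUST-100", "party": "R1", "contact": "555-0100"},
    {"ts": "2011-03-02 09:15", "channel": "branch", "action": "open_account",
     "account": "NEW-201", "party": "R1", "contact": "555-0100"},
    {"ts": "2011-03-02 13:40", "channel": "online", "action": "transfer",
     "account": "CUST-100", "party": "R1", "to": "NEW-201", "amount": 4800},
    {"ts": "2011-03-03 08:05", "channel": "atm", "action": "withdraw",
     "account": "NEW-201", "party": "R1", "amount": 4800},
    {"ts": "2011-03-05 11:20", "channel": "branch", "action": "open_account",
     "account": "NEW-202", "party": "R2", "contact": "555-0100"},
    # Ordinary customer activity that should not be flagged.
    {"ts": "2011-03-09 16:00", "channel": "online", "action": "transfer",
     "account": "CUST-300", "party": "OWNER-300", "to": "CUST-301", "amount": 250},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def cross_channel_alerts(events, window_days=7):
    """Flag accounts where a joint owner is added on one channel and, within the
    window, the same party moves money out on a different channel and the
    destination account is then cashed out. Returns (account, party, channels)."""
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda e: parse_ts(e["ts"])):
        by_account[e["account"]].append(e)
    alerts = []
    for acct, evs in by_account.items():
        for add in (e for e in evs if e["action"] == "add_joint_owner"):
            t0 = parse_ts(add["ts"])
            for tr in evs:
                if (tr["action"] != "transfer" or tr["party"] != add["party"]
                        or tr["channel"] == add["channel"]
                        or not t0 <= parse_ts(tr["ts"]) <= t0 + timedelta(days=window_days)):
                    continue
                # Look for a cash withdrawal on the receiving account after the transfer.
                cashout = [e for e in events if e["account"] == tr["to"]
                           and e["action"] == "withdraw"
                           and parse_ts(e["ts"]) >= parse_ts(tr["ts"])]
                if cashout:
                    alerts.append((acct, add["party"],
                                   [add["channel"], tr["channel"], cashout[0]["channel"]]))
    return alerts


def link_entities(events):
    """Union-find over parties and accounts. A party is linked to every account
    it touches, transfers link source to destination, and accounts that share
    a contact number are linked. Returns connected components, largest first."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    by_contact = defaultdict(list)
    for e in events:
        union("party:" + e["party"], "acct:" + e["account"])
        if "to" in e:
            union("acct:" + e["account"], "acct:" + e["to"])
        if "contact" in e:
            by_contact[e["contact"]].append("acct:" + e["account"])
    for accts in by_contact.values():
        for a in accts[1:]:
            union(accts[0], a)
    comps = defaultdict(set)
    for node in list(parent):
        comps[find(node)].add(node)
    return sorted(comps.values(), key=len, reverse=True)


def collusive_clusters(events, min_accounts=3):
    """Components with several accounts and more than one party are candidates
    for investigator review; a single customer's own accounts are not."""
    out = []
    for comp in link_entities(events):
        accts = sorted(n for n in comp if n.startswith("acct:"))
        parties = sorted(n for n in comp if n.startswith("party:"))
        if len(accts) >= min_accounts and len(parties) >= 2:
            out.append((accts, parties))
    return out


if __name__ == "__main__":
    for alert in cross_channel_alerts(EVENTS):
        print("cross-channel alert:", alert)
    for accts, parties in collusive_clusters(EVENTS):
        print("linked cluster:", accts, parties)
```

The two functions answer the two questions Litan and Malo raise: the first only fires when the add-owner, transfer and withdrawal steps span different channels, which is exactly what a per-channel control misses, and the second surfaces the runner accounts as one cluster because they share a contact number even though no single account looks anomalous on its own. In practice the linking attributes would include address, device fingerprint and the call-center caller ID rather than one phone field.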