LOS ALTOS, Calif.-Credit unions are being urged to pay more attention to fraud detection than fraud prevention this year.
Fraud experts say there is too much personal consumer financial data in the hands of criminals to make fraud prevention strategies, such as multifactor authentication, the front line of defense. Real-time fraud-detection solutions-neural networks and behavior analytics-are the best strategies to protect members' money, analysts told Credit Union Journal.
Analysts assert that criminals' skills and the amount of compromised data they control are approaching a tipping point from which a significant amount of fraud activity could increase. The race to the mobile space, too, may open the door wider for thieves.
Terry Austin, CEO at Guardian Analytics, summed up the task facing financial institutions to protect their account holders: "If you do online banking, your user name, password, and challenge questions are probably in a criminal's database somewhere."
Austin pointed out that what is preventing the rapid acceleration of crooks' crime attempts is not today's fraud-fighting tools, but their own inability to use all of the compromised data they have. He explained that to move a lot of money fraudsters need "mule accounts," an intermediary account controlled by the criminal that lies between the victim's compromised account and the fraudster's account. The mule account is set up to appear as if it is one of the victim's standard pays, making the movement of the stolen money less suspicious.
"If fraudsters moved money straight from someone's account to the Ukraine, the credit union would stop it," Austin explained.
For every mule account today there are 70,000 stolen credentials, Austin believes. "That is the bottleneck the thieves are working through. They are using improved software to create the mule accounts easier and faster, and they are bringing in more people, with fake passports and visas, to create the accounts."
Baking In Security
Julie McNelley, research director at the Boston-based Aite Group, said security has to be "baked into the online session-go down to the transaction level to detect when suspicious activity is taking place and communicate with customers to make sure the transaction was one they intended to make."
Most of the traditional defense mechanisms, such as multifactor authentication methods, including out-of-band authentication techniques, are being systematically taken apart by criminals, sources confirmed. Text messages and e-mails, standard out-of-band authentication techniques to verify login credentials, are being intercepted by criminals who send back approvals.
McNelley said her findings and the results of a recent Aite Group fraud mitigation study ("Online Fraud Mitigation: Tools of the Trade") of 32 North America financial institutions show that behavior analytics is a highly effective and reasonably affordable solution to fight sophisticated crooks. Behavior analytics are programs and tools that monitor user sessions to detect anomalous behavior patterns, using a combination of rules and analytics.
"Behavior analytics was deemed in our study to be the solution most effective and least intrusive for the customer," said McNelley, the study's author.
The latest FFIEC guidelines also encourage banks and credit unions to employ methods to detect anomalous consumer behavior.
Guardian Analytics provides behavior analytics solutions to institutions across the U.S., and Austin said the tools learn each consumer's particular transaction behaviors to spot activities out of the ordinary.
"We exist behind the scenes, invisible to the credit union member, and monitor at a very detailed level every little thing a member does in an online or mobile banking session," Austin said. "We look at what web browser they are using, when they log in, how often they log in and at what times of the day. Do they typically look at their balance? What is their pattern of setting up payments? We monitor every click they make and every transaction they execute."
It's a very end-to-end holistic view of a member's behavior, said Austin. "From that we create a mathematical model that predicts a member's future behavior. Whenever we see an activity we compare that activity to our predictive model, and if it does not match the model we create an alert and recommend an action the credit union can follow up on. Typically we are several steps ahead of the fraudsters before they can move any money out."
Investments Need To Be Made
While Guardian has seen a significant uptick in its behavior analytics business recently, McNelley suggested that not enough financial institutions are adopting the solution, especially the smaller ones, often due to cost. "There are quite a few behavior analytics solutions to choose from today," said McNelley, who added that about 30% of the big banks use the technology and only about 10% to 15% of smaller financials are on board. "You can go for the Cadillacs that are expensive and take a while to implement. But there are also solutions that don't cost as much. Those are the types I see smaller institutions adopting and getting good results."
More credit unions have to move in this direction, observed Mike Urban, director of financial crimes at Fiserv, Brookfield. Wis. "Fraud detection is critical. You just about have to assume that most financial data is compromised and therefore you have to scrutinize transaction activity based on a customer's behavior and characteristics of the online session."
The bad guys are doing their homework, which includes knowing that smaller financial institutions tend to have weaker fraud defenses, noted McNelley.
"The thinking that because you are small the criminals will pass you by on their way to the big banks is flawed. Thieves know they can target smaller institutions and data supports they are doing that. If you are a small bank or credit union and think you are not in the criminals' cross-hairs, you are making a big mistake."
