When a fraudster is successful, you know it. It is much harder to know when the fraudster has tried and failed.
And at a popular site like ING Direct, fraudsters are always trying to find holes; even their unsuccessful efforts can help them figure out what eventually will work.
To stop them, the U.S. online banking unit of ING Group NV is trying to learn from those failures to better prepare for the next onslaught.
"The majority of the things we've actually identified are unsuccessful, but you learn from watching the other team's plays," said Rudy Wolfs, ING Direct's chief information officer.
Fraudsters learn from their mistakes, he said, and "they're going to start combining their techniques or altering the techniques — so us knowing the playbook" makes ING "able to build better knowledge and better rules."
ING uses behavior analytics from Silver Tail Systems, which creates a profile of typical behavior on the bank's website and flags anything that deviates.
George Tubin, a senior research director at TowerGroup, said that, though in-session behavioral monitoring to cut off successful intrusions is increasingly common, what ING is doing to monitor failed attacks is less common.
Laura Mather, Silver Tail's founder, said that her system can help catch fraud even when certain factors, such as a successful authentication, indicate legitimate access.
Silver Tail's software "essentially watches every single click on a website," searching for abnormalities, Mather said. Though banks improved their online security after the Federal Financial Institutions Examination Council announced in 2005 a mandate that banks strengthen online-banking authentication beyond a simple username and password, the improvements have not stopped fraud.
"Unfortunately, the criminals didn't just give up," she said. "In fact, they got more organized."
Fraudsters today use malicious programs that can hide their presence until an online banking user logs in. Once authentication has taken place, the malware would try to quickly send instructions to move money before the user logs out.
In such an instance, indicators of potential fraud would remain — most notably that two online banking sessions are happening at once, indicating that only one is being controlled by the legitimate account holder. Another indicator could be the malware's practice of skipping pages in the flow to get straight to the money movement page.
Wolfs said that ING uses Silver Tail's system alongside other tools, which he would not name, but said that Silver Tail's system supplies a speed advantage on detecting fraud that its other tools might also catch on their own.
"The teams were getting alerts faster than on our other systems," he said. This frequently gave ING's teams a four-hour head start over what the other systems provide.
Wolfs said that, even when other systems might block the fraud anyway, stopping it earlier has benefits. For example, when fraudsters try to open new accounts, "there's an obvious cost to us processing all those requests," even if they are rejected, he said. Blocking these account applications earlier frees up resources. "We've definitely seen the ROI on the product," which ING began using this year, Wolfs said.
Mather said that, in an incident a month ago, Silver Tail caught what it suspects is an organized crime ring trying to find areas of ING's website that had lower authentication requirements.
As this was happening, ING's team "could just sit and watch the criminals and see what they found without even alerting them that they knew about them," Mather said.
Wolfs said the fraudsters "didn't find anything, but" the incident taught ING "types and patterns of behaviors to watch for."
Tubin said that "almost anything you use, any of those analytics that add value and intelligence, is useful."
In particular, he said, the extra four hours ING's fraud analysts get is "tremendously helpful because, when a fraud alert comes off to a fraud analyst, they have to make decisions on what to do based on the severity of the alert," and the early warning can improve the quality of that response.
"Session monitoring … [and] behavioral analytics are just a fantastic tool as part of a layered security approach," Tubin said.