Security Spending Trends Reflecting Criminal Shifts

20080716gke9yl80-1-071708fraud.jpg

Bankers are spending more on fraud detection and anti-laundering technology to fend off the shifting tactics of criminals and to satisfy the demands of regulators, according to two reports published this week.

Anti-laundering efforts are the top priority for banks, according to a report published Wednesday by Aite Group LLC of Boston, which also found 59% of banks are planning to invest in technology related to money laundering in the next two years.

And a study the Stamford, Conn., market research company Gartner Inc. published Monday found that 60% of banks are planning to increase their budgets for fraud detection and customer authentication technology next year. (The report was made available to clients in May.)

The authors of both reports said regulatory compliance is one factor driving spending, though it is not always the most compelling one.

"What you do for the regulators isn't necessarily what you do for security," Avivah Litan, a vice president and research director at Gartner, said in an interview Monday. Regulatory compliance and fighting fraud are "two parallel initiatives, and sometimes they intersect."

For example, her report found that banks that have disclosed a data breach or a case of insider fraud were spending most on technology systems to improve their security.

Eva Weber, an analyst at Aite Group, said the driving forces behind banking companies' anti-laundering spending trends are "a mix of technology being necessary just to handle the volume of accounts, of transactions, that the banks have to deal with," along with "the regulators expecting use of technology."

Ms. Weber's report found that the average financial company is spending 31% of its anti-laundering budget on technology, though spending levels varied widely; at least one financial company surveyed said it planned to spend 70% of its anti-laundering budget on technology.

"With the dynamic nature of money laundering, I think technology will continue to be a focus of budgets," she said.

Ms. Litan's report found that bankers are giving equal attention to fraud detection for money transfers and to money laundering.

James Van Dyke, the principal and founder of Javelin Strategy and Research of Pleasanton, Calif., said that even though "there is no consensus on the part of banks or issuers" as to the best approach to spotting and preventing fraud, many companies are spending more on security technology.

"It's an evergreen area," he said. The constant threat of fraud, and criminals' ongoing efforts to come up with new scams, means that banks "can't afford to cut back, despite what's going on" with their business operations.

Another factor driving spending is that the criminals are constantly looking for new ways to beat banks' security systems, Mr. Van Dyke said.

Criminals may have had an easier time pulling off fraud on debit cards instead of credit cards, because there are often fewer protections in place, Mr. Van Dyke said.

In response, spending on debit security systems "is really catching up with credit," Mr. Van Dyke said, "because the card issuers and banks, by and large, are spending a lot."

Ms. Litan said criminals are shifting their attention from credit card accounts to deposit accounts, because it is typically easier to withdraw cash from a compromised deposit account than from a stolen card account.

This is also driving up the demand, and the black market price, for the credentials necessary to access a deposit account, she said.

An April report from the computer security firm Symantec Corp. found that last year deposit accounts details could fetch up to $1,000 each, depending on the balance. Symantec also said that hackers are expanding their efforts to steal bank account data; in the second half of last year it spotted 86% more malicious programs designed to steal bank account credentials than it did in the first half.

Criminals are shifting their attention to consumers' deposit accounts because "that's where the money is," Ms. Litan said. "With credit cards, you have to turn credit into cash; same with stolen identities. … With bank account numbers, it is cash."

Mr. Van Dyke said that the higher-priced deposit accounts are likely those that belong to wealthier people.

Sean Brady, a product marketing manager in the identity and access assurance group at EMC Corp.'s RSA Security, said that fraudsters are always looking for a new way to get into bank accounts of all kinds.

"They don't look for one specific item," like checking or credit accounts. "They look for the point at the bank that is softest," Mr. Brady said. "Once they determine that soft point, they launch their various points of attack."

Many bankers are trying to change their policies to toughen their security, but putting new procedures and business practices into place is not always enough, Mr. Brady said.

"If it's a threat that they feel they cannot control with business processes or with adopting new practices, then they usually look outside to adopt new technologies," Mr. Brady said.

For reprint and licensing requests for this article, click here.
Bank technology
MORE FROM AMERICAN BANKER