Viewpoint: To Match Fraudsters, Defenses Must Be Flexible

One cannot doubt the incredible pace of technology and its impact. Just five years ago, no one would have thought that Facebook could grow to become a global network with 500 million users or that an estimated 4 billion mobile phones would be in service, many of them being used to conduct financial transactions.

Consumers and businesses alike have embraced technology to improve communications, convenience and efficiency.

This rapid rise in the availability and use of technology has created consumer and business expectations that providers will offer anytime, anyplace, always-on, real-time access to financial services. Financial institutions have moved quickly to meet these expectations, introducing products and services that leverage technology advances and support new access channels.

These advances have a dark side, however: criminals, too, are leveraging the power and efficiency of technology to perpetrate fraud attacks of incredible speed, scale and, when needed, precision. What used to be a local check-kiting scheme has become a global conglomerate of financial criminals executing coordinated attacks against dozens or even hundreds of financial institution customers, moving money in an instant with anonymity and little fear of prosecution.

One just needs to look at two recent attacks to understand what criminals can achieve given the means, focus and desire. First, there was the Google attack from China that, by leveraging a set of sophisticated social engineering and hacking steps, enabled a major IP theft from highly secure companies such as Google. Next, there was the Stuxnet Trojan designed to attack Iran's nuclear program; it was said to be one of the stealthiest and most advanced malware programs ever designed, leveraging techniques that haven't been seen before. Though this may, or may not, be a classic organized crime effort, it nonetheless demonstrates the increasingly complex malware capabilities that exist today.

As technology and globalization keep evolving, and the pace of innovation by both banks and criminals quickens, today's controls often are simply not enough. As criminals' sophistication grows, so, too, must the associated security technology. Flexibility and quick response to new threats will be crucial for long-term protection of bank and customer assets.

Malware programs, such as the Zeus Trojan, have been in the news recently, and the threat will not go away as media attention fades. Malware gives fraudsters a massive distributed computing capability at virtually no cost, allowing them to execute attacks on a huge scale yet, at the same time, with an ability to make precise strikes against selected targets by leveraging the target's own computer.

Financial institutions must make significant investments to combat these threats. This asymmetry in the cost of doing business suggests that malware will continue to evolve and be used in creative ways to perpetrate fraud. For example, in the past 18 months, the use of malware to execute true man-in-the-browser attacks (beyond traditional key-logging) has significantly increased against online commercial banking customers. Accounts are drained through wire and automated clearing house transactions; losses are often in the six- and seven-figure range per incident.

Using these technologies, criminals have even begun to change their business models. It is becoming less common for a single domestic person to create and use malware to collect information, then personally extract assets. Committing fraud has become a global business in itself, with a network of criminals teaching others how to perpetrate fraud.

For example, an organized group of criminals may rent computing power from a botnet provider in Eastern Europe, acquire compromised customer or card data from a provider in France who stole it from U.S. customers, solicit money mules from a spam services provider in China and have money wired to accounts held in the Bahamas. This means a single attack may come from dozens of loosely organized individuals spread across the globe, each performing different tasks. They have great agility and the ability to leverage new technologies very quickly. They are difficult to find and prosecute because each task is but a part of the whole.

Not surprisingly, fraudsters will leverage their technical capabilities wherever a large number of targets exists, and social networking sites provide such mass. One scheme is a targeted variation on the 419 scam: An attacker compromises a person's login to a social networking site such as Facebook, MySpace or others, possibly through phishing or malware. The scammer then sends messages and posts updates with many plausible personal details regarding a dire situation requiring funds, often a claimed emergency while traveling abroad. Since these pleas for help appear legitimate, victims wire funds, hoping to assist a friend.

Social networks can aid substantially in another old attack made new. Many users are indiscriminate about whom they allow into their networks and often "over-share." A fraudster may send requests to become connected, through messages such as "we met at a party recently and wanted to stay in touch," which many people will accept. Once connected, the fraudster has access to large quantities of information commonly used to validate a person's identity — such as a mother's maiden name, father's middle name, pet's name, high school and college — along with many other personal details that can be used to help a scamster develop rapport with a target and extract funds or account information.

In many of these attacks, the financial institution is only one component in a complex scheme. Yet because financial institutions are where the money moves, they must be prepared for the variety and complexity of these attacks. Defenses that seek only to keep the fraudsters out, like putting another lock on the door, are insufficient by themselves. It is much more difficult to completely stop the fraudster at the front door, and it would be dangerous to rely solely on such approaches. Efforts to keep criminals out should be supplemented with strategies that quickly identify them once they are in and then act to minimize or avert the damage they can cause.

Financial institutions must investigate and leverage new technologies in the fight against fraud. Historically, technology has been used primarily to keep fraudsters out — often by putting more locks on the door. This approach alone is no longer sufficient to prevent fraud, when criminals have the "keys" and can impersonate legitimate users. The one thing the criminals cannot easily do (though some try) is to mimic legitimate customer behavior while extracting assets. Monitoring and understanding the behavior of individual customers and peer groups can let an institution identify suspect activity and intervene before funds are lost.

In the past this was done by branch tellers who quite literally knew the customer. Later, a channel-specific "rule-set" or models gave warnings. Today's technology lets institutions of all sizes develop cost-effective behavioral profiles of customers across channels and products and effectively identify any activity that is unusual for the customer or peer group; this creates a more consistent and broad-based ability to monitor and detect.

Combining the power of cross-channel, cross-product customer behavior profiling with real-time fraud-detection integration dramatically improves an institution's ability to reduce fraud. As customer expectations move toward faster payments across all channels, the right combination of comprehensive algorithms and data analysis can prevent funds from leaving the institution fraudulently, while keeping false positives to an acceptably low level and preventing a negative customer experience. This capability changes the game from reacting to fraud scenarios and attempting to recover funds, to more proactively preventing organizational losses.
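
The customer and peer-group profiling described above, as an added Python example that is not from the original article: it pools a customer's payment history across channels, falls back to the peer group when that history is too thin, and maps the result to allow, review or block. The sample history, customer and payee names, the thresholds and `MIN_HISTORY` are all constructed assumptions.

```python
from statistics import median

# Constructed sample history: (customer, peer_group, channel, payee, amount_usd)
HISTORY = [
    ("acme", "small_biz", "ach", "payroll-co", 4200.0),
    ("acme", "small_biz", "ach", "payroll-co", 4350.0),
    ("acme", "small_biz", "online", "utility", 310.0),
    ("acme", "small_biz", "wire", "supplier-a", 5100.0),
    ("acme", "small_biz", "ach", "payroll-co", 4280.0),
    ("acme", "small_biz", "online", "supplier-a", 4900.0),
    ("bolt", "small_biz", "ach", "landlord", 2500.0),
    ("bolt", "small_biz", "wire", "supplier-b", 6100.0),
    ("cory", "small_biz", "online", "utility", 280.0),
]
MIN_HISTORY = 5  # assumed: below this, a customer's own profile is too thin


def robust_z(amount, amounts):
    """Distance from the median in MAD units, so one past outlier
    does not stretch the baseline the way a mean/stddev would."""
    med = median(amounts)
    mad = median(abs(a - med) for a in amounts) or 1.0
    return abs(amount - med) / (1.4826 * mad)


def score(customer, group, payee, amount, history=HISTORY):
    """Score one payment against the customer's cross-channel profile."""
    own = [h for h in history if h[0] == customer]
    if len(own) >= MIN_HISTORY:
        basis, rows = "customer", own
    else:  # thin history: compare against the peer group instead
        basis, rows = "peer_group", [h for h in history if h[1] == group]
    # Amounts are deliberately pooled across ach/wire/online channels.
    z = robust_z(amount, [h[4] for h in rows])
    new_payee = payee not in {h[3] for h in own}
    if z > 6 and new_payee:            # assumed thresholds
        action = "block"               # stop funds before they leave
    elif z > 6 or (new_payee and z > 3):
        action = "review"              # one signal alone: hold for an analyst
    else:
        action = "allow"
    return {"basis": basis, "z": round(z, 2),
            "new_payee": new_payee, "action": action}
```

Requiring both an unusual amount and an unseen payee before blocking is one way to keep false positives down: a large payment to an established supplier is held for review rather than refused.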

The speed with which consumers, businesses, financial institutions and criminals adopt technologies has never been greater. Their global nature raises the bar even higher. Judging from the Google and Iran attacks, things will get much more complex and painful sooner than some think. Rapid technological evolution brings new risks but at the same time supplies tools to manage the risks. Tools that let institutions keep out criminals are industry standards, but leveraging technology to understand client behavior and activity across channels is progressive and increasingly needed. As the financial industry's product offerings evolve, and criminal threats keep pace, institutions must use technology with a high level of flexibility to adapt.

When designing a fraud strategy for the next decade, organizations can no longer rely on "front-door" locks to keep the bad guys out. Their focus must be on built-in flexibility, cross-channel and cross-product analytics and real-time blocking. Technology may be a double-edged sword, but it is one that financial institutions can and must wield to their benefit.
