Web Banking Fraud Actually in Decline
Until the mid-1980s, most fraud went undiagnosed or misreported. The debate today seems to be whether the increasingly digital landscape ends up increasing or decreasing fraud overall.
We hear stories of major crime syndicates from Eastern Europe or Africa skimming cards and phishing Internet banking accounts, with resultant losses in the millions. Javelin Strategy & Research reported in the U.S. that victims of identity theft rose 12% to 11.1 million adults in 2010, the highest level since 2003.
This type of information might lead us to believe that fraud is rampant, and that technology adoption correlates with these increases. For example, it could be implied that social media is responsible for the increase in identity theft. However, if we look a little deeper at the facts on fraud, the reality is a little different.
In the last few years internet banking fraud losses have actually plummeted in most developed economies. In the period from Jan-Jun 2011 there was a 32% reduction of online banking fraud in the U.K. Whether this was due to improved customer awareness, multi-factor authentication, three-domain security, out-of-band verification, better fraud systems and processes or all of the above – it’s hard to tell.
The introduction of chip and PIN through the E.U. decreased card fraud significantly. 2011 showed the lowest figure for U.K. card fraud in more than 11 years, and was the third consecutive year with a decrease. Estimates by UK Payments claim the introduction of EMV chip and PIN in the E.U. has resulted in a 50-75% reduction in domestic card-not-present fraud.
In the U.S., too, average fraud resolution time dropped 30% in 2010 to 21 hours, according to Javelin. The FBI's Internet Crime Complaint Center reported a 10% drop in Internet crime related complaints in 2010. E-retailer revenue lost to fraud has dropped dramatically in the last 10 years, from 3.6% of revenue in 2000 to just 0.7% last year.
In comparison to the likes of SocGen with their €4.9 billion loss in 2008, and UBS with their $2.3 billion loss from a rogue trader in 2011, Internet fraud often ends up being a relatively small component of overall exposure in the industry.
The reality is that when technology is utilized effectively, fraud tends to decrease. Why? Because of the improved technology, fraudsters increasingly need to resort to social engineering methods or old-style scams to get consumers' details and effect the fraud. This might explain why identity theft is on the rise when internet fraud is actually decreasing. It means that the decades-old methods banks use to identify someone are no longer secure in a hyperconnected world, and identity theft is more easily engineered.
Better technology means that banks and card providers are more likely to recognize a fraud and put a stop on the offending account before it does real damage. While fraud is still a problem, the trend is clear: the application of technology makes fraud easier to identify, track and prevent. As our ability to respond to fraud improves, fraudsters have to improvise, and new, organized approaches to fraud emerge.
Most of the recent attention in fraud technology has been on third-party fraud, the most common forms of which are identity theft and account takeover. However, about 6 or 7 years ago in the U.K., a team at FICO identified a new, very sophisticated method of fraud emerging – that of first-party fraud. I recently had the opportunity to talk with the team at FICO managing the response to this threat.
First-party fraud is the use of what appears to be a real identity that satisfies application requirements, but where there is no intent to pay for the credit facility or loan that is given. It can often involve a synthetic ID that has been generated over years or months to look legitimate.
Adam Davies, the director of the global fraud consulting group at FICO, says that "the potential of first-party fraud is something like ten times what third party fraud is today. Primarily because it gets through the typical application processes and looks like a legitimate identity."
Davies, and others, believe that organized crime syndicates are systematically using weaknesses in the system to engineer first-party fraud over many years, building up legitimate activity against a synthetic or stolen identity. This often involves quite sophisticated engineering of good 'credit' activity or behavior through mule accounts (sometimes up to 30 separate accounts) and the like. Often, small debts are taken and repaid to build up credit scores leading to what is termed a "bust out" – when multiple lines of credit have been secured and all the available credit lines are maxed out. The individual or synthetic identity then disappears.
There has also been a rise in individuals who, during the financial crisis, have taken out credit facilities with the clear intention not to repay that debt as it becomes due. All of these types of activity fall into the first-party fraud category. Davies says that these types of debts typically result in much higher exposure for banks and creditors. However, recent technology advances and the use of neural-net and data mining techniques now enable FICO to trap up to 80% of first-party fraud.
The biggest problems facing online and application fraud clearly originate with identity. I'm critical of weaknesses in current identity verification as an industry because it relies on easily corruptible artifacts like driver's licenses, utility bills, etc., and because these same entrenched processes often prevent online onboarding. Brian Kinch, a senior partner at FICO in the U.K., thinks that is all about to change. "We're in a period of ID reform that is going to continue over the next 10-20 years… ultimately the mobile phone [and other electronic identity verification] will become the proxy for identity."
In identity verification reform we often refer to 3 key elements, namely: what you know (current state of most identity verification today); what you have; and something you are.
Recent techniques for improving verification include the use of one-time passwords (OTP token-based authentication) and out-of-band verification. Kinch says that marrying the phone/tablet to a person, and then being able to verify both the location and user of the device, is a likely approach for better identity verification. Davies also referred to data-mining techniques currently used by mobile operators called "fingerprinting," where operators check the 10 most commonly dialed numbers and can identify delinquent account owners who have just created a new account using a different name/identity.
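The "fingerprinting" check described above can be sketched as follows. This is an added example, not code from FICO or any mobile operator: the Jaccard overlap score, the 0.6 threshold, the 20-call minimum, and all account ids and phone numbers are assumptions constructed for illustration.

```python
from collections import Counter

TOP_N = 10        # "the 10 most commonly dialed numbers" from the text
THRESHOLD = 0.6   # assumed cut-off for this example; tune on real data
MIN_CALLS = 20    # assumed minimum history before a fingerprint is trusted

def fingerprint(calls, top_n=TOP_N):
    """Set of the top_n most frequently dialed numbers for one account."""
    # Sort by frequency, then by number, so ties break deterministically.
    ranked = sorted(Counter(calls).items(), key=lambda kv: (-kv[1], kv[0]))
    return frozenset(number for number, _ in ranked[:top_n])

def jaccard(a, b):
    """Overlap of two fingerprints: 0.0 (disjoint) to 1.0 (identical)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def match_delinquents(new_calls, delinquent, threshold=THRESHOLD):
    """Return [(old_account, score)] for delinquent accounts whose dialing
    fingerprint resembles the new account's, best match first."""
    if len(new_calls) < MIN_CALLS:
        return []  # too little history: a sparse fingerprint matches by chance
    fp = fingerprint(new_calls)
    scored = ((acct, jaccard(fp, fingerprint(calls)))
              for acct, calls in delinquent.items())
    hits = [(acct, round(score, 2)) for acct, score in scored
            if score >= threshold]
    return sorted(hits, key=lambda h: -h[1])

def repeat(numbers, times):
    """Helper for building constructed call logs."""
    return [n for n in numbers for _ in range(times)]

# Constructed sample data (fictional 555 numbers and account ids).
DELINQUENT = {
    "ACCT-OLD-1": repeat([f"555-01{i:02d}" for i in range(10)], 5) + ["555-0999"],
    "ACCT-OLD-2": repeat([f"555-02{i:02d}" for i in range(10)], 5),
}
# New account under a different name: 8 of the same contacts plus 2 new ones.
NEW_SAME_PERSON = (repeat([f"555-01{i:02d}" for i in range(8)], 4)
                   + repeat(["555-0300", "555-0301"], 3))
NEW_UNRELATED = repeat([f"555-04{i:02d}" for i in range(10)], 3)

if __name__ == "__main__":
    print(match_delinquents(NEW_SAME_PERSON, DELINQUENT))
    print(match_delinquents(NEW_UNRELATED, DELINQUENT))
```

A match is a lead for manual review rather than proof, since households and small businesses can legitimately share most of their frequent contacts.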
Increasingly we'll see the use of tokens or OTP generators built into apps on phones, and eventually these will incorporate the use of biometrics (something you are). The most promising biometric approaches in use today are voice and facial recognition.
"Voice recognition can already eliminate background noise, use language heuristics and other methods to confirm someone's identity far quicker and easier than asking them for their date of birth, address or social security number," says Kinch.
It's probable that in the future, we'll only be asking for proof of identity via paper when there is a problem that needs an additional layer of validation.
The implications of this are pretty clear. Investment in redesigning identity verification and customer onboarding processes should be a high priority if you wish to avoid fraud, and enable the digitally aware customer.
The view of many a compliance officer that paper, face-to-face identity verification methods are superior to those available through an online or mobile channel really needs a swift adjustment.
The facts are that online identity verification not only opens up massive revenue opportunities for more seamless engagement and fulfillment, but if applied with the right technology, will reduce exposure to fraud and identity abuse massively.
Brett King is the author of "Bank 2.0" and the founder of Movenbank, a direct mobile banking startup to launch in 2012.