As a follow-up to my appearance on CNBC’s, The Call July 22, I feel it is appropriate to comment further on the fraud risks we are seeing across industries due to the continued move online. Karen Tso did a nice job of raising the significant cyber-crime issues we see due to the mass availability of personal information in online channels and highlighting the need for analytic approaches to better combat the problem. What has proven true over the past decade is that no matter what enhanced network security measures are taken, criminals are still gaining access to Personally Identifiable Information (PII). And no matter the sophistication of the authentication procedures, fraudsters apply more sophisticated tools to gain access to online accounts and payments. This verifies the need for an additional layer of security – a portfolio of analytic approaches to identify suspicious activity at the transaction level to prevent fraud before the transaction is processed.
Though we were mainly discussing banks during the interview, this is a problem that transcends industries. With fraudsters typically moving to the path of least resistance and toward the lowest risk, no industry is safe. Stolen PII can be used to manufacture counterfeit credit cards (“white plastic”) or establish bogus credit accounts, false beneficiaries or providers of medical or social services programs. These stolen PII can be used to open illegitimate life insurance policies, claim false victims in insurance scams or file phony tax returns for unsuspecting victims to obtain refunds prior to the legitimate returns being filed. The list goes on.
What can be done?
SAS has coined the term “perfect storm” for fraud – the clear mismatch between the sophistication of fraud criminals and the sophistication of the systems institutions deploy to prevent fraud. Addressing this perfect storm has most recently surfaced in the FFIEC’s Supplement to Authentication in and Internet Banking Environment published in June. It requires banking institutions to become more proactive and use more advanced approaches to combatting fraud. Though this guidance is specific to Internet banking, the same principles apply to any industry looking to protect their consumers or beneficiaries from fraudulent attacks.
The FFIEC guidance recommends a layered security approach “characterized by the use of different controls at different points in a transaction process so that a weakness in one control is generally compensated for by the strength of a different control.” Education of consumers and beneficiaries on fraud risk management is clearly a key piece of the process. However, when looking at how technology can assist, it can be boiled down to three key areas:
- Network and Session Security (e.g., anti-malware)
- Authentication (e.g., dual layer, Device ID)
- Transaction Monitoring (e.g.., anomaly detection, transaction velocity, beneficiary creation, watch-lists).
As mentioned above, fraudsters have proven their abilities to skirt network security and authentication, which means it’s time for institutions to further focus on that third leg of the stool: Transaction Monitoring.
Transaction monitoring should cover both monetary and non-monetary transactions (e.g., account maintenance, address changes, beneficiary creation and change) and extend beyond the simple heuristic rules that are widely used today. Institutions must utilize a portfolio of analytic approaches geared toward addressing fraud across the spectrum from opportunistic to organized while stopping the transactions in real-time before the loss occurs. This requires developing profiles of transactional behavior that can be used to determine if current transactions are in line with past behavioral patterns and leveraging those profiles in advanced anomaly modeling (e.g., regression), predictive modeling (e.g., neural networks), and even automated link analysis for organized crime detection.
The question that always comes up with our clients is “How can SAS help our business stay ahead of the ever changing fraud trends and schemes that are used?” I will come back with a Part II to this blog that will discuss SAS’ Hybrid Approach to fraud analytics that will address exactly that question. Until then….