Tearsheet termsheet: What you need to know about financial services fraud

In the digital age of digital transactions and other digital engagements, the word fraud gets thrown around a lot. Just see here, here and here. That’s particularly true in financial services, since gaining access to cash “fraudulently” is harder now. As much as technology has raised the bar for the customer experience, it’s also raised the bar for hackers and fraudsters. Here’s what we’re really talking about when we talk about “fraud.” OK, what is fraud? Fraud happens when someone tries to take money that doesn't belong to him or her for any number of reasons and has an increasing number of ways in which to do it. That person could find a card in the back seat of a cab and use it for the next meal or somehow know enough of someone else’s personal information to walk into a bank and get a new debit card issued, which is why Chase removed that feature of its card business last week. In the digital age, however, it can get more complex than that — and so can the consequences for the victim. Creating passwords that meet certain companies’ standards for security is more difficult and people move more quickly in the digital age and have shorter attention spans; it’s led consumers to care more about speed and convenience that security and privacy. “It’s incredibly hard for people to get stuff done digitally because we’ve made it so hard to prove who you are at the places where you want to share your data,” said Greg Wolfond, CEO of SecureKey, which is partnering with Canadian banks on a solution to that problem. Are there different types of fraud? In finance, there are three distinct patterns of fraud: transaction fraud, application fraud and account takeover fraud. Most people who use plastic cards have experienced transaction fraud. The card or card number is stolen or otherwise obtained by some bad actor and then fraudulent charges begin to appear on your account. In this case it’s pretty likely the you alerted the bank, which reversed the fraudulent transactions and replaced your card, and you moved forward with your life. Card issuers lost $15.72 billion (72 percent) in gross fraud losses in 2015 and merchants and acquirers lost the remaining $6.12 billion (28 percent), according to the Nilson Report. Application fraud is the fastest-growing type of fraud in financial services and happens when a fraudster actually pretends to be you using actual account credentials to open new lines of credit. We can break it down even further into three types:

• Third party fraud: when someone gets enough of someone's personal information from a compromised data set to go to a bank and pretend to be that person to apply or a loan or credit card
• First party fraud: when the person coming to the bank (or other service) really is the person he or she claims to be but intends to not pay back the loan or credit card; in instances of first party fraud, the bank or business is the victim, not the customer
• Synthetic fraud: when someone creates a persona using fake or borrowed information, like a social security number, and adds other, made-up elements of personally identifiable information like a name, address or date or birth

Synthetic identity is often confused with traditional identity theft, in which someone impersonates a real person. A synthetic identity is a purely fabricated identity; there’s no real person beyond the social security number. And whereas transaction fraud or third party app fraud is often motivated by a need for quick access to cash, synthetic fraud tends to have links to organized criminal activity, according to Ken Meiser, vp of identity solutions at ID Analytics, which is owned by cybersecurity firm Symantec. Account takeover fraud is the final type of fraud (for the purposes of this primer, at least). It happens to people when fraudsters obtain their various user IDs and passwords to be able to access other accounts that involve financial transactions. Did those new chip cards I got help? Kind of! Account takeover incidents increased 61 percent to $2.3 billion from 2015 to 2016, according to research by Javelin published in February. Victims pay an average of $263 out of pocket and spent 20.7 million hours to resolve it in 2016 – six million hours more than in 2015. In October 2015, U.S. card issuers began replacing people’s debit and credit magstripe cards with new chip cards and retailers began upgrading their payments terminals to allow customers to insert their chip cards into the devices instead of swiping the stripe. Even though Europe has been using chip-and-pin to pay for years, this finally went down in the U.S. two years ago as part of a push to lower card fraud — by using chips instead of magstripes, it’s harder to clone a card or steal the PII associated with it. At the same time, it’s become easier for fraudsters to access accounts. Passwords have become kind of a pain in the ass so it’s not uncommon for someone to use the same password for multiple accounts and hope they can actually just log in biometrically. There are many sites one can access if they have Facebook credentials. Day-to-day engagement between people and businesses is generally more digital. “As more of these activities become non face-to-face, if someone can compromise your credentials… Conceivably your identity lets fraudsters get access to other locations,” Meiser said. “When someone sells a compromised user ID and password, they're really selling the opportunity to use that somewhere else.”