Tearsheet termsheet: What you need to know about financial services fraud

In the digital age of digital transactions and other digital engagements, the word fraud gets thrown around a lot.

That’s particularly true in financial services, since gaining access to cash “fraudulently” is harder now. As much as technology has raised the bar for the customer experience, it’s also raised the bar for hackers and fraudsters.

Here’s what we’re really talking about when we talk about “fraud.”

OK, what is fraud?
Fraud happens when someone tries to take money that doesn’t belong to him or her, for any number of reasons, and there is an increasing number of ways to do it. That person could find a card in the back seat of a cab and use it for the next meal, or somehow know enough of someone else’s personal information to walk into a bank and get a new debit card issued, which is why Chase removed that feature of its card business last week.

In the digital age, however, it can get more complex than that — and so can the consequences for the victim. Creating passwords that meet certain companies’ standards for security is more difficult, and people move more quickly in the digital age and have shorter attention spans; it’s led consumers to care more about speed and convenience than security and privacy.

“It’s incredibly hard for people to get stuff done digitally because we’ve made it so hard to prove who you are at the places where you want to share your data,” said Greg Wolfond, CEO of SecureKey, which is partnering with Canadian banks on a solution to that problem.

Are there different types of fraud?
In finance, there are three distinct patterns of fraud: transaction fraud, application fraud and account takeover fraud.

Most people who use plastic cards have experienced transaction fraud. The card or card number is stolen or otherwise obtained by some bad actor and then fraudulent charges begin to appear on your account. In this case it’s pretty likely that you alerted the bank, which reversed the fraudulent transactions and replaced your card, and you moved forward with your life. Card issuers lost $15.72 billion (72 percent) in gross fraud losses in 2015 and merchants and acquirers lost the remaining $6.12 billion (28 percent), according to the Nilson Report.

Application fraud is the fastest-growing type of fraud in financial services and happens when a fraudster actually pretends to be you using actual account credentials to open new lines of credit. We can break it down even further into three types:

  • Third party fraud: when someone gets enough of someone’s personal information from a compromised data set to go to a bank and pretend to be that person to apply for a loan or credit card
  • First party fraud: when the person coming to the bank (or other service) really is the person he or she claims to be but intends to not pay back the loan or credit card; in instances of first party fraud, the bank or business is the victim, not the customer
  • Synthetic fraud: when someone creates a persona using fake or borrowed information, like a social security number, and adds other, made-up elements of personally identifiable information like a name, address or date of birth

Synthetic identity is often confused with traditional identity theft, in which someone impersonates a real person. A synthetic identity is a purely fabricated identity; there’s no real person beyond the social security number. And whereas transaction fraud or third party app fraud is often motivated by a need for quick access to cash, synthetic fraud tends to have links to organized criminal activity, according to Ken Meiser, vp of identity solutions at ID Analytics, which is owned by cybersecurity firm Symantec.

Account takeover fraud is the final type of fraud (for the purposes of this primer, at least). It happens to people when fraudsters obtain their various user IDs and passwords to be able to access other accounts that involve financial transactions.

Did those new chip cards I got help?
Kind of! Account takeover incidents increased 61 percent to $2.3 billion from 2015 to 2016, according to research by Javelin published in February. Victims paid an average of $263 out of pocket and spent 20.7 million hours to resolve it in 2016 – six million hours more than in 2015.

In October 2015, U.S. card issuers began replacing people’s debit and credit magstripe cards with new chip cards and retailers began upgrading their payments terminals to allow customers to insert their chip cards into the devices instead of swiping the stripe. Even though Europe has been using chip-and-pin to pay for years, this finally went down in the U.S. two years ago as part of a push to lower card fraud — by using chips instead of magstripes, it’s harder to clone a card or steal the PII associated with it.

At the same time, it’s become easier for fraudsters to access accounts. Passwords have become kind of a pain in the ass so it’s not uncommon for someone to use the same password for multiple accounts and hope they can actually just log in biometrically. There are many sites one can access if they have Facebook credentials. Day-to-day engagement between people and businesses is generally more digital.

“As more of these activities become non face-to-face, if someone can compromise your credentials… Conceivably your identity lets fraudsters get access to other locations,” Meiser said. “When someone sells a compromised user ID and password, they’re really selling the opportunity to use that somewhere else.”

What it will take to make digital identity real

The biggest problem with digital identity is that it’s just a pain in the ass.

As banks, governments and e-commerce giants try to solve the issue of customers having account overload and password amnesia, the problem becomes that security is just inconvenient: there are so many required security specs for passwords and so many different passwords to remember, it’s just easier to create an easy-to-remember password and use it for everything — and at the end of the day, if an account is hacked, the bank can just return the money. No big deal.

Passwords are how customers identify themselves for every service they use. They know the system is hackable but still entrust companies with their data, even if they don’t actually trust them. Fixing the system means there has to be a single identifying entity that people trust, that has an established history of collecting and holding personal information. Banks are the best positioned to do so, but trust has to be part of the process of designing identity verification services and it should be clear who owns customer data and what happens to it.

“The use of digital identity will exceed the use of physical identity when more digital identity solutions emerge in the market — that’s what’s lacking today,” said Matthew Thompson, director of digital business development at Capital One, which launched a digital identity application programming interface (API) this week that lets websites and apps authenticate the identity of their customers against the identity information stored by their banks.

“We have to design for trust in the solutions: trust with the relying party or business partner that they can trust the assertion we’re making, and trust with the consumer that they want to use or share the information in this ecosystem. When those things come together you’ll see digital identity exceed the use of physical identity.”

Who has my data?
Collecting customer data is in the interest of the customer, banks (or any company, really) will tell you. By doing so, banks say, they can improve their products and services. Knowing more about customers — their preferences, routines, where they save and when they splurge — helps them personalize their offerings and deepen connections with customers, which makes them feel even more comfortable granting the banks even more of their data.

Right now, it’s not clear who owns customer data, whether it’s banks and our payment information or Facebook and the details we put on social media. Banks are held to higher standards of privacy and security; that’s part of what makes them so well positioned to take the lead on providing digital identity services.

“We don’t know who really owns our data but I bet you the large banks absolutely don’t want that” to be made explicit, said Pascal Bouvier, a venture partner with Santander InnoVentures, the Spanish bank’s fintech venture capital arm. “There [would] be clear liabilities as well as clear asset and cash flow streams that people either have access to — or don’t. In order for us to fully actualize federated digital identities built off data streams we create directly or indirectly, we need to have some type of clarity on that ownership.”

The ownership question is also more important now than ever, as startups and technology providers look to increase their data-sharing agreements with banks. Intuit has landed agreements with JPMorgan Chase and Wells Fargo; Finicity just signed one with Wells; Xero established similar deals with Wells, Silicon Valley Bank and most recently, Capital One. These initiatives also give banks safer ways to move data and help give customers control over how their data is used — the holy grail of digital identity — by using application programming interfaces instead of the more commonly used screen scraping method, in which customers log into the third party site or app with their bank credentials and that company “scrapes” the information to log in as the customer to retrieve account data as necessary.

Convenience over safety
The widely agreed upon solution is data minimization: an organization collects only the data it needs, uses it only for what it agreed to use it for, and gets rid of it when the purpose is achieved. A bartender doesn’t need to know customers’ ages to serve them; she just needs to know each is greater than or equal to a certain age.

One way is to let the customers opt in to having their data shared. The Canadian banks have a solution to this. Or put a disclaimer on the bank website that spells out how the data is going to be used. But that’s slightly inconvenient. And even when customers are cynical toward banks, they seem to be trusted enough to continue serving them.

“Consumers will always choose the path of least resistance, and if you rely on your consumers to be interested in their best interest when it comes to security, that’s probably not going to happen,” said Ryan Fox, director of consumer identity at Capital One. “We’re always two-step or multi-factor authenticating our customers. It’s always dynamic, always risk-based, always multilayered.”

In 2015, Capital One launched SwiftID, which removes the friction of passwords by letting people authenticate biometrically from their phones when signing in from an unknown device. By designing security right into the banking experience, Fox says, the bank can send the customer a push notification they can respond to in a second instead of requiring them to read a lengthy security statement.

The important thing for banks to remember when building on their security is that people don’t think about it in terms of what’s most secure; they think about what’s easiest, he said.

“That’s why touch ID had such an adoption rate,” Fox said. “We went away from knowledge-based login to something I can just touch. It was adopted not because it was a pattern they understood but because it took half the time. Is it easier? Yes. Do I have a cognitive load associated with doing this? No? Then I’ll do it.”

How Citi’s latest cybersecurity bet veers from the usual model

Financial technology trends come and go but three are here to stay: Everyone has a mobile phone, large businesses are moving their data to cloud systems — and threats to cybersecurity are evolving with and around both behaviors.

As the threat cybersecurity poses for financial services – or any company, since they’re all collecting customer data – isn’t going away, these companies are heavily invested in analytics firms that monitor breaches, defenses and other activity to try to make sense of user behavior and identify patterns to help prepare for the next attack. That space is getting kind of crowded though, which is part of why Citigroup’s startup venture capital arm just invested in a newer cryptographic solution by a company called Dyadic.

“There are established vendors of hardware security models and systems we all buy from. They’re trying to prevent or detect threats. We’ve invested in that,” said Arvind Purushotham, global head of venture investing at Citi Ventures. “The Dyadic opportunity came along and was fairly unique, there are not 10 startups in their area.”

Dyadic is a software company that helps companies manage their cryptographic keys, a long string of numbers required to encrypt private information. Citi Ventures participated in a $12 million growth investment in Dyadic along with Goldman Sachs Principal Strategic Investments and Eric Schmidt’s Innovation Endeavors.

In many current systems, there is a key to encrypt and one to decrypt. Dyadic’s solution effectively splits each key into two and allows the halves to be stored in different places – one half on a company server and the other on a mobile phone, for example, or one half in the cloud and the other in a data center. This way, even if a hacker somehow obtained the part of the key stored in the cloud, they couldn’t use it to decrypt information without finding its pair. The solution isn’t completely unhackable, but it creates an additional challenge for nogoodniks.
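The property described above, that one stored half of a key is useless without its pair, can be shown with a 2-of-2 XOR split. This is an added example, not Dyadic's implementation or code from the article; XOR sharing is a stand-in technique, and every function name and the 32-byte key size are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32  # assumed: a 256-bit symmetric key


def split_key(key: bytes) -> tuple[bytes, bytes]:
    """Split key into two shares, e.g. one for the cloud, one for a phone."""
    share_a = secrets.token_bytes(len(key))                # uniformly random
    share_b = bytes(k ^ a for k, a in zip(key, share_a))   # key XOR share_a
    return share_a, share_b


def combine_shares(share_a: bytes, share_b: bytes) -> bytes:
    """Recombine two shares; only the matching pair yields the key."""
    if len(share_a) != len(share_b):
        raise ValueError("shares must have equal length")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def key_check_value(key: bytes) -> bytes:
    """Fingerprint recorded at split time to verify a later recombination."""
    return hmac.new(key, b"key-check", hashlib.sha256).digest()


def recover_key(share_a: bytes, share_b: bytes, expected_kcv: bytes) -> bytes:
    """Recombine and reject a wrong, stale or tampered share."""
    key = combine_shares(share_a, share_b)
    if not hmac.compare_digest(key_check_value(key), expected_kcv):
        raise ValueError("shares do not reconstruct the original key")
    return key


def matching_share_for(stolen_share: bytes, candidate_key: bytes) -> bytes:
    """Why one share leaks nothing: for ANY candidate key there is a second
    share that fits the stolen one, so a thief cannot rule any key out."""
    return bytes(s ^ c for s, c in zip(stolen_share, candidate_key))


def demo() -> dict:
    key = secrets.token_bytes(KEY_LEN)       # constructed sample key
    kcv = key_check_value(key)
    cloud_share, phone_share = split_key(key)
    guess = secrets.token_bytes(KEY_LEN)     # a thief's arbitrary guess
    fits = combine_shares(cloud_share, matching_share_for(cloud_share, guess))
    return {
        "recovered": recover_key(cloud_share, phone_share, kcv) == key,
        "guess_is_consistent_with_stolen_share": fits == guess,
    }


if __name__ == "__main__":
    print(demo())
```

This simple scheme reassembles the whole key in one place at the moment of use, so the protection applies to the shares at rest, not to the machine doing the recombining.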

The technology is also easy to implement at the types of large financial institutions that would benefit from the product, he added, which counts for a lot when deciding to invest in a company. It’s rarely ever about how innovative an idea is. Most companies using Dyadic’s solution probably already employ cloud storage and have an increasingly large mobile customer base.

“[Dyadic] plays to the trends of cloud, mobile and enables us to make mobile offerings even more powerful not just at Citi but at any enterprise,” Purushotham said. “It is lowering the complexity and cost of a cryptographic system and if you can make it cheaper and easier to use, enterprises will use it more, and more commerce can happen online more securely.”

However, defending a bank and its customers against cyberattacks is as much – if not more – about how companies identify and verify their customers when asking them to hand over sensitive information as it is about identifying the attackers. Many websites now require numbers, capital letters and special characters in their users’ passwords, in order to make their accounts harder to breach. Some have employed fingerprint authentication and let customers store credit card information so they have to enter neither their credit card information nor their password.

But financial services is one of the most highly regulated industries, and it has many reasons for requesting certain sensitive information. Some are business-related, but many come back to regulatory compliance.

“Security is sort of a murky problem,” Purushotham said. “We need to collect what we need to collect for a variety of reasons but it’s also our job to ensure the data stays secure inside the enterprise and make it simple for customers to use our services while still making it secure.”

High 5! The five fintech stories we’re following this week

5 trends we're tracking in finance

Payments get bigger, faster

Of all the moving pieces and parts of financial technology, payments is more than likely the most mature. That’s because the technology is here today and there’s an associated revenue model with most forms of payments. Given that backdrop, we’re seeing stadiums and sports teams, like the San Francisco 49ers, develop their own apps. Done right, these apps are growing in-seat orders and increasing the size of the average sale.

Even if it’s from a defensive posture, banks want in on this business. The thinking is, better that account holders use banking apps to conduct peer-to-peer payments than having them use a third party app, which could eventually poach them to a bank-like account at some point. So, most of the largest US banks are rolling out real-time p2p payments that will eventually work to move money between banks. clearXchange is the payment network behind this activity and it’s expanding to thousands of other financial institutions and payers via a hookup with Fiserv’s NOW Network.

The credit card companies aren’t taking this lying down, either. They’re worried that ACH-enabled bank-to-bank payments are gathering steam and cutting into payments that used to be their domain. For example, to help foreign students studying in the U.S., Mastercard has partnered with Plastiq to enable payments to be made via a credit card no matter how the receiving party prefers to receive it. Startups also recognize that the path to digital payments is cut through hybrid solutions and they’re working on some pretty cool stuff.

The future of fintech, today

Tradestreaming published its fintech manifesto this week, laying the ground for where we think we’re headed. Let’s all agree to drop the word disruptive from our vocabulary and we can move on. There’s a lot to be excited about in fintech, but today’s environment feels bubbly. We’re starting to see some of the fissures in the new structures we’re building while we remake the financial services of old. Technology’s impact on financial services and how the modern financial system evolves will take years and decades.

The nature of the corporation is already changing. Many startups have higher aspirations for their businesses than just a single bottom line. This is reflected in the interest around B corps and it’s also reflected in how some fintech firms are creating corporate giving programs as part of larger Corporate Social Responsibility plans.

Risk is back on

During quiet periods like August, we sometimes lose connection to the fact that everything is being hacked all the time. It’s got people asking why the blockchain is so darn hackable. Banks of old protected our cash and valuables. The new systems? Less so.

There’s a bull market in cybersecurity and the thinking goes that companies that are helping to protect the digital form of our assets should benefit. Kensho, a financial data, analytics and automation firm, has created a dynamic stock index of firms with cybersecurity at their heart. Its KCYBER Index has returned 65% annually since launching in 2013. Who wants the ETF? That said, not one of these top 27 fintech unicorns is a security play.

So happy together!

For some ludicrous reason, the media got all excited with the prospect that fintech was going to, um, in some way, um, disrupt financial incumbents. If our fintech manifesto didn’t dispel the notion that David can indeed defeat financial Goliath, we now have UBS for support. The bank published a study on how a growing number of financial institutions are partnering with fintech upstarts, building products and services together.

Certainly, there will be more collaboration in the future. The UK is encouraging this by rolling out legislation that would mandate the sharing of core banking data with fintech firms. Beginning in 2018, British banks will have to share customers’ data with third parties who can then show how much could be saved by using other lenders.

New financial products get launched

Crowdfunding payment app, Tilt, launched P2P payments functionality, bringing it a lot closer to head-on competition with Venmo. Square Capital, the lending service from the business payments firm, is opening itself up a bit. Now, vendors who don’t actually use Square but are on a partner network can apply for short term loans from the firm.

Business Insider is getting serious about fintech by expanding its subscription business overseas. BI Intelligence now has 5,000 paid subscribers globally across six verticals and it’s launched a new fintech product not from New York City, but the UK. “London is the fintech capital of the world, and we have this great footprint with Business Insider here already.”