Tearsheet termsheet: What you need to know about financial services fraud

In the digital age of digital transactions and other digital engagements, the word fraud gets thrown around a lot.

That’s particularly true in financial services, since gaining access to cash “fraudulently” is harder now. As much as technology has raised the bar for the customer experience, it’s also raised the bar for hackers and fraudsters.

Here’s what we’re really talking about when we talk about “fraud.”

OK, what is fraud?
Fraud happens when someone tries to take money that doesn’t belong to him or her, for any number of reasons, and there is an increasing number of ways in which to do it. That person could find a card in the back seat of a cab and use it for the next meal or somehow know enough of someone else’s personal information to walk into a bank and get a new debit card issued, which is why Chase removed that feature of its card business last week.

In the digital age, however, it can get more complex than that — and so can the consequences for the victim. Creating passwords that meet certain companies’ security standards is more difficult, and people move more quickly and have shorter attention spans; this has led consumers to care more about speed and convenience than security and privacy.

“It’s incredibly hard for people to get stuff done digitally because we’ve made it so hard to prove who you are at the places where you want to share your data,” said Greg Wolfond, CEO of SecureKey, which is partnering with Canadian banks on a solution to that problem.

Are there different types of fraud?
In finance, there are three distinct patterns of fraud: transaction fraud, application fraud and account takeover fraud.

Most people who use plastic cards have experienced transaction fraud. The card or card number is stolen or otherwise obtained by some bad actor and then fraudulent charges begin to appear on your account. In this case it’s pretty likely that you alerted the bank, which reversed the fraudulent transactions and replaced your card, and you moved forward with your life. Card issuers lost $15.72 billion (72 percent) in gross fraud losses in 2015 and merchants and acquirers lost the remaining $6.12 billion (28 percent), according to the Nilson Report.

Application fraud is the fastest-growing type of fraud in financial services and happens when a fraudster actually pretends to be you using actual account credentials to open new lines of credit. We can break it down even further into three types:

  • Third party fraud: when someone gets enough of someone’s personal information from a compromised data set to go to a bank and pretend to be that person to apply for a loan or credit card
  • First party fraud: when the person coming to the bank (or other service) really is the person he or she claims to be but intends to not pay back the loan or credit card; in instances of first party fraud, the bank or business is the victim, not the customer
  • Synthetic fraud: when someone creates a persona using fake or borrowed information, like a social security number, and adds other, made-up elements of personally identifiable information like a name, address or date of birth

Synthetic identity is often confused with traditional identity theft, in which someone impersonates a real person. A synthetic identity is a purely fabricated identity; there’s no real person beyond the social security number. And whereas transaction fraud or third party app fraud is often motivated by a need for quick access to cash, synthetic fraud tends to have links to organized criminal activity, according to Ken Meiser, vp of identity solutions at ID Analytics, which is owned by cybersecurity firm Symantec.

Account takeover fraud is the final type of fraud (for the purposes of this primer, at least). It happens to people when fraudsters obtain their various user IDs and passwords to be able to access other accounts that involve financial transactions.

Did those new chip cards I got help?
Kind of! Account takeover incidents increased 61 percent to $2.3 billion from 2015 to 2016, according to research by Javelin published in February. Victims paid an average of $263 out of pocket and spent 20.7 million hours to resolve it in 2016 – six million hours more than in 2015.

In October 2015, U.S. card issuers began replacing people’s debit and credit magstripe cards with new chip cards and retailers began upgrading their payments terminals to allow customers to insert their chip cards into the devices instead of swiping the stripe. Even though Europe has been using chip-and-pin to pay for years, this finally went down in the U.S. two years ago as part of a push to lower card fraud — by using chips instead of magstripes, it’s harder to clone a card or steal the PII associated with it.

At the same time, it’s become easier for fraudsters to access accounts. Passwords have become kind of a pain in the ass so it’s not uncommon for someone to use the same password for multiple accounts and hope they can actually just log in biometrically. There are many sites one can access if they have Facebook credentials. Day-to-day engagement between people and businesses is generally more digital.

“As more of these activities become non face-to-face, if someone can compromise your credentials… Conceivably your identity lets fraudsters get access to other locations,” Meiser said. “When someone sells a compromised user ID and password, they’re really selling the opportunity to use that somewhere else.”

Behavioral biometrics is the next generation of bank security

When it comes to fintech services, bank customers want it all. They want streamlined, user-friendly applications on the one hand, but they also expect their financial service providers to protect them from the growing scourge of online threats.

The problem is that these two customer demands typically clash: in order to contend with the multiplying hordes of cyber attacks, social engineering schemes, trojans, and malware, banks have traditionally piled more security tasks on the user in order to minimize risk. However, the more banks make customers jump through security hoops to access and use their accounts, the less user-friendly and sleek the online experience they provide.

“This friction between customer safety and customer experience is not something that is actually sustainable,” said Uri Rivner, head of cybersecurity at BioCatch. Founded in 2011, the company’s fraudster prevention technology for the finance industry also rests firmly on the user. Unlike traditional verification methodologies, BioCatch’s behavioral biometric solution needs customers to do just one thing: act normally.

If a user attempts to access her bank account as she normally does with a device or app, BioCatch’s technology collects information about her and creates a user profile. “The idea of behavioral biometrics is to essentially monitor user activity over time, establish their regular behavior – behind the scenes,” explains Rivner. The technology then looks for deviations in normal behavior, “so if someone else then goes into that device or into that application using the username of the account, the system is able to detect it and alert the owner of the account in real-time that there’s some type of foul play that has been detected.”

Though the Israeli company isn’t releasing client names just yet, Rivner reports that four of the five biggest banks in the UK have started to implement BioCatch’s solution into their online and mobile retail banking services, with an average deployment of 5 to 10 million users at each bank.

BioCatch’s technology, which utilizes big data and machine learning, monitors approximately 500 parameters to determine whether an account holder is behaving as they usually do. The firm collects information from customers’ mobile devices, including how they hold the phone, the way they interact with it and touch it, and the way they scroll and swipe. It also analyzes customers’ cognitive choices, such as how they fill in their passwords, dollar amounts, or dates.

“One of the things we’re monitoring is the way that customers use the mouse because this exposes their hand-eye coordination,” Rivner explained. BioCatch will sometimes present invisible challenges to customers to verify that they’re behaving like themselves, like making the mouse disappear momentarily, or dragging the mouse off slightly to the side of the screen. These are barely perceptible changes, but they help BioCatch ascertain that customers are humans, not malware. Moreover, different people respond differently to these very minor challenges.

After monitoring an account for a certain number of sessions, BioCatch builds a unique user profile, based on parameters collected from the general public and from the individual user. And while this may sound like a creepy big brother set-up, Rivner is careful to differentiate behavioral biometrics from physiological biometrics.

While physiological biometrics such as facial recognition or fingerprint collection are focused on accurate identification of a person, behavioral biometrics just wants to make sure that the account is behaving normally. Even if you were to aggregate all of the data from the account, you still wouldn’t be able to identify who the account user is.

BioCatch’s biometric solution got a real boost in the U.S. in 2015, after the startup signed a strategic partnership with Early Warning, a bank-owned consortium that provides technology and fraud prevention services to the financial services industry. Nevertheless, even if behavioral biometrics has graduated from novelty to accepted technology, the space is still basically a two-player game.

The startup’s main competition is Swedish BehavioSec, which like BioCatch offers continuous authentication with behavioral biometrics. And while BioCatch may have snagged the Early Warning partnership, the Swedish company recently nabbed two awards at the 2016 European Fintech Awards. BioCatch’s solution is tailored to the finance industry, while BehavioSec also caters to ecommerce and social media platforms.

BioCatch and BehavioSec’s respective collaborations within the finance industry are a great example of how a partnership economy can benefit both financial institutions and their customers. By moving online security checks unobtrusively into the background, behavioral biometrics is helping banks facilitate a healthier balance between seamlessness and security across all remote channels. Your move, cyber criminals.


Avoiding investing scams in the Age of Fraud – with Pat Huddleston

Pat Huddleston is an increasingly busy guy.

The former SEC enforcer is author of the new book, The Vigilant Investor: A Former SEC Enforcer Reveals How to Fraud-Proof Your Investments.

In this episode of Tradestreaming Radio, we discuss why Pat refers to our era as the ‘Age of Fraud’.  Please join us to learn how to identify and avoid investment scams.
