Tearsheet termsheet: What you need to know about financial services fraud

In the digital age of digital transactions and other digital engagements, the word fraud gets thrown around a lot.

That’s particularly true in financial services, since gaining access to cash “fraudulently” is harder now. As much as technology has raised the bar for the customer experience, it’s also raised the bar for hackers and fraudsters.

Here’s what we’re really talking about when we talk about “fraud.”

OK, what is fraud?
Fraud happens when someone tries to take money that doesn’t belong to him or her, for any number of reasons, and there is an increasing number of ways in which to do it. That person could find a card in the back seat of a cab and use it for the next meal or somehow know enough of someone else’s personal information to walk into a bank and get a new debit card issued, which is why Chase removed that feature of its card business last week.

In the digital age, however, it can get more complex than that — and so can the consequences for the victim. Creating passwords that meet certain companies’ standards for security is more difficult, and people move more quickly in the digital age and have shorter attention spans; it’s led consumers to care more about speed and convenience than security and privacy.

“It’s incredibly hard for people to get stuff done digitally because we’ve made it so hard to prove who you are at the places where you want to share your data,” said Greg Wolfond, CEO of SecureKey, which is partnering with Canadian banks on a solution to that problem.

Are there different types of fraud?
In finance, there are three distinct patterns of fraud: transaction fraud, application fraud and account takeover fraud.

Most people who use plastic cards have experienced transaction fraud. The card or card number is stolen or otherwise obtained by some bad actor and then fraudulent charges begin to appear on your account. In this case it’s pretty likely that you alerted the bank, which reversed the fraudulent transactions and replaced your card, and you moved forward with your life. Card issuers lost $15.72 billion (72 percent) in gross fraud losses in 2015 and merchants and acquirers lost the remaining $6.12 billion (28 percent), according to the Nilson Report.

Application fraud is the fastest-growing type of fraud in financial services and happens when a fraudster actually pretends to be you using actual account credentials to open new lines of credit. We can break it down even further into three types:

  • Third party fraud: when someone gets enough of someone’s personal information from a compromised data set to go to a bank and pretend to be that person to apply for a loan or credit card
  • First party fraud: when the person coming to the bank (or other service) really is the person he or she claims to be but intends to not pay back the loan or credit card; in instances of first party fraud, the bank or business is the victim, not the customer
  • Synthetic fraud: when someone creates a persona using fake or borrowed information, like a social security number, and adds other, made-up elements of personally identifiable information like a name, address or date of birth

Synthetic identity is often confused with traditional identity theft, in which someone impersonates a real person. A synthetic identity is a purely fabricated identity; there’s no real person beyond the social security number. And whereas transaction fraud or third party app fraud is often motivated by a need for quick access to cash, synthetic fraud tends to have links to organized criminal activity, according to Ken Meiser, vp of identity solutions at ID Analytics, which is owned by cybersecurity firm Symantec.

Account takeover fraud is the final type of fraud (for the purposes of this primer, at least). It happens to people when fraudsters obtain their various user IDs and passwords to be able to access other accounts that involve financial transactions.

Did those new chip cards I got help?
Kind of! Account takeover incidents increased 61 percent to $2.3 billion from 2015 to 2016, according to research by Javelin published in February. Victims paid an average of $263 out of pocket and spent 20.7 million hours to resolve it in 2016 – six million hours more than in 2015.

In October 2015, U.S. card issuers began replacing people’s debit and credit magstripe cards with new chip cards and retailers began upgrading their payments terminals to allow customers to insert their chip cards into the devices instead of swiping the stripe. Even though Europe has been using chip-and-pin to pay for years, this finally went down in the U.S. two years ago as part of a push to lower card fraud — by using chips instead of magstripes, it’s harder to clone a card or steal the PII associated with it.

At the same time, it’s become easier for fraudsters to access accounts. Passwords have become kind of a pain in the ass so it’s not uncommon for someone to use the same password for multiple accounts and hope they can actually just log in biometrically. There are many sites one can access if they have Facebook credentials. Day-to-day engagement between people and businesses is generally more digital.

“As more of these activities become non face-to-face, if someone can compromise your credentials… Conceivably your identity lets fraudsters get access to other locations,” Meiser said. “When someone sells a compromised user ID and password, they’re really selling the opportunity to use that somewhere else.”

‘A new customer segment’: Inside Western Union’s refugee assistance program

Remittance giant Western Union is recognizing that refugee communities can be emerging economies in their own right.

The Kakuma refugee camp in Kenya has 164,571 registered refugees and asylum-seekers, according to the UN Refugee Agency, and more than 500 merchants: produce markets, coffee and tea shops, bars; hardware and electronics shops, clothing stores, bike shops. Most refugee camps operate as largely cash-based economies — an expensive and inconvenient reality.

Now, Western Union and Mastercard are working on creating a digital infrastructure model for refugee camps, with Kenya as their test bed, focusing on mobile money, digital vouchers and cards that remove the intermediaries and losses associated with in-kind donations, bring funds directly to beneficiaries and give them some control over their financial health.

“Ninety plus percent of refugees will never be granted asylum,” said Maureen Sigliano, head of customer relationship management at Western Union. “A lot of these countries where the bulk of the world refugees are” — Jordan, Lebanon, Turkey — “are poor; hosting such large volumes of refugees puts a burden on those countries. If they have a little cash in their hand, they’re no longer a burden, they become a new customer segment.”

In most of the developed world, digital transactions generate data on customers that companies can use to evaluate their credit, create new services and bring new businesses and customers into the economy.

The idea is still in an exploratory phase, but the plan is to use Mastercard’s digital voucher program to provide chip cards to refugees and host community members. The cards would be loaded with points they can spend on everyday purchases and are designed to work on or offline so participating agencies, like the International Rescue Committee, for example, can monitor different programs.

They also want to incorporate more widespread use of Kenya’s advanced mobile payments — the shining example of how mobile infrastructure can bring underserved people onto the formal financial grid — inside the camps. M-Pesa, the mobile money transfer service launched in 2007 by telecoms giants Vodafone for Safaricom and Vodacom, is the largest mobile payments network in the world. It’s used by 90 percent of the country and Western Union already offers the option to send remittances directly into an M-Pesa wallet.

Other countries with large refugee populations don’t have the physical, financial or technological infrastructure to pursue a digital model, but assuming in a few years they could, Western Union is betting they’ll be able to apply what they learn in the Kenyan camps to others.

The problem with cash 
Refugees manage money in a number of different ways, according to Gregory Matthews, deputy director of economic programs for cash initiatives at the International Rescue Committee. Most rely on receiving aid in cash; some use prepaid debit cards, but it can be hard to find an ATM; and some use money transfer agents like Western Union, whose fees can be hefty depending on the transaction.

“High fees are definitely a problem from an operations and efficiency perspective, but they’re also a reality,” Matthews said. “In places where we work, nothing else is available — that’s why they have high fees.” It’s possible to shift those fees away from the person receiving the funds, he added, but the IRC itself still processes a lot of bulk payments and has to swallow those fees.

How refugees handle money depends in large part on the local banking infrastructure. With its high mobile penetration, Kenya becomes the perfect test bed. And as more countries show interest in that kind of development, “working with refugees is increasingly an onramp to getting people to use mobile wallets,” said Matthews.

“Nothing is all digital or all cash, it’s a mix,” Sigliano said. “The world is evolving such that it’ll increasingly become digital, but not as fast as we’d like, so we have to make sure all options are available.”

From default to design
Western Union is 166 years old and operates in more than 200 countries; it was serving refugees “before people were talking about refugees,” Sigliano said. But in September 2015 a photo of a drowned Syrian boy sent tremors around the world. She identifies this as the day Western Union changed.

“We saw that photograph and realized we actually need to be more focused on this reality; it can’t just be by default, it has to be by design,” she said. “How is it possible that a company like Western Union who serves the immigrants of the world wasn’t taking a strong position on refugees when we are uniquely positioned to do so? How can we ever expect customer loyalty if we’re not loyal to them at a time like this?”

That’s when the company decided to work harder on financial empowerment, instead of just financial access. Of the billions of dollars being moved each year between government agencies and NGOs to refugees, some 90 percent is for in-kind aid: food, clothes, books, tents. Just five to 10 percent is delivered in cash. And with procurement, transportation and distribution costs associated with it, it’s so expensive it’s a wonder no one has successfully tried to disrupt the system.

“On average the cost of delivering in kind aid is 50 percent,” Sigliano said. “You put a million dollars in and get $500,000 on the other end.”

It also creates a cycle of dependency. Refugees fall in line to receive cash in an envelope and so far the global perception of them is that they’re “poor, dependent, hopeless people,” she said.

“What they need most is financial empowerment, dignity and opportunity. So when a refugee gets even a tiny bit of money and can decide to spend, save or invest it, it gives them back dignity, choice and allows them to take a little control of their lives.”

How TD uses voice to bring a retail experience to digital banking

The more sophisticated online and mobile experiences become, the more difficult it is for people to prove their true identity — especially when it matters.

It’s a problem for both banks and their customers. Not only does it put a dent in the customer experience, it presents fraud and privacy risks for both parties. That’s why TD Bank is implementing voice recognition technology at its customer call center.

“One of the largest irritants our customers had was with authentication and having to answer all those questions we had to ask them in order to verify they were who they said they were,” said Robert Ghazal, TD’s head of U.S. contact centers.

The technology, branded as TD VoicePrint, reads about 150 different characteristics of a customer’s speaking patterns to create a “vocal fingerprint,” without recording the voice itself or storing any kind of voice biometric that can be stolen. After capturing the voice print, customers can phone in and TD will verify their identities by their voice prints instead of by answering security questions, and the customer service representative will prompt them to speak more if it doesn’t recognize them. The bank worked with agency TBWA/Chiat/Day to create an experiment to test the technology.

The identity problem gets more complex as customers choose to bank through multiple channels — at the branch, in their mobile apps, through their desktop computers or on a call — and banks try to make their presence more ubiquitous, positioning themselves wherever the customer is and whenever. Plus, customers have accounts with multiple financial services providers — they have deposits at more than one bank, they have PayPal and Venmo accounts, they share those credentials and data points with their various online shopping accounts — making the whole process more complex.

The modern banking experience is often characterized by mobile and online experiences, but by investing in voice tech, TD is saving customers’ time as well as translating its human-first store and retail experiences to all of those various channels, said Arianna Orpello, senior vp of brand, acquisition and digital marketing.

“The idea of being able to recognize people by the sound of their voice — what a great human moment,” she said. “If you think about the people in your life that recognize you by your voice they’re usually all people with whom you have a personal relationship… that’s the bar we hold ourselves to: we should be able to recognize you when you call us, just like when you walk into our store.”

TD’s mobile app has a secured in-app call feature that accounts for nine percent of the bank’s total call volume, Ghazal said.

Authentication had been a pain point for TD for a long time, Ghazal said. Its parameters around response acceptance are very tight. For example, if a TD customer calls and is asked to verify a recent transaction to confirm his or her identity, TD needs to know the exact date it occurred and the exact amount.

“It’s a very small margin,” he said. “Often we hear that people have to log into their online banking or mobile banking in order to answer their security questions.”

Of course, the alternative of loosening authentication is even worse; doing so would expose customers even more to potential fraud.

Last year, TD also invested in fingerprint authentication provider SecureKey, whose technology is at the center of a Canadian bank consortium effort to let customers self-identify in a digital world. Biometrics aren’t a perfect solution yet — should a cloud database of customer fingerprints be hacked, they’re not replaceable like passwords are — but they’re proving to be a good enough solution for now, and a step in the right direction, as customers largely favor speed and convenience over security and privacy.

“Security is a major concern for people,” Orpello said. “We’re trying to figure out how to protect but also enable the convenient experience… deliver it in a human way in your normal life. What better way than the equivalent of your fingerprint?”

How Western Union is digitizing a 166-year-old business

As young companies like TransferWise and WorldRemit move into the remittances arena, Western Union is working to maintain its dominant position.

As tech companies, these younger companies are often able to innovate faster because they aren’t subject to the intense regulatory scrutiny that slows down large institutions like Western Union — it’s one reason legacy and startup firms have begun various partnerships with each other. Western Union, for example, is running a pilot for cross-border settlements with Ripple and has partnerships with messaging platforms Viber and WeChat. (Incidentally, Ant Financial has bid $1.2 billion to acquire Western Union competitor MoneyGram.)

These partnerships should bring more value to customers, but Western Union also has compliance officers to please. So it’s also working on technology solutions internally to help strengthen security and reduce fraud, which pair data with biometric capabilities, a global identity system and “polymorphic” technologies that try to fake out automated attacks.

“We’ve built our foundation on big data technology,” said David Thompson, Western Union’s chief information officer. “We do a real time risk assessment of every transaction in real time… this allows us to take a lot of data elements where we make a decision on the transaction for risk.”

Western Union has built a global presence based on the ability to move money to and from almost anywhere in the physical world, but like most financial firms, how it handles customer data will have a big effect on its place in the digital world. There’s an overflow of customer information floating around the Internet and every trace of it is vulnerable to online attackers with the motivation to steal people’s identity and use it to commit financial fraud. It’s one reason digital identity has become such a hot topic in the financial world, where fraud is becoming more sophisticated along with the financial systems themselves.

“You might have many different personas but from a compliance perspective we have to view you as ‘who you truly are,’” Thompson said. “The compliance systems need to know you’re one, individual human.”

Western Union processes 30 transactions per second, to which it must apply hundreds of compliance and risk rules, using a concept it calls Galactic ID. At different points in time, users can register at different parts of the site as different personas — like students or small businesses. Western Union snaps that information together through the elements the customer provides, like her name, birthday, address and the serial number from the computer or phone on which she registered.

“If you change any type of data element we snap you back to your Galactic ID, and if we see you trying to use data elements to try to adjust your ID, the compliance officers can very quickly see [it],” Thompson said.

He wouldn’t comment on how Western Union might use customer data for a future use case. Right now, it’s focused on security and compliance.

Whereas some companies try to minimize the amount of data that’s transacted, Western Union is still collecting data and using polymorphic technologies to block hackers out of its system. The idea is that an attacker could program a bot to try to enter an application or financial transaction — it would tell the bot how many fields there are to complete and have a trove of stolen credentials to try to throw at it, to try to gain access to your application, or fund a transaction.

“When you have a bot attacking app or infrastructure, our app is constantly morphing itself so the bots can’t pick out certain fields, because 10 seconds later those fields appear in a different way,” Thompson said.

Western Union is also tying that concept in with biometric capabilities. Biometrics are becoming more widely used for authentication in the developed world — customers can unlock their phones, pay for purchases or log into apps by pressing their fingerprint against their phones. But in developing countries — like India, the Philippines and others in which Western Union operates — biometrics are being tied to national identity schemes, where governments register citizens’ fingerprints to their IDs.

“They’re opening up the system to financial services so if you walk into one of our retail locations you can put your thumb on an identity plate, it will bring up your ID and you can validate a transaction,” Thompson explained. “We’re trying to buy into that very quickly. It helps us keep folks out of our network that are blocked by that local government, that can be identified as a criminal that shouldn’t be pricing, or are on a sanctions list.”

WTF is digital identity?

Moving shopping and banking online means our transactions are more than making money: They’re about getting data.

“People are extremely aware of how digitized their lives have become and how little control over that. They want to know that if they’re providing this info they’re getting something for it and it’s not just for banks or large technology companies to use for their own purposes,” said Steven Ehrlich, lead analyst for emerging technologies at Spitzberg Partners.

That data says a lot about us — a lot more than a piece of plastic with a photo and address on it. There lies the digital identity dilemma: legally accepted drivers licenses and passports supposedly show that we are who we say we are in the physical world, but don’t do the same in the digital world. As the digital world evolves, that could get complicated. But right now banks, technology firms and governments are all looking at how to make it easier for people to prove they are who they say they are, effectively allowing customers to own their own identity. In this WTF, we dive deep into digital identity.

So, what’s a digital identity?
A guy walks into a bar and shows the bartender his ID. In doing so, he gives the bartender more information than he needs: his name, date of birth, address, height, weight, eye color, whether or not he’s an organ donor. But all the bartender needs to verify is this guy’s date of birth, because all he needs to know is if he’s of the age to be in a bar.

People do this online every day: when they want to log in somewhere or make a transaction they often give away more data than they may realize they want to, and to a company that doesn’t need all of that information.

“How the consumer behaves when online, what they share about themselves, where they’re located, how they interact with their device — all of those components are really what creates digital identity,” said Kim Sutherland, senior director of fraud and identity management strategy at LexisNexis Risk Solutions. “There are use cases where your digital identity never has been connected to the physical world and there are other times when your digital ID and physical ID do need to intersect.”

What’s the problem?
Everyone owns your identity, except you. According to the government, you are what your drivers license or identification card says you are. Amazon, Facebook and Google identify you by the places you check into and map, what you purchase and where you have it delivered. But the airline operating your flight home won’t believe you’re you if you give them the email tied to all that data. And Amazon doesn’t ask for your drivers license when you want to buy something; you enter a password.

Where do banks come into this?
Banks are well positioned to provide identity verification services because of the amount of data they hold and the level of trust consumers and corporations have in them as authoritative institutions. Even when confidence is low.

“Banks really think about their role as custodians of personal data and the identities of their customers,” said Ehrlich. “They recognize it’s becoming more important to have access to this information so they can optimize services but do it in a way that is transparent, secure and equitable so people continue to use the services and provide them with even more data.”

Now banks need to look at what data is necessary for them to conduct their operations and how they can best use the information to optimize their services in a way that makes their clients feel they really are equal partners.

What’s the solution?
The holy grail of digital identity is that people only provide the minimum data necessary for their purpose. There isn’t a credible plan to make it happen across the world and across industries. But everyone involved is working on it.

“In order to get to that situation we need to find a way for people to be in charge of their own information so they don’t necessarily have to trust a bank or Google or Facebook,” Ehrlich said.

Biometric authentication efforts are the most visible examples.

IBM is working with security company SecureKey and several major Canadian banks on an app that would push notifications to people when utility providers need access to their information. For example, when signing up for a new phone line, the customer would receive a notification saying the wireless provider needs to verify his or her name, address, date of birth and social security number, and that it will access that information through the customer’s bank. The customer approves, by authenticating biometrically on the phone, and the bank transfers that data to allow the customer to open the account.

“People will feel much more secure if they know they can control their information and permission it out only if they want to,” Ehrlich said.

He added that there’s a design element to the solutions as well. Organizations working on solutions worry that everyday people won’t have the tech savvy to work with encryption, but that can be solved by creating a user interface customers want to try and use.

How long will this take?
As they say in the Valley, it will change the world in our lifetime. Future generations will be taking this for granted.