The FFIEC Guidance Supplement issued in June 2011 put anomaly detection in the spotlight and generated significant interest in technology solutions that will enable financial institutions to conform to this new requirement. It also created some confusion about just what anomaly detection is. This article provides a brief primer that answers two frequently asked questions:
- What is anomaly detection?
- How does it work to stop the online banking fraud attacks that other solutions miss?
Today’s fraudsters are professional criminal gangs who are continually developing innovative ways to defeat financial institutions’ defenses. Internal researchers at Guardian Analytics are constantly evaluating attacks across more than 100 financial institutions and regularly releasing their findings. Some recent examples include:
- Automated Transfer Systems (ATS) malware that automatically initiates or modifies transfers during a victim’s online banking session, effectively eliminating the need for human involvement to execute fraudulent transactions;
- Fraudsters targeting online banking platforms instead of individual accounts, which enables them to attack multiple institutions simultaneously and expand attacks to include smaller banks and credit unions;
- Fraud attacks that wire funds to high-end jewelry stores, eliminating the need for mule accounts to receive the funds, paired with Distributed Denial of Service attacks that act as a smoke screen.
These examples highlight the innovation and sophistication of attacks that encouraged the FFIEC to act. The Guidance Supplement asserts that “anomaly detection and response could have prevented many of the frauds” that the FFIEC studied in preparing the Supplement. So, what is anomaly detection and how does it work to stop these and other types of fraud attacks?
Anomaly detection is a technique that compares current behavior with established patterns of legitimate behavior and looks for anomalies. There are options for how to implement it, such as comparing behavior to generalized population-level behavior or comparing online activities to rules that dictate what “normal” behavior should look like. But the most effective form of anomaly detection uses “behavioral analytics” to look at the individual behavior of every account holder and compare every online session by that account holder to their previously established normal usage patterns.
Each account holder has a unique online banking fingerprint or DNA. Anomaly detection creates a behavior profile of every user and then uses it to decide if behavior during this session is normal for this user. Fraud is not a singular event, but typically takes place over a period of time and a number of online sessions. Anomaly detection looks at all facets of online banking to build a cumulative risk score across all online sessions over time to determine when fraud is likely taking place.
A few of the factors that behavior-based anomaly detection solutions monitor to formulate a risk score are login (challenge questions, device, time of day and network), non-transaction online activities (view balance or history, update email or address, add new user and change approval limits), and transactions (type, amount, frequency and payee). Instead of monitoring just one aspect of online activity, such as looking for authorized devices or anomalous transactions, behavior-based anomaly detection solutions look at all of the above factors and more, from login to logout, to develop a cumulative risk score. For example, some fraud attacks have been detected before a transaction was even attempted, based on fraud set-up activities that came from a different machine or browser, at an unusual time of day or from a new location, and that included activities such as adding a new user and increasing approval limits that this user had never performed before.
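The per-user, cumulative scoring described above can be sketched as follows. This is an added example, not code from Guardian Analytics or the FFIEC; the weights, decay factor, alert threshold, field names and sample sessions are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
# Weights, decay and threshold are assumed values chosen for illustration.
WEIGHTS = {"device": 2.0, "network": 1.5, "daypart": 1.0,
           "activity": 2.5, "payee": 2.0, "amount": 2.0}
DECAY, ALERT_AT, WARMUP = 0.7, 6.0, 3

class Profile:  # behavior history for one account holder (hypothetical structure)
    def __init__(self):
        self.seen = defaultdict(Counter)  # factor -> value -> sessions seen in
        self.max_amount, self.sessions, self.risk = 0.0, 0, 0.0

    def _events(self, s):
        # Flatten one session, login to logout, into (factor, value) pairs.
        yield "device", s["device"]
        yield "network", s["network"]
        yield "daypart", s["hour"] // 6   # four six-hour buckets
        for activity in set(s.get("activities", [])):
            yield "activity", activity
        for payee, _ in s.get("transfers", []):
            yield "payee", payee

    def _rarity(self, factor, value):  # 1.0 = never seen for this user, 0.0 = always
        return 1.0 - self.seen[factor][value] / self.sessions

    def observe(self, s):
        """Score a session against this user's baseline; return (risk, alert)."""
        amounts = [amt for _, amt in s.get("transfers", [])]
        pts = 0.0
        if self.sessions >= WARMUP:       # no scoring until a baseline exists
            pts = sum(WEIGHTS[f] * self._rarity(f, v) for f, v in self._events(s))
            pts += WEIGHTS["amount"] * sum(a > 2 * self.max_amount for a in amounts)
        self.risk = self.risk * DECAY + pts   # cumulative across sessions
        alert = self.risk >= ALERT_AT
        if not alert:                     # flagged sessions never join the baseline
            for f, v in set(self._events(s)):
                self.seen[f][v] += 1
            self.max_amount = max([self.max_amount] + amounts)
            self.sessions += 1
        return round(self.risk, 2), alert

# Constructed sample sessions: habitual use, then set-up activity with no transfer.
NORMAL = {"device": "laptop-A", "network": "home-isp", "hour": 9,
          "activities": ["view_balance"], "transfers": [("utility-co", 120.0)]}
SETUP = {"device": "desktop-X", "network": "isp-unknown", "hour": 3,
         "activities": ["add_user", "raise_approval_limit"]}

def replay(sessions):
    profile = Profile()
    return [profile.observe(s) for s in sessions]
```

Calling `replay([NORMAL] * 4 + [SETUP])` flags the fifth session although it contains no transfer, because the device, network, time of day and both activities are all new for this user.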
The FFIEC included anomaly detection in the Guidance Supplement because it has been proven to work against sophisticated online and mobile banking fraud schemes and it can be a very effective element of any financial institution’s layered security strategy.
Ms. Riley is a vice president of marketing for Mountain View, Calif.-based Guardian Analytics. She can be reached at triley@GuardianAnalytics.com.