Fraud Looms
By Clint Swift and Karen Epper Hoffman
Crooks sniff opportunity and strike first via
identity theft, phishing and ACH fraud. What trouble does Check 21 invite?
Fraudsters are an inevitable part of the payments ecosystem
and over the last 20 years, financial services organizations have developed
a proficiency for tracking fraud. In the last several months, however,
new and different manifestations of fraud are showing up on the radar.
As payments make the transition from paper to electronic,
fraud, too, is migrating and morphing. Identity theft, account takeover
and ACH fraud are among the newest concerns as banks fighting fraud today
do battle with adversaries as common as pickpockets and counterfeiters
and as deadly as drug lords and terrorists. To complicate matters further,
the industry is bracing for an onset of additional frauds related to
substitute check issues emanating from this fall's implementation of
the Check Processing for the 21st Century Act, or Check 21.
The irony: Reduction in check fraud is one of the
expected benefits of moving to electronic payments. Banks expect to reduce
those losses by being able to confirm signature images and confirm funds
availability more quickly, as well as trim the amount of time an organized
criminal ring would have to flood the system with bad checks or attack
good accounts. But far from the banks having the advantage of time, fraudsters
have been the first to strike, exploiting new vulnerabilities.
This is Part 1 of a two-part Banking
Strategies report on fraud. Our coverage includes highlights
of recent industry conferences, including BAI's TransPay 2004 and NACHA's
Payments 2004, as well as BAI's Check 21 Readiness Forum Webinars,
to present the gravity and magnitude of the state-of-the-art of fraud.
Our September/October issue will feature the industry's state-of-the-art
responses. These issues also will be addressed at BAI's Combatting
Identity Theft & Payment Fraud Conference November 8-10.
Open Window
In her position as co-chairman of the BITS Fraud Reduction
Steering Committee, Wachovia Corp. senior vice president Shirley Inscoe
has a broad and deep perspective. "Fraudsters are very creative," Inscoe
says. "When we close a door, they open a window."
As an example, Inscoe cites an updated manifestation
of the old scam of altering check amounts. Formerly, a fraudster might
receive a check for $12 and physically alter the amount to $120. Today,
as a measure of their ability to acclimate to the new environment, fraudulent
telemarketers will sell an item over the phone for $19.99 and then process
an ACH debit for $199.99.
Perhaps it's no surprise that the five top emerging
fraud threats Inscoe cites — identity theft, debit cards, Internet
commerce, organized fraud rings and check electronification — target
development areas for banks where they are likely to be most vulnerable.
Lisa Wilhelm, a managing partner at Global Payments Experts LLC, a Corte
Madera, Calif.-based banking consultancy, notes that many crooks have
already figured out that electronic transfer transactions happen more
quickly, and "that really pushes the majority of fraud detection to real-time."
Fraud has become much more complex because of the
widespread use of open networks, such as the Internet, to conduct financial
transactions, adds Steve Mott, principal of BetterBuyDesign, a Stamford,
Conn.-based consultancy. "The Internet provides a generally risk-free
environment to test compromised information rapidly, cheaply and typically
anonymously, enabling thieves to be much more efficient in culling through
stolen account numbers to see which ones work," Mott says.
What's more, opportunistic fraudsters are believed
to be positioning to take advantage of Check 21. "As with any new technology
or law, criminals will look for the soft underbelly to find and exploit
weaknesses to defraud financial institutions, retailers and account holders," said
Glen Sgambati, senior vice president, Primary Payments Systems (PPS),
at a recent BAI Check 21 Readiness Forum Webinar.
While the majority of fraud incidents are perpetrated
by professional criminals, even dishonest customers may seek to take
advantage, particularly if they're aware of the rise in identity theft
or the industry's gradual transition to paperless systems. "Because they
can take advantage of the confusion, consumers who want to dispute a
transaction will be more likely to get away with it. Just as fraudsters
take advantage of chaos in the marketplace, consumers might also," Sgambati
said.
Identity Theft
Identity theft, according to Avivah Litan, vice president
and research director for payments and security at Gartner Group, is
up 80% since last year, when seven million U.S. adults were victimized.
Identity theft, of course, is nothing new. In its
classic, low-tech mode, a thief steals a person's wallet or purse and
makes use of the credit card and other personal identification. The new
aspect is that identity theft can now occur online, when a fraudster
penetrates a customer's home computer, or it can spread in online venues,
even when it originates in the physical world.
Litan says identity theft can lead to three major
types of fraud:
- New account fraud, which involves the criminal
using a false identity, made-up or stolen, to open a new account, typically
to obtain a credit card or loan. The consumer is the main victim. Banks
write off the money as a credit loss. When a bill isn't paid, the bank,
lender or often a cell phone provider has no reason to suspect identity
theft.
Sixty percent to 80% of new-account fraud loss is classified as credit card
loss, according to Litan. If a stolen identity is used in new account fraud
and the victim is unaware of the theft, the loss typically will be written
off after 180 days as credit loss. If a synthetic identity is used, or if
a real person falsely claims identity theft, the loss also is likely to be
classified as credit loss. Only if a real person becomes aware of the theft
and reports it before the loss is categorized as credit loss is the theft
likely to be classified as fraud loss.
- Payment fraud, through which fraudsters use stolen
information to pay for goods or services. Often involving check or
credit-card forgery, this type of fraud is prevalent online and merchants
are the main victims. They assume the loss when consumers prove they
didn't make the purchase. Banks are liable for checking account fraud
loss.
- Account takeover fraud, which results in diverting
cash to an imposter. Using merchant or consumer accounts, thieves enrich
themselves through a bill payment or funds transfer from a consumer
checking account, made either online or via an ATM. This category has
grown the most during the last six months, according to Litan.
Some of these ATM attacks are hardware-based. A false
card slot is attached to the original card slot, and a digital reader
within copies the card information. To the side of the screen, a brochure
box may be attached. A glass-covered hole hides a tiny camera that films
the keystrokes as a consumer or merchant types in a password. Other times,
a membrane may be placed over a keypad to log PIN keystrokes.
Litan described the following troubling trends in
identity theft:
- Hackers are becoming more sophisticated, leading
to more account takeovers;
- As electronic consumer databases proliferate, information
on thousands of individuals at a time can be stolen;
- Attacks are moving to smaller banks and lenders
("Identity theft is going downstream to the community bank in Arkansas,
not Bank of America, which has too many screens up.");
- Thieves are opening small business accounts because
the screening often is less effective than what's required for consumer
accounts;
- Drug lords are discovering that identity theft
can be more lucrative and less risky.
Phishing
A recent Gartner study of 5,000 online adults, extrapolated
to 140 million online adults, showed that 57 million "think or are sure" they
have been involved in a phishing attack.
Three percent of this group (which extrapolates to
1.7 million) said they clicked through and recalled giving information,
possibly a user ID and password, to a phishing site. Later, more than
half suffered new account, checking account or account takeover fraud,
according to Litan. Assuming the fraudsters used data revealed during
the phishing attacks, phishing victims are three times more likely to
suffer fraud than the average online consumer, she concludes.
Gartner's research suggests how widespread the problem is,
and banks, individually and in groups, are appropriately focusing
on it. In June, for instance, the Financial Services Technology Consortium
announced the launch of an initiative to focus on counter-phishing measures.
But the key vulnerability is the consumer, according to Jerry Brady,
chief security officer of managed security services at Mountain View,
Calif.-based VeriSign Inc.
He says successful phishers — those who attack
code in e-mail or lure customers to a Web site and attack their workstations — know
that outside the corporate environment, there's only a one-in-three chance
that PC users have appropriately patched their workstation software.
Consumers need to validate the source and destination
of electronic communications, Brady says. While solutions exist in devices
such as authentication certificates and secure sockets layer channels,
they would be more effective if banks followed consistent communication
guidelines. Over time, according to Brady, financial services companies
need to teach customers what a genuine company e-mail or Web site looks
like.
"The direct defenses we use for our corporate networks
don't scale out to consumers, and communication strategies are a little
too loose," Brady says.
Forcing these rogue Web sites out of action is more
difficult than it may seem. Sites usually go up in parts of the world
that lack the legal infrastructure to help find the owner or take down
a site. There's also no good way to quickly authenticate a security or
financial services firm that is trying to force a site off the Web. "Good
luck getting a Russian or Antiguan Internet service provider to shut
off bandwidth to a server in a cage somewhere, if they can even find
it," Brady says.
Neither is Litan optimistic about addressing the source
of the crime. Noting that law enforcement is not well equipped to deal
with cyber crime and cross-state (and international) jurisdictional issues,
she estimates that thieves face only a one in 700 chance of getting caught.
ACH Fraud
Electronic check payments, which include debits initiated
online and by phone and checks converted from paper as remittances or
at the point of purchase, are increasingly popular. E-checks are transactions
that convert the MICR line of the check to an electronic ACH transaction.
They can be accomplished through the point of sale (POS/RCK), the virtual
point of sale (WEB), the mail (ARC) or the telephone (TEL).
Currently one in three ACH debit transactions are
e-checks, and WEB and TEL transactions are growing more than 300% annually,
according to PPS. Convenience has made them the most popular e-check
application for consumers. E-check payments appeal to banks for the savings
they represent, given that it's nearly five times more expensive to process
a check through the Fed (5.1 cents in 2003) than it is to process an
ACH payment (1.1 cents). However, according to PPS, the origination volume
is associated with more than 23 million returned items, 700,000 of which
were not authorized by the account holder.
As a form of payment, e-checks have the potential
for large-scale, systemic fraud. "The biggest opportunity for fraud with
e-checks is that just about anybody with a computer and modem can originate
a file," says J.P. McClernon, first vice president for consumer to business
product management for Bank One Corp., Chicago.
Indeed, receiving financial institutions are experiencing
a rise in losses associated with new account funding via the Internet,
bank-to-bank transfers (debiting a corporate account), bill payments
and online DDA direct purchases. Based on current volumes and return
rates coupled with projected growth, PPS estimates that the banking industry
will process more than $10 billion in returns in WEB and TEL annually during
the next several years.
E-checks shift the responsibility for guaranteeing
the payment from the consumer's bank to the originating institution.
For example, with traditional checks, "a paying institution is responsible
for verifying the accuracy of the signature, must operate under strict
return timeframes, and has somewhat limited rights to return an item," McClernon
says. However, with a corresponding ACH transaction, the paying bank
is protected against an unauthorized transaction under Regulation E,
and if a consumer signs a statement declaring an item was fraudulent,
that paying bank can return an item to the ODFI up to 60 days later.
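Because the originating side carries that return risk, an ODFI can track unauthorized returns and still-returnable debits per originator and entry type. The sketch below is an added example, not from the article or from any bank's system: the originator names, sample entries and the review threshold are constructed, and the 60-day window is counted from the settlement date as a simplifying assumption.

```python
from collections import defaultdict
from datetime import date, timedelta

# NACHA return reason codes that mean the account holder disputes authorization.
UNAUTHORIZED = {"R05", "R07", "R10"}
RETURN_WINDOW = timedelta(days=60)   # return window cited in the article
RATE_LIMIT = 0.005                   # assumed review threshold, not from the article

# Constructed sample debits: (trace, originator, SEC code, settle date, cents)
DEBITS = [
    ("T0", "CITY-UTILITY", "WEB", date(2004, 4, 1), 8450),
    ("T1", "ACME-TELESALES", "TEL", date(2004, 5, 3), 19999),
    ("T2", "ACME-TELESALES", "TEL", date(2004, 6, 20), 19999),
    ("T3", "ACME-TELESALES", "TEL", date(2004, 7, 1), 4999),
    ("T4", "CITY-UTILITY", "WEB", date(2004, 6, 25), 8450),
    ("T5", "CITY-UTILITY", "WEB", date(2004, 7, 2), 9120),
    ("T6", "CITY-UTILITY", "ARC", date(2004, 7, 2), 9120),
]
# Constructed returns: (trace of the original debit, reason code, return date)
RETURNS = [
    ("T1", "R10", date(2004, 6, 15)),   # customer advises not authorized
    ("T2", "R07", date(2004, 6, 28)),   # authorization revoked
    ("T4", "R01", date(2004, 6, 28)),   # insufficient funds, not a fraud signal
]

def monitor(debits, returns, today):
    """Per (originator, SEC code): unauthorized-return rate and open exposure."""
    returned = {trace: code for trace, code, _ in returns}
    stats = defaultdict(lambda: {"debits": 0, "unauth": 0, "exposure": 0})
    for trace, orig, sec, settled, cents in debits:
        s = stats[(orig, sec)]
        s["debits"] += 1
        if returned.get(trace) in UNAUTHORIZED:
            s["unauth"] += 1
        elif trace not in returned and today - settled <= RETURN_WINDOW:
            s["exposure"] += cents      # may still come back as unauthorized
    for s in stats.values():
        s["rate"] = s["unauth"] / s["debits"]
        s["flag"] = s["rate"] > RATE_LIMIT
    return dict(stats)

if __name__ == "__main__":
    for key, s in sorted(monitor(DEBITS, RETURNS, date(2004, 7, 10)).items()):
        print(key, f"rate={s['rate']:.1%}", f"open=${s['exposure'] / 100:.2f}", s["flag"])
```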
Clearly, there's a race online between the bank and
the authentication of a fraudster accessing an account. The best way
to head off a fraudster from using a synthetic identity to defraud, according
to Wilhelm, is to have controls in place at the new account stage.
Check 21 Fraud
The specter of substitute check fraud is a frequent
topic throughout the industry and in BAI's Check 21 Readiness Forum Webinars
as well. Certain anticipated Check 21 frauds can be minimized with proper
employee training, as was discussed in a June Webinar that focused on
the scenario of a nondepositor presenting an Image Replacement Document
(IRD) to a teller. "An IRD presented for cash, especially by a non-depositor,
is potentially a fraudulent document," said Michael Harris, consultant,
Executive Project Support. "Even the acceptance of a forward original
IRD for deposit should occur only in closely managed environments."
Other fraud attempts are less easily addressed. Conversion
of an item to a substitute check results in the loss of security features
such as special paper, void pantographs and heat sensors typically found
on payroll checks. With months to go until the implementation date, some
banks are researching alternatives such as image-survivable security
features that can be read through sorters. And, too, there are concerns
about the authenticity of IRDs being printed by non-bank entities — and
the risk incurred by the bank that accepts them and in so doing becomes
the re-converting bank.
These issues notwithstanding, the consensus of the
industry is that fraud losses will decrease as paper gets worked out
of the payments system and ever-improving encryption technology strives
to make electronic payments impenetrable. At the same time, several financial
institutions are rethinking their fraud-fighting efforts in an attempt
to build enterprise-wide, industry-wide and cross-industry defenses.
These will be the focus of Part 2 of Banking
Strategies' look at fraud, in the September/October issue.
Mr. Swift is a freelance writer and information
technology consultant based in San Antonio, Tex. Ms. Hoffman is a freelance
writer based in Poulsbo, Wash.
Copyright © 2004 by Banking Strategies,
published by BAI.