When the Kansas City blues shouter Big Joe Turner first performed the immortal “Shake Rattle and Roll” in 1954, there was no way he could know the future hit might as well fit the mood of banks fighting payments perfidy.
In essence, one lyric sums up the predicament the financial industry faces due to payments fraud: “The harder I work, the faster my money goes.”
Indeed, banks are working it very hard when it comes to picking up the pace of payments. But speed can cut both ways and the faster payments fly, the faster fraud swoops in, says Kimberly Sutherland, vice president, fraud & identity at LexisNexis Risk Solutions.
“Just as payments are evolving at a rapid pace with new providers and payment methods, so is their unpleasant companion: payments fraud,” Sutherland says. “Payments fraud is multi-faceted. Most concerns center on who’s transacting and how. Payments fraud is a subset of identity fraud, impacting both consumers and businesses, and occurs when a fraudster has stolen someone’s credit or debit card number or financial account data.”
Then, of course, comes the rip-off’s payoff: “They use that payment information to make an unauthorized purchase,” Sutherland says.
Speed versus security, friction versus fraud
Lexus Nexus Risk Solutions’ Threat Metrix report shows how 2019 turned into a banner year of booming payments opportunities, and the operational challenges that followed from mobile and online payment fraud. To be certain, banking industry leaders are paying attention.
A 2019 survey from TD Bank notes that the risk of payments fraud marks the number one concern for 44 percent of financial industry professionals this year. That’s a 14 percent jump in just 12 months. Not surprisingly, processing faster payments ranks as the second-biggest concern, named by 37 percent of survey participants. Countries that have already implemented faster payments—in Europe, for example—can definitely recognize this financial rock and a hard place.
For the U.S. financial industry, tackling the problem means weighing speed versus security, friction versus fraud.
“These competing forces will continue their never-ending battle this year,” the report states, “challenged for primacy only by that other force of nature: consumer expectations and customer convenience versus fraudster opportunity.”
Crooks just want to have funds
One thing is certain. The fraudsters are making bank on the banks. According to Juniper Research, online and mobile payment fraud is fueled by identity and payment information stolen through the ongoing epidemic in data breaches. The firm estimates online payment fraud losses will top $22 billion this year—and could climb as high as $48 billion by 2023.
Financial institutions see the problem from several angles, says Paul Caulfield, executive vice president and chief risk officer of IDB Bank, based in New York City. Smart banks must first surmise where they face the most direct risk.
“A bank maintains certain credentials when effecting transactions for customers or moving its own money bank to bank,” Caulfield says. “Controls over those credentials, ‘keys to the kingdom’ if you will, require strong controls. Who has authority? Who has access? Who monitors the proper use and storage?”
Caufield notes that while banks have upped their game in terms of self-awareness and stronger controls, “Downstream, clients are now being targeted directly. We’d like banks and the industry in general to do as much as possible to educate the consumer as to their own access controls and fraud awareness.”
The financial industry finds itself in a race to keep up with customer expectations while maintaining security, adds John Watkins, an industry consultant for SAS Institute. A former banking executive, he now partners with financial services companies to prevent losses, reduce compliance risk and minimize customer impact.
“Authentication is a paramount issue,” Watkins contends. “The industry is embracing digital and more mobile channels to keep up with customers’ expectations for ease and convenience—and rightly so. But how do financial services organizations determine the person interacting or transacting online is who they say they are? The industry has seen an uptick in card-not-present fraud and account takeover.”
And so, the tightrope walk: “creating a seamless, frictionless experience for your good customers while simultaneously detecting and thwarting the bad guys.”
Identity crisis: When real criminals create fake people
The rise in fraud applications is another big concern, Watkins says. “Data breaches, seemingly non-stop, have led to the commoditization of identity and also given rise to manipulated or manufactured identities, what we commonly call synthetic identities.” (Note: This BAI Banking Strategies podcast offers an excellent primer on synthetic fraud.)
As a result, keeping up with the fraudsters is a challenge, says Jordan Blake, vice president of products at BehavioSec, which provides online security solutions to the financial services industry.
“The common denominator behind a lot of large-scale fraud threats targeting financial institutions and their customers is internet-scale theft and abuse of digital identities and login credentials,” Blake points out.
In “new account fraud” schemes, for example, “A fraudster creates a persona and opens accounts solely for the purpose of committing fraud or laundering stolen funds,” Blake explains. ”Because most new accounts are set up by benign users, it can be hard to identify the subset of accounts created for criminal purposes.”
Another problem involves massive trafficking in passwords.
“Password reuse among consumers is a serious problem, meaning it is trivial for cybercriminals to discover or purchase vast caches of login credentials in the underground,” Blake says. Then they “methodically run them against multiple financial sites until they find a match and can exploit for emptying someone’s account.”
Attackers, he cautions, “will try to brute-force their way in with ‘credential-stuffing’ attacks, try to find another point of infiltration—like testing whether a bank’s mobile app has lower security thresholds—or use stolen passwords to con their way past a call center employee.”
With banks shaken, rattled and rolled by payment fraudsters, Watkins suggests financial industry leaders sing from the same sheet music. “The best approach is a layered approach: ‘belt and suspenders,’” he says.
Five ways to take on, take out payments fraud
Watkins and other industry experts suggest these five steps to stay ahead of the crooks:
1)Proper authentication: Preventing fraud starts at the front door. Keeping the bad guy off the books or out of the accounts is critical. Banks should leverage device information and device biometrics, comparing it to public record information such as the address, phone information and email history. To that end, consortium data is invaluable for helping stop fraud at the front door.
2) Strong analytical capability: Payments is a data-rich environment. Financial services organizations must invest in data science talent combined with domain expertise. You need a data geek who can think like a crook.
3)Robust tools: Tools mush be flexible and agile. “Many times I’ve watched the fraud meter run while waiting for an IT team to get rules installed. With the right technology, what used to be a batch, overnight process can be brought down to hours,” Watkins says.
4)Real-time predictability: Bank’s models need to run in milliseconds and have the ability to consume not only the transaction data but also customer behavior and other third part signals. (Again, that consortium data is critical.)
5)Customer focus: Banks need robust customer experience strategies. When a transaction must be declined or funds held to prevent fraud, every effort must be taken to inform the customer and prevent dissatisfaction. Says Watkins: “I used to say: ‘If I decline a customer, I want their phone buzzing before they’re able to reach their wallet.’”
As for what to say when the crooks get nailed, let’s leave the last word with the shakin’, rattlin’ Big Joe Turner himself: “I believe you’re doing me wrong and now I know.”
Howard Altmanoversees coverage of issues affecting troops and their families as managing editor of Military Times. He has won more than 50 journalism awards and his work has appeared in the New York Times, Daily Beast, Philadelphia magazine, the Philadelphia Inquirer, New York Observer, Newsday and the Tampa Bay Times.
The Community Reinvestment Act (CRA) was designed to encourage commercial banks and savings associations to help meet the needs of borrowers in all segments of their communities, including low- and moderate-income neighborhoods. Recently, a final rule was announced that updates...