When was the last time you read a news article about an 'old school' brick and mortar bank robbery? Or perhaps even seen a new Hollywood movie about a gang of bank robbers? I suspect the answer is...you haven't.
Online banking has facilitated a revolution in how we do our banking, with mobile pushing it even further in recent times. It has also been a game changer for organised crime. Online banking has removed the physical risk of stealing funds, whilst increasing both the potential yield and attack surface. Brilliant.
However, in my opinion, two influential market factors have reduced the potential scale of online banking fraud losses:
- Delayed clearing of payments
- Where to send the stolen funds (i.e. 'mule' accounts)
Delayed Clearing of Payments
End-of-day payment processing and intraday payment batch files provide a window for banking fraud management teams to identify and stop fraudulent payments. As discussed previously, this delay provides a recovery window to reduce any net fraud losses.
Although many global markets have moved to real-time clearing of digital banking payments, Australia is not quite there (yet). The New Payments Platform (NPP), due for rollout in 2017, will change all of that. NPP is poised to be an excellent initiative for Australian consumers, but it has the potential to facilitate a spike in online banking fraud.
Where to Send the Stolen Funds (Mule Accounts)
One of the largest limiting factors in how much an organization loses due to online banking fraud is a bottleneck of mule accounts. Compromised online banking accounts may not be converted to cash without somewhere to send stolen funds.
Mule accounts often manifest themselves in the form of prepaid cards, debit cards and other quasi-financial (e.g. gambling) instruments, which are relatively easy to obtain. Recruitment of a large, reliable and operational network of mule accounts is a constant challenge for attackers.
As well as introducing real-time payment clearing, NPP is introducing a concept called 'aliases'. Aliases will remove the need to memorise bank account numbers and will allow consumers and businesses to pay each other with mobile numbers, emails or ABNs.
Given the low barrier to entry for an attacker to create a new mobile number, email address or ABN, the reliance will be on the enrolling NPP entity (e.g. bank) to perform customer due diligence during on-boarding. However, the reality is that even with strong 'Know Your Customer' (KYC) processes, plenty of new mule accounts will still get through.
Strategies to Reduce the Impact of Fraud
The desired outcome of any digital banking fraud management strategy is simple: prevent as much fraud as possible without negatively impacting the customer experience. My personal opinion is that a four-pillar strategy is required to achieve this goal:
- Strong Authentication (used sparingly)
- Behaviour Analytics. Understand your customers and identify outliers
- Understand the endpoint
- Threat Intelligence. Know your enemy
For a baseline validation of your organisation's readiness for real-time online banking payments, here is a simple checklist:
- Are your two-factor authentication controls used only when really necessary? Mandatory two-factor authentication for all payments negatively impacts the customer experience and may result in dilution of control effectiveness. Two-factor authentication should be used sparingly, for higher risk events.
- Can you easily enable new authentication form factors? For example, once implemented, SMS-based two-factor authentication cannot evolve into a different and/or improved customer experience. It also cannot be updated to mitigate any emerging threat vectors such as phone porting. Given the large-scale customer impact, fundamentally changing authentication is a costly and time-consuming exercise. In contrast, a software-based two-factor solution may be incrementally improved with each new app release to include options such as biometric authentication.
- Payee 'white-lists'. Typically, ~90% of payments are to people we've paid before. White-lists are an easy way to reduce the haystack in which to find fraud.
- Payment segmentation into 'Allow' (~95%) and 'Delay' (<5%). This segmentation will provide your fraud team a window to identify and stop fraudulent transactions prior to release. As 'Delay' transactions will still be processed after a short delay (e.g. 1-2 hours), the impact to legitimate customers is negligible.
- Session intelligence. Can you quickly understand every action that a specific customer (or attacker) has performed during a digital banking session? Does it involve asking IT to manually pull a log file, or can your teams source the information immediately?
- Do you have a memory of all the devices a customer has used in the past minute, hour, day, week, month and year? If yes, can you use this information directly in your fraud and risk strategies?
- Can you use specific device elements in your fraud detection and authentication strategies? For example, you may wish to step-up authenticate everyone using an older version of Windows, but treat customers with the latest version of iOS as lower risk.
- Do you have a defined mechanism and operating rhythm for obtaining both strategic and actionable intelligence? Understanding potential threats can help an organisation mitigate the risk beforehand, or alternatively manage the incident once the threat materializes (a recent example). Threat intelligence may be obtained from many locations, including open source, commercial products and industry forums.
- Do you have a process to not only gather, but also interpret and take action on threat intelligence? Often, threat intelligence is treated as a 'gather as much information as possible' exercise, but this is a misuse of resources if we don't take the time to understand the signal in the noise, and ultimately convert this learning into an action plan.
The above list is a small sample of factors to consider when evaluating the readiness of a business for a move to real-time online banking payments. It will provide a 'heat check' as to how ready you are and also a starting point of questions to ask.
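As an added illustration (not code from the original post), here is one way the payee white-list, device memory, device elements and 'Allow'/'Delay' segmentation from the checklist could combine into a single payment decision, with step-up authentication reserved for the higher risk cases. The thresholds, OS labels, field names and sample data are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

STEP_UP_AMOUNT = 5000.0                       # assumed high-value threshold
DEVICE_MEMORY = timedelta(days=365)           # assumed device memory window
HIGHER_RISK_OS = {"Windows XP", "Windows 7"}  # assumed 'older Windows' labels

@dataclass
class Customer:
    payee_whitelist: set = field(default_factory=set)   # payees paid before
    devices_seen: dict = field(default_factory=dict)    # device_id -> last seen

@dataclass
class Payment:
    payee: str
    amount: float
    device_id: str
    device_os: str
    when: datetime

def decide(customer: Customer, p: Payment) -> str:
    """Return ALLOW, STEP_UP (two-factor challenge) or DELAY (hold for review)."""
    known_payee = p.payee in customer.payee_whitelist
    last_seen = customer.devices_seen.get(p.device_id)
    known_device = last_seen is not None and p.when - last_seen <= DEVICE_MEMORY
    if not known_payee and not known_device:
        return "DELAY"      # new payee from an unseen device: hold before release
    if p.device_os in HIGHER_RISK_OS:
        return "STEP_UP"    # a device element raises the risk
    if not known_payee and p.amount >= STEP_UP_AMOUNT:
        return "STEP_UP"    # first payment to this payee and high value
    return "ALLOW"          # the bulk of payments: no added friction

def record_success(customer: Customer, p: Payment) -> None:
    customer.payee_whitelist.add(p.payee)        # payee is now 'paid before'
    customer.devices_seen[p.device_id] = p.when  # refresh device memory

# Constructed sample data: one customer and five payments
NOW = datetime(2016, 6, 1, 12, 0)
ALICE = Customer({"landlord"}, {"phone-1": NOW - timedelta(days=3),
                                "old-pc": NOW - timedelta(days=500)})
SAMPLES = [
    Payment("landlord", 1800.0, "phone-1", "iOS 9", NOW),
    Payment("new-shop", 60.0, "phone-1", "iOS 9", NOW),
    Payment("new-shop", 9000.0, "phone-1", "iOS 9", NOW),
    Payment("landlord", 1800.0, "pc-2", "Windows XP", NOW),
    Payment("unknown-acct", 4000.0, "old-pc", "Windows 10", NOW),
]
print([decide(ALICE, s) for s in SAMPLES])
```

Only the last sample lands in 'Delay': the payee has never been paid and the device fell out of the memory window, so it is the one payment a fraud team would need to look at before release.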
Provided real-time payments are implemented in parallel with a considered fraud management strategy, there is no reason they have to fundamentally change the rules of the (online banking fraud) game.
BTW - If you would like to reminisce about the days of old school bank robberies, I'd highly recommend Heat. Pacino vs. De Niro. Classic.