Research & Resources: Online Fraud Today

Today's Internet Banking Fraud Attacks Create Severe Challenges to Financial Institutions

Internet fraud detection and prevention remain a priority for online banking security. Customer financial and information assets remain at risk. The integrity of the online channel is at risk. Banks' and credit unions' brand reputation is at risk.

Internet fraud malware is exploding, distributed through social media, fake websites, phishing and its variations, and spoofed emails.

Financial institutions simply do not have the resources to anticipate and respond to every possible Internet banking fraud threat. Today's attacks expose the inadequacies of yesterday's online fraud prevention technologies, which cannot keep up with organized fraudster networks and their alarming pace of innovation.

Reactive online fraud prevention strategies no longer cut it. Too often, financial institutions learn about fraud only when customers complain about losses. Attempting to keep up by defining new detection rules after the fact is no longer realistic, as no one can anticipate and respond to every new fraud pattern. Staying in reactive mode means institutions remain at the mercy of fraudsters and their ever more sophisticated methods.

Online Banking is Strategic

Protecting Internet banking customers and members from fraud attacks is not just a simple matter of making sure their money is not stolen. The strategic opportunity at stake is much larger.

Individuals and businesses want to bank online. It's convenient, it's efficient, and it's cost-effective. Whether it's from their computer or, increasingly, from their smartphone, an expanding amount of banking activity is taking place online.

To be competitive, to meet customer needs and reduce churn, banks and credit unions must not only offer online banking capabilities but also continually expand the set of offerings, and do so while building customer confidence that their transactions are secure and their assets are safe. To fully realize the strategic benefits of robust online banking services, financial institutions must have an Internet fraud prevention solution that's up to the challenge.

Know Your Enemy

It's a war, and the enemy is relentless.

Fraudsters are not unsophisticated, individual crooks. They're not the college kids who are hacking just because they can. They are businessmen. Fraud is a large, organized global business, predominantly based in Russia and Eastern Europe with strong funding and state support. And their targets are financial institutions in the West.

Fraudsters are organized and each offers a specialty. For example, one might focus on testing and penetrating anti-virus and anti-malware software while another is expert at defeating secure clients and authentication techniques. Fraudsters also have established social networks to help each other and share their most successful attacks so others can replicate their success.

In addition, fraudsters have a very efficient capital system, and operate with the implicit approval and support of their federal government. In short, by being criminals and operating outside of the laws, ethics, and procedures that guide much of the law-abiding institutional behavior, fraudsters have a lot of advantages. And the financial return they realize is very attractive.

How They Attack

Fraudsters' goal is simple and limited: steal online banking credentials, then steal the money. The different techniques they use are all just different ways of accomplishing the same thing.

To achieve this objective, they are directly targeting online banking customers, focusing on the weakest link - the end user (and it's not entirely the end user's fault). Their attacks are relentless, sophisticated, and pervasive. Collectively, users don't stand a chance.

They infect a user's computer with a virus - for example the Zeus financial malware Trojan that has already infected 3.6 million computers with one of its 70,000 variations. The virus waits for the user to launch an online banking session, at which point the virus captures the online banking credentials - user name, password, answers to challenge questions, etc. - or in some cases simply hijacks the online session. The fraudster now has complete and direct access to that user's online banking account.

Current Solutions are Ineffective

Against this onslaught, current solutions are ineffective.

Multi-factor authentication solutions, although a necessary and appropriate frontline defense for any financial website, are not aimed at fraud detection as a core competency. Online account credentials remain vulnerable, as fraudsters have proven the ability to completely circumvent this technology. Authorization failure and the need for challenge questions are non-actionable, inaccurate indicators of fraud, and challenge rates are too high to be acted upon by limited fraud investigation resources. Weak fraud detection capabilities (e.g., device identification, cookies) do not deliver the performance required and lack the rich behavioral models and account history necessary to investigate suspicious activity effectively.

The FFIEC has acknowledged the shortcomings of conventional authentication techniques with its Guidance Supplement issued in June 2011. It states that authentication is no longer sufficient and that anomaly detection solutions could have stopped many of the fraud attacks they studied.

Fraud rule- and pattern-based transaction monitoring solutions are always one step behind. They merely react to known threats instead of recognizing new ones as they happen. They require complicated rules development, known fraud "truth sets" for algorithm training, and ongoing "care and feeding" maintenance to try to remain current. As a result, these solutions are unable to spot new fraud types and patterns - such as seemingly benign account reconnaissance activity. Once a breach occurs, most return minimal detail on any given fraud instance to aid investigation. They return little context, limited characterization of individual customer behavior, no visual analytics, less granular risk scoring, and minimal forensics.

What's needed is a holistic solution that integrates existing point solutions.

The True Cost of Fraud

Guardian Analytics surveyed 500 financial institutions. In 80 percent of attacks, the money left the institution before the attack was recognized. So, the initial fraud loss certainly is part of the cost. But additional costs can be significant, too.

The full cost of fraud loss includes:

  • Investigation & Remediation. The cost of investigation and remediation is often larger than fraud loss itself. Investigation is the significant staff time it takes to do the forensics (i.e. what malware was involved and how the account was compromised), figure out whose fault it was, and analyze what processes worked or didn't work. Remediation is determining how the bank may or may not compensate the business for a loss. This takes time, and includes legal fees plus possible reimbursement of the original loss.
  • Litigation. Who's liable here? There's some controversy on the issue of fraud liability and lots of related litigation. Even if the bank is found to be not liable, they likely will still incur legal fees and time loss. If they are found to be liable, then they can expect to have penalties added on.
  • Customer churn. Customers will leave if they feel the bank is not adequately protecting them, costing the financial institution the future lifetime value of that customer.
  • Brand & Reputation. It's hard to measure true cost, but clearly there's damage to a bank's brand and reputation if it's a victim of fraud losses.

Best Practices for Building a Holistic Security Strategy

Read how a holistic strategy, rooted in behavioral analytics instead of rules and algorithms, can protect ALL account holders from the widest array of online fraud threats, with minimal inconvenience and disruption of legitimate online banking activity.