November 12
Second in a series
The risks associated with certain transactions made it difficult and expensive for Chevron Federal Credit Union to serve its customers, so the institution turned to behavioral analytics — and eliminated its online fraud.
In changing its approach to online fraud, Chevron was adapting to an issue many financial companies face: fraudsters continuously adapt to find weaknesses in any security system, making it more expensive and more time-consuming for financial institutions to keep up.
To get ahead of the fraudsters, Chevron installed a Guardian Analytics system in the first week of 2010, said Sachin Kundra, Chevron's vice president of information systems and technology. "Since we've implemented the system, we've had zero actual fraud losses occur in the online channel," compared to up to 15 cases a year previously, he said in September. And "that number was increasing, month after month," until Chevron put a stop to it.
This year, the Oakland, Calif., company found 22 cases of potential online fraud that Guardian's system stopped. It estimated its potential fraud losses from these cases at more than $800,000; Kundra would not say what the credit union's actual fraud losses were before that.
The benefits went beyond stopping fraud. Chevron Federal was also able to expand the range of services it can offer members by switching on certain types of transactions it had earlier deemed too risky.
In particular, Guardian Analytics' system allowed a major change in how Chevron handles wire transfers.
It faced what Kundra said were "huge wire-transfer frauds," particularly as fraudsters were quick to adapt to any change the credit union made to protect itself.
Chevron wanted to let anyone initiate a wire transfer of less than $10,000 without having to be phoned for additional verification. The fraudsters realized that, so they snuck in transfers just under the limit, prompting Chevron to repeatedly reduce the limit in what Kundra described as "a cat-and-mouse game," until the limit was $4,000.
"We had staff sitting in operations … paid staff that we had to bring in and sit there all day and call back every wire transfer that came in" under $4,000, he said. These people were calling members for nearly "every single wire transfer request that came in, 16 hours a day and five days a week — that actually adds up," he said.
Its old methods of authentication were ineffective on their own, Kundra said.
"Fraudsters out there had account info for members, and they had answers to their challenge questions, … so having the Guardian system, being able to really decipher to some degree of confidence that this is something" authorized, was a huge improvement, he said.
With Guardian's system vetting online requests, "we pulled that limit from $4,000 back to its $10,000 limit — anything less than $10,000, we can let it slide because we have some confidence" that the person requesting the transfer is authorized to send the money, Kundra said.
Guardian Analytics examines online banking behavior to determine which actions are legitimate and which signal fraud.
It said that Chevron's example is not unique — another credit union on the East Coast used Guardian's system to identify 75 compromised accounts last year, blocking potential losses of $15 million.
Another client, a large business bank, stopped 80 fraudulent automated clearing house payments that would have aggregated to $800,000. A credit union client stopped a fraudulent home equity line of credit worth $700,000.
Guardian's system examines the characteristics of each individual's typical online activity, creating a behavioral profile for each customer of a financial institution.
"We develop a very individualized, very specific behavior pattern of a user's history, and it's very difficult to match," said Terry Austin, Guardian's president and chief executive. "We do this at an individual, user-by-user level."
Business accounts add some complexity, because they have multiple users, but opportunity still exists to catch suspect behavior.
For example, if a business account requires a separate user to approve wire transfers, the fraudster may create a new user account. Though that new user account would not have a history to match itself against, its behavior can still be seen as unusual compared to the behavior observed for all other authorized users of the account.
"We know there's something unusual about that login when they establish a new user … [and] the new user gets established and immediately goes in and approves wire transfers, … that can look suspicious," Austin said.
Guardian's method has held true even as other methods of authenticating a user have crumbled under fraudsters' attacks, he said.
The Internet protocol address, which can be used like a phone number to identify where a user is "calling" from when connecting to the online banking site, is one example of a factor that has lost its relevance.
"A year ago, when we saw a trusted IP address … we placed a fair amount of confidence in that factor," Austin said.
Fraudsters realized this and set about exploiting that trust. By piggybacking on legitimate online banking sessions — those initiated by the account holder from a trusted computer — the fraudsters would come into the online banking site using the same IP address known to belong to the user.
Generally, authentication is no longer as strong as it was once believed to be, Austin said. Technology that strengthens the front door "is just a big hole that you're pouring money into," he said.
Rules to determine whether to authorize specific transactions based on the characteristics of the transaction, such as the dollar amount, "just don't work in online banking," he said.
Behavioral analytics, by contrast, "really does take the biggest asset that a bank has, which is a lot of data … and leverage it to solve this problem" of recurrent fraud, Austin said.
"Some banks have taken the position that it's on the end user[s] to protect themselves," particularly businesses and organizations that lack the legal protections consumers have, he added, but "there's a real backlash" against this practice.
Avivah Litan, a vice president and distinguished analyst at the Stamford, Conn., market research company Gartner Inc., said it was important for Chevron to find an alternative to phoning customers — besides being expensive, the tactic can be defeated by fraudsters.
Typically, banks and credit unions that phone their customers to verify a risky transaction would present them with challenge questions, as Chevron did — but fraudsters have access to the databases the questions are drawn from because "they've been spear-phishing employees" of the companies that provide the data, she said.
If the fraudster has also changed the phone number on the compromised account to intercept calls from the financial institution, the fraudster may be able to get the bogus transaction approved by answering the security questions.
"The fraud analyst gets on the phone … and then they'll start asking questions from third-party databases … and the criminal's got all the answers," Litan said. At one bank that let her listen to a recorded call, "on the recording, we could hear the fraud analyst ask the questions, and the guy on the other end said, 'Hold on a minute,' and we could hear the crook clicking his screen, going through the screens, and then he'd give him the answer like: 'Where's your mortgage?' … click click click … 'Wells Fargo.' "
Using software to prevent a transaction from even getting that far goes a long way toward preventing fraud, she said. "The software can do a good job in spotting risky transactions, [and] not just Guardian's software," Litan said.
It is even better if the software blocks a fraudster from even getting to the point of being able to request a wire transfer, Litan said. "They want to not only scan the payment transaction but [also] look at the access," she said.
It also is important to create individual profiles for each user, to better defend those accounts as fraudsters refine their attacks, Litan said. For example, a fraudster today may skip pages in the flow of an online banking session to go straight to the payment page — something most end users wouldn't be able to do. As the fraudsters catch on to how obvious a sign of fraud this is, they may instead try to use a more natural path to get to the payment page — and that might only look like fraud when compared to the legitimate user's behavior, she said.
"As soon as the criminal[s] find out that their behavior is being tracked, they'll change their behavior," Litan said.
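The two behavioral signals described above, a newly created user on a business account that immediately approves wire transfers (Guardian's example) and a session that skips the pages legitimate users pass through on the way to the payment page (Litan's example), as an added illustration that is not Guardian's or anyone else's product code. The event stream, user names and action names are constructed for the example; the peer baseline is the set of steps every other user of the same account took before approving a wire.

```python
from datetime import datetime, timedelta

# Constructed online-banking events for one business account: (time, user, action). Not real data.
EVENTS = [
    ("2010-09-01 09:00", "alice", "login"), ("2010-09-01 09:03", "alice", "view_accounts"),
    ("2010-09-01 09:05", "alice", "view_payments"), ("2010-09-01 09:07", "alice", "approve_wire"),
    ("2010-09-02 14:00", "bob", "login"), ("2010-09-02 14:01", "bob", "view_accounts"),
    ("2010-09-02 14:02", "bob", "view_payments"), ("2010-09-02 14:04", "bob", "approve_wire"),
    ("2010-09-03 03:10", "alice", "login"), ("2010-09-03 03:11", "alice", "create_user:mallory"),
    ("2010-09-03 03:12", "mallory", "login"), ("2010-09-03 03:13", "mallory", "approve_wire"),
]

parse = lambda ts: datetime.strptime(ts, "%Y-%m-%d %H:%M")

def sessions(events):
    """Group the event stream into per-user sessions; each 'login' opens a new one."""
    out = []
    for ts, user, action in events:
        if action == "login":
            out.append({"user": user, "start": parse(ts), "path": []})
        else:
            next(s for s in reversed(out) if s["user"] == user)["path"].append(action)
    return out

def steps_before_approval(path):
    """Set of actions taken before approving a wire, or None if no wire was approved."""
    return set(path[:path.index("approve_wire")]) if "approve_wire" in path else None

def score_session(session, all_sessions, events, window=timedelta(hours=24)):
    """Reasons a wire-approving session looks unusual relative to the account's other users."""
    mine = steps_before_approval(session["path"])
    if mine is None:
        return []
    reasons, user, start = [], session["user"], session["start"]
    # Peer baseline: steps every *other* user took before approving a wire in earlier sessions.
    # A brand-new user has no history of its own, so it is judged against this baseline.
    peers = [p for p in (steps_before_approval(s["path"]) for s in all_sessions
                         if s["user"] != user and s["start"] < start) if p is not None]
    skipped = set.intersection(*peers) - mine if peers else set()
    if skipped:
        reasons.append("skipped steps peers always take: " + ", ".join(sorted(skipped)))
    # A user account created moments earlier that goes straight to approving wires.
    for ts, _, action in events:
        age = start - parse(ts)
        if action == "create_user:" + user and timedelta(0) <= age <= window:
            reasons.append("user created %d min before this session" % (age.total_seconds() // 60))
    return reasons

def flagged_sessions(events=EVENTS):
    """Map each user with a suspicious session to the reasons raised against it."""
    all_s = sessions(events)
    return {s["user"]: r for s in all_s if (r := score_session(s, all_s, events))}
```

Only the session of the user created at 03:11 is flagged; the two established users, whose paths match each other, produce no reasons even though a dollar-amount rule would treat all three approvals identically.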
Chevron's success with Guardian's system "is definitely demonstrating the power it has," even if the dollar value of the fraud it has stopped may seem low compared to what a large financial institution typically sees, she said.
However, institutions of any size could benefit from improving their defenses with behavioral analytics, she said. "A little technology goes a long way."
Next: BB&T Corp. weighs the advantages of building or buying risk management technology.