Adapting to Automated Fraud
A new kind of Trojan—“Win32.Grams”—may be the first example of a new class of Trojans that significantly raise the potential for electronic fraud. Unlike previous Trojans, which were designed to spy on victims and steal their usernames and passwords, Win32.Grams, first reported late last year by LUHRQ Corporation, goes much further. Delivered through a spam message, the Trojan automates the entire fraud process—from gaining access to the victim’s account, to checking his or her bank balance, to moving the funds to the criminal’s account.
At first glance it may seem that these new fraud types are nothing more than modern variations of tried-and-true social engineering techniques, repurposed and adapted to leverage e-mail, autodialers, and rogue Web sites. But somewhere in the maze of details, a profound realization is becoming increasingly unavoidable: Right under our eyes, fraud is being industrialized.
To adequately prepare for the challenges presented by automated fraud, banking and financial services must learn to think dynamically about these evolving risks and how to mitigate them.
History lesson. When banks began using the Internet for business, they focused on eliminating organizational barriers and providing the customer with a single point of entry to all bank services. Unfortunately, just as the process made access convenient for customers, it also made it convenient for fraudsters.
One example of the compounding risk effect is the display of both monthly statements and check images online. Monthly statements provide insights into the financial behavior of the account holder, and check images provide insights into the visual aspects of the checks, including stock type, customer penmanship, and even a signature image.
Not all banks are currently presenting check images online, but the trend is likely to expand due to new legislation. Called Check 21, the new regulation allows banks to convert paper checks to digital images. Since customers will not receive their paper checks back, they are likely to request to see their checks online.
If hackers find a way to access this information, it would provide fraudsters with valuable clues on how to create counterfeit checks that are difficult to detect. Since most online accounts today are protected only by a username and reusable password, hackers have found ways to obtain access—such as by sending account holders spoof e-mails that trick them into giving out that information. When the hacker then types in the username and password, the bank has no way of knowing that it is not the true account holder doing so.
To help reduce the risk posed by increased availability of online information, companies need a new protection model. Among the issues to consider are: more stringent authentication practices, pattern analysis, better methods for detection of intelligence gathering activities, a holistic approach to the detection process, and methods for automated detection.
Authentication. The first layer of security is to restrict access, making sure that only authorized users can get to account data. This has proven a difficult challenge in the online world where users cannot be screened face to face. Usernames and passwords have been the traditional means of granting entry, but they do not offer true authentication, because anyone who has that username and password will “look” like an authorized user to the system.
Hackers have multiple means of stealing usernames and passwords. For example, through phishing schemes, they trick users into giving away this personal information by making the users think that they are dealing with their own bank or other known party. Trojan worms that record the users’ keystrokes and e-mail them to the fraudsters are another method.
In the past, the use of passwords for authentication has been considered a reasonable compromise between security, cost, and customer convenience. Given today’s evolution in fraud automation and the growing potential for large-scale theft of passwords, stronger authentication may be unavoidable.
It is likely that stronger authentication will involve some increase in customer inconvenience. Banks may, therefore, want to consider involving the customer in the decision to create authentication that is above and beyond the minimum requirements mandated by the bank. In an ideal world, businesses could allow each customer to choose between using basic authentication or incorporating tokens, biometrics, or other means to enhance this process.
It is conceivable that customers may even have the option of accessing their account with varying levels of authentication for different requests. A customer may wish to use only a password when checking a balance, but may choose to require more stringent authentication for viewing check images or transferring funds.
While these added security practices would increase the cost of authentication for the banks, the institutions would likely reap benefits not only from reduced fraud losses but also from greater customer trust.
Pattern analysis. In addition to encouraging customers to move toward more secure means of authentication, banks and others involved in e-commerce should expand pattern analysis for added security. Thus, even if someone does subvert the authentication process and get through the front door, there will be secondary hurdles that may prevent them from successfully collecting information or committing fraud.
Pattern analysis is already applied to the detection of fraudulent transactions. Credit card companies, for example, analyze user purchasing patterns to detect purchase requests that seem to fall outside the pattern. Two additional areas where pattern analysis could be applied include the detection of intelligence-gathering activities relating to identity theft and the detection of multi-account, cross-channel scams.
Monitoring for intelligence-gathering. Most fraud-detection systems today look for evidence that fraud has been committed, but they ignore the criminal’s intelligence-gathering activities, which generally predate the fraudulent transactions. That’s a mistake.
As noted earlier, it is now relatively easy for hackers to gain unauthorized access to a consumer’s personal information, such as address and spouse’s name. They can also view check images and capture signature images. If no money is stolen during this intelligence gathering, fraud detection teams would probably take no notice, because the actions fall within the purview of normal customer behavior.
Even once money is taken, it may not be noticed by the bank as an aberrant transaction, because automated surveillance and customization techniques allow criminals to structure their activity to closely resemble the behavior of the account holders.
To extend the analysis to potential intelligence-gathering events, additional access request parameters would have to be captured and evaluated based on the history and patterns of each user, location of the PC, and time of requested access.
Multi-account pattern analysis. The high productivity of automation enables criminals to launch attacks that involve smaller amounts in large quantities, spread out and hidden over multiple transactions. In such an environment, detection based on customer spending-patterns becomes less effective. In such an environment, pattern recognition should be extended to include activities across multiple accounts and channels.
Holistic approach. Companies should take a holistic approach when looking for fraud. Most detection teams are tasked with detecting fraud related to specific business units, products, or channels. Invariably, for example, different check-fraud teams are tasked with detecting credit card, check, and Internet fraud.
Criminals, on the other hand, are capable of crossing the boundaries and have access to credit card numbers and other information. When a company’s fraud detection groups are isolated, their ability to see this type of cross-channel fraud is limited.
Implementing a holistic approach to fraud requires not only organizational but also technological changes. A holistic fraud-detection system would enable both data collection and analysis to be done across business units.
Automated detection. Most fraud detection departments are made up of a team of investigators who must evaluate the alerts generated by the fraud-detection systems. Today, these teams use a largely manual process, which includes access to multiple internal applications and various Web sites or outside databases. This manual process works reasonably well to prevent fraud.
With the advent of automated fraud, however, the inefficiencies of the manual processes will be accentuated. Two problems in particular are likely to emerge. The first is that the sheer number of fraudulent transactions may overwhelm the sluggish process.
For example, currently fraud-management units review only a portion of suspicious alerts. This practice has worked because historically the bulk of the losses were concentrated in a small number of large transactions. Investigators today often must enter the customer’s Social Security number or account number multiple times as they move from application to application, slowing their ability to respond to multiple quick hits.
The second problem is that as the fraud process becomes more and more automated, fraudsters are better able to spread the fraud over a larger number of smaller transactions. As losses are spread over multiple accounts and transactions, each transaction becomes less atypical, and some of today’s detection systems may not be capable of detecting the smaller transactions.
To prepare for the growing threat of automated fraud, detection teams must review their investigation process and look for ways to eliminate rekeying of data and toggling between different systems and windows. A streamlined operation will increase a company’s ability to cope with large-scale quick hits and increase the chances of confronting the smaller transactions before they accumulate and cost customers millions.
Technology. Various technologies exist that can significantly reduce the amount of time spent analyzing data. To understand the process, it is important to first understand the intricacies involved in any successful fraud-management solution.
To be effective, the system must be able to “sense” the problem. For Internet sessions, this sensing would involve detecting where the login is coming from, as well as detecting various parameters that identify the user’s PC. Similarly, for checks, the process might involve identifying information about multiple attributes of the check—both relating to the transaction itself and the physical image of the check.
Once the information is sensed, it is analyzed for suspiciousness at a “local” level. For an Internet session, “local” could mean both the individual parameters of the session as well as the behavior across multiple sessions.
A system might analyze as suspicious 30 different identities emanating from the same computer within 30 minutes. Likewise, the local level for checks could mean suspicious elements on the check or atypical commonalities across accounts, such as multiple payments to the same payee across unrelated accounts.
Once local suspicions are raised, they can be communicated across business channels, such as a check-fraud unit and an Internet-fraud unit. For example, if 30 different identities were viewed from the same PC within 30 minutes, the Internet unit could communicate the information to the check-fraud unit, which could look for commonalities in checks related to these accounts, such as a common payee. But this manual process is cumbersome and often results in disconnected views of the fraud environment.
To combat this problem, several new technologies have been developed that have the ability to dynamically update profiles with behaviors indicative of fraud. The technology keeps tabs on which parameters affect the detection algorithm and watches for changes in these parameters.
Such profiles can be attached not only to accounts but also to devices or locations. For example, an ATM profile might analyze the average transaction amounts for 10 sequential users at a given ATM location and time of day. An unusually high average withdrawal for the time of day could distinguish between a normal line of people and a fraudster milking the ATM.
Unlike the traditional method, which requires copying the data into multiple data warehouses prior to analysis, this technology allows for these profiles to be updated in a timely manner. While this technology does not eliminate the need for data warehouses altogether, it does eliminate the need to create one or more additional dedicated data warehouses to act as “staging areas” for the computation of statistics. It also reduces the need to create duplicate sets of data for each fraud-detection unit.
Another benefit of this approach is that these statistical monitoring devices are automated, so if investigators decide that they need to monitor a certain behavior on an hourly rather than daily basis, adding the required profiles can be done by simply adjusting the analysis parameters.
Such a requirement can arise, for example, if it is found that users at an ATM withdraw on average less money during the lunch hour than in the evening. Instructing the system to create hourly profiles can significantly improve the accuracy of the detection.
Fraudsters continuously and purposefully change their methods of operation to avoid detection. And they are increasingly able to automate their attacks. Only by understanding the new fraud environment and automating defenses in response can financial institutions hope to outflank this formidable enemy.
Elazar Katz is a director in the Global Financial Services group at Unisys, where he oversees the active-risk-monitoring practice that specializes in technologies and solutions that address fraud, money laundering, and other compliance risks.