Features: Fighting Fraudsters From Within


New technologies and greater understanding of the mechanics of online fraud are helping corporations beat the bad guys.


The 2002 film “Catch Me If You Can” was based loosely on a book penned by Frank William Abagnale Jr., a former con artist who in the 1960s used aliases to pass bad checks worth more than $2.5 million. When Abagnale committed the bulk of his crimes, check fraud was probably the biggest thing companies and banks had to worry about.

Today, however, the perpetrators of financial crime are more organized and sophisticated, and banks and multinational corporations are paying the price for what has become a global pandemic. Often fraudsters are not acting alone but are part of criminal gangs that are capable of launching “velocity attacks” on banks via a PC using multiple identities. “Twenty years ago, if you wanted to rob a bank, you got in a JCB [mechanical digger] and drove through the front of the bank,” says David Porter, head of security and risk at Detica, a consultancy specializing in security issues. “Now it is done through a computer keyboard. Fraudsters have become more intelligent, using electronic, high-tech methods, and are now much more pervasive. It has become an arms race as the bad guys have upped the ante.”

According to Detica, the UK economy loses approximately £14 billion a year due to financial crime. “The data explosion and the Internet have enabled criminals to steal identities and commit serious crime with increasing sophistication. Globalization and the explosion in social and corporate networking also mean businesses are far more vulnerable to seemingly remote disruptive events,” says Fred Chedham, head of Detica’s Business Resilience Services.

Online fraud, particularly in the banking sector, has become so pervasive that a UK parliamentary report on personal Internet security described the Internet as a “playground for criminals.” The report cited some damning statistics to back up its claim. UK payments association APACS recorded more than 1,500 “unique” phishing attacks directed at UK banks in September 2006, up from just 18 in January 2005. US banks are reportedly the most targeted by phishing, with their losses totaling approximately $2 billion.

But it is not just the banks that are affected by fraud. At the beginning of 2007 hackers accessed internal systems used to process and store customer transaction data, including credit card, debit card and check details, at US retail giant TJ Maxx. The incident cost TJ Maxx $256 million plus the additional compensation it paid to Visa card issuers. Money aside, the reputational costs of such an incident are difficult to quantify.

Who Pays the Price?
In a number of cases it is the merchant or banks that bear the brunt of the cost for fraud. “Who pays for the fraud is determined by an arcane set of rules,” explains Paul Collins, vice president, BasePoint Analytics, a provider of predictive analytic fraud solutions to the banking industry. “Thirty-three percent of the time, however, the merchant is responsible for chargebacks, and two thirds of the time it is the bank’s loss.”


Geoff Hogan, Imprivata: “There is a lot of password sharing.”

In an effort to prevent incidents like TJ Maxx occurring again, the leading credit card brands—MasterCard, Visa, American Express and Discover—collaborated to create the Payment Card Industry–Data Security Standard (PCI-DSS), which sets out rules for merchants to follow to prevent theft and misuse of credit card information. The PCI-DSS standard features broad requirements, the first being that card issuers, merchants and acquirers must install and maintain a firewall. “The fundamental principle of the standard is to help our customers build an environment that would prevent a compromise from occurring but also to be able to detect and react to a potential compromise,” explains John Verdeschi, vice president of MasterCard’s payment system integrity group.

Verdeschi acknowledges the challenges in eliminating fraud completely, but he says that if PCI-DSS is implemented globally, it can greatly reduce the risk of customer and transaction data being used for fraudulent purposes. It is mandatory for businesses with more than 100,000 transactions a year to either be PCI-DSS-compliant or be able to demonstrate plans to become so, says Paul Meadowcroft, head of transaction security for the e-security division of Thales. Yet, according to Meadowcroft, 79% of companies fail a PCI-DSS audit because they inadequately protect stored cardholder data.

When it comes to securing transactions on the Internet, Steve Brunswick, strategy manager for the e-security division of Thales, says that financial institutions are already considering stronger security in the form of two-factor authentication (something physical, such as a smartcard, combined with something non-physical, such as a password). A survey of UK banks conducted by Thales found that 84% of banks involved in the UK Faster Payments initiative, which will reduce the clearing cycle for electronic payments from three days to less than two hours, plan to roll out two-factor authentication to combat the increased risk of fraud.

A few years ago, a PIN and password were the most common way of authenticating someone in an online transaction. However, PINs and passwords are not only difficult to remember but easily shared. “There is an enormous amount of password sharing,” says Geoff Hogan, senior vice president, business development and product management, for Massachusetts-based Imprivata, which provides ID management and information access solutions to banks. Imprivata uses “multifactor authentication.” “Users can set up a policy that says once a user has securely authenticated to a network, or once they launch a particular application, for example, it may ask for another form of authentication such as a fingerprint or biometric,” explains Hogan.

But how could such technologies address the risks highlighted by the recent case of the rogue trader Jérôme Kerviel of Société Générale, who was able to hide fraudulent transactions from risk and security systems? Imprivata suggests that banks could use its technology in a trading situation, for example, where the trader would swipe his fingerprint whenever a trade is conducted. Even if the trader was able to create multiple accounts, Imprivata says that the fingerprint would provide an audit trail.

Porter of Detica says smart cards, two-factor authentication and biometrics are examples of preventative technologies that protect the corporate perimeter. However, he cautions that no security measure is entirely foolproof and that companies should have a backup in case someone manages to break through the perimeter. “You need a strong fence,” he says, “but when the burglars get through, you need network detection that goes hand in hand with preventative devices. Banks need to take both into consideration.”

Traditionally, much of the focus in eliminating fraud was on protecting the corporate perimeter from an external attack. Yet, increasingly, banks and companies in general are focusing on internal threats, which can take many forms: a malicious attack by a disgruntled employee, an employee looking to hide fraudulent transactions or an employee who lost a work laptop with customer details on it.

Hogan of Imprivata says that its banking customers are looking for solutions to authenticate employees on whatever network they utilize and then to be able to monitor them in terms of what applications they access. Porter says that the threat from an external “bogeyman” is somewhat of a red herring. “Mildred in accounts is probably as dangerous as a hacker,” he says.

Given that there are so many different solutions to help companies thwart fraudsters, it seems only fair to ask, Who is winning the war on fraud? Collins of BasePoint Analytics maintains that credit card fraud is declining as a result of techniques and procedures that have been put in place to reduce it. However, he says debit card fraud is increasing, as is general cash fraud. “Banks are not going to totally eliminate fraud,” he says. “The minute you reduce fraud in one place, it pops up somewhere else.”

Porter says some of the more innovative firms are on the front foot. He points to the exciting work being done by the Insurance Fraud Bureau (see box), which developed a computer system featuring details of insurance claims data across the United Kingdom. “Banks should also share information,” he says. “This is the power.”

Following rising levels of card fraud and illegal withdrawals of funds from customer accounts, fraud victims, the Japanese National Police Agency and the Japanese Bankers Association encouraged the banking sector to introduce biometric technology. Recognizing the limitations of biometrics such as finger or retinal scans, which can easily be faked, Hitachi developed Finger Vein Technology, which is based on finger vein patterns that are unique to each person and difficult to forge. According to Hitachi, 75% of accepting banks in Japan will implement its Finger Vein Technology. More than 20,000 ATMs will be equipped with Finger Vein scanners, and more than 500,000 smart cards with biometric applications will be deployed by the banks.

The technology works by creating a biometric template from a scan of the finger. LEDs inside the scanner transmit infrared light into the finger, which is absorbed by the hemoglobin, creating an image for capture. The image is used to create a finger vein pattern that is digitized, compressed and stored within a smart card.


David Porter, Detica: “Banks should share fraud information.”

Bogus and inflated insurance claims cost the UK insurance industry more than £1.6 billion a year. Insurance fraud ranges from policyholders exaggerating claims to organized criminal gangs inducing “innocent” motorists to crash into the backs of fraudsters’ vehicles. In a number of cases criminal gangs may have submitted bogus insurance claims to a number of insurers at the same time.

In an effort to combat this, following a six-month pilot the Insurance Fraud Bureau (IFB) was established in July 2006. David Porter, head of security and risk at UK risk-based consultancy Detica, says that the IFB, which comprises 46 members, uses a central computer system that features claims data from across the United Kingdom. The IFB analyzes the details of insurance policies and claims records of all participating insurers to identify suspicious activity.
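As an added illustration of the pooled-data approach described above (example code written for this article, not the IFB's or Detica's own system; the record layout, insurer names and claims are constructed), the following Python pools claim records from several insurers and flags two of the patterns the article mentions: the same vehicle claimed against at more than one insurer within a short window, and a claimant who recurs across the pool. Neither signal is proof of fraud on its own; the output is a lead for an analyst to review.

```python
"""Cross-insurer claim matching over a pooled claims database.

Added example, not IFB or Detica code. Field names, insurer names, dates and
amounts below are constructed for illustration only.
"""
from collections import defaultdict
from datetime import date, timedelta
import re

# Constructed sample records, as if pooled from three hypothetical insurers.
SAMPLE_CLAIMS = [
    {"insurer": "InsurerA", "claim_id": "A-1001", "claimant": "J. Smith",
     "vehicle_reg": "AB12 XYZ", "incident_date": "2006-09-03", "amount": 4200},
    {"insurer": "InsurerB", "claim_id": "B-2207", "claimant": "John Smith",
     "vehicle_reg": "ab12xyz", "incident_date": "2006-09-05", "amount": 3900},
    # Same vehicle again, but well outside a 30-day window of the two above.
    {"insurer": "InsurerC", "claim_id": "C-0310", "claimant": "J Smith",
     "vehicle_reg": "AB12 XYZ", "incident_date": "2006-11-20", "amount": 4100},
    # Two claims on one vehicle at a single insurer: visible to that insurer
    # already, so not a cross-insurer hit.
    {"insurer": "InsurerA", "claim_id": "A-1002", "claimant": "A. Jones",
     "vehicle_reg": "CD34 QRS", "incident_date": "2006-09-10", "amount": 1500},
    {"insurer": "InsurerA", "claim_id": "A-1003", "claimant": "A. Jones",
     "vehicle_reg": "CD34 QRS", "incident_date": "2006-09-25", "amount": 1700},
    {"insurer": "InsurerB", "claim_id": "B-2208", "claimant": "P. Patel",
     "vehicle_reg": "EF56 TUV", "incident_date": "2006-10-01", "amount": 800},
]


def normalise_reg(reg: str) -> str:
    """Canonicalise a registration so 'ab12 xyz' and 'AB12 XYZ' match."""
    return re.sub(r"[^A-Z0-9]", "", reg.upper())


def normalise_name(name: str) -> str:
    """Reduce a claimant name to 'initial surname' so minor variants collide.

    Deliberately coarse: it is a blocking key for review, not an identity match.
    """
    tokens = name.replace(".", "").split()
    if len(tokens) == 1:
        return tokens[0].lower()
    return f"{tokens[0][0].lower()} {tokens[-1].lower()}"


def find_cross_insurer_claims(claims, window_days: int = 30) -> dict:
    """Vehicles with claims at two or more insurers within window_days of each other.

    Returns {normalised_reg: sorted list of claim_ids involved}.
    """
    by_vehicle = defaultdict(list)
    for claim in claims:
        by_vehicle[normalise_reg(claim["vehicle_reg"])].append(claim)

    hits = {}
    for reg, group in by_vehicle.items():
        group.sort(key=lambda c: date.fromisoformat(c["incident_date"]))
        flagged = set()
        for i, a in enumerate(group):
            a_date = date.fromisoformat(a["incident_date"])
            for b in group[i + 1:]:
                b_date = date.fromisoformat(b["incident_date"])
                if b_date - a_date > timedelta(days=window_days):
                    break  # group is date-sorted, so later claims are further away
                if a["insurer"] != b["insurer"]:
                    flagged.update({a["claim_id"], b["claim_id"]})
        if flagged:
            hits[reg] = sorted(flagged)
    return hits


def repeat_claimants(claims, min_claims: int = 3) -> dict:
    """Claimants appearing in min_claims or more pooled claims.

    Returns {normalised_name: {"claims": n, "insurers": distinct insurer count}}.
    Only the pooled view can see a claimant spread across several insurers.
    """
    per_name = defaultdict(lambda: {"claims": 0, "insurers": set()})
    for claim in claims:
        key = normalise_name(claim["claimant"])
        per_name[key]["claims"] += 1
        per_name[key]["insurers"].add(claim["insurer"])
    return {
        name: {"claims": v["claims"], "insurers": len(v["insurers"])}
        for name, v in per_name.items()
        if v["claims"] >= min_claims
    }


if __name__ == "__main__":
    print("cross-insurer vehicle hits:", find_cross_insurer_claims(SAMPLE_CLAIMS))
    print("repeat claimants:", repeat_claimants(SAMPLE_CLAIMS))
```

On the constructed sample, the 30-day window flags only the two September claims on AB12 XYZ; widening the window to 90 days pulls in the November claim as well, which is the kind of tuning decision an analyst team makes based on how far apart staged incidents tend to be. The claimant check reports "j smith" with three claims across three insurers, something no single insurer could see from its own records alone.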

According to the IFB, by sharing information on insurance claims, it has highlighted previously unidentified fraud risk where there is a combination of actual and anticipated savings in the region of approximately £8 million. In its first year the IFB issued 370 intelligence reports to members relating to 2,069 claims.

Anita Hawser