Presentation is loading. Please wait.

Presentation is loading. Please wait.


Similar presentations

Presentation on theme: "Slide 1 ENTERPRISE FRAUD PREVENTION & DETECTION. Slide 1 DRIVEN BY PROBLEMS THAT CONTINUE TO GROW IN SCALE, COMPLEXITY AND IMPACT Increasing laws and."— Presentation transcript:


2 Slide 1 DRIVEN BY PROBLEMS THAT CONTINUE TO GROW IN SCALE, COMPLEXITY AND IMPACT Increasing laws and regulations Complex structured and unstructured data containing increasingly valuable intelligence Growing compliance and operational risks Increased threat of loss to organized fraud, crime and corruption Expanded liability with significant fines Limited expert resource

3 Cross-Channel Fraud Solution Suite Enterprise wide protection - true enterprise-wide financial crime platform

4 Enterprise-Wide, Cross-Channel Solution New channels add new profiles Customer and Account profiles are shared across all solutions Solution should provide fraud and channel coverage across all silos

5 Users Profiles Cross-Channel Fraud Solution Cross-channel solution profiles all remote channel activity at multiple levels 25% of attacks begin in one channel and end in another Fraud and channel coverage across all silos Account Profiles Devices Profiles Payee Profiles Customer Profiles

6 Older Threats Still Prevalent As the web becomes more secure, fraud will migrate To the path of least resistance – the phone channel and beyond The phone channel has significant fraud exposure Internal fraud Multiple layers of customer authentication Susceptible to social engineering Compromised customer information is used via the phone To request new cards, checks, products

7 New Channels Present New Risks Mobile Banking “…there are significant differences in the way viruses on the mobile channel can operate and proliferate.” Javelin Research Email Money Immediate funds transfer to an email address Recipient gets instant access to funds

8 New Fraud Threats To The Online Channel “Man in the Middle” variation Malware in the web browser interjects between user and the browser to modify transaction data Trojan on a victim's PC capable of modifying user's transactions as they occur in real-time Authentication cannot prevent this type of fraud

9 Fraudsters Enlist Advanced Technology Trojan Horse: Zeus, TorPig etc. Distributed via malware platforms Installs itself and conceal location Steals sensitive information Generate lists for Man-In-The-Browser attacks Sends messages to the controller Man-In-The-Browser a Trojan that infects a web browser and has the capabilities to modify display, message content, initiate independent transactions and overcome session monitoring and security. Man-In-The-Middle A form of sophisticated eavesdropping, in which the attacker relay messages between two parties making each believe that he communicates directly with the other.

10 Billions Lost to Online Fraud Source: Mindwave Research based on US and Canadian online merchants

11 So What Does This All Mean? The industry is experiencing increases in Multiple channels and access devices Subscriber numbers Speed of funds transfer Sophistication of fraud attacks Cross-channel fraud Protection will require much more than authentication Real-time decisions Cross-channel customer level monitoring User configurable profiling Advanced analytics

12 How can we fight back? Device fingerprint? IP Address hot-list? Low amount transaction filtering? Restricting customers? Harder Authentication? RSA Token? 100% True Real Time Transaction level Monitoring Profiling Out of band authentication Interdiction Management

13 Major Fraud The Remote Banking Fraud solution addresses a number of major fraud types : Account Take over Phishing Vishing Whaling Pharming Man in the Middle Man in the Browser Enrollment Fraud Identity Theft Unauthorized Access Pump and Dump Fraud

14 Benefits of using Fraud Detection and Prevention Solution Reduce financial losses Phase-based analytic models stronger than rule-based solutions Self-learning capabilities improve detection over time Stop fraud in real-time Makes decisions on the current transaction Allows customers to transact while blocking fraud attempts Detect fraud across channels Connects the online and phone channels Not just web or partial call center support Analyzes both channel and transaction specific data

15 Benefits of using Fraud Detection and Prevention Solution Streamline fraud operations & investigations Alert management interface, workflows and dashboard Block or unblock transactions from Case Manager Policy manager allows powerful policy rule management Investigation tool facilitates research and root cause analysis Deploy rapidly IT friendly software Multiple connectors to legacy systems No special hardware or database requirements

16 KEY INDICATORS example Financial Services Monetary Activity with New Payee Burst in New Beneficiary Bank Activity First Transaction for Customer Activity with Rounded Amounts Transaction to New Foreign Country Suspicious Amount Dormant Account Activity Services Recent KYC Change Recent Enrolment New Card/Cheque Requests Recent Information Change

17 Session Unusual Activity from New Device Suspicious Activity from Same Device Access from Multiple Locations Implausible/New Location One time Password used Phone Unusual Activity from New Phone Number Activity from New Foreign Country Access from Multiple New Area Codes Lists and References High Focus Bank/Customer Access from High Focus Device/ISP Safe Bank KEY INDICATORS example Financial Services

18 Analytics Unique Phase-Based models permit sophisticated analytics on the right set of trx Phase-Based analytics calculate: Safe Score to allow legitimate activity Threat Score to prevent fraud as attack evolves Transactions 0 100 Threat Score 60 80 90 0 -100 Safe Score

19 Reduce Financial Losses – Analytic Models Payment Fraud Models Internal Transfer Fraud Model Bill Payment Fraud Model Wire Fraud Model Interbank Fraud Model – ACH/BACS Remote Access and Services Models Online Access – Session Detection Model Phone Access – Call Center/IVR Detection Model Mobile Access – Mobile Session Detection Model Services – Account Services Detection Model Services – Enrollment Model

20 Stop Fraud in Real-Time – The Process Risk Case Manager Remote Channels Login Online Score 80 Block Transaction Phase-Based Analytics Alert Presented to Fraud Analyst for Bad IP Customer Contact Auto Dialer Fraud is prevented because fraud is detected - bill payment is prevented at the same time. Confirmed Fraud Password is Reset X Customer Profile + Known Bad IP Web Bill-pay Request Block Transaction Score 90 Customer Profile + Failed Authentication

21 The Opportunity – Simple example Online Access 08:43:23 Session 178870 12:29:02 Session 830923 12:44:23 Session 830923 …. First opportunity to stop occurs across multi-channel/product activities Cross-channel attack mixed with legit activity frustrates siloed systems  Cost of late detection is high Online Access 08:43:23 Session 178870 12:29:02 Session 830923 12:44:23 Session 830923 …. IVR Access 07:16:02 (415) 822 0122 11:22:56 (718) 502 9874 13:18:42 (718) 502 9874 …. Account Services 07:17:51 Bill Pay Enrollment 12:34:18 Email Change … ICT Transactions 08:43:23 ACH $788.88 12:29:02 ACH $128.34 12:44:23 ACH $98.15 …. Bill Pay Transactions 08:55:21 Recurring - $248.00 11:28:01 Recurring - $315.00 13:22:56 One Time - $495.25 ….

22 Example 1 Customer logs into online banking System verifies session information, blocks entry based on known bad IP Score 80, alert generated Customer tries to pay a new bill System requests re-authentication (What is your pet’s name?) If customer fails re-authentication attempt System blocks the channel preventing online access until the customer is verified out of band

23 Example 2 – Cross Channel Customer logs in from a new foreign IP System verifies session information and allows entry Score 40, no alert Customer views account and statement information No high risk activity is involved so inquiries are allowed Score 45, no alert Customer calls into call center to move funds System blocks transfer if the customer only uses statement information to pass authentication Score 70, alert and block

24 Example 3 – Cross Channel Customer Save Customer enrolls for online banking System verifies session information and allows entry Score 20, no alert Customer views account and statement information No high risk activity involved, inquiries allowed Score 30, no alert Customer calls, sets new funds transfer to new account System blocks transfer; Knows that customer already moved funds to this account via the other (phone) channel Identified as a false positive; Customer is allowed to transact Score 10, no alert

25 1. Monitor & Access Data Lists or negative files Black lists, customer white lists, suspicious address, ISP, etc. Customer data All demographic data such as address (including changes) Account data Data such as account open date and balance Changes to account status such as collection status, limit Transaction data Electronic deposits and withdrawals via branch or ATM Channel data Session and call information for phone channel

26 2. Analyses Key Indicators KIs are the analytics building blocks Each KI is a complex calculation KIs are influenced by entity-level historical profiles For example, a large wire to a foreign country May appear suspicious in isolation Profile information can show similar past behavior Will reduce the risk of the current transaction

27 3. Predicts & Detect Suspected Activity Remote banking - primary fraud models Internal transfer detection model Bill payment detection model Wire detection model Interbank detection model Remote banking - additional fraud models Online access - session detection model Phone access - call center/IVR detection model Mobile access detection model Services - account services detection model

28 4. Take Action When an alert is raised, the system should be able to: Block – stop the transaction Hold funds – delay processing the transaction Authenticate – via bank’s authorization solution Alert – pen an investigation and initiate workflow

29 ATM Threats

30 Mass Compromise - Counterfeit Card Fraud The stolen card track data can be encoded onto counterfeit cards by creating duplicate magnetic stripes POS purchases Card Not Present Biggest risk is ‘organized crime’ Current fraud rate is 1-2% Stolen data is currently sold off in batches of a few hundred cards New schemes to steal from accounts with little or no funds Fake deposits are used to artificially inflate available credit

31 Mass Compromise – Identity Fraud and New Account Identity Theft Establish new credit accounts with financial institutions under false pretenses These attacks can lead to extremely high losses to the banking industry Online, phone, and mobile channel are most susceptible but credit cards are the ultimate goal New Account Fraud Synthetic identities are created to apply for new accounts Criminal ‘bust out’ when target credit threshold is achieved

32 Mass Compromise – Identity Fraud and New Account Skimmers Spy Cam Bluetooth transmission Chip & Pin POS Terminal Interceptor (It is a prototype device which sits between a POS terminal in a shop and the Chip and PIN card carried by a customer. It listens passively to the electrical signals – "the conversation" – between the chip card and the terminal, and from this can retrieve and store the customer's account number.) Manufacturing Capabilities: Plastic card embedding High resolution printers Hologram creation... Online Markets (equi. & trade)...

33 Relay Attach- CHIP & PIN Alice is the innocent customer who is about to be defrauded from her savings. Bob is a crook. He is now employed as a restaurant waiter. Carol is Bob's accomplice who is loitering at a jeweller’s shop waiting for Bob's signal to participate in the attack. She is carrying all the equipment needed for the attack in her backpack. Dave is an honest merchant who operates a jewellery shop and is not associated with Alice, Bob, or Carol.

34 Relay Attach- CHIP & PIN Alice, our innocent customer, is about to pay $20 for a meal in a restaurant. Unbeknownst to her, Bob, the crook waiter, presents her with a terminal which looks and behaves like a real Chip & PIN terminal, but is secretly relaying a transaction with Alice's card to Bob's partner in crime – Carol. This is done by using a hidden laptop hidden behind the counter. Carol is in Dave's jeweller’s shop about to buy a $2 000 diamond. Just as Alice inserts her card into the restaurant's terminal, Carol is notified via a radio link or SMS message to insert her specially modified card into the jeweller’s shop's reader. As Alice keys her PIN, it is read out to a earphone worn by Carol. All communication from the jeweller’s shop terminal will be sent through Carol's card and Bob's terminal to Alice's card, and vice versa. Dave will see that the transaction has succeeded and will hand Carol the diamonds that will be charged to Alice's account. Alice leaves the restaurant thinking she paid $20 for a meal, while her statement will show $2 000 for a diamond. As the malicious terminal will never communicate with the bank, Alice will not be changed for the meal. Alice will have used a terminal which looks perfectly normal and it will have shown $20 on the display. Dave will see that the transaction went through without any problem. The bank will see that Alice's card appeared to have been used with the correct PIN. Carol and Bob, however, have walked away with a $2,000 diamond without paying for it.

35 How can we fight back? Anti Skimming Devices (Mechanic & frequency)? Chip & PIN? Block Cross Boarder transactions? Block Online Transactions? Block POS terminal? Buy insurance? 100% Real-Time monitoring Multi level Profiling (Customer, Card, ATM, POS...) Monitoring NON monetary transactions Enterprise View of Fraud

36 Card Fraud Solutions system to cover Card Fraud – Issuer Identifies fraud across all plastic card transactions – credit, debit, more Monitors all channels – online, CNP, ATM, POS, and more Provides multi-tenant support for processors and networks Card Fraud – Acquirer Identifies fraudulent merchant activity Monitors monetary transactions – credits, debits, chargebacks, and retrievals Fraud Operations Management Provides complete loss management capabilities with automated regulatory reporting (SAFE, FRS, etc.) Fully supports chargebacks and dispute management

37 Card Fraud Solutions system to cover Full card fraud protection Protects all transactions conducted with plastic cards Includes issuer, acquirer, and processor models Phase-based analytics, consortium derived Predictive analytic models Consortium of billions of transactions, from tens of thousands of FIs Leverage customer input Customer notifications Customer selected risk limits Real-time decisions Stop the first fraud attempt Allow genuine transactions after fraud

38 Example of Card Fraud Models Lost & Stolen Cards Focus on deviation from the card holder ordinary behavior, and on comparison to known fraud cases One view of all channels (ATM, POS, CNP) Counterfeit Cards In addition to the above, this module will analyze the Deviation from the Device ordinary activity (multiple cards on the Device) Comparison to HF skimming sources list Account Takeover Non monetary changes followed by high risk transaction activity Point of Compromise Correlate between fraudulent activity and previous common activity Based on confirmed fraud and POU alerts Historic activity using ATM / POS / CNP with high probability to be part of a Skimming scam is saved Point of Use Detect and maintain HF Merchants Re-Evaluate previous cards activity at HF merchants

39 Phase-Based Analytics Unique Phase-Based models permit sophisticated analytics on the right set of transactions. Phase-Based analytics calculate: Safe Score to allow legitimate activity even after the first fraud attempt Threat Score to prevent fraud as attack evolves Compromise score to identify Point of Use and Point of Compromise Transactions Threat Score 0 100 60 80 0 -100 Safe Score 90 Compromise Score

40 Multidimensional Profiles All transactions are evaluated across multiple profiles Every profile level compares the current transaction with past behavior Allows early identification of fraud attacks Reduces false positives

41 Alert Presented to Fraud Analyst for Card 1 Alert Presented to Fraud Analyst for Card 2 Stop Fraud in Real Time – The Process Payment Platform Risk Case Manager ATM Withdrawal Card 2 ATM Withdrawal Card 1 Block Transaction ATM Withdrawal Card 3 Block Transaction 60 Customer Profile Score 60 30 Terminal Profile 60 Customer Profile Score 90 40 Terminal Profile 60 Customer Profile Score 100 Block ATM Alert Presented to Fraud Analyst for Card 3 Customer Contact Confirmed Fraud Auto Dialer New Card Issued Phase-Based Analytics POU Analysis POC Analysis Compromised Cards Added To List Confirmed Fraud X

42 The Fraud Triangle Motive – perception of an immediate and un-shareable financial need – Alcohol/Drug abuse – Extreme Debt – Spending disorder – Illicit romantic relationship Opportunity – perception that one will be able to conceal the theft of funds based on a trusted relationship. Reward/Rationalization – Sincere belief that a crime has not been committed or is perceived to be justified and that the rewards outweighs the risks. Opportunity Motive Rationalization

43 Access Opportunity Incentive Employee Fraud Challenges Employee access to systems & knowledge of institutional practices Personal economic pressure creates incentive, leading to increased risk of incidents Institutional & customer financial losses Risk of negative impact to brand and reputation

44 Range of Employee Fraud Incidents Occur a few times a week Mainly policy violations Includes simple account takeover and embezzlement Substantial time for FI to resolve Sophisticated Incidents Day-to-Day Incidents Cost – tens of thousands of dollars Cost – negative brand impact Occur a few times a quarter Includes theft of bank or customer assets, data leakage/theft, collusion, fraud rings Harder to detect for FI Cost – millions of dollars

45 Challenge: Detecting Complex Fraud Incidents Policy violations can be prevented with rules, but: Rules are based on a single organization’s experience Creation of rules requires IT resources and time Complex fraud such as general ledger manipulation or collusion is exceedingly difficult to detect with rules only Data theft/leakage can’t be detected without analytics Rules/scenario-driven detection can't uncover new fraud patterns A combination of rules and analytics is needed to effectively detect and manage employee fraud

46 Employee Fraud Solution Systematic and prioritized detection Business-user scenario management Rich investigation and data exploration capabilities Protection from theft of assets and theft of data

47 Proven Analytics – Targeted Models Targeted analytical models to manage: Self dealing Account takeover Theft of customer assets Theft of bank assets Data theft Account segmentation to monitor at-risk accounts: Activity bursts in dormant accounts Recent address changes High value accounts Elder accounts

48 Examples of Employee Fraud Models Employee Related Account Address change to employee address Excessive credits to employee accounts High focus activity on employee related account Suspicious Activity Multiple GL transactions to same account Activity with long distance customer Activity with new branch customer Reference / List Data Activity with VIP customer Safe employee / branch High focus employee / branch Previous alerts status – fraud / not fraud HR Indicators Employee risk indicator Employee status New employee Sensitive Accounts Ratio of query only activity with sensitive accounts Activity with dormant account Peer Profiling Ratio of high focus debit Unusual activity for peer group Sequences Suspicious transfer balance query sequence Suspicious monetary query sequence Fraud Correlation Activity on account with confirmed fraud High focus activity on account with confirmed fraud Logical Access Out of hours activity Close proximity unusual terminal logins Multiple login attempts denied for employee

49 Proven Analytics – Relationship Discovery Creation of multi-dimensional profile of employee-account interactions Identification of high risk patterns for individuals and groups of employees Correlation of external fraud cases with employee activity to identify employee facilitation of external fraud

50 Thank You !!!


Similar presentations

Ads by Google