Data breaches and fraud
Current infrastructures may be insufficient to deal with fraud resulting from a data breach.
Having to deal with the fall-out from a data breach is becoming a regular duty for fraud prevention professionals in financial services, but there are some common gaps in both fraud strategies and technology relating to data theft that banks should be addressing.
It is becoming almost inevitable that from time to time a bank will have to deal with the fall-out from a compromise of financial data. This may be no fault of its own systems. The data may have been stolen from a third-party processor, or even a retailer. It may have been gained via the internet, through hacking of any number of merchant or financial sites.
So what should a financial institution do to limit the fall-out, in terms of reputational damage, cardholder confidence, and financial loss?
Paul Henninger, director of product management, fraud solutions for Actimize, advises that between 25% and 35% of cardholder data in the UK is out in the open, and in the US this is even higher, at between 30% and 50%.
The challenge, says Henninger, is to limit the amount of fraud that can take place on cards and accounts that have been compromised, while at the same time, keeping costs and customer disruption to a minimum.
Henninger suggests that it is no longer possible to reissue cards every time a breach happens. This is because they happen so frequently, and also because it is hugely disruptive. He gave the example of a bank in Dubai which went as far as to change account numbers for all customers after a breach, and it resulted in massive loss of consumer confidence, with queues outside branches.
Instead, he suggests, banks should work hard to monitor vulnerable accounts, especially in the period shortly after the breach, to watch for any unusual spend, and to try to identify batches of cards that may have been sold on by the fraudsters.
He explained: “It is not possible to put out an alert every time any card is used to buy a flatscreen television, but banks should monitor for fraud by raising the level of sensitivity on compromised accounts without generating a massive volume of administration.
“If it is possible for the bank to watch for when cards from the compromised database are in flight, or active, then it may be possible to see if a batch has been sold on,” he said.
Henninger explained that there is always an order to cards on a database, whether it is by last transaction or name, so it is usually possible to monitor the cards sequentially in this way.
“There is always an order. Card criminals don’t take the trouble to randomise the list and this is the essence of their failure.”
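The sequential monitoring Henninger describes can be sketched as follows; this is an added example, not code from Actimize or the white paper. It assumes the bank holds the compromised list in its stolen order as tokenised card identifiers, and the `max_gap` and `min_hits` thresholds are illustrative tuning values.

```python
from typing import Dict, List, Tuple


def find_batches(compromised: List[str], flagged: List[str],
                 max_gap: int = 3, min_hits: int = 3) -> List[Tuple[int, int, int]]:
    """Return (start_pos, end_pos, hits) for each dense run of flagged cards.

    compromised: card tokens in the order they appear in the stolen list.
    flagged: tokens showing suspicious activity in the current window.
    max_gap / min_hits are assumed tuning values, not figures from the article.
    """
    position: Dict[str, int] = {tok: i for i, tok in enumerate(compromised)}
    hits = sorted({position[t] for t in flagged if t in position})
    batches: List[Tuple[int, int, int]] = []
    run: List[int] = []
    for pos in hits:
        # A large jump in list position closes the current run.
        if run and pos - run[-1] > max_gap:
            if len(run) >= min_hits:
                batches.append((run[0], run[-1], len(run)))
            run = []
        run.append(pos)
    if len(run) >= min_hits:
        batches.append((run[0], run[-1], len(run)))
    return batches


def cards_to_escalate(compromised: List[str], flagged: List[str], **kw) -> List[str]:
    """Cards inside a detected batch that have not been flagged yet."""
    seen = set(flagged)
    out: List[str] = []
    for start, end, _ in find_batches(compromised, flagged, **kw):
        out.extend(t for t in compromised[start:end + 1] if t not in seen)
    return out


# Constructed sample: 40 tokenised cards in list order, no real card data.
COMPROMISED = [f"tok{i:03d}" for i in range(40)]
FLAGGED = ["tok010", "tok012", "tok013", "tok015", "tok031", "tok002"]

if __name__ == "__main__":
    print(find_batches(COMPROMISED, FLAGGED))
    print(cards_to_escalate(COMPROMISED, FLAGGED))
```

Isolated hits such as `tok002` and `tok031` do not form a batch; the cluster around positions 10 to 15 does, and the unused cards inside it are the ones to watch more closely.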
A white paper written by Paul Henninger on strategies following data loss can be found at www.actimise.com.
Henninger says that through working with many banks in the US, Europe and other parts of the world, it has been possible to identify some common gaps in both fraud strategies and technology relating to these cases.
There are a number of factors that, depending on the nature of existing infrastructure and processes, may make existing anti-fraud solutions more vulnerable to attacks that result from a data breach such as the one witnessed last year in the UK and most recently in the US.
Traditional approaches to dealing with data compromises need to evolve to account for the magnitude of the data stolen. Replacing large numbers of debit and credit cards is expensive and impacts consumer confidence in the card payment channel.
Watch Lists and False Positive Rates
In general, past experience in a number of geographies has shown that once a significant percentage of a population’s data has been compromised and placed in a watch list, the false positive rate involved in simple monitoring of that list is extremely high.
Without an effort or system to monitor customers and accounts for behavior that is likely to result from the criminal use of compromised data, any monitoring system will produce so many alerts that financial institutions will be forced to choose between significantly impacting legitimate customer transactions and simply ignoring the great majority of alerts on the compromised list. Neither of these is a good outcome, and both leave customers at risk.
“Financial institutions should make stronger demands of the in-house or third-party analytics partners with regard to the false positive performance of systems designed to monitor watch lists,” says Henninger. “One needs to ask – how effective have my existing methods for monitoring watch lists been, even prior to this major data compromise event?”
Front Door Assumptions
Because many of the highest profile fraud attacks have involved the online channel, some financial institutions have placed a significant bet on the effectiveness of front door, authentication-based solutions. While authentication is a critical part of any anti-fraud scheme and must be invested in, once criminals have a significant amount of customer data as a result of a data breach like the one in the UK, it is much easier for criminals to bypass authentication systems via customer service representatives and automated password recovery mechanisms.
Where existing detection systems rely too heavily on authentication to block fraudsters, as they do in some banks, financial institutions can be extremely vulnerable to losses resulting from data-driven compromises. “The question here should be – how much ‘weight’ am I giving to my authentication infrastructure compared to other measures, and should it be changed following today’s breach?” suggests Henninger.
Cross-Channel Challenges
Finally, although fraud detection schemes are increasingly robust, Actimize has witnessed very few institutions that have the ability to correlate suspicious activity across channels. As noted above, online activity may not be correlated with phone-based activity, and ATM activity may not be correlated with the risk associated with deposit activity. Fraud resulting from a data compromise is likely to move rapidly across these boundaries, so financial institutions may find that their current cross-channel plans need to be accelerated in order to avoid major loss events. One should ask – what is our ability to detect a test transaction done at a Point of Sale, or a call to the call center resetting a password, followed by an online account takeover?
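The following added example (not code from Actimize) ties the cross-channel question above to the earlier point about watch-list false positives: it compares alerting on every event for a listed account with alerting only on a precursor in one channel followed by an online follow-up. The event names, the 24-hour window and the account ids are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Hypothetical event vocabulary, assumed for this example only.
PRECURSORS = {("pos", "low_value_auth"), ("call_center", "password_reset")}
FOLLOW_UPS = {("online", "new_device_login"), ("online", "payee_added")}


def naive_alerts(events, watch_list):
    """Simple list monitoring: one alert per event on a listed account."""
    return [e for e in events if e["account"] in watch_list]


def correlated_alerts(events, watch_list, window=timedelta(hours=24)):
    """Alert when a precursor on one channel is followed within `window`
    by a follow-up on a different channel for the same listed account."""
    last_precursor = {}  # account -> most recent precursor event
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["account"] not in watch_list:
            continue
        kind = (e["channel"], e["type"])
        if kind in PRECURSORS:
            last_precursor[e["account"]] = e
        elif kind in FOLLOW_UPS:
            p = last_precursor.get(e["account"])
            if p and p["channel"] != e["channel"] and e["ts"] - p["ts"] <= window:
                alerts.append((e["account"], p["type"], e["type"]))
    return alerts


def ev(ts, account, channel, type_):
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "channel": channel, "type": type_}


# Constructed sample events; account ids are placeholders.
WATCH_LIST = {"A1", "A2", "A3", "A4"}
EVENTS = [
    ev("2024-01-01T09:00", "A1", "pos", "purchase"),
    ev("2024-01-01T10:00", "A2", "call_center", "password_reset"),
    ev("2024-01-01T10:40", "A2", "online", "new_device_login"),
    ev("2024-01-01T11:00", "A3", "online", "new_device_login"),
    ev("2024-01-01T12:00", "A4", "pos", "low_value_auth"),
    ev("2024-01-03T12:00", "A4", "online", "payee_added"),  # outside window
    ev("2024-01-01T13:00", "B9", "online", "purchase"),     # not on the list
]

if __name__ == "__main__":
    print(len(naive_alerts(EVENTS, WATCH_LIST)), correlated_alerts(EVENTS, WATCH_LIST))
```

On this sample, simple list monitoring raises six alerts across four accounts, while the correlated rule raises one, for the account whose call-center password reset was followed by an online login from a new device.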