Migration of Fraud to New Channels

by Geoff Noble | ASM | July-August 2008

In the June 2008 issue, Geoff Noble discussed the emergence of phishing as a form of online fraud. In this issue, he considers the threats facing telephone banking.

Despite the exponential growth of online banking in recent years, telephone banking remains a robust channel for many customers. According to Javelin Strategy and Research, 67 per cent of banking customers have used the phone channel to conduct a transaction in the last 12 months. In addition, with the implementation of strong authentication in the online channel, fraudsters have migrated to more vulnerable channels that are not as well-protected, including telephone banking. Leveraging the knowledge they gain through phishing attacks and other credential-gathering mechanisms, fraudsters are increasingly attacking IVR systems and Call Centres, both of which typically have weaker processes established to authenticate customers and are more prone to social engineering.

Protecting telephone banking transactions in order to reduce fraud has become a high-priority issue for financial institutions. According to “The State of Online Banking Security” report published by Aite Group in April 2007, many financial institutions are concerned about the threat posed by phone fraud and plan to implement stronger telephone banking authentication within the next 24 months.

In fact, according to the survey, 48 per cent of the Top 100 US banks are either “concerned” or “very concerned” about the threat of cross-channel fraud. This sentiment is no different in Australia and New Zealand. With an increase in fraudulent phone banking transactions and a desire to meet the FFIEC Guidance FAQ issued in August 2006 (in which applying protection to the phone channel is specifically addressed), the need to protect telephone banking transactions has become both critical and necessary.

Addressing Multi-Channel Fraud

Because online and telephone banking channels are often disconnected operational units within the structure of most financial institutions, multi-channel fraud is often overlooked.

Thus, identifying fraud attempts across channels remains a challenge.

According to Celent, “It is important for banks to take a multi-channel approach to security. Banks should also make use of multi-channel behavioural analysis tools that can help pinpoint potential fraudulent activities. Unusual account activity should raise a red flag.” [Source: Celent, “Multifactor Authentication: Forging Ahead in 2007,” July 2007]

Financial institutions that have already implemented protection of some form in their web platform would be wise to leverage that investment to implement multi-channel fraud analysis and authentication via a phone protection solution. This enables multi-channel sharing of risk assessment information in order to help financial institutions obtain a complete view of all banking transactions - regardless of the remote channel that the customer chooses to conduct those transactions. This multi-channel analysis of user behaviour and risk scores provides a comprehensive view of the customer’s typical banking activity patterns.

Such multi-channel risk analysis and fraud detection is further optimised when a financial institution also has risk-based transaction protection deployed to determine the specific patterns and suspiciousness of web activities which occur after the initial login. For example, let’s consider a fraudster that attempts to transfer $5,000 out of an account and is challenged to provide additional authentication. He fails the additional authentication and attempts to contact the Call Centre to do a transfer over the phone. The system – being able to draw on the recently failed attempt – automatically flags the activity as high-risk and refers it to the appropriate Customer Service Representative (CSR) to manually authenticate the caller, depending on the security policy of the financial institution.

The Solution: Preventing Multi-channel Fraud

A risk-based authentication solution to protect telephone banking transactions works by collecting phone activity data, analysing current and historical activity patterns, and generating a risk score which can be used by the financial institution. The risk-based scoring is transparent to the caller. And because only high-risk transactions are challenged, most callers proceed uninterrupted.

Risk-based Transaction Protection (for the Phone)

In addition to the protection it provides against emerging threats in the online channel, risk-based transaction protection can also be applied to the phone channel. When considering a risk-based authentication solution for the phone channel, financial institutions should consider the number and kinds of phone-specific risk parameters being measured such as:

  • Phone access patterns: Have we seen this Automatic Number Identification (ANI) before? Are its characteristics consistent?
  • User behavioural profiling: Is this behaviour (timing, amounts, channel, frequency, payee, etc.) typical?
  • Phone number spoofing: Is the call coming from a spoofed company or site?
  • Multi-channel fraud detection: Is there unusual Web activity associated with this account?
  • Transaction analysis: Is the activity inherently suspicious (e.g., is it a high-value transaction or fraudulent payee)?
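The following is an added example, not code from the article or from RSA: a toy phone-channel risk scorer that turns the parameters listed above into a score and a routing decision, and replays the $5,000 scenario from the earlier paragraph by feeding the online channel's "failed step-up" signal into the phone-side assessment. The weights, thresholds, 24-hour window, profile fields and sample calls are all constructed assumptions for illustration.

```python
# Added example (not the article's or RSA's code): a toy phone-channel
# risk scorer combining ANI history, spoofing consistency, transaction
# analysis and a multi-channel signal from the web channel. Weights,
# thresholds and sample data are constructed assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple


@dataclass
class CustomerProfile:
    """What the risk engine has learned about one customer across channels."""
    known_anis: Set[str]                  # ANIs seen on previous legitimate calls
    typical_max_amount: float             # largest transfer in recent history
    typical_payees: Set[str]              # payees used before
    recent_failed_web_auth: Optional[datetime] = None  # shared from the web channel


@dataclass
class PhoneEvent:
    """One telephone-banking request as seen by the IVR or call centre."""
    ani: str
    amount: float
    payee: str
    when: datetime
    ani_consistent: bool   # carrier/IVR checks agree the ANI is not spoofed


def score_phone_event(ev: PhoneEvent, prof: CustomerProfile) -> Tuple[int, List[str]]:
    """Return a 0-100 risk score plus the reasons that contributed to it."""
    score, reasons = 0, []
    # Phone access pattern: have we seen this ANI before?
    if ev.ani not in prof.known_anis:
        score += 20
        reasons.append("unseen ANI")
    # Phone number spoofing: do the ANI characteristics look inconsistent?
    if not ev.ani_consistent:
        score += 25
        reasons.append("ANI inconsistent (possible spoofing)")
    # Transaction analysis: inherently suspicious amount or payee?
    if ev.amount > prof.typical_max_amount:
        score += 25
        reasons.append("amount above customer's typical maximum")
    if ev.payee not in prof.typical_payees:
        score += 15
        reasons.append("new payee")
    # Multi-channel signal: a failed web step-up in the last 24 hours
    if prof.recent_failed_web_auth is not None and \
            timedelta(0) <= ev.when - prof.recent_failed_web_auth <= timedelta(hours=24):
        score += 40
        reasons.append("failed web authentication within 24h")
    return min(score, 100), reasons


def route(score: int) -> str:
    """Map a score to the action the IVR / CSR workflow takes."""
    if score >= 70:
        return "refer_to_csr"   # manual authentication per bank policy
    if score >= 40:
        return "challenge"      # e.g. knowledge-based questions
    return "allow"              # transparent to the caller


def assess(ev: PhoneEvent, prof: CustomerProfile) -> Tuple[str, int, List[str]]:
    score, reasons = score_phone_event(ev, prof)
    return route(score), score, reasons


# Constructed sample data reproducing the article's scenario: the fraudster
# failed a $5,000 web transfer step-up and now phones the call centre.
PROFILE = CustomerProfile(
    known_anis={"+61299990000"},
    typical_max_amount=2000.0,
    typical_payees={"electricity-co", "landlord"},
    recent_failed_web_auth=datetime(2008, 7, 1, 10, 0),
)
FRAUD_CALL = PhoneEvent("+61299990000", 5000.0, "mule-account",
                        datetime(2008, 7, 1, 11, 30), ani_consistent=True)
ROUTINE_CALL = PhoneEvent("+61299990000", 150.0, "landlord",
                          datetime(2008, 7, 3, 9, 0), ani_consistent=True)

if __name__ == "__main__":
    for call in (FRAUD_CALL, ROUTINE_CALL):
        print(assess(call, PROFILE))
```

The routine call scores zero and passes without the caller noticing anything, while the fraudster's call is pushed over the referral threshold almost entirely by the signal shared from the web channel; a phone-only engine that could not see the failed step-up would have scored it as merely "challenge".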

Knowledge-based Authentication

One of the ideal ways to authenticate high-risk users or those committing suspicious transactions in the telephone banking channel is through a form of identity proofing known as knowledge-based authentication (KBA). With knowledge-based authentication, a customer is presented with a series of top-of-mind questions utilising relevant facts on the individual obtained by scanning public records.

The answers to the questions are scored in real-time and a confirmation of identity is delivered within seconds without requiring any prior relationship with the user. An identity proofing solution such as knowledge-based authentication offers tremendous opportunities to increase revenue, improve customer satisfaction, protect against fraud, and enhance security. By using knowledge-based authentication, financial institutions rely on swift and accurate access to public records to authenticate users in real-time, without requesting intrusive information or impinging on their privacy.

Some knowledge-based authentication solutions offer the capability to adapt the level of difficulty of the questions based on certain high-risk events or business rules; some also automatically adjust for minor input errors, name variations and inconsistencies in public data.
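As an added illustration (not code from the article or from any KBA vendor), the block below scores a set of knowledge-based answers the way the two paragraphs above describe: answers are compared after normalisation with a fuzzy match so that minor input errors are absorbed, and the number of questions asked and the number that must be right scale with the caller's risk score. The "public record" facts, the similarity threshold, and the risk tiers are constructed assumptions.

```python
# Added example (not the article's or any vendor's code): a toy KBA scorer
# with typo tolerance and risk-adaptive question counts. Facts, thresholds
# and risk tiers are constructed assumptions for illustration.
import difflib
import re
from typing import Dict, List, Tuple


def normalize(text: str) -> str:
    """Lower-case, replace punctuation with spaces, collapse whitespace."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", text.lower()).split())


def answer_matches(given: str, expected: str, tolerance: float = 0.85) -> bool:
    """Exact match after normalisation, or similar enough to absorb a typo."""
    g, e = normalize(given), normalize(expected)
    if g == e:
        return True
    # Ratio of matching characters; 0.85 lets one transposed pair through
    # but rejects a different answer of the same length.
    return difflib.SequenceMatcher(None, g, e).ratio() >= tolerance


def question_plan(risk_score: int) -> Tuple[int, int]:
    """(questions asked, correct answers required); harder for higher risk."""
    if risk_score >= 70:
        return 5, 5
    if risk_score >= 40:
        return 4, 3
    return 3, 2


def score_kba(answers: List[str], record: Dict[str, str], risk_score: int) -> Dict[str, object]:
    """Score the caller's answers against public-record facts for this risk tier."""
    asked, required = question_plan(risk_score)
    facts = list(record.values())[:asked]
    if len(facts) < asked:
        raise ValueError("not enough public-record facts to ask %d questions" % asked)
    # Missing answers count as wrong rather than silently shortening the quiz.
    padded = list(answers[:asked]) + [""] * (asked - len(answers))
    correct = sum(answer_matches(a, f) for a, f in zip(padded, facts))
    return {"asked": asked, "required": required,
            "correct": correct, "passed": correct >= required}


# Constructed "public record" facts (not real data), keyed by question.
PUBLIC_RECORD = {
    "street of previous address": "Springfield Avenue",
    "city of birth": "Springfield",
    "year of first mortgage": "1998",
    "previous employer": "Acme Widgets",
    "make of first registered car": "Holden",
}
# Medium-risk caller: two typos, still clearly the right answers.
MEDIUM_RISK_ANSWERS = ["Springfeild Avenue", "Springfield", "1998", "Acme Widgits"]
# High-risk caller: one answer is simply wrong, which the strict tier rejects.
HIGH_RISK_ANSWERS = ["Springfield Avenue", "Shelbyville", "1998", "Acme Widgets", "Holden"]

if __name__ == "__main__":
    print(score_kba(MEDIUM_RISK_ANSWERS, PUBLIC_RECORD, 50))
    print(score_kba(HIGH_RISK_ANSWERS, PUBLIC_RECORD, 80))
```

The similarity threshold is the knob that trades friction against assurance: raising it towards 1.0 turns the scorer back into exact matching, while lowering it much below 0.85 starts accepting answers that differ in substance, not just spelling, so it should be tuned on real customer answer data rather than guessed.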

Solution Requirements

  • Relies on self-learning risk analytics, supports dozens of pre-defined transactions and custom “user-defined” activities
  • Provides visibility into previously unknown multi-channel fraud patterns (Web and Phone)
  • Behind-the-scenes monitoring for telephone banking with no change to the caller experience
  • Minimal operational impact and overhead due to low challenge rates
  • Leverage of existing deployment, contract, and vendor relationship

Conclusion

Financial institutions continue to face several challenges related to the telephone banking channel—the growing threat of phone fraud, increased regulatory requirements, the rising costs associated with manually authenticating callers, and ongoing pressure to attract and retain customers.

As long as the phone channel continues to be a key vehicle for financial institutions to interact with their customers, it must be assigned the same level of importance in terms of security as the online channel. Protecting this channel with increased security can help reduce fraud, address regulatory requirements, and reduce operational Call Centre costs—all while providing an improved user experience for telephone banking customers.

About the author: Geoff Noble is a banking and finance specialist with security vendor RSA, the Security Division of EMC.

Article Added: 21/08/2008