Martin Duffy, SAS Ireland
While the individual is responsible for protecting their identity from fraudsters, financial institutions should be taking a more pro-active approach to undermining tech-savvy criminals, says a leading business software provider.
Identity theft can occur in the most low-tech of scenarios, with even an unshredded letter being enough for any criminal willing to sift through bins. What technology has done is provide criminals with the opportunity to gather their information in increasingly passive ways, taking security away from even the most diligent of customers.
“The two biggest types of fraud are ‘phishing’ and credit card fraud [which] traditionally were very hard to address,” says Martin Duffy, technical director at business software firm SAS Ireland. “We saw banks up the ante by introducing Chip And PIN and now criminals are responding with more advanced machines.”
Though shredding your documents and protecting your PIN are still the default position in keeping your bank details out of the hands of criminals, some of the more advanced fraud technology out there means it may not be enough.
A prime example of this was seen in Ireland in August of last year, when a number of credit card terminals in shops were replaced by machines that transmitted card details via the mobile phone network to the fraud culprits. The machines in question looked exactly like standard card machines seen in shops up and down the country and were placed there by criminals masquerading as maintenance workers.
“There is an onus on the merchant to be as vigilant as the customer and ensure the system they have is correct and their staff are behaving appropriately,” says Mr Duffy. “The one group no-one is looking at in this is the bank; they can stop a transaction when they know it’s fraudulent and they need to be more pro-active.”
While such audacious attempts are still rare in Ireland they do take control out of the customer’s hands, while also allowing the beneficiaries of the crime to operate more remotely than ever before. Mr. Duffy believes a lot of the fault lies with the banks’ over-reliance on chip and PIN systems, which were intended to make things safer.
“What used to happen when payments were authorised by signature, criminals would have to create a card that looked like the real thing,” says Mr. Duffy. “Now they don’t even need to create a card as they can make purchases online or they can produce limitless plain plastic cards with your details on them and withdraw money from the ATM with them.”
When the customer’s own personal security practices are circumvented, the next step in the process is with the banks, which already monitor random payments for suspicious activity. Mr Duffy says the technology is now there for banks to monitor every payment in real time, meaning nothing can slip through the cracks by default.
“We have developed a system with HSBC that allows us to profile every single transaction that goes through a bank in milliseconds and understand if it matches the normal spending pattern of the customer,” he says. “If it doesn’t then the merchant is told that more information is required, which might be a security question or a verified signature. Likewise with online banking we can monitor the way users are navigating the page, which will show if they are acting differently or entering text in a way that only a bot could do.
“Up until this point the banks have not been able to process that kind of information in enough time, so the industry standard is for about one in every 15 transactions to be fully profiled and we’ve moved that to every transaction.”
The idea of every keystroke and cursor movement being logged may unnerve users but Mr Duffy insists there are no privacy concerns as the system is fully automated and nothing more than what marketers already do.
While its implementation would also require a reasonable investment by the bank in question, he also insists its immediate benefits will make it worthwhile. In the case of HSBC’s roll out of the software system, there was said to be a return on the investment after three months as a result of the fraud halted.
“The scale of the fraud problem in banks is hard to quantify as a lot of fraud just gets written off as bad debt,” he says. “What is certain is that it’s an expensive reality of banking and criminals will always go for the low hanging fruit when it comes to banks they target.”
Of course banks in Ireland have made their own attempts at fraud prevention, some more successful than others. With AIB, for example, customers using online banking now need a code card to set up new transfers. The code requested could be any of 100 given to the customer, meaning a fraudster with the user’s full login details would not be able to take money out of the account – at least not directly.
However, depending on the level of knowledge held by the criminal in question, all that may be needed is a bank statement, which in turn can be used to set up a loan in the victim’s name.
Though merchants and banks may have the ability to do more to stop this crime, and despite all the advances at the high end of fraud, the core principles of banking security remain the same – safeguard your details, shred your documents and look out for unusual ATMs and card terminals in shops.
An edited version of this article was published in Business & Finance magazine on the 18th June 2009.