The 1920s were big on criminal mystery novels; this was the decade of Agatha Christie’s Hercule Poirot, who, like many other famous detectives of his time, had to unlock devious puzzles involving the most twisted criminal schemes.
“And the butler did it, at least for the first hundred mystery novels or so. Everyone’s a suspect, and it’s always the least likely person, and after the first hundred or so, the butler wasn’t anymore... so they had to switch to unlikely criminals. You know, the harmless old lady or the vicar’s wife, that sort of thing, but it didn’t take the reader long to catch on to that, and they had to resort to having the detective be the murderer, and the narrator… The hero did it, only he didn’t know it” [from: To Say Nothing of the Dog, by Connie Willis]
One morning Mrs. X received a phone call from her mobile carrier. “Hello there, we’re calling to inform you that you’re late on your fees and we’ll need to disconnect you unless you pay the balance.”
Mrs. X didn’t argue; she pulled out her debit card and made the payment.
Five minutes later she got a call from her bank. It was the fraud team, reporting suspicious activity on the account. “Who did you pay?” asked the fraud investigator. “My mobile provider,” said Mrs. X.
“No, it wasn’t,” said the fraud rep. “It was someone else, and you just paid them 60 pounds… using your debit card. Which – not sure you’re aware – is actually connected to your bank account number? That’s quite risky, so we’ll need to switch you to a new account number. Let’s do it straight away: please log in to online banking, we’re going to give you a new bank account number, and please move ALL OF YOUR MONEY to this new bank account number.”
Mrs. X, now quite alarmed, went to her computer and logged into online banking. But then she hit a snag: she actually had too much money in her bank account. She couldn’t possibly move all of that in one go! “Don’t worry,” said the helpful fraud rep. “We’ll move it in chunks. Let’s first move 9,000 pounds; I will check it’s safely in the other bank account, and then we can continue with the rest of the transfers.”
It was a very long call – 45 minutes – during which Mrs. X made a total of four payments.
This is a real story. And if you now have a silly grin on your face, maybe it’s because you think – who the hell is silly enough to fall for something like THAT?
APP or Authorised Push Payment fraud is now officially the largest source of online banking fraud losses in the UK. It far surpasses ‘regular’ fraud types such as Account Takeover, malware, remote access attacks and all other forms of unauthorised online
According to UK Payments, APP fraud levels in 2017 were a staggering GBP 236 million. That’s over twice the volume of all other types of online banking fraud combined. There were about 43,000 reported incidents; if you do the math, that’s almost GBP 5,500 per victim, which is pretty impressive. Most of this money is never returned to victims, but regulators aren’t happy about that and are likely to enforce a change of policy in 2019.
Meanwhile, APP fraud is actually growing. The total number of cases in the first half of 2018 jumped 76% compared with the same period of the previous year – some of it because more banks began reporting the figure, and some because of the fact it’s so damn hard
Think about it: this is not an unauthorised payment. No criminal hand moves the funds. It doesn’t come from an untrusted device, it isn’t done by some malicious script, there’s no remote access. Hell – it’s not even a fraudster doing it. The REAL user is
both the thief AND the victim, like in a particularly twisted Agatha Christie plot. What on earth can banks use to raise a red flag?
Anomalous payment patterns or an unusually long time to complete a payment are pretty much the only signs of foul play the industry has come up with so far, and the false positive rates for those are quite horrible.
But this is changing. The science of behavioural biometrics is now being called to the rescue. The general idea is that something about the WAY the user interacts with the digital site is different: they were under duress, following the guidance of a con man talking to them over the phone, and that situation may have produced subtle differences compared with the normal way they pay online.
Subtle is the operative word here, making the exercise far easier said than done.
But difficult as it may sound, some UK banks are already making good progress in using behavioural biometrics to combat APP fraud. They’re leveraging a model that looks at subtle traces of human duress or unexplained changes in the way the user moves money.
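To make the two families of signals discussed above concrete (the traditional payment-pattern rules with their false positives, and the behavioural deviation that a duress session leaves behind), here is an added example that is not code from the article or from any bank’s fraud engine. It scores three constructed sessions against one user’s constructed baseline: a routine payment, a genuine one-off large payment to a new payee, and a session shaped like the 45-minute call in the story. The feature names, the baseline values, the thresholds and the two interaction features are assumptions made for illustration; a real behavioural-biometrics model would use many more.

```python
"""Scoring an online-banking payment session with transactional and behavioural signals.

Added example for this article; it is not code from the article or from any bank's
fraud system. The feature names, the per-user baseline and the three sessions below
are constructed for illustration.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List


@dataclass
class Session:
    label: str
    amount_gbp: float          # value of the payment being submitted
    new_payee: bool            # payee has never been paid from this account before
    payments_in_session: int   # payments submitted so far in this login session
    session_minutes: float     # time logged in before this payment was submitted
    key_interval_ms: float     # mean gap between keystrokes on the payment form
    form_pause_s: float        # longest pause before the form was submitted


@dataclass
class Baseline:
    """The user's own history, as a fraud engine would keep it (constructed values)."""
    amounts_gbp: List[float]
    key_intervals_ms: List[float]
    form_pauses_s: List[float]


def zscore(value: float, history: List[float]) -> float:
    """How many standard deviations `value` sits from the user's own history."""
    spread = pstdev(history) or 1.0   # avoid division by zero for a flat history
    return (value - mean(history)) / spread


def transactional_score(s: Session, b: Baseline) -> float:
    """The traditional signals: unusual amount, a new payee, a long session, chunked transfers."""
    score = 0.0
    if zscore(s.amount_gbp, b.amounts_gbp) > 2.0:
        score += 1.0
    if s.new_payee:
        score += 1.0
    if s.session_minutes > 30:
        score += 1.0
    if s.new_payee and s.payments_in_session >= 3:
        score += 1.0   # several transfers to one new payee in one sitting
    return score


def behavioural_score(s: Session, b: Baseline) -> float:
    """Deviation of the interaction style from the same user's baseline."""
    score = 0.0
    if abs(zscore(s.key_interval_ms, b.key_intervals_ms)) > 2.0:
        score += 1.0   # typing rhythm unlike the user's own (e.g. typing what a caller dictates)
    if zscore(s.form_pause_s, b.form_pauses_s) > 2.0:
        score += 1.0   # unusually long hesitation before submitting
    return score


def transaction_only_decision(s: Session, b: Baseline) -> str:
    """A rule built only on payment data: flags any unusual-amount payment to a new payee."""
    return "review" if transactional_score(s, b) >= 2.0 else "allow"


def combined_decision(s: Session, b: Baseline, threshold: float = 3.0) -> str:
    """Integrate both families of signals so one unusual payment alone does not trip review."""
    total = transactional_score(s, b) + behavioural_score(s, b)
    return "review" if total >= threshold else "allow"


# Constructed baseline for one user: everyday payments, steady typing, short pauses.
BASELINE = Baseline(
    amounts_gbp=[120, 80, 45, 200, 95, 60, 150, 110],
    key_intervals_ms=[180, 175, 190, 185, 170, 180, 195, 185],
    form_pauses_s=[4, 6, 5, 7, 4, 5, 6, 3],
)

# Three constructed sessions: a routine payment, a genuine one-off large payment
# to a new payee, and a session resembling the 45-minute call in the story.
SESSIONS = {
    "routine": Session("routine", 90, False, 1, 4, 182, 5),
    "large_genuine": Session("large_genuine", 5000, True, 1, 8, 184, 6),
    "duress": Session("duress", 9000, True, 4, 45, 240, 40),
}

if __name__ == "__main__":
    for s in SESSIONS.values():
        print(f"{s.label:14} transactional={transactional_score(s, BASELINE):.0f} "
              f"behavioural={behavioural_score(s, BASELINE):.0f} "
              f"rules-only={transaction_only_decision(s, BASELINE):6} "
              f"combined={combined_decision(s, BASELINE)}")
```

Run as a script, the payment-only rule sends the genuine large payment to review (the false positive the article complains about) while the duress session and the genuine one look identical to it; adding the behavioural deviation separates them, because the genuine payer still types and pauses like themselves. The scores here are hand-weighted for readability; the point is that the behavioural side carries information the payment fields alone cannot.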
Another measure coming up is an agreed infrastructure called Confirmation of Payee, designed for payee name verification: this real-time interface, which the banks have agreed to develop in 2019, will allow the originating bank to query the receiving bank for the beneficiary’s name. In the case of Mrs. X, she would see that the money is actually being transferred to a Mr. C. Criminal, and this should stop at least a good portion of the scams.
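The Confirmation of Payee exchange described above, as an added example with both sides of the query in one script; this is not code from the article, from any bank or from the UK scheme itself. The account register, the outcome names (MATCH, CLOSE_MATCH, NO_MATCH, ACCOUNT_NOT_FOUND), the 0.8 similarity threshold for a close match and the on-screen wording are all assumptions made for illustration.

```python
"""Simulated Confirmation of Payee (CoP) exchange between two banks.

Added example for this article; it is not code from the article, from any bank or
from the UK CoP scheme itself. The account register, the outcome names, the 0.8
similarity threshold and the on-screen wording are assumptions for illustration.
"""
import re
from difflib import SequenceMatcher

# Receiving bank's register of (sort code, account number) -> registered account name.
# Constructed records; the last one stands in for the article's 'Mr. C. Criminal'.
RECEIVING_BANK_REGISTER = {
    ("40-00-01", "12345678"): "MobileCo Billing Ltd",
    ("20-99-00", "55550000"): "Jane Smith",
    ("40-00-01", "87654321"): "Mr C Criminal",
}

TITLES = {"mr", "mrs", "ms", "miss", "dr"}


def normalise(name: str) -> str:
    """Lower-case, drop punctuation and titles so 'Mr. J. Smith' and 'j smith' compare equal."""
    cleaned = re.sub(r"[^\w\s]", " ", name.lower())
    return " ".join(tok for tok in cleaned.split() if tok not in TITLES)


def receiving_bank_confirm(sort_code: str, account_number: str, name_entered: str,
                           close_threshold: float = 0.8):
    """Receiving bank side of the exchange.

    Returns (outcome, registered_name). The registered name is disclosed only on a
    CLOSE_MATCH, so the payer can check it without the service becoming a name lookup.
    """
    registered = RECEIVING_BANK_REGISTER.get((sort_code, account_number))
    if registered is None:
        return "ACCOUNT_NOT_FOUND", None
    entered, on_file = normalise(name_entered), normalise(registered)
    if entered == on_file:
        return "MATCH", None
    if SequenceMatcher(None, entered, on_file).ratio() >= close_threshold:
        return "CLOSE_MATCH", registered
    return "NO_MATCH", None


def originating_bank_check(name_entered: str, sort_code: str, account_number: str) -> dict:
    """Originating bank side: query CoP before the payment is confirmed and decide what to show."""
    outcome, registered = receiving_bank_confirm(sort_code, account_number, name_entered)
    if outcome == "MATCH":
        return {"outcome": outcome, "proceed": True, "message": "Payee name matches the account."}
    if outcome == "CLOSE_MATCH":
        return {"outcome": outcome, "proceed": False,
                "message": f"The account is held in the name '{registered}'. Check with the payee before paying."}
    if outcome == "NO_MATCH":
        return {"outcome": outcome, "proceed": False,
                "message": "The name you entered does not match this account. A payment sent here may not be recoverable."}
    return {"outcome": outcome, "proceed": False, "message": "This account could not be checked."}


if __name__ == "__main__":
    # Mrs. X believes she is paying her mobile provider, but the caller gave her a different account.
    for entered, sc, acct in [
        ("MobileCo Billing Ltd", "40-00-01", "12345678"),   # genuine provider account
        ("Mobileco Billing", "40-00-01", "12345678"),       # small typing difference
        ("MobileCo Billing Ltd", "40-00-01", "87654321"),   # account dictated by the caller
        ("MobileCo Billing Ltd", "40-00-01", "00000000"),   # no such account
    ]:
        result = originating_bank_check(entered, sc, acct)
        print(f"{entered!r:26} -> {result['outcome']:18} {result['message']}")
```

The decision the payer sees is the whole value of the check, which is also its weak spot: it is rendered in the browser, the one place the article expects fraudsters to tamper with next. A bank would therefore record the CoP outcome server-side against the payment, so that a NO_MATCH payment that went through anyway is visible to the fraud team regardless of what the screen showed.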
And if you believe THAT, you probably haven’t seen how cyber criminals defeated each and every line of defense deemed insurmountable at the time.
They did this to the iron-clad IT security deployed by the banks to protect the digital channel: the bad guys stopped attacking the banks and instead hit the end-users with phishing attacks.
They did it to Strong Authentication, implemented in 2007 across the entire UK banking system: fraud levels tripled within 3 years, as Trojans like Zeus became the financial sector’s menace, lurking until the user passed the 2FA and THEN automatically moving funds.
They did it to dynamic linking and real-time hardware-based challenge-response smart card readers: malware authors developed a Man-in-the-Browser (MITB) capability to present fake pages and ask the user to pass the challenge.
Then they did it to state-of-the-art malware detection tools: fraudsters moved to Remote Access, which isn’t malware, and Social Engineering.
The bad guys are a shifty, creative and resourceful bunch. If you ask me, they’ll probably begin by concentrating the APP fraud attacks on malware victims; this will allow them to collect better intelligence on their victims, make sure they have lots of
money in the account, and then hide or alter the name presented on the screen using some stealthy malware scripts. This will allow them to completely evade the effect of the payee name verification.
Which is why fraud teams are not going to rely on such technical measures; they recognise the adaptive nature of their foes, and equip themselves with next-gen defenses that can solve the immediate problems but can also adapt to emerging threats. They implement AI-based decisioning systems that can integrate and amplify small signals. And they recruit data scientists and machine learning people so they can tackle some of the hard-to-crack cases faster and more effectively.
It’s never boring on the fraud fighting front!