
Authentication is failing, so turn on the burglar alarm

The Federal Bureau of Investigation recently issued a warning about ACH and wire transfers being routed to China after discovering that millions of dollars were being lost in bogus transfers.

The scheme is aimed at U.S. small business accounts where the fraudsters are unleashing Zeus and other malware on unsuspecting commercial customers who unknowingly click on links and open attachments that expose them to fraud.

In a recent blog article, Tracy Kitten at BankInfoSecurity mentions that fighting malware with authentication is a losing battle. Attacks like the one from China simply bypass authentication.

So are we fighting a losing battle? The rising figures for financial crime seem to imply she might be right. The UK National Fraud Authority, for example, recently put the loss to the UK economy from fraud at £38.4 billion. This is a staggering figure: it represents fraud costing each adult member of the population an average of £765 per year!

Based on such figures, the industry now knows that traditional front-end detection tools, such as ID authentication, will no longer stop criminals from getting into the system and stealing money.

This is not the case with back-end detection technology because, no matter which channel the fraudster uses, whether it is the Internet or ATMs, their criminal behavior will give them away. This is one of the key benefits of back-end transaction monitoring solutions that provide behavioral profiling and pattern recognition detection techniques. It is also one of the reasons why even the regulators are recommending that banks analyze the activities of their customers to identify possible fraud. FFIEC guidelines state this very clearly: “Financial institutions should rely on multiple layers of control to prevent fraud and safeguard customer information. Much of this control is not based directly upon authentication. For example, a financial institution can analyze the activities of its customers to identify suspicious patterns.”

So, if front-end detection tools like authentication act as a lock on the door, they also need a burglar alarm to give that all-important warning of suspicious activity. This alarm must have a series of systems that analyse the data received, provide early detection, investigate the suspicious activity conducted and quickly alert the bank on whether or not to act on it.

While nobody is supposing that back-end detection tools will in themselves solve the rising figures of financial crime, it is clear from endorsements such as that of the FFIEC that they are needed.

By combining front-end and back-end detection methods, financial institutions can better align their detection activities with the way the modern-day criminal perpetrates fraud across multiple channels, products and devices. With criminals finding new ways to ‘pick the locks’ of financial institutions, holistic technology is the way banks can best fight back and, most importantly, stay that one step ahead.


Comments: (2)

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune, 30 May, 2011, 12:12

Credit card transactions lack strong authentication - at least in the Card Present non-EMV world - so backend transaction behavior profiling systems are placed on the frontline of defence against credit card fraud. While they have proved their worth there, they still seem to be fraught with not insignificant levels of 'False Positives' i.e. declined transactions that were genuine, which results in lost revenue and customer dissatisfaction. 

On the other hand, online checking accounts have typically been using username-cum-password based single-factor authentication since their inception. Some 4-5 years after FFIEC mandated two factor authentication to boost security, it's not clear if all banks in the USA have achieved compliance to it.

Although backend behavior profiling solutions will likely be useful in the long run, more widespread adoption of 2FA might itself suffice for now in the fight against ACH fraud.

A Finextra member, 01 June, 2011, 15:27

Ketharaman - you have a good point - you are right that two factor authentication would help. Yet you are probably even closer to the truth in saying that a combination of improved authentication and back-end transaction monitoring will help further.

Clearly the "multi-layer" approach advised by the FFIEC is advisable. As you mention, each approach has its challenges, so there is no silver bullet, but clearly sticking to just authentication is not enough. Thank you for your comments on this.