In my last blog post I wrote about the problems banks will have with fraud detection when the three-day payment process window shortens dramatically from January 2012.
Because existing risk-engine strategies do not have the benefit of knowing the real-time status of the card holder, banks struggle to determine which transactions are fraudulent and which are genuine. With a shorter time frame in which to make checks, this problem is only going to get worse unless banks have a truly effective means of verifying the legitimacy of transactions.
One method many banks turn to is to call the customer and ask directly whether or not they are currently trying to make the transaction in question. Unfortunately, fraudsters are an increasingly determined bunch and it may not be as simple as
For example, when the bank phones the customer, how do they know that it is in fact the customer at the other end? If a fraudster has been clever enough to, for example, infect your computer with a Trojan, steal your online banking details and change the value and destination of your transaction, the likelihood is he may well know the answers to verification questions asked by the bank when it calls. This might sound extreme, but in fact cases of Pseudo Device Theft are on the rise. Fraudsters can not only contaminate an online transaction (e.g. man-in-the-browser attacks), they can also assume control of the mobile phone through techniques such as SIM Swap or Call Forward Unconditional.
The bank will ask the customer to confirm that he really does want to make this exceptionally large transaction, and the fraudster, posing as the customer, will be laughing all the way to his bank.
This example once again highlights how quickly the fraud landscape changes and how difficult a challenge banks face in keeping pace. And with more and more people banking and paying online and through a mobile phone, the problems only stand to increase unless security is addressed from the start and built into any system by design.
Fraudsters will always find new ways of stealing customer data, so banks need to seize this opportunity to address the way they tackle fraud. The key is to have a much more effective means of properly verifying a transaction and a person’s identity, so that even if a fraudster has stolen a customer’s details, they won’t be able to take advantage of them.