Multi-faceted fraud requires multi-factor authentication
There are more types of financial fraud to manage than ever before—debit and credit card, check, online banking, electronic, ACH—the list goes on. Fraudsters never give up. They keep old-fashioned, small-scale scams in play while looking for additional ways to penetrate financial institutions. An example is cross-channel or multi-faceted fraud, where information is gained in one channel and used to commit fraud in another, making it even more challenging to combat.
Multi-faceted fraudsters obtain PINs through phishing or ATM skimming and use stolen data such as social security numbers, passwords, and email addresses to implement their schemes. Armed with this information, they employ social engineering to target unsuspecting customer service representatives (CSRs) and trick them into changing sensitive account data. Once they have charmed their way in, they can use any channel to commit fraud against the account.
This is one way that cross-channel fraud can occur. A fraudster obtains a list of social security numbers and begins contacting call centers with the intention of gaining the trust of the CSR: "I’m on vacation and really need to make a withdrawal, but can’t remember my account number. Would it be possible to give you my social security number for verification?"
If there is an account associated with the stolen social security number, bingo. The CSR gives them the information they need to gain access and drain the funds. If there isn’t a matching social or the fraudster gets denied, they keep calling until they find a hit and get in. What seems like a reasonable customer request becomes the perfect crime.
Fraud threats are escalating for consumers and financial institutions, and businesses across all industries are not immune either: Premera Blue Cross, Anthem, Sony Pictures, and Starwood Hotels and Resorts are just a few of the companies recently targeted.
In fact, the FBI reported losses of more than $1 billion from October 2013 through August 2015 as a result of business email compromises, also known as corporate account takeover. The thieves use malware to steal passwords that provide access to company email systems, then falsify wire-transfer instructions for legitimate purchases.
Businesses need to be in a position where they can detect and stop fraudsters from stealing data, changing data, or infiltrating their systems. In many of these breaches the companies didn’t know for several months that they had been compromised.
Robert Herjavec, founder of the Herjavec Group, recognized as a global leader in information security, and one of the leading sharks on ABC’s Shark Tank, spoke recently at a financial industry conference. His message was clear: it is impossible to stop a security breach, but it is your responsibility to know how long an adversary has been on your network and respond quickly.
Where do we go from here?
Watch for things that are out of character. If someone is attempting a large wire transfer online, send a one-time passcode via text that the customer must enter to finalize the transaction. This type of out-of-band authentication ensures the request is legitimate and decreases false positives.
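The out-of-band step described above, sketched as an added example that is not part of the original article: a wire that is out of character for the customer is held until a texted one-time code is entered, and the code is bound to the payee and amount so that altered wire instructions cannot reuse it. The 5x threshold, five-minute lifetime, three-attempt limit and all function names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # per-process secret; a real service would load it from a key store
STEP_UP_MULTIPLE = 5     # assumed policy: challenge wires above 5x the customer's typical amount
CODE_TTL_SECONDS = 300   # assumed: a code is valid for five minutes
MAX_ATTEMPTS = 3         # assumed: the transfer is cancelled after three wrong codes


def needs_step_up(amount, typical_amount):
    """Out-of-character check: is this wire far above the customer's usual size?"""
    return amount > STEP_UP_MULTIPLE * typical_amount


def _tag(code, account, payee, amount):
    # Bind the code to the transfer details, so a code issued for one payee
    # and amount cannot approve a transfer that was altered afterwards.
    msg = repr((code, account, payee, f"{amount:.2f}")).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def hold_transfer(account, payee, amount, now=None):
    """Hold a wire; return (pending record, code to text to the phone on file)."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    pending = {"account": account, "tag": _tag(code, account, payee, amount),
               "expires": now + CODE_TTL_SECONDS, "attempts": 0, "state": "pending"}
    return pending, code


def confirm_transfer(pending, code, payee, amount, now=None):
    """Release the wire only for the right code, in time, for unchanged details."""
    now = time.time() if now is None else now
    if pending["state"] != "pending":
        return "not pending"               # codes are single use
    if now > pending["expires"]:
        pending["state"] = "expired"
        return "expired"
    if hmac.compare_digest(pending["tag"], _tag(code, pending["account"], payee, amount)):
        pending["state"] = "released"
        return "released"
    pending["attempts"] += 1
    if pending["attempts"] >= MAX_ATTEMPTS:
        pending["state"] = "cancelled"
        return "cancelled"
    return "rejected"
```

Only the keyed tag is stored with the pending transfer, never the code itself, so a leaked pending record does not reveal the code.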
Apply layered security. Mobile devices can be used to verify consumers (phone printing) in combination with voice biometrics. Phone printing gathers information from the phone to detect whether the call is originating from the location the caller claims as well as the phone type—cell, landline, or voice over IP (VoIP). This helps decrease call center scams by providing a list of known bad devices to prevent future attacks by the same fraudster.
Combating multi-faceted fraud takes multi-factor authentication. It can be a difficult balance for banks that want to provide a great customer experience without a lot of friction, but it is a necessary step in fighting new types of fraud.
Vigilance will be critical as transactions increasingly move online and threats continually change.