6 Steps to Reduce Online Fraud
Fraud Expert Details What Must Be Done to Protect Business AccountsMike Urban, senior director of Fraud Solutions at FICO, has studied this question and offers his observations on how institutions and customers can fight back against the risks of online fraud.
"Really, the problem is that ACH fraud can be as lucrative or even more than physically breaking into a retail establishment and stealing card data," Urban says. "It can really be lucrative for a one-time hit on a business." This puts institutions and their business customers in a "Catch-22" position, because small and medium businesses want easy access to their accounts, and institutions look at fraud detection on these accounts as an added expense. "But somehow institutions and businesses have to get closer to the middle and strike the right balance," Urban says.
Current Fraud Trends
There are three variations of fraud that Urban sees as particularly prevalent now:
- First Party - where criminals open accounts and use them as pass-through accounts to move money. Additionally, Urban says there also may be legitimate business owners who are kiting -- they create additional float so they have additional line of credit. "They're not meaning to defraud the bank, but creating float type of credit," he says.
- Internal - where employees sell information about a business' accounts to outside organizations. Another scenario is where the small business employee who is accessing the business accounts moves out money and then leaves town. One twist to detecting internal fraud is the possibility that employees who perform the transactions will muddy the trail by saying their account credentials were taken in a phishing email. "They can almost use that as an excuse, and it can't be proven unless the business has internet web logs," Urban says. "So it is hard to prove if the employee was colluding with outsiders, or their account actually was phished."
- Third party - where most of the warnings are coming in via phishing, social engineering or spear-phishing. There are even infected webpages that can compromise a user's PC. "Criminals attack the business, compromise the online credentials and move money out of the accounts," he says.
The increasing number of fraud events being reported by institutions and their business customers isn't a mystery to Urban, who sees a number of factors that increase the chances that a small business would fall prey to criminals attacking their online banking accounts.
"The fact is that businesses want easy access to their accounts, and typically small and medium businesses are understaffed and overworked," he says. Along with this is the level of trust built in those organizations, where employees are even getting access to the business's records from outside locations, even on vacation, so the financials are exposed. "This reduces the ability to enact dual controls, as the amount of trust given to employees is high," he says.
One potential solution: Businesses should designate a single computer for only online banking transactions. "Having a separate computer is costly and often unworkable for a small business," Urban says. "What if the owner needs to access or employees need to access from home or from laptop outside of the company?"
Urban says ACH fraud is only one of the indicators of how big the problem of fraud is becoming. "Cybercrime is such a pervasive problem, I don't think we even have a good picture of how big it is, and we've not gotten our arms around the size of the problem." He says the industry has seen glimpses into some of these attacks, including the Google hack, but that awareness is still an issue. "Many businesses have the mindset that 'it's not going to happen to me,' but it is growing rapidly."
Areas to Improve Security
Many institutions impose transaction limits as a way to stop fraud. Urban calls this a "stop gap measure" and suggests these additional steps:
- Account Level Check - Look at the types of transactions that are happening -- what is typical behavior, logins, when they happen. "Then if they start logging in at night or over weekend, that's a red flag to hold transactions until you can talk to the business owner, stopping fraud from taking place," Urban says. The key is to use analytics to scope "out of the ordinary" transactions. "Look across all of the customer's behavior to spot what is unusual for that account holder."
- Create Unique Account User IDs - Make sure users all have different log-in identification. Do not let them use the same user name and password. There should be a unique user names for each person in order for the institution to be able to create unique profiles of use for each of the users. "This is similar to the PCI requirements; for anyone who accesses data, they each need a separate log-in."
- Dual Control - Have two unique users approve transactions. "If you can implement that, it goes a long way in reducing the chances of criminals stealing from the SMB account with a single user logon, and it also stops the threat of internal fraud as well," Urban says.
- Multi-Factor Authentication - Even though this solution is susceptible to man-in-the-middle and man- in-the-browser attacks, Urban sees it as an effective layer of protection. "A lot of times business owners will ask 'I have so many users on the account' how many tokens will I need?' You need a unique token for every user."
- SMS Messaging - This out-of-band message to users and account owners is important. It can be bypassed if a criminal can get into and change numbers or email contacts. But Urban says an institution can get around that by contacting the old number or email when a change is requested to verify that it was the account holder -- not a criminal -- making that request. "This is something that banks already do with address changes," Urban says. "You need to realize that criminals will go in and change email and phone number contact information, so it is a heads-up that something is taking place."
- IP-Email Address Controls - Only allowing certain email address/IP locations to go to the bank's online website to do transactions is another good control to put in place. It can be overcome, but it is another good layer of control. Urban notes "What's the risk that someone has just changed their phone and email contact information and is coming in from another email IP location to make these transactions? If they're coming in from another IP address, by looking at the risk, the institution can stop and look at it and question the transaction."