Global Fraud Trends: How to Avoid the ScamsInterview with Mike Urban, Sr. Director, FICO
Mike Urban, Senior Director of Global Fraud Solutions at FICO, discusses:
Urban has 15 years experience in fraud management. He currently serves as senior director, Fraud Solutions, for FICO. He analyzes fraud issues and trends to provide continuous improvements in fraud detection technology. He also regularly works with law enforcement to help prosecute criminals and has been responsible for uncovering several crime rings in the US.
As a renowned industry expert, Urban regularly speaks about fraud trends, best practices and solutions to industry groups. He has been quoted in numerous publications including the New York Times, MSNBC, Computer World, American Banker and ATM & Debit News. He has also written articles that have appeared in such publications as DM Direct, Bank Technology News and the ISSA Journal.
He is also a founding executive committee member of the Global ATM Security Alliance (GASA), and is a member of and the American Society of Industrial Security (ASIS). Urban is a steering committee member for the Santa Fe Group Vendor Council, which is a collaborative forum of fraud, risk and compliance vendors who work as industry activists on non competitive fraud issues.
His industry recognition includes GASA Crime Fighter of the Year 2005 and ATMIA Most Influential Member of the Year 2004.
NOTE: FICO World 2010 is upcoming in Miami, April 13-16. One of the event speakers will be Tom Field, editorial director of Information Security Media Group, discussing the latest research on fraud trends and other key topics.
TOM FIELD: What are the key trends in fraud in 2010? Hi, this is Tom Field, Editorial Director with Information Security Media Group, and I am talking about fraud with Mike Urban, Senior Director of Global Fraud Solutions with FICO. Mike, thanks so much for joining me today.
MIKE URBAN: Hi, Tom, thanks for having me. I really enjoy listening to your podcasts, and it is my pleasure to be here with you today participating on one.
FIELD: Well, that is great. Mike, just to get us started, maybe you can give us just a little bit of an introduction to yourself and talk a bit about your background and your role today with FICO.
URBAN: Sure. I have been with FICO for about 14 years, and my focus has been on identifying transactional financial fraud across multiple areas.
FIELD: Well, Mike, our audience, particularly in the banking side, is talking all about ACH fraud and ATM fraud today. What are the trends that you are most seeing?
URBAN: So, I think maybe the question should be what trends aren't we seeing? But seriously I think what we are looking at from a larger perspective is we are really seeing a broad range of fraud attacks that are increasing in size and velocity against financial institutions. And this is really directly related to the growth of organized criminals making financial fraud a major revenue stream for them, and for relatively small investments criminals can get a pretty significant return on investment in just their first successful attack.
So some of the areas that we are seeing: of course, perennially, card compromises, some of the new or growing techniques -- there is a particular hacking technique in point of sale terminals where criminals are hacking into smaller merchants and able to get inside the point of sale terminal through a hacking attempt to actually be able to compromise the card data. There have been several attacks outlined over the last couple of months. We are not really sure exactly what it is that they are doing, but we know that they are morphing those attacks. And, of course, ATM skimming attacks against financial institutions -- we have been seeing dramatic increases in that.
Another area is really around the use of social media information on attacks, and this is ranging from phishing attacks on social media users to account takeovers. It is something that I call TMI, which is too much information. I think from a societal perspective we are still getting used to social media and really how much information we should be putting out that is really broadcasted to the world and then recorded in search engines for very long periods of time. You have probably heard of a website called HYPERLINK "http://www.pleaserobme.com" www.pleaserobme.com, and that is where some people got together, and it is not really to rob people, but it is to demonstrate the amount of information that is out there. They are targeting a specific application where people update when and where they are traveling, and when they are traveling that means that they are not at home. So it is something that we really need to pay attention to and be aware of. Certainly, the wave of attacks related to the Zeus Trojan and others targeting small businesses, as well as consumers, is another area of concern. The writers of Zeus have continued to make it easy for people to buy the application and customize it in many, many ways that makes it difficult for virus signatures to pick it up. And obviously we are seeing a significant increase in attacks on business accounts because generally business accounts hold more money than personal accounts.
Also, I think finally to speak a little bit about first party fraud. That is an attack where the criminal is coming into a financial institution either as themselves or as someone else with the intention of defrauding the financial institution.
FIELD: Well, Mike given that landscape, and it is a broad one, where would you say that organizations are most vulnerable to these fraud scams today?
URBAN: Well, it really depends on the financial institution and the particular schemes which are targeted at them. You know, every financial institution has different strengths and weaknesses, and that alters their attack surface. You can have a very strong attack surface, but for instance an insider stealing account information can slip right through that attack surface.
Criminals will accelerate attacks where and on whom they make the most money, and so the key is really understanding a customer's behavior across the channel and a lot of financial institutions just don't have the technological capability to do that yet. So, let's say that a criminal has compromised debit card track information somewhere. There are many of those compromises -- in fact several really massive ones over the years -- but they don't have a PIN. So they may try to call that particular banking center and attempt to guess the PIN, so that they can then withdraw cash from an ATM.
So these multiple attempts to guess the PIN are not tied to a risky ATM transaction that takes place shortly thereafter. So maybe the telephone banking side of the financial institution was aware that there was an excessive number of PIN attempts through the telephone channel, but there was no way to connect that information to the card authorization system and stop the ATM withdrawal before the money was dispensed.
So, the authorization was a result of what I would call a disconnected decision. So the key is the ability to correlate unusual behavior for the customer with a fraudulent transaction pattern and then stop the transaction in real-time.
FIELD: Mike, what would you say the biggest challenges are to preventing fraud? Are they human? Are they technological? Or are they really both?
URBAN: Well, I think financial institutions are in a Catch 22, right? Their customers want easy access to their funds, but they also want the vault-like protection. Creating and maintaining a balance of easy customer access and strong fraud detection is really the biggest challenge to financial institutions today. So, part of this challenge is having real-time detection of threats across payment channels. What we see today are efforts to consolidate fraud alerts from disparate systems into a single work flow, and it is good to at least get the fraud alerts coming together into a single place, but the key to effectively managing that risk is not just bringing those alerts together, but enabling real-time analytic analysis and decisioning strategies that stop the payments for the right reason before the money moves.
This increases efficiency and lowers false positive rates and prepares financial institutions for the next type of attack. Criminals know the capabilities of each financial institution, and they have a profit and loss perspective on their attacks. An attack doesn't work on a particular financial institution; they target others where the payback is larger.
FIELD: So, I know at FICO, Mike, certainly you are involved with helping your customers to be able to detect and prevent fraud, maybe you can offer an example of how one of your customers has particularly been able to prevent being a victim?
URBAN: So again, real-time transaction decisioning, which includes looking at a customer's behavior score and the fraud risk score and every transaction, whether it is a monetary transaction or a non-monetary transaction such as an address change. And by combining these views of your customer, you are able to serve your customer better and identify more instances of fraud.
So some examples around this, one would be Banamex, which is owned by Citigroup, in Mexico, had card fraud losses of around 100 basis points and they were running at a false positive rate of about 50 to 1. So, for every fraud that they caught, they had to reach out to 50 different customers. Since implementing Falcon Fraud Manager, running in real-time, they were able to lower their fraud losses to 8 basis points at an 11 to 1 false positive ratio.
So the benefits are really lower fraud, less dollars in fraud lost, lower operational costs, there are fewer people contacting customers, more transactional income because you are getting more transactions that are legitimate transactions taking place and taking interchange and other fees, and higher customer satisfaction because they are not getting touched so often, and there is actually less fraud on their accounts.
From a first party fraud standpoint, we worked with a large international financial institution that deployed a FICO custom model at the point of loan acceptance and was able to detect over 45 percent of the first party fraud cases at a 2 percent review rate and a false positive rate of less than 2 to 1. So. bringing advanced analytics to the fraud problem allows you to respond to real and growing threats in real time and I think that is what FICO brings to the table.
FIELD: Mike, one last question for you. If you could boil it down and offer just a single piece of advice to an organization looking to reduce fraud today, what would you advise?
URBAN: You know, stepping back a little bit to the big picture. Again, we have got local and criminal groups who are targeting financial institutions from multiple points. So my one piece of advice is to bring in outside fraud consulting expertise to perform a health check on your fraud operations; generally there are going to be several within a financial institution.
This process will access your operational performance and ensure that you are taking advantage of the tools and knowledge that you have already got in-house in a coordinated and effective way. And then you can identify specific fraud loss areas that can be targeted for improvement, and each of these improvements should be part of a larger roadmap that is leading to a rea- time transaction monitoring and decision environment.
FIELD: Very good, Mike. I appreciate your time and your insight today. Thank you so much.
URBAN: Thank you, Tom.
FIELD: We have been talking with Mike Urban, Senior Director of Global Fraud Solutions with FICO. For Information Security Media Group, I'm Tom Field. Thank you very much.