The Fraud Puzzle: Assembling the Pieces of Payment Security

Following our previous blog 'Rethinking AML: A Call for Innovation and Efficiency' ("https://bankloch.blogspot.com/2024/02/rethinking-aml-call-for-innovation-and.html"), where we navigated the complex world of AML and pinpointed three primary categories of malicious financial activities:

• Money laundering: Transforming proceeds from illicit activities into seemingly legitimate funds.

• Sanction bypassing: Circumventing governmental sanctions.

• Payment Fraud: Exploiting stolen or fake payment details to illicitly acquire goods or funds.

Focusing on Payment Fraud, we discern two principal categories: insider (internal) fraud, conducted from inside an organization by its own staff, and external fraud, perpetrated by outsiders like customers or suppliers. This blog delves into external fraud within the financial sector, particularly the unauthorized extraction of customer funds. This subset of "Payment Fraud" can be further split-up in several types, depending on the tactic used for the fraud:

• Phishing: A social-engineering strategy that deceives individuals into revealing sensitive information. This category encompasses a broad spectrum, from widespread email phishing to more personalized attacks like Spear Phishing and Whaling, extending to SMS (Smishing), voice (Vishing), and QR codes (Quishing).

• Skimming: The use of skimmers by fraudsters to capture credit or debit card data at ATMs or sales terminals.

• Identity theft: Unauthorized use of someone’s personal information for fraudulent transactions or account openings.

• Chargeback fraud: Customers falsely disputing a legitimate charge, claiming non-receipt of goods or services, or denying the transaction altogether. This type is also known as "friendly fraud".

• Business email compromise: Unauthorized access to business emails to initiate fraudulent transfers.

• Card-not-present fraud: Fraudulent transactions conducted online or over the phone using stolen card details.

• Credential Stuffing: Utilizing stolen credentials, typically collected from data breaches and sold on the Dark Web, to access accounts under the assumption of reused passwords.

• SIM Card Swapping: Persuading a mobile carrier to reassign a victim’s phone number to a new SIM card, undermining two-factor authentication (2FA) measures.

• Malware: Installing malicious software to hijack bank accounts.

• Man-in-the-Middle Attacks: Intercepting communications between a financial institution and its clients.

Many of these fraud types fall under "Account Takeover Fraud" (ATO), where cybercriminals gain control of a victim’s account. However, fraud can also occur without direct account access, as seen in "Spoofing" scams, where fraudsters impersonate legitimate entities to deceive victims into making transfers to their accounts. E.g. a cybercriminal could counterfeit an invoice of a customer’s supplier. If done well, almost no difference can be identified with a legitimate invoice, except of course that the IBAN does not belong to the supplier but to the cybercriminal. This type of fraud is becoming increasingly common, a reason why the new European directives on PSD3 and Instant Payments will force banks to execute IBAN-Name checks.

The extensive list of techniques described above shows that cybercriminals use a variety of techniques to gain access to the money of their victims. As such, addressing Payment Fraud necessitates a multi-faceted approach, combining technological solutions with vigilant practices.

A foundation element to better identify the customer is MFA or Multi-Factor Authentication, which significantly reduces unauthorized access by requiring multiple verification factors (something you know, something you have and/or something you are). For further insights on this, check out my blog "Multi-Factor Authentication and Identity Fraud Detection in the Financial Services Industry" - "https://bankloch.blogspot.com/2020/02/multi-factor-authentication-and.html")

Beyond MFA, Risk-Based Authentication (RBA) offers a dynamic layer of security by adapting authentication requirements based on the user’s behavior and context, enhancing both security and usability. This approach may involve:

• Behavioral Biometrics & Analytics: Analyzing user behavior patterns, such as typing speed, the way the user moves his mouse over the screen, the way the user holds his mobile phone in his hand, the typical flow the user follows in the banking app…​

• Device & Network settings: Monitoring IP addresses (e.g. known or new IP address, geo-location of the IP), device types (incl. browser type), and network characteristics (e.g. VPN used or not) for anomalies.

• User activity: Evaluating the nature and history of user actions to assess risk.

• Transaction data: Scrutinizing transaction details (e.g. transaction amount, existing or new counterpart, sector of counterparty…​) for irregularities.

• Timing: Considering the usual timing of user interactions for any anomalies.

By adopting a holistic view of user activity, banks can impose additional controls as needed, striking a balance between security and convenience.

Improving the identification and evaluation of counterparties involves various controls and alerts, including:

• IBAN - Name Checks: Verifying the match between IBAN and counterparty names.

• Customer Profile Alignment: Assessing whether transactions align with the user’s typical behavior.

• Sanction and Blacklist Screening: Comparing counterparties against official and internal lists (i.e. allow customers to report themselves also malicious IBANs and counterparties).

• Risk and Financial Scoring: Evaluating the counterparty’s credibility and trustworthiness using public (e.g. published annual reports) and private records.

• Improved KYC and AML screening for customer onboarding, i.e. if malicious customers cannot open a bank account, it adds an additional burden to do payment fraud.

The rise of cybercrime emphasizes the need for robust fraud prevention strategies within the banking sector. The advent of innovative technologies, particularly from RegTech firms, is crucial. Yet, their effectiveness depends on the availability of comprehensive, real-time, and historical data.

As financial institutions grapple with data silos, dismantling these barriers is essential for improving fraud detection and securing the financial ecosystem. By creating an environment where data from various sources can be seamlessly integrated, banks are better positioned to address the growing challenge of cybercrime.