The Fraud Puzzle: Assembling the Pieces of Payment Security

Following our previous blog 'Rethinking AML: A Call for Innovation and Efficiency' ("https://bankloch.blogspot.com/2024/02/rethinking-aml-call-for-innovation-and.html"), where we navigated the complex world of AML and pinpointed three primary categories of malicious financial activities:

Money laundering: Transforming proceeds from illicit activities into seemingly legitimate funds.
Sanction bypassing: Circumventing governmental sanctions.
Payment Fraud: Exploiting stolen or fake payment details to illicitly acquire goods or funds.

Focusing on Payment Fraud, we discern two principal categories: insider (internal) fraud, conducted from inside an organization by its own staff, and external fraud, perpetrated by outsiders like customers or suppliers. This blog delves into external fraud within the financial sector, particularly the unauthorized extraction of customer funds. This subset of "Payment Fraud" can be further split-up in several types, depending on the tactic used for the fraud:

Phishing: A social-engineering strategy that deceives individuals into revealing sensitive information. This category encompasses a broad spectrum, from widespread email phishing to more personalized attacks like Spear Phishing and Whaling, extending to SMS (Smishing), voice (Vishing), and QR codes (Quishing).
Skimming: The use of skimmers by fraudsters to capture credit or debit card data at ATMs or sales terminals.
Identity theft: Unauthorized use of someone’s personal information for fraudulent transactions or account openings.
Chargeback fraud: Customers falsely disputing a legitimate charge, claiming non-receipt of goods or services, or denying the transaction altogether. This type is also known as "friendly fraud".
Business email compromise: Unauthorized access to business emails to initiate fraudulent transfers.
Card-not-present fraud: Fraudulent transactions conducted online or over the phone using stolen card details.
Credential Stuffing: Utilizing stolen credentials, typically collected from data breaches and sold on the Dark Web, to access accounts under the assumption of reused passwords.
SIM Card Swapping: Persuading a mobile carrier to reassign a victim’s phone number to a new SIM card, undermining two-factor authentication (2FA) measures.
Malware: Installing malicious software to hijack bank accounts.
Man-in-the-Middle Attacks: Intercepting communications between a financial institution and its clients.

Many of these fraud types fall under "Account Takeover Fraud" (ATO), where cybercriminals gain control of a victim’s account. However, fraud can also occur without direct account access, as seen in "Spoofing" scams, where fraudsters impersonate legitimate entities to deceive victims into making transfers to their accounts. E.g. a cybercriminal could counterfeit an invoice of a customer’s supplier. If done well, almost no difference can be identified with a legitimate invoice, except of course that the IBAN does not belong to the supplier but to the cybercriminal. This type of fraud is becoming increasingly common, a reason why the new European directives on PSD3 and Instant Payments will force banks to execute IBAN-Name checks.

The extensive list of techniques described above shows that cybercriminals use a variety of techniques to gain access to the money of their victims. As such, addressing Payment Fraud necessitates a multi-faceted approach, combining technological solutions with vigilant practices.

A foundation element to better identify the customer is MFA or Multi-Factor Authentication, which significantly reduces unauthorized access by requiring multiple verification factors (something you know, something you have and/or something you are). For further insights on this, check out my blog "Multi-Factor Authentication and Identity Fraud Detection in the Financial Services Industry" - "https://bankloch.blogspot.com/2020/02/multi-factor-authentication-and.html")

Beyond MFA, Risk-Based Authentication (RBA) offers a dynamic layer of security by adapting authentication requirements based on the user’s behavior and context, enhancing both security and usability. This approach may involve:

Behavioral Biometrics & Analytics: Analyzing user behavior patterns, such as typing speed, the way the user moves his mouse over the screen, the way the user holds his mobile phone in his hand, the typical flow the user follows in the banking app…
Device & Network settings: Monitoring IP addresses (e.g. known or new IP address, geo-location of the IP), device types (incl. browser type), and network characteristics (e.g. VPN used or not) for anomalies.
User activity: Evaluating the nature and history of user actions to assess risk.
Transaction data: Scrutinizing transaction details (e.g. transaction amount, existing or new counterpart, sector of counterparty…) for irregularities.
Timing: Considering the usual timing of user interactions for any anomalies.

By adopting a holistic view of user activity, banks can impose additional controls as needed, striking a balance between security and convenience.

Improving the identification and evaluation of counterparties involves various controls and alerts, including:

IBAN - Name Checks: Verifying the match between IBAN and counterparty names.
Customer Profile Alignment: Assessing whether transactions align with the user’s typical behavior.
Sanction and Blacklist Screening: Comparing counterparties against official and internal lists (i.e. allow customers to report themselves also malicious IBANs and counterparties).
Risk and Financial Scoring: Evaluating the counterparty’s credibility and trustworthiness using public (e.g. published annual reports) and private records.
Improved KYC and AML screening for customer onboarding, i.e. if malicious customers cannot open a bank account, it adds an additional burden to do payment fraud.

The rise of cybercrime emphasizes the need for robust fraud prevention strategies within the banking sector. The advent of innovative technologies, particularly from RegTech firms, is crucial. Yet, their effectiveness depends on the availability of comprehensive, real-time, and historical data.

As financial institutions grapple with data silos, dismantling these barriers is essential for improving fraud detection and securing the financial ecosystem. By creating an environment where data from various sources can be seamlessly integrated, banks are better positioned to address the growing challenge of cybercrime.

Comments

Transforming the insurance sector to an Open API Ecosystem

1. Introduction "Open" has recently become a new buzzword in the financial services industry, i.e. open data, open APIs, Open Banking, Open Insurance …, but what does this new buzzword really mean? "Open" refers to the capability of companies to expose their services to the outside world, so that external partners or even competitors can use these services to bring added value to their customers. This trend is made possible by the technological evolution of open APIs (Application Programming Interfaces), which are the digital ports making this communication possible. Together companies, interconnected through open APIs, form a true API ecosystem , offering best-of-breed customer experience, by combining the digital services offered by multiple companies. In the technology sector this evolution has been ongoing for multiple years (think about the travelling sector, allowing you to book any hotel online). An excellent example of this

Are product silos in a bank inevitable?

Silo thinking is often frowned upon in the industry. It is often a synonym for bureaucratic processes and politics and in almost every article describing the threats of new innovative Fintech players on the banking industry, the strong bank product silos are put forward as one of the main blockages why incumbent banks are not able to (quickly) react to the changing customer expectations. Customers want solutions to their problems and do not want to be bothered about the internal organisation of their bank. Most banks are however organized by product domain (daily banking, investments and lending) and by customer segmentation (retail banking, private banking, SMEs and corporates). This division is reflected both at business and IT side and almost automatically leads to the creation of silos. It is however difficult to reorganize a bank without creating new silos or introducing other types of issues and inefficiencies. An organization is never ideal and needs to take a number of cons

RPA - The miracle solution for incumbent banks to bridge the automation gap with neo-banks?

Hypes and marketing buzz words are strongly present in the IT landscape. Often these are existing concepts, which have evolved technologically and are then renamed to a new term, as if it were a brand new technology or concept. If you want to understand and assess these new trends, it is important to reduce the concepts to their essence and compare them with existing technologies , e.g. Integration (middleware) software ensures that 2 separate applications or components can be integrated in an easy way. Of course, there is a huge evolution in the protocols, volumes of exchanged data, scalability, performance…, but in essence the problem remains the same. Nonetheless, there have been multiple terms for integration software such as ETL, ESB, EAI, SOA, Service Mesh… Data storage software ensures that data is stored in such a way that data is not lost and that there is some kind guaranteed consistency, maximum availability and scalability, easy retrieval and searching

IoT - Revolution or Evolution in the Financial Services Industry

1. The IoT hype We have all heard about the "Internet of Things" (IoT) as this revolutionary new technology, which will radically change our lives. But is it really such a revolution and will it really have an impact on the Financial Services Industry? To refresh our memory, the Internet of Things (IoT) refers to any object , which is able to collect data and communicate and share this information (like condition, geolocation…) over the internet . This communication will often occur between 2 objects (i.e. not involving any human), which is often referred to as Machine-to-Machine (M2M) communication. Well known examples are home thermostats, home security systems, fitness and health monitors, wearables… This all seems futuristic, but smartphones, tablets and smartwatches can also be considered as IoT devices. More importantly, beside these futuristic visions of IoT, the smartphone will most likely continue to be the center of the connected devi

Neobanks should find their niche to improve their profitability

The last 5 years dozens of so-called neo- or challenger banks (according to Exton Consulting 256 neobanks are in circulation today) have disrupted the banking landscape, by offering a fully digitized (cfr. "tech companies with a banking license"), very customer-centric, simple and fluent (e.g. possibility to become client and open an account in a few clicks) and low-cost product and service offering. While several of them are already valued at billions of euros (like Revolut, Monzo, Chime, N26, NuBank…), very few of them are expected to be profitable in the coming years and even less are already profitable today (Accenture research shows that the average UK neobank loses $11 per user yearly). These challenger banks are typically confronted with increasing costs, while the margins generated per customer remain low (e.g. due to the offering of free products and services or above market-level saving account interest rates). While it’s obvious that disrupting the financial ma

PFM, BFM, Financial Butler, Financial Cockpit, Account Aggregator… - Will the cumbersome administrative tasks on your financials finally be taken over by your financial institution?

1. Introduction Personal Financial Management (PFM) refers to the software that helps users manage their money (budget, save and spend money). Therefore, it is often also called Digital Money Management . In other words, PFM tools help customers make sense of their money , i.e. they help customers follow, classify, remain informed and manage their Personal Finances. Personal Finance used to be (or still is) a time-consuming effort , where people would manually input all their income and expenses in a self-developed spreadsheet, which would gradually be extended with additional calculations. Already for more than 20 years, several software vendors aim to give a solution to this , by providing applications, websites and/or apps. These tools were never massively adopted, since they still required a lot of manual interventions (manual input of income and expense transaction, manual mapping transactions to categories…) and lacked an integration in the day-to-da

Can Augmented Reality make daily banking a more pleasant experience?

With the increased competition in the financial services landscape (between banks/insurers, but also of new entrants like FinTechs and Telcos), customers are demanding and expecting a more innovative and fluent digital user experience. Unfortunately, most banks and insurers, with their product-oriented online and mobile platforms, are not known for their pleasant and fluent user experience. The trend towards customer oriented services , like personal financial management (with functions like budget management, expense categorization, saving goals…) and robo-advise, is already a big step in the right direction, but even then, managing financials is still considered to be a boring intangible and complex task for most people. Virtual (VR) and augmented reality (AR) could bring a solution. These technologies provide a user experience which is more intuitive, personalised and pleasant , as they introduce an element of gamification to the experience. Both VR and AR

Beyond Imagination: The Rise and Evolution of Generative AI Tools

Generative AI has revolutionized the way we create and interact with digital content. Since the launch of Dall-E in July 2022 and ChatGPT in November 2022, the field has seen unprecedented growth. This technology, initially popularized by OpenAI’s ChatGPT, has now been embraced by major tech players like Microsoft and Google, as well as a plethora of innovative startups. These advancements offer solutions for generating a diverse range of outputs including text, images, video, audio, and other media from simple prompts. The consumer now has a vast array of options based on their specific output needs and use cases . From generic, large-scale, multi-modal models like OpenAI’s ChatGPT and Google’s Bard to specialized solutions tailored for specific use cases and sectors like finance and legal advice, the choices are vast and varied. For instance, in the financial sector, tools like BloombergGPT ( https://www.bloomberg.com/ ), FinGPT ( https://fin-gpt.org/ ), StockGPT ( https://www.as

From app to super-app to personal assistant

In July of this year, KBC bank (the 2nd largest bank in Belgium) surprised many people, including many of us working in the banking industry, with their announcement that they bought the rights to broadcast the highlights of soccer matches in Belgium via their mobile app (a service called "Goal alert"). The days following this announcement the news was filled with experts, some of them categorizing it as a brilliant move, others claiming that KBC should better focus on its core mission. Independent of whether it is a good or bad strategic decision (the future will tell), it is clearly part of a much larger strategy of KBC to convert their banking app into a super-app (all-in-one app) . Today you can already buy mobility tickets and cinema tickets and use other third-party services (like Monizze, eBox, PayPal…) within the KBC app. Furthermore, end of last year, KBC announced opening up their app also to non-customers allowing them to also use these third-party servi

Eco-systems - Welcome to a new cooperating world

Last week I attended the Digital Finance Summit conference in Brussels, organized by Fintech Belgium, B-Hive, Febelfin and EBF. A central theme of the summit was the cooperation between banks and Fintechs and more in general the rise of ecosystems. In the past I have written already about this topic in my blogs about "Transforming the bank to an Open API Ecosystem ( https://www.linkedin.com/pulse/transforming-bank-open-api-ecosystem-joris-lochy/ ) and "The war for direct customer contact - Banks should fight along!" ( https://www.linkedin.com/pulse/war-direct-customer-contact-banks-should-fight-along-joris-lochy/ ), but still I was surprised about the number of initiatives taken in this domain. In my last job at The Glue, I already had the pleasure to work on several interesting cases: TOCO ( https://www.toco.eu ): bringing entrepreneurs, accountants and banks closer together, by supporting entrepreneurs and accountants in their daily admin (and in the f

Bankloch

Search This Blog