The landscape of financial transactions has undergone a sea change over the last couple of years. What was done inside the protective environs of a bank, is now being done by the customer in his or her palm on their smartphones. Online transactions, added with the after-effects of demonetisation has ensured that a lot more people are conducting financial transactions at their own convenience.

With so many people suddenly jumping on the online transactions bandwagon, it has also made this field a honeypot for fraudsters who have become more intelligent in their ways of committing frauds. Gone are the days of the 619 scam. Enter scams such as smishing, vishing, first party frauds and much more.

Recently the WannaCry ransomware sent shivers down everyone’s spines when it was learnt that ATMs may have been infected as well.

We spoke to Jay Floyd, principal fraud strategy consultant for ACI Worldwide and Mahesh Patel, President and Group CTO, AGS Transact Technologies on the concerns that surround financial fraud. Floyd, who comes from a banking background, has looked at financial fraud cases for close to 18 years now. Here are the insights from the interaction.

On the WannaCry ransomware attacks affecting bank customers

Wannacry-ransomware-hacker-reuters2-720

Banks or any financial institution should already be fully prepared to take care of this type of attack or similar style attacks (e.g. DDoS). They should be ensuring their systems are fully protected and have up to date software and security measures in place. That said, there are reports that Russian Bank(s) have been affected. Typically, this type of attack can occur when the resources are thin on the ground (early hours/holiday periods/weekends). The danger now is that institutions may have their attention in the wrong place.

An attack on the scale of “WannaCrypt” (or WannaCry) is a wake-up call for all countries including India, which is on the cusp of digital revolution. It brings to the fore the collective need for Indian companies to be more vigilant and treat cybersecurity as one of their highest priorities.

For end customers, we recommend that they undertake simple precautions like avoid opening emails or attachments from unknown sources as well as be wary of clicking unknown links and downloading or installing unknown software. We also highly recommend updating an Antivirus software on all systems and performing regular backups of critical data in separate devices.”

How has the landscape of financial fraud changed over the years?

Financial fraud comprises a huge, extensive list that we can talk about all day. We will, however, focus on some of the major global trends.

Image Credits: REUTERS
Image Credits: Reuters

One thing that is picking up in Europe and just about starting to hit India is vishing or voice phishing. This is pretty much in the digital space. What happens is that there are huge fraud gangs that operate their own call centres and pose as bank customer staff. A customer would think that the call is coming from his or her bank, but it is the fraudster who is calling. So they will identify themselves as bank staff and ask to check some financial transactions that you conducted in the recent past. They have good information on you and they use that to dupe the customers into sharing their online banking details. This makes use of social engineering.

Smishing is text based SMS phishing, which works with the same modus operandi.

Something that has not hit India yet is the SIM swap scam. In this case, fraudsters call up your mobile carrier and using some high-level information on you, convince the carrier that you need a SIM change. Once they get the new SIM, which is tied to your mobile number, they effectively own your mobile number. They then use that to commit fraud. Now, especially, with the digital payments boom kicking off in India, that does leave an opportunity for scamsters, and hence security needs to be looked at there. It is quite huge in certain parts of Europe, Middle-East, and Africa regions.

ATM fraud and card fraud is still big and it continues to rise globally. Skimming is still very prevalent. What we are now seeing are more sophisticated attacks on ATMs, where it is infected with malware.

The darknet has a lot of fraud forums, and you can actually buy fraud solutions by scamsters.

Are frauds specific to geographies? Or do they follow patterns and are region-agnostic?

There have been times when fraud attack patterns follow from one region to another. I have seen it happen from Australia to South Africa, for one bank I was consulting for. So you do see fraud migration patterns globally. Gangs will target a country, they will cause as much damage as they can and then move to another country.

How prepared do you think India is for these kinds of frauds, considering there is a concerted push towards a digital economy?

I think the fraud in India has been quite typical over the last few years. But as you put it, India is going into mobile and digital wallets. So ACI works with a lot of banks in India to ensure safety. We are working with AGS to bring solutions to the market. We want to bring the right technology and the right expertise to the market.

But there are times when the customer is the culprit

Image: Getty Images
Image: Getty Images

In a wallet situation where it is a closed loop — and there is no OTP between the issuer and the acquirer as in most cases, both happens to be the same wallet provider. So there can be a lot of disputes that could arise due to that. As a lot of people use wallets for shared services, and they might keep disputing that the transactions were sanctioned by them. It’s alright if this is a one-off case, but if it is chronic then there has to be an ability to shut off these guys.

In Europe, we have this thing called First-party fraud, where the customer is lying and is complicit in this fraud. A classic example is ATM fraud. So say, for instance, the customer withdrew Rs 500 from his ATM, and then quickly goes to another ATM some distance away and withdrew Rs 5,000. While the customer is conducting the second transaction, he will make a call to the bank saying that his card was stolen and that he wants to block it. The bank will then confirm his last transaction (which the customer may say was the withdrawal of Rs 500) and he has no idea how the Rs 5,000 was withdrawn. Of course, there can be genuine cases where a customer may be robbed and the fraudster may have seen the PIN number while looking over the customer’s shoulder. But the scary thing is that a lot of genuine customers have become wiser to this scam and are exploiting this loophole to commit fraud. Yes, there is video footage, but one can fox that easily. It is popular in Europe, but not so much in India.

In India, a lot of people used to take advantage of the loophole where only some notes out of an entire bundle would be taken and then customers would wait for the ATM to retract the remaining notes. They would then complain to the bank that they did not withdraw any money. Since then, the regulator has passed a resolution that notes once dispensed will not be retracted. So that fraud has stopped.

On behavioural profiling of customers

One way to take care of fraud is by profiling a customer. We profile customer behaviour for two reasons. One is to ensure that we do not interfere with the customer’s transactions. So that the transactions go smoothly because we know the customer behaviour and that matches with our database. The other side of profiling is to look for any change in behaviour, to notice anomalies. So profiling is about keeping statistics, recording events about the customer to look for changes in behaviour.

So say for instance I am a customer who does regular financial transactions using an ATM card in London, my location will be around London, the ATM locations will be pretty much the ones I regularly visit and so on. But if there is a request to withdraw money from say, Sydney, then we look at other profiling data — if the customer a business traveller, does he or she often use their ATMs abroad and so on. We do these and many more behavioural profiling in the background, and that helps us notice anomalies quickly so as to prevent fraud. This is a major part of our system. But it is also pertinent to ensure that the customer does not face any problems due to this profiling feature.

Image Credit: TCS
Image Credit: TCS

Another feature called cross-channel profiling strategy looks at behaviour across mediums. So say, for instance, you withdraw money from an ATM in Mumbai at 8 PM tonight, so we have your transaction details and the location of the ATM lodged in our systems. But if we notice that another mobile wallet app is using these same banking details from a location in Chennai at 8:30 PM, then we are looking at two completely different channels. But when we look at it together, through correlation and our cross-channel strategy, then we notice an anomaly. One of these transactions is definitely a fraud one as the customer cannot be at two locations which are so far away, simultaneously.

Without fraud-monitoring measures, there are only hard rules such as ‘if a customer does a transaction over Rs 50,000, then decline it’ or ‘if a customer transacts from outside India, decline it’ and so on. These brute force rules create a lot of customer dissatisfaction. Constant fraud monitoring helps in minimising the false positives. You don’t want 100 customer transactions declined to catch one fraud transaction.

How important is artificial intelligence in detecting fraud? Is it becoming mainstream or does one still need human intervention when it comes to financial transactions?

Analytics and Rules, both have their places. We do use the client profiling techniques that I mentioned earlier and have rules-based systems, but we also use analytics capabilities which let us bring in fraud scores, machine learning models and so on. The artificial intelligence bit is still a growing field. It is still early days for fraud detection though. We do have machine learning capabilities where a bank might be looking at continually updating their fraud detection techniques. We would call that continual machine learning, not necessarily artificial intelligence.

Have the fraudsters reached a stage where they can preempt all the behavioural profiling techniques that may be fed into a machine learning algorithm? Is there a way to game the ML algorithm?

Yes, fraudsters could get savvy to determine what can get declined and what can get approved. This is where the dangers of the darknet come in, as there are a lot of fraud forums out there which discuss these cases and exchange information to fox the systems. Of course, this information is not available in the public space, it goes on the deep web. It happens, but it is not a global pandemic according to me. What a fraudster does not know is the customer’s historical behaviour. That’s where we have an advantage.

An example of an ATM skimmer. Image: Wikimedia
An example of an ATM skimmer. Image: Wikimedia

AGS are in a fine position, because of the collaboration with ACI. So let’s say you have several banks processing through AGS. Now, these banks may have the expertise. But with AGS, they can identify an issue with one bank such as ATM fraud, false geo-locations and so on, and then they can anonymously share that information with other banks to prevent frauds at their ends. So this collaboration may help Bank B, C, D, E learn from the issues observed in Bank A for instance.

But how prepared do you think Indian banks are? Is the fraud detected instantly or it takes a while before it is brought to the bank’s notice and corrective measures are taken.

There will always be some banks which are great with pre-empting fraud and others which aren’t that good. So it would be unfair to make a blanket statement in this regard. But the way a bank reacts to the fraud shows its maturity. For instance, in the Hitachi data centre fraud story, the reaction showed a lot of immaturities. It was slow and the bank has to have a checklist and policy in place to define what needs to be done once the fraud has been detected. Building a risk policy, updating it constantly, implementing the policy on a real-time basis. It is not just software skill sets but also a lot of expertise that will be needed to guide this.

What are the partnerships that ACI has with AGS Transact?

ACI is quite aware of this whole digital transformation that is happening in India at the moment. At AGS, we want to ensure that the software assets we have are not only used in payment systems but also want to participate in implementing the new use cases that will emerge out of the huge stack of infrastructure that is being laid out in the country. This can be Aadhaar, IMPS, UPI and even problems like payments at toll booths, at the metro stations and so on. The ability to execute something on this scale is critical. AGS can bring in the underlying software assets, the ability to tailor that to ensure that it is relevant to the Indian marketplace is what AGS will bring to the table. The ability to execute these use-cases is relevant and that is where the partnership with ACI comes in. As a partnership, we want to ensure that the market gets it as a cloud offering, so investments are minimal.

Publish date: May 18, 2017 5:27 pm| Modified date: May 18, 2017 5:27 pm

Tags: , , , , , , , , ,