ACI Worldwide Inc.

08/12/2020 | News release | Distributed by Public on 08/11/2020 23:37

Defense in Depth: Fighting Fraud in India with a Multi-Layered Approach

Defense in Depth: Fighting Fraud in India with a Multi-Layered Approach

Wednesday, August 12, 2020

Posted by Kaushik RoytoPayments Risk Management

Share this:

There's a quip, albeit ironic, making the rounds as forwarded emails and messages - 'Who's driving digital transformation among enterprises: CEO or CIO? The correct answer is COVID-19.' Going beyond impacting global well-being, COVID-19 is pushing the corporate world to rapidly introduce new measures for business continuity. Diametrically opposite to continuity, the black swan event of the novel coronavirus is creating disruption in terms of exploitation and fraud perpetration - especially in the banking and financial sector.

Fraudsters are on the prowl and are increasingly looking to exploit the weakest links, whether in underlying technologies or among humans. The modus operandi is to execute multi-pronged attacks - from system hacks to social engineering - to overwhelm fraud prevention sub-systems and fly under the radar.

Fraud galore

There is a steady increase in impersonation fraud incidents, whether online phishing via social media accounts, or the conventional route of emails, to obtain login and KYC credentials or to execute transactions. Phishing attacks are also on the rise, preying upon gullible victims to extract sensitive personally identifiable information to compromise bank accounts or carry out card-not-present (CNP) fraud. SIM swaps, web and ATM skimming are further fueling such attacks, which were otherwise being mitigated with two-factor authentication as per the Reserve Bank of India (RBI) guidelines.

In the COVID-19 era, real-time payments fraud is also becoming more prevalent. For instance, dubiously similar account names, UPI IDs and SWIFT codes for emergency relief accounts are mushrooming to dupe unsuspecting victims. Case in point, the 'PM Cares Fund' fake UPI ID scam, where instead of the correct UPI ID [email protected], fraudsters are creating fake IDs such as [email protected], [email protected], [email protected] and more.

Fraudsters are exploiting the fact that consumers may find it harder to verify fraudsters' claims with financial institutions, given the restrictions on physical movement and disrupted help desks. Moreover, with overall transaction volumes being vastly reduced, fraud perpetrators are hoping to exploit the shorter window of time before banks recalibrate their trigger thresholds for patterns that rely on volume.

System hacks and zero-day attacks are also getting increasingly sophisticated. For example, a new malware - EventBot - is targeting over 200 financial apps on the Android OS, abusing its accessibility features to access data stored in the financial apps and intercept text messages that are used for two-factor authentication (2FA) to log onto bank accounts.

Similarly, Cerberus - a new Android banking Trojan - is making the rounds, not only compromising financial apps, collecting information and harvesting 2FA messages, but also using pedometer functions of a smartphone to avoid detection. It activates only when it counts specified steps of a person holding the smartphone to ensure it has infected a real user, while it remains invisible if it's installed on sandboxes or test environments set up by malware analysts.

Banks and financial institutions must therefore evolve their fraud strategies to battle emerging security threats across multiple channels. Today's fraud scenarios underline the need for a dynamic and secure fraud management system with a multi-layered approach to minimize risks. It is evident that the conventional siloed approach of implementing channel-specific monitoring solutions, without building integrated defense-in-depth at the enterprise level, will simply be ineffective and inadequate against attacks from multiple sources.

Layers of augmentation

A stronger fraud strategy demands a combination of deep human insights and experience, coupled with the use of advanced tools and technologies. As customers use different real-time payments methods to make purchases, pay bills and conduct other routine transactions online, granting frictionless and secure access to users is one of the biggest challenges banks and financial institutions face.

The next crucial step in thwarting fraud in real time is therefore reliant on a bank's ability to identify its legitimate customers. Financial institutions need to ramp up usage of relevant technologies across multiple channels to help quickly determine whether consumers' transactions and accounts are legitimate. While rules- and signature-based anomaly detection technologies work best against most common security threats, the increasing digitization of payments and sophistication of identity or credential theft (and proliferation of synthetic IDs) require a more advanced approach. A combination of artificial intelligence (AI), biometrics, machine learning (ML) and big data analytics can increasingly help financial institutions flag up such fraudulent transactions.

An added layer of behavioral biometrics technology to a bank's fraud management can analyze and build base profiles of its online banking users by studying over 2,000 behavioral parameters in real time. A more comprehensive profile is built based on detailed behavioral data of a user assessed across multiple channels. Combining an enterprise-wide single version of the 'truth' of a customer with confirmed fraud intelligence, banks and financial institutions can analyze the customer - instead of just the transaction - to determine fraud.

With AI-powered user behavior analytics (UBA) in the arsenal, financial institutions can detect and deter sophisticated attacks. Going beyond static ML, adaptive UBA in fraud management systems allows banks and financial institutions to assess micro behavior patterns such as a swipe on the phone screen, tap on the keyboard, a stroke of the touchpad or wriggle of the mouse. Users respond to invisible challenges that are subtly introduced into online sessions to provide additional unique behavioral data that helps distinguish a real user from a fraudster - whether human or robotic.

Additionally, a more democratized approach to ML enables risk managers to build, test and deploy ML modeling tools on their own. Banks and financial institutions can therefore develop a better and more accurate understanding of users' behavior, their reactions and consumption of various features across multiple channels. This is especially important with changes in consumer behavior during the COVID-19 pandemic. With such model scores combined with positive consumer profiling, financial institutions can not only block fraud attacks but also enhance customer experience, improve conversion rates and maximize revenue.

Looking ahead

While a multi-layered approach to fraud is crucial in warding off malicious elements, real solutions will come only when financial institutions, banks and the larger ecosystem come together to put serious thought into how anti-fraud measures are implemented. Considering a shorter window for fraud prevention with real-time payments and a lesser chance of recovering a fraudulent payment, the RBI's recent initiative to enable banks to report and access fraud information from a central payments fraud registry will ensure collaborative learning and faster response times. The latest fraud trends and patterns from the central repository will help banks to augment their analytics sub-systems and fraud management processes to build more defense in depth against future frauds, especially with fast-evolving trends in the COVID-19 era. This will go a long way to facilitating cross-industry collaboration and thus transforming customer experience.

Financial institutions are finding new ways to increase the scope of machine learning for fraud detection. Find out more in our eBook 'Expanding horizons of fraud detection.'