Online and mobile banking have forever transformed the way people bank, but the digital evolution has a dark side: it is increasingly creating new opportunities for fraudsters to hack into accounts.
Text messaging and email are increasingly becoming vehicles for phishing scams in which fraudsters send phony messages to bank customers and fool them into providing login credentials or account information. Mobile check deposit is touted for its convenience, but it has also created opportunities for "double-dipping" in which thieves scan images of checks into one account and cash the physical checks elsewhere.
"In the banking industry, we compete on how easy it is for new customers to find us and make deposits with us, to switch from their previous financial institution to our bank," points out Aaron Glover, senior analyst for fraud risk management at SunTrust Banks in Atlanta. "By making it easier for our customer, we may be inadvertently making it easier for fraudsters."
Of course, fear of fraud has been a concern since the dawn of Internet banking, but these fears have escalated as technology has advanced and consumers have grown more comfortable accessing their accounts and communicating with their banks through multiple channels.
Meanwhile, thwarting attacks is an ongoing challenge. Fraudsters have become more sophisticated and more knowledgeable about banks' practices for instance, they know when and how they call customers to verify fund transfers and banks, whose technology budgets are stretched thin, sometimes struggle to put up adequate defenses.
Still, some banks are coming up with some creative approaches to security, developing programs in which they are setting traps for criminals and hiring people with nontraditional skill sets to be fraud analysts.
Others are more focused on educating customers on how to detect scams and to be more vigilant about protecting their information.
James Gordon, the chief technology officer at the $1.2 billion-asset Needham Bank in Massachusetts, says he wants to develop a code of ethics that would spell out all the ways the bank would or would not communicate with customers. For instance, he says the bank would never ask for a customer's Social Security number via text message or email, so if customers were to receive messages asking for such information they would know instantly that it's a phishing attempt. Gordon envisions distributing this code as an in-branch brochure that would be handed out to new customers, or as a statement stuffer.
"The multitude of channels offered text message, phone call, email, voice call is a confusing point for customers," says Gordon. "They don't know exactly how you might reach them next and they're unprepared for what the channel or the tone will be," making it harder to discern fake messages from real ones.
Online account opening is one point of vulnerability. Here the customer does not have to go into a branch but opens a deposit relationship with a bank straight from its website. Much of the information a bank would use to verify a customer is in databases such as LexisNexis's repository of legal and public records-related information.
Atlanta, Ga.-based LexisNexis was breached last year by an identity theft service that sells Social Security numbers, birth records, and other sensitive information on U.S. citizens. Anybody who was able to grab or buy this stolen data could potentially open an account using someone else's identity.
Mobile check deposit is another point of potential weakness fraudsters are more actively testing. In one recent case of double dipping, a man in Louisville, Ky., apparently used mobile remote deposit capture and a Bank of America account to deposit 32 Western Union money orders, then took those money orders to a Kroger grocery store and got cash for them.
There's also been a rash of fraudulent online wire transfers lately, with criminals using call forwarding to make sure that when the bank calls the customer to verify a transfer, the call actually goes to the criminals themselves or their associates.
"Phone number forwarding has been a huge challenge for our bank and others because it's outside of our control," Glover says.
In March, a Bank of Montreal customer shared with the Huffington Post his story of being a victim of wire transfer fraud and losing $87,500 of inheritance money.
The customer, Bruce Taylor, a Canadian engineering consultant who lives and works in Texas, was in a Houston hospital having open heart surgery while his account was being drained. He had inherited money that was held in BMO term deposits, then automatically deposited in a Canadian savings account when the investments matured.
In August, someone emailed Taylor's BMO investment adviser, using Taylor's email address, saying he needed the money wired to his cousin immediately. (The email and follow-up faxes contained spelling and grammatical errors.) The bank asked for a phone number to verify the transfer and got a phony one.
After the confirmation call, a BMO employee approved and sent two wire transfers, for $47,500 and $40,000, four days apart.
In cases of wire transfer fraud where call forwarding is used, "We only find out a few days later, after the client reports they haven't been receiving phone calls in the last couple of days, that they've had an account takeover and have been exposed to check fraud," Glover says, adding that it's the bank that eats the loss.
One regional bank has made an interesting counterintelligence move against wire transfer fraud with a program called Honey Banker. The bank sets up a trap or a honeypot by listing the names and email addresses of fake bankers on its website names no real customers would be given. When people call those pseudo-bankers and ask for a wire transfer, the bank knows that it's an attempted fraud.
Another solution many bank security officials have been discussing of late is better information sharing, both among different departments in a bank (such as wire transfer and anti-money laundering compliance) and among banks and nonbanks, including Internet service providers and telecommunications companies. Analytics performed across multiple data silos can turn up suspicious patterns of behavior that would not be detectable in one data source alone.
A third line of defense is sturdier authentication methods, such as taking a blueprint of the customer's voice, iris, fingerprint or palm print, and requiring them to match what's on file every time they log in. Many banks, including Wells Fargo and ING Direct Canada, are experimenting with such biometric security.
A fourth measure is hiring fraud analysts with the right set of skills to find emerging threats. Traditionally the thinking has been that fraud analysts ought to have fraud experience, but that's not necessarily true, according to Glover. SunTrust, for example, has hired a website developer who was versed in hadoop and Big Data, as well as security. Although he also did not have a fraud background, he has helped the bank build a new data architecture for bringing information together from different sources for fraud detection.
You can teach fraud, but you need to hire people who are curious, who have a natural facility with data, and who understand what they're doing," Glover says.
Penny Crosman is Editor in Chief of Bank Technology News and Technology Editor of American Banker.
- Tellers Become Guides and Storytellers in High-Tech Branches
- Advisors Beware: Single Data Breach 'Can Bring Down' a Practice
- IBM's Anti-Fraud Push Strikes a Chord with Banks