Fraud Controls to Tackle the Mobile Revolution


TABLE OF CONTENTS

Overview
Today's Challenges for Financial Institutions
Mobile-Enabled Fraud Mitigation
Identify & Combat Mobile-Enabled Fraud with Actimize Fraud Solutions
ABOUT NICE ACTIMIZE

Overview

As the adoption of mobile banking rapidly increases, fraudsters are following fast. The media is full of stories about mobile-based fraud attacks, which vary from simple account takeover scenarios using stolen credentials on a mobile browser, to advanced mobile malware which performs automatic unauthorized transactions. While the business side of the bank is pushing to introduce more mobile and browser functionalities to satisfy consumer demand, it is the responsibility of the fraud and risk strategy groups to implement the needed controls to allow business growth while simultaneously protecting the organization from the impact of fraud.

Increase in Mobile Banking Adoption

By 2014, it is predicted that 89 million people in the United States will be accessing mobile banking services on their mobile phones. By 2016 that number is expected to reach 111 million. Source, The Statistics Portal - US

Customers from the 5 biggest UK banks used their mobile phones for 18.6 million transactions a week in up from 9.1 million in

Today's Challenges for Financial Institutions

Despite the constantly changing and evolving nature of the mobile fraud environment, the challenges faced by financial institutions are clear.

Management of the expanded data set

The mobile environment brings a whole new set of data points that need to be gathered and managed to maximize customer insight and protect the business and its customers from fraudulent activity. Effectively handling this data can be challenging for a multitude of reasons:

It is estimated that up to 300 different raw attributes can typically be retrieved from a mobile device, and an additional 100 calculated or artificial attributes can be generated by a mobile security point-solution. This amount of data introduces a variety of storage, communication, and data latency challenges.

Mobile devices and operating systems vary; this lack of standardization further complicates efforts to normalize data.

Legal requirements must be considered, as some of the available data (such as location and personal data on the device) may evoke privacy concerns, depending on the organization's country laws.

The marketing of financial services and products can be more appropriately targeted once customers are more accurately identified by transaction history and activities.

Mobile phone banking transactions made by British customers have nearly doubled in a single year. Source, British Banking Association [March 2014]

Unknown fraud vectors

Fraudsters are constantly developing sophisticated methods to overcome existing banking risk controls. As soon as the industry starts to combat one type of attack, fraudsters quickly evolve their attack methods, creating a constant state of catch-up for fraud teams. Beyond simple phishing attempts, state-of-the-art malware attacks can now inject malicious code into online banking websites. Man-in-the-browser attacks have evolved largely due to the adoption of device-id techniques that authenticate the device and render them safer from fraud. Fraudsters have also developed mobile account takeover attacks where they can identify the customers' latest transactions in order to pass common authentication processes through the institution's call center.

Large scale adoption of the mobile channel

The public's adoption rate of mobile devices and associated applications has been rapid and consumers have become used to the convenience of instant access. Financial institutions, retailers, and other businesses have seen the mobile channel as a significant business opportunity resulting in an increase in the amount of products, services and options offered to their customers. What may be a great opportunity for business is a challenge for their fraud IT teams and systems that must protect the institution. The volume of transactions and the scale of data points require robust, scalable architecture alongside an experienced technical team who can effectively deploy and manage appropriate fraud solutions.

Rapid evolution of the mobile industry

The financial industry has been accustomed to IT suppliers who provide regular updates as a response to changing market needs; for example Microsoft Windows has historically released a desktop operating system once every three years. These regular release cycles allowed institutions and vendors to appropriately plan resources to ensure the compatibility of their systems and processes.

Today, with the proliferation of mobile vendors (both for devices and operating systems), the change cycles have become more rapid and less structured, making it difficult for financial institutions to keep up with the changes. Financial institutions (FIs) need to have adaptive systems with a clear roadmap to anticipate these changes as well as model-it-yourself capabilities in order to ingest new data and create ad-hoc rules and customer profiles to address immediate issues.

Mobile-Enabled Fraud Mitigation

The recent Aite analyst report, The Mobile Revolution: Creating Fraud's Evolution, outlines the changing mobile fraud landscape and details how, when security controls are properly applied, the mobile environment has the potential to be more secure than the online environment. The report details the results of interviews with more than 60 vendors, financial institution fraud executives, and merchant fraud executives from October 2013 through April

Expanding on the concepts covered in the Aite report, outlined below are several fraud controls that financial institutions can put into place to protect against mobile-enabled fraud, leveraging enhanced fraud analytics and online fraud mitigation strategies to reflect mobile's unique aspects with a number of tactics.

1. Master effective mobile data gathering
FIs must understand the opportunities and threats hidden in mobile data through effective data handling. They should identify all available attributes to provide a rich source of information to enable device identification and device risk analysis.

2. Profile and analyze across channels
Mobile threats should be considered in context of all available banking channels as malicious activity often exploits vulnerabilities from one channel to attack another. FIs can identify these vulnerabilities by leveraging cross-channel profiling and analytics to protect the entire banking environment.

3. Use analytics to manage vulnerabilities
Institutions should identify the device and assess its vulnerability in context of banking activities across all channels to ensure positive customer experience and prevent unnecessary disruption. A device that is infected with malware or used by multiple users may still be allowed to enable legitimate transactions between known customers and beneficiaries despite the known vulnerabilities.

4. Don't forget the money
Institutional focus should not be just on the device, but also on the need to gather profiles and analyze the monetary behavior of their customers in parallel to ensure that device and channel analytics provide a holistic view of risk.

5. Future proof your fraud defenses
As the threat landscape continues to develop and change, FIs must ensure that mobile banking defenses also have the flexibility to evolve to effectively protect the business and its customers against current and future threats.

Identify & Combat Mobile-Enabled Fraud with Actimize Fraud Solutions

Actimize's Banking Fraud solutions provide true, end-to-end capabilities to support all aspects of the fraud management process; from initial detection to alert consolidation, review, investigation, resolution, and oversight. With proven, relevant experience across all aspects of remote banking fraud operations at leading financial institutions worldwide, NICE Actimize enables organizations to fill in the gaps of an existing remote channel security plan or can provide the basis for a complete fraud risk management program.

Actimize Mobile Banking Fraud Key Features

Unified Mobile Data Model
Enable efficient ingestion of normalized mobile device data used by the financial institution, including the use of third-party mobile point solutions.

Effective Cross-Channel Profiling and Analytics
Perform multi-channel profiling of the customer to ensure that each and every monetary and non-monetary transaction is being identified and analyzed within the context of his or her activities across all channels.

Extendible, Flexible Platform Capabilities
Ingest outputs from Actimize's market-leading fraud solutions, systems enhanced or created by the institution, or from third-party providers to provide a rich and detailed view of financial crime risk.

Integrated Alert and Case Management
Improve investigation efficiency and accuracy with alerts that automatically aggregate across the institution's financial crime environment, providing a single view of risk and allowing analysts to view customer activity in context. The organization benefits from enhanced reporting across the enterprise, thereby improving fraud risk management and strategic planning.

Holistic Vulnerability Identification
Support accurate identification of any device vulnerability combined with monetary transactions and customer behavior, which enables the institution to understand the true risk.

ABOUT NICE ACTIMIZE

NICE Actimize is the largest and broadest provider of financial crime, risk and compliance solutions for regional and global financial institutions, as well as government regulators. Consistently ranked as number one in the space, NICE Actimize experts apply innovative technology to protect institutions and safeguard consumers' and investors' assets by identifying financial crime, preventing fraud and providing regulatory compliance. The company provides real-time, cross-channel fraud prevention, anti-money laundering detection, and trading surveillance solutions that address such concerns as payment fraud, cybercrime, sanctions monitoring, market abuse, customer due diligence and insider trading.

Copyright 2016 Actimize Ltd. All rights reserved. No legal or accounting advice is provided hereunder and any discussion of regulatory compliance is purely illustrative.

info@niceactimize.com linkedin.com/company/actimize 01SEP14 FRAUD Mobile