Current State of E-channel Fraud Trends: Online Banking, Mobile Banking and Card Fraud


Conducted by Javelin Strategy & Research
September
Javelin Strategy & Research. All Rights Reserved.

Executive Summary

Javelin was retained by SAS to understand the current state of e-channel fraud among U.S. financial institutions (FIs). Javelin Strategy conducted in-depth interviews with risk and fraud executives from small, mid-size and large financial institutions to meet the research objectives. In this whitepaper, Javelin also presents relevant elements from its proprietary consumer data to bring in additional insights from the consumer perspective. In summary, the study found:

- Today's anti-fraud systems rarely track, monitor or report behavior across multiple e-banking channels, allowing fraudsters to move quickly from old to new channels where the risks and vulnerabilities are not well known, and which therefore can be exploited.
- All those interviewed recognize a need to improve current electronic banking anti-fraud strategies. Nearly 70% of interviewed FI executives have implemented, or are planning to implement, cross-channel behavioral anomaly, predictive analytics and other advanced detection tools to combat e-banking fraud.
- Malware-based fraud attacks are being addressed by half the interviewed FIs, who offer customers anti-malware software downloads.
- Interviewed FIs are not aware of the potential impact of fraud in mobile banking, partly because few have tools to identify, track and report such fraud incidents separately from overall fraud attacks.
- Card Not Present fraud is on the rise, but some executives interviewed are not satisfied with the current tools they use to combat credit and debit card fraud, calling for better modeling and better processes using advanced technologies such as neural networks.

I. Overview

Along with an increase in banking channels and electronic payment options, electronic fraud seems to be keeping a lot of risk and fraud executives on their toes, constantly re-evaluating e-channel vulnerabilities and exploring newer ways of tackling fraud. Understanding current trends in electronic fraud, identifying key risk areas and incorporating state-of-the-art solutions to combat fraud will help financial institutions provide a risk-free banking environment and boost customer satisfaction.

This whitepaper delves into the nuances of overall electronic banking fraud, the mobile channel as an emerging area for electronic fraud and current software, programs and processes in place to stop card fraud. The whitepaper concludes with recommendations on future fraud prevention strategies as financial institutions move forward balancing increased fraud controls and analytical capabilities vs. maintaining a positive customer experience.

II. Electronic Banking Fraud

All financial institutions agree that electronic banking is an all-encompassing term, which includes online banking, mobile banking and other e-channels. Interviewed FI executives went as far as stating that electronic banking includes everything except any face-to-face interaction. Given this, tracking fraud by product and channel is identified as the key method for FIs to categorize and assign electronic fraud loss and to measure their channel risks. However, what's missing in current fraud categorization is a method to successfully categorize cross-channel fraud, as most fraudulent activities are not restricted to a single channel or product type. A leading FI executive qualified the lack of cross-channel categorization with the following example:

"If I fraudulently enroll in online banking through the call center, login to online banking to gain some insight into your account and fraudulently order a credit card; is that call center fraud, online fraud, card fraud, or check fraud? The answer is, it is all of those, so we need a pretty dynamic way to assign the loss and we are still assigning the loss basically to the product used to perpetrate the actual fraud."

As FIs struggle to identify the actual source of fraud and how to assign loss, they continue to add more layers to their authentication and log-in processes, as well as their back-end fraud analytics and detection systems. But today, anti-fraud systems rarely track and monitor consumer behavior across multiple product lines, channels, and systems. Fraudsters recognize and take advantage of this weakness, as their techniques morph into more sophisticated and targeted multi-area attacks, quickly moving to newly introduced banking channels where the risks are not as well known and where vulnerabilities can be exploited.

Malware tops current fraud trend in the online space.

The online channel is a prime focus for antifraud priorities in 2012 among interviewed executives. Most FIs are dedicating about 20% of their total fraud spending towards electronic banking threats and almost all FIs have executive sponsorship for their fraud tools. Cybercrime threats continue to loom large and multiple FIs mentioned an increase in man-in-the-middle, man-in-the-browser and other malware attacks.

Javelin's consumer data shows that more than 10% of the identity fraud victims who knew how their information was stolen reported that it was stolen when making purchases online; another 9% reported that their information was stolen through the computer due to stolen password or keystroke capture (see Figure 1).

[Figure 1: Method Used to Commit Identity Fraud, of the 46% of victims who reported knowing how their information was obtained. Categories are grouped as Primarily Business Controlled, Primarily Consumer Controlled and Other. Q25. How was your information obtained by the perpetrator? October 2011, n = 333. Base: All fraud victims who reported knowing how their information was stolen. Javelin Strategy & Research]

Wire transfer fraud and social engineering are not far behind in terms of leading fraud concerns in While social engineering uses trickery to gain information about customers online, phishing has evolved over time as it not only looks to steal customers' credentials but also infects their machines with malware. One interesting anecdote from a small FI cited below shows how social engineering or wire transfer fraud really has less to do with channels, and more to do with the fact that fraudsters have become increasingly sophisticated in their approach.

"In one case, the vendor representative's was compromised and a fraudster started to communicate with our customer as though they were the vendor representative. They made it very convincing because they had all the previous communication that basically convinced our customer that he had to change the wire information. Trusting this , our client sent money to a new account at their (the fraudster's) bank. This one was 100% social engineering and really nothing to do with the Internet banking fraud. But it was just as successful a loss as it would have been through Internet banking."

Electronic fraud is continuing to increase in terms of volume and number of ways of attack. In addition to malware and social engineering attacks, FI executives also need to watch for, and combat, increases in cybercrime attacks spurred by data breaches. According to Javelin's 2012 ID fraud report, 15% of consumers received a data breach notification from financial institutions, and consumers who did receive a data breach notification were 9.5 times more likely to be victims of identity fraud than consumers who did not (see Figure 2).

[Figure 2: Fraud Incidence Rate Among Data Breach Notification Recipients. Letter recipients are 9.5 times more likely to become a fraud victim. Received a data breach notification letter: 19% fraud victim, 81% not a fraud victim. Did not receive a data breach notification letter: 2% fraud victim, 98% not a fraud victim. All consumers: 5% fraud victim, 95% not a fraud victim. Axis: Percent of Consumers. Q2. In the last 12 months, have you been notified by a business or other institution that your personal or financial information has been lost, stolen or compromised in a data breach? Q5. How long ago did you DISCOVER that your personal or financial information had been misused? Past 12 months. October 2011, n = 5,022. Base: All consumers. Javelin Strategy & Research]

About half of the FI executives interviewed stated that there has been a significant increase in the number of fraud attempts through various attack techniques and they have grown worse because of the increased number of electronic banking channels. Given that wire transfer, which usually involves larger cash payments, is one of the leading fraud trends in electronic banking, FIs don't see a way to control their overall fraud loss. A single wire transfer fraud incident could significantly increase the total fraud loss for an institution regardless of the checks and balances in place.

FIs are looking for a change and are constantly re-evaluating vendors and solutions to combat electronic fraud. Nearly thirty percent of FIs interviewed named one of two leading products that they use to block malware, and other FIs were considering implementing the same solutions to help stop fraud. Regardless of the tools in place, satisfaction with them runs surprisingly low among these executives. This is partly due to the complexity involved in implementing or integrating certain software and tools, and partly because of the nature of being a risk and fraud executive. They feel that if fraudsters react with more sophisticated fraud techniques each time a new tool is implemented, then the executives cannot afford to be satisfied even if the latest anti-fraud technology is in place.

One primary concern among most executives is how these advanced fraud detection and prevention tools hinder the customers' overall banking experience. Executives worry that constant prompts for downloads and updates to increase security may become cumbersome for customers and could turn them away from using electronic channels.

"Mostly, we have put in painful controls for customers. There's always the fine line in terms of customer pain versus fraudster access, so we continue to tweak those a lot."

"We focused on a lot of customer education so we offer [anti-malware] to customers, starting in Our adoption rates are not what we expected but the customers who do have installed it have not had a single fraud case..."

Executives believe that fraud detection works in silos. FIs want a tool that detects cross-channel fraud and is easy to integrate with their systems with little or no modification. In the past two years, there has been a strong push towards incorporating behavioral, geolocation and demographic monitoring; however, not all FIs that Javelin interviewed have analytical tools built in to track fraudulent or suspicious behavior on online channels.

Among the FIs interviewed, 40% mentioned having any kind of behavioral analytics or cross-channel information tracking in place with a dedicated team to crunch and analyze the numbers. Thirty percent of the remaining FIs are looking to implement robust behavioral analytics to help curtail fraud using transaction analysis which looks for anomalies.

In addition to educating customers on safe banking practices, executives are looking to turn towards real-time vs. batch processing of transactions to help catch fraud which can occur through various channels. Further, they are looking for back-end customer velocity and transaction scoring to provide more control for tracking and stopping fraud.

III. The Emerging Mobile Channel

Almost all institutions interviewed currently offer some form of mobile banking and several executives report they are expanding their current mobile offerings. Consumer usage of mobile devices, such as feature phones, smartphones or tablets, is growing steadily. New mobile payment and banking apps further make the mobile channel very attractive for consumers. Interestingly, however, all executives interviewed believe that mobile banking is nascent and are not yet entirely sure about its fraud impact.

FIs' uncertainty regarding the size and scope of mobile fraud can be attributed in part to how most FIs currently track all forms of fraud. None of the FIs interviewed have dedicated fraud investments assigned to track and curtail mobile fraud separately from overall fraud through their various channels. Twenty percent of FIs interviewed mentioned that they have tools to identify fraud by device type; however, it is currently accounted for under the overall umbrella of electronic fraud.

FIs are looking to increase adoption of mobile banking; however, they currently lack tools to track mobile fraud because they don't yet see significant enough mobile banking volume to warrant independent tracking and reporting. This essentially puts them in a Catch-22 situation. Executives acknowledge the need to refine their fraud tracking capabilities by channel, by device and even by cross-channel tracking, so as to be able to better pinpoint sources of fraud. Acquiring such capabilities will be vital for combating fraud risks presented by the rapidly developing mobile channel.

Mobile devices are prone to more severe threats than personal computers, partially because they lack security measures that are more common on personal computers such as anti-malware software, personal firewalls, and built-in web browser security tools. Javelin's recent report shows that 7% of smartphone users were victims of identity fraud when compared to 4.9% of the total adult consumer population (see Figure 3).

[Figure 3: Fraud Incidence Rate among Smartphone Owners. Smartphone owners: 7% fraud victim, 93% not a fraud victim. All consumers: 5% fraud victim, 95% not a fraud victim. Axis: Percent of Consumers. Q39A: Please indicate which of the following products do you currently personally own. Q5. How long ago did you DISCOVER that your personal or financial information had been misused? Past 12 months. November 2011, n = 5,022. Base: All consumers. Javelin Strategy & Research]

While FIs don't yet see the value of tracking mobile fraud separately, consumers are very conscious and aware of needed mobile banking security. According to Javelin, 22% of mobile consumers would like data encryption between the mobile device and bank as a way to make mobile banking more secure and 14% would prefer all data on their mobile device to be encrypted (see Figure 4).

[Figure 4: Preferred Security Features among All Mobile Consumers. Axis: Percent of Mobile Consumers. Q22: Which of the following security features do you believe will make mobile banking more secure and safe to use? (Select one only) June 2011, n = 3,180. Base: All consumers with a mobile device. Javelin Strategy & Research]

Javelin's data also shows that 35% of mobile consumers would like to be verified by personal security questions and 21% by fingerprint scanning or voice recognition (see Figure 5).

[Figure 5: Preferred Security Features among Mobile Bankers. Axis: Percent of Mobile Bankers. Q22: Which of the following security features do you believe will make mobile banking more secure and safe to use? (Select one only) June 2011, n = 926. Base: Mobile bankers past 12 months. Javelin Strategy & Research]

This shows that consumers expect FIs to provide state-of-the-art security features to assure them of secure mobile banking. This also means FIs will need to set a separate budget to have programs in place for combating mobile fraud due to increased adoption of mobile banking.

NFC could be a potential game changer.

Mobile payment options are on the rise and Near Field Communication (NFC) technology, although touted as more secure, could leave the door open for new types of hacking attacks. At this stage the fraudsters are lying low, but as the use of NFC grows in the mobile payment world, FIs and payment providers alike should watch for innovative, more targeted and sophisticated malware. One FI interviewed acknowledged the potential change for mobile fraud with NFC adoption.

"Once that hits, all bets are off. It certainly becomes a space that is very attractive to the fraudsters."

"I think there is more of a threat around the malware space on the mobile phone, since it is essentially a PC. The Fed actually released an interesting survey about consumers' sentiments towards the mobile space. Their number one concern was that somebody could hack in remotely with their phone and the second was that payments could be wirelessly intercepted."

IV. Credit and Debit Card Fraud

Lost and stolen cards, counterfeit cards and skimming are the leading categories in credit and debit card fraud; however, what is on the rise is card not present (CNP) fraud. Approximately half of the FI executives interviewed mentioned that CNP fraud is much higher in terms of cases and dollars, with a split of about 60% CNP vs. 40% card present fraud.

Javelin's data shows that online purchases continue to be the leading form of card misuse. Forty-one percent of consumers affected by identity fraud through the misuse of existing or new cards admitted that the card information was misused for making online purchases and 17% mentioned that it was misused to make purchases by phone or mail (see Figure 6).

[Figure 6: Misuse of Information among Fraud Victims. Axis: Percent of Fraud Victims. Q12. How was your information misused? Was it used to...? October 2011, n = 799. Base: All fraud victims. Javelin Strategy & Research]

All executives interviewed mentioned that CNP fraud tracking is included in their overall card fraud tracking mechanisms and that there is no separate plan or program in place for CNP tracking despite its increase. One interesting quote from a mid-sized FI sums up the current state of card fraud tools.

"I am not very satisfied with the tools we are using currently. I think as far as the card space is concerned, we are still using technology that's twenty years old. There needs to be better modeling, and better processing from the neural networks and so forth"

CNP fraud should be seen as an area of high risk because of the weak authentication processes in place. Fraud in this area could quickly worsen. Online and mobile purchasing is growing at a faster rate than in-store purchasing. Additionally, as more secure chip technologies such as EMV are adopted for transacting (and until remote readers become standard consumer fare), history has shown that fraudsters are likely to quickly migrate to CNP frauds because they are relatively easier to perpetrate.

V. Fraud Prevention Strategies

All the executives interviewed are completely aware of the need to shake up and improve their current fraud prevention strategies in the electronic banking world. Key areas for future anti-fraud spending and innovative fraud tracking include:

Analyze fraud across channels using an integrated approach. One of the major problems with electronic fraud is the inefficiency of tracking crimes in silos. Tracking fraud across channels in an enterprise view is essential for FIs to get a clear picture of current fraud loss. FIs will need to heavily invest in this area to build a platform to integrate departments, products and channels in order to effectively monitor, mitigate and prevent fraud.

ID and device recognition is essential to increase adoption of mobile banking. Javelin's data shows that 18% of consumers who have mobile banked in the last 12 months are looking for their banks to incorporate mobile device authentication and 21% stated they expect their banks to include additional authentication besides username and password (see Figure 6, on page 15). Consumers are willing to take more control in their banking relationships. Indeed, mobile devices are becoming tools to fight fraud as their use for one-time password and out-of-band transaction verification increases. With more robust device security and ID recognition tools, FI executives should work to empower customers to work as partners in helping to mitigate fraud occurring across any channel.

Performance metrics are necessary to direct resources to areas of greatest need. It's not enough to fight against fraud; it's also essential to measure performance. Most FIs use basis points (net losses compared to net sales volume) to track their return on investment (ROI). Executives mentioned tracking all fraud tools in terms of the numbers of accurate cases detected and total fraud losses compared to the investment. The revised FFIEC guidelines make it clear that not only are FIs expected to adopt advanced user identification and authentication techniques, technologies and processes, they will need to demonstrate and document their success for the regulator as well as for internal management reporting. This means being able to measure attempted attacks as well as those successfully thwarted, while performing analysis that will enable redirecting resources where needed for constant improvement. Real-time fraud processing and tracking of transactional data is increasingly important in this era of constantly changing technology and progressively sophisticated malware attacks.

Be proactive and predictive vs. reactive. It is clear that current methods of tracking fraud cannot be sustained with changing technology, especially in the mobile area. To gain consumers' confidence, FIs will need to step up and be more proactive in their approach when dealing with emerging fraud in mobile, NFC and CNP areas. Predictive analytics will increasingly drive fraud prevention techniques.

Educate consumers about malware and antivirus products. FIs are constantly faced with the challenge of balancing the fine line between providing a secure, fraud-free banking environment and hindering the customer experience. Over the last couple of years, an increasing number of consumers believe that it is partially their responsibility to protect their financial accounts from fraud (see Figure 7). If FIs step up and educate consumers about safe practices and add layers of authentication to mitigate fraud, then consumers should not resist the added security provided by their banks. But FIs also need to hide some of their efforts in back-end anti-fraud systems which evaluate transaction velocity, geolocation of the customer's device, user behavior and other performance metrics on a real-time basis to stop fraud before it occurs.

[Figure 7: Consumer Attitude on Fraud Responsibility, 2008 to. Axis: Percent of Consumers. Scale: 1 = Solely my responsibility, 3 = Equally shared by bank and me, 5 = Solely the bank's responsibility. Q37. When it comes to protecting your financial accounts from fraud, who do you think should be primarily responsible? On a 1 to 5 scale, let 1 represent "Solely my responsibility", 3 represent "Equally shared by bank and me" and let 5 represent "Solely the bank's responsibility". March 2011, 2010, 2009, 2008 n = 4,961, 5,046, 2,683, 2,256. Base: All consumers with financial accounts. March 2011, 2010, 2009, 2008 n = 5,102, 4,998, 2,779, 2,350. Javelin Strategy & Research]

VI. Conclusions

Combating fraud in electronic banking is a never-ending story due to new attack vectors, new online banking channels, new consumer devices for accessing accounts and new banking services. Industry leaders need to think about feedback reporting and measurements as part of a cross-channel antifraud strategy. Such reporting and metrics are part of an FI's responsibility to reduce fraud in order to improve ROI and, more importantly, to maintain customer trust.

According to this study, FIs indicate willingness and even an eagerness to adopt new, more sophisticated tools that use advanced analytics to detect new, emerging threats which are increasing in complexity, as well as continuing to fight existing fraud. These tools go hand in hand with process improvements, policies and procedures to achieve their goal of mitigating fraud to acceptable levels while balancing the overall customer experience.

Learn how SAS can help financial institutions monitor behavior across multiple e-banking channels at

SAS and all other SAS Institute Inc. product or service names are registered trademarks or trademarks of SAS Institute Inc. in the USA and other countries. ® indicates USA registration. Other brand and product names are trademarks of their respective companies.