
Having a Fraud Department isn't Enough - It Needs "Teeth" so it Can Bite

Mitigating fraud isn’t just about identifying patterns of fraudulent transactions and identifying compromised merchants.

Working for a company in the security industry, focusing specifically on anti-fraud solutions, I am exposed to multiple fraud departments of various financial institutions. All these teams, without exception, are manned by intelligent people who are as passionate about combating fraud as they are knowledgeable about their trade. Yet, some departments are more effective than their counterparts in stopping fraud, while some struggle. It’s not just because they’re using different solutions - these differences often stem from the amount of power entrusted to these departments by their organizations. Without this power, implementing effective policies for combating fraud is impossible.

Mitigating fraud isn’t just about identifying patterns of fraudulent transactions and the ongoing work of identifying compromised merchants. Mitigating fraud is also about identifying the weakest links which fraudsters can exploit and making the necessary changes to plug those holes. After all, fraudsters are actively searching for vulnerabilities in financial institutions to exploit, weak links that allow them to easily transfer funds from compromised accounts without getting the transfer blocked.

These “vulnerabilities” are not necessarily what computer experts often refer to when they say “vulnerabilities” - exploitable segments of code that allow attackers to gain unauthorized access to systems (although that may happen too). Instead, the vulnerabilities fraudsters seek are usually gaps in the organization’s process. For example, fraudsters may learn that a certain financial institution enables opening an account online, while only asking for a limited number of identification documents that are easy to fake. Such a process enables fraudsters to open up multiple mule accounts they control, increasing the demand for compromised accounts of the bank. Another example is the CVV code, an embedded security code within a credit card’s magnetic stripe which is supposed to prevent duplication of the card just by asking the card holder for the card’s details. However, several years ago fraudsters learned that some banks do not actually check the CVV code (some banks didn’t check the CVV in certain situations while others never bothered to check the validity of the code) and immediately went on a phishing spree to gather card details for duplication.

Some of these vulnerabilities, such as checking the CVV code, are as easy to remedy as changing the rules in the bank’s systems. However, some of these gaps may require making changes to the process of how things are done. If another department has intentionally made the process of opening an account online as easy and straightforward as possible, setting competitive goals for new account volumes, an attempt to change the process may encounter resistance. Even if there is no resistance to changing a process, financial institutions are often very large organizations where every small change creates a butterfly effect. Making any necessary changes to a process in order to react to fraud may take a long while – during which the fraudsters could potentially milk the organization of its customers’ funds.

A bank that fails to give its fraud department the power to make the necessary changes to its internal processes may end up in a situation where everyone knows how and why fraudsters are stealing money from the bank – yet nothing can be done to stop it. Obviously, fraud mitigation is not the only aspect that has to be taken into account in every situation, but the more power the fraud department gets to influence processes, the better the bank will be positioned to mitigate fraud – especially when fraudsters identify such a vulnerability at the organization.

Idan Aharoni is the Head of Cyber Intelligence for the FraudAction Intelligence team at RSA where he is responsible for gathering, analyzing and reporting intelligence findings on cybercrime and fraud activity. Mr. Aharoni joined Cyota (later acquired by RSA) in February 2005 as an analyst at the Anti-Fraud Command Center. During his service, he founded the FraudAction Intelligence team, which he leads today. Between his work at the Anti-Fraud Command Center, as well as the unique insight he has gained by the intelligence and discoveries gathered by his team, Mr. Aharoni offers vast expertise into the underground fraud economy and how cybercriminals operate.