Having a Fraud Department isn't Enough - It Needs "Teeth" so it Can Bite

Mitigating fraud isn’t just about identifying patterns of fraudulent transactions and identifying compromised merchants.

Working for a company in the security industry, focusing specifically on anti-fraud solutions, I am exposed to multiple fraud departments of various financial institutions. All these teams, without exception, are manned by intelligent people who are as passionate about combating fraud as they are knowledgeable of their trade. Yet, some departments are more effective than their counterparts in stopping fraud, while some struggle. It’s not just because they’re using different solutions - these differences often stem from the amount of power entrusted to these departments by their organizations. Without this power, implementing effective policies for combating fraud is impossible.

Mitigating fraud isn’t just about identifying patterns of fraudulent transactions and the ongoing work of identifying compromised merchants. Mitigating fraud is also about identifying the weakest links that fraudsters can exploit and making the changes needed to plug those holes. After all, fraudsters are actively searching for vulnerabilities in financial institutions to exploit: weak links that allow them to easily transfer funds from compromised accounts without getting the transfer blocked.

These “vulnerabilities” are not necessarily what computer experts mean when they say “vulnerabilities” - exploitable segments of code that allow attackers to gain unauthorized access to systems (although that may happen too). Instead, the vulnerabilities fraudsters seek are usually gaps in the organization’s processes. For example, fraudsters may learn that a certain financial institution allows opening an account online while asking for only a limited set of identification documents that are easy to fake. Such a process enables fraudsters to open multiple mule accounts under their control, which in turn increases the demand for compromised accounts at that bank. Another example is the CVV code, an embedded security code within a credit card’s magnetic stripe which is supposed to prevent duplication of the card simply by asking the card holder for the card’s details. However, several years ago fraudsters learned that some banks do not actually check the CVV code (some skipped the check in certain situations, while others never bothered to check the validity of the code at all) and immediately went on a phishing spree to gather card details for duplication.

Some of these vulnerabilities, such as the CVV code not being checked, are as easy to remedy as changing the rules in the bank’s systems. Others, however, may require changing the process of how things are done. If another department has intentionally designed the online account-opening process to be as easy and straightforward as possible, and has set competitive goals for new account volumes, an attempt to change that process may meet resistance. Even where there is no resistance to changing a process, financial institutions are often very large organizations in which every small change creates a butterfly effect. Making the changes needed to react to fraud may therefore take a long while – during which the fraudsters could potentially milk the organization of its customers’ funds.
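As an added illustration (not code from the article or from any bank’s systems), here is the “change the rules” remedy for the CVV gap described above, in Python: a weak card-not-present authorization rule set that exempts one channel from CVV verification and tolerates a missing CVV, beside the corrected rule set, plus a small audit that lists the situations in which a wrong or missing CVV would still be approved. The channel names, policy keys and the sample CVV on file are constructed placeholders.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed sample value standing in for the CVV the issuer holds on file.
ISSUER_CVV = "123"
CNP_CHANNELS = ("ecommerce", "moto")  # card-not-present channels (moto = mail/telephone order)

@dataclass
class Transaction:
    channel: str
    card_present: bool
    cvv_supplied: Optional[str]  # what the merchant sent; None when omitted

# Weak rule set, modelled on the gap the article describes: the CVV is compared
# only on the e-commerce channel, and a missing CVV is tolerated.
WEAK_POLICY = {"verify_cvv_on": {"ecommerce"}, "decline_if_missing": False}

# Corrected rule set: every card-not-present channel must carry a matching CVV.
HARDENED_POLICY = {"verify_cvv_on": set(CNP_CHANNELS), "decline_if_missing": True}

def authorize(tx: Transaction, policy: dict, issuer_cvv: str = ISSUER_CVV) -> str:
    """Return 'approve' or 'decline' for one transaction under a CVV policy."""
    if tx.card_present:
        return "approve"  # chip/PIN path; the CVV plays no role in this decision
    if tx.channel not in policy["verify_cvv_on"]:
        return "approve"  # the gap: this channel is exempt from CVV verification
    if tx.cvv_supplied is None:
        return "decline" if policy["decline_if_missing"] else "approve"
    # Constant-time comparison so response timing does not leak matching digits.
    ok = hmac.compare_digest(tx.cvv_supplied.encode(), issuer_cvv.encode())
    return "approve" if ok else "decline"

def cvv_gaps(policy: dict) -> list:
    """Audit a policy: list (channel, reason) pairs where card details submitted
    with a wrong or missing CVV would still be approved."""
    gaps = []
    for ch in CNP_CHANNELS:
        if authorize(Transaction(ch, False, "000"), policy) == "approve":
            gaps.append((ch, "wrong CVV approved"))
        if authorize(Transaction(ch, False, None), policy) == "approve":
            gaps.append((ch, "missing CVV approved"))
    return gaps

if __name__ == "__main__":
    print("weak policy gaps:    ", cvv_gaps(WEAK_POLICY))
    print("hardened policy gaps:", cvv_gaps(HARDENED_POLICY))
```

The audit is the check a fraud team can run against its own rule configuration before, rather than after, fraudsters find the exempt channel.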

A bank that fails to give its fraud department the power to make the necessary changes to internal processes may end up in a situation where everyone knows how and why fraudsters are stealing money from the bank – yet nothing can be done to stop it. Obviously, fraud mitigation is not the only aspect that has to be taken into account in every situation, but the more power the fraud department has to influence processes, the better positioned the bank will be to mitigate fraud – especially when fraudsters identify such a vulnerability in the organization.

Idan Aharoni is the Co-Founder & CEO of threat intelligence provider IntelFinder. He is a cyber security and intelligence veteran, with over 15 years of experience developing and managing cyber intelligence operations. In 2019, Idan received a “Legends of Fraud” award for his role in creating one of the world’s first fraud intelligence services, which monitored the Dark Web on behalf of financial institutions worldwide, as part of his work as Head of Cyber Intelligence at RSA, The Security Division of EMC.