What Must Be Done to Protect Business Accounts
What can - and should - a banking institution do to help protect its business customers?
Current Fraud Trends
There are three variations of fraud that are commonly seen as particularly prevalent now:
First Party - where criminals open accounts and use them as pass-through accounts to move money. Additionally, there may also be legitimate business owners who are kiting: they create additional float so that they effectively have an additional line of credit. They do not mean to defraud the bank, but they are creating float as a form of credit.
Internal - where employees sell information about a business's accounts to outside organizations. Another scenario is the small-business employee with access to the business accounts who moves money out and then leaves town. One twist in detecting internal fraud is that employees who perform the transactions may muddy the trail by claiming their account credentials were taken in a phishing email. They can almost use that as an excuse, and it cannot be disproven unless the business keeps internet web logs, so it is hard to establish whether the employee was colluding with outsiders or the account really was phished.
Third Party - where most of the warnings concern phishing, social engineering or spear-phishing. There are even infected web pages that can compromise a user's PC. Criminals attack the business, compromise the online credentials and move money out of the accounts.
Areas to Improve Security
Many institutions impose transaction limits as a way to stop fraud. This is a stopgap measure, and these additional steps should be followed:
Account-Level Check - Look at the types of transactions that are happening: what is typical behavior, which logins occur and when they happen. If users then start logging in at night or over the weekend, that is a red flag to hold transactions until you can talk to the business owner, stopping fraud before it takes place. The key is to use analytics to flag "out of the ordinary" transactions. Look across all of the customer's behavior to spot what is unusual for that account holder.
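The account-level check above amounts to building a per-account baseline and holding anything that falls outside it. The following Python is an added illustration, not code from the article or from any vendor it describes: the transaction history is constructed, and the business-hours, weekend and three-standard-deviation thresholds are assumptions chosen for the example.

```python
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample history for one business account: (timestamp, event, amount).
# Every login and ACH payment happens on a weekday during business hours.
HISTORY = [
    ("2024-03-04 09:15", "login", 0.0),
    ("2024-03-04 09:40", "ach", 4200.00),
    ("2024-03-05 10:05", "login", 0.0),
    ("2024-03-05 10:20", "ach", 3900.00),
    ("2024-03-06 08:55", "login", 0.0),
    ("2024-03-06 09:30", "ach", 4500.00),
    ("2024-03-07 11:10", "login", 0.0),
    ("2024-03-07 11:35", "ach", 4100.00),
    ("2024-03-08 09:50", "login", 0.0),
    ("2024-03-08 10:15", "ach", 4300.00),
]

TIME_FMT = "%Y-%m-%d %H:%M"
Z_THRESHOLD = 3.0  # assumed: an amount more than 3 sd above the mean is "out of the ordinary"


def build_profile(history):
    """Summarise what is normal for this account from its own history only."""
    hours, weekdays, amounts = set(), set(), []
    for ts, event, amount in history:
        dt = datetime.strptime(ts, TIME_FMT)
        hours.add(dt.hour)
        weekdays.add(dt.weekday())
        if event == "ach":
            amounts.append(amount)
    return {
        "hours": hours,
        "weekdays": weekdays,
        "amount_mean": mean(amounts),
        "amount_sd": pstdev(amounts),
    }


def score_event(profile, ts, event, amount):
    """Return the reasons an event deviates from the account's own baseline."""
    dt = datetime.strptime(ts, TIME_FMT)
    reasons = []
    if dt.weekday() >= 5 and not any(d >= 5 for d in profile["weekdays"]):
        reasons.append("weekend activity on an account only ever used on weekdays")
    if dt.hour not in profile["hours"]:
        reasons.append(f"activity at hour {dt.hour:02d}, never seen for this account")
    if event == "ach":
        sd = profile["amount_sd"] or 1.0  # avoid division by zero on a flat history
        z = (amount - profile["amount_mean"]) / sd
        if z > Z_THRESHOLD:
            reasons.append(f"amount {amount:.2f} is {z:.1f} sd above the account mean")
    return reasons


def decide(profile, ts, event, amount):
    """'hold' (pending a call to the business owner) if anything is unusual, else 'release'."""
    return "hold" if score_event(profile, ts, event, amount) else "release"


if __name__ == "__main__":
    profile = build_profile(HISTORY)
    # A Saturday-night payment far above the usual size: held with three reasons.
    print(decide(profile, "2024-03-09 23:30", "ach", 25000.00),
          score_event(profile, "2024-03-09 23:30", "ach", 25000.00))
    # A Monday-morning payment of the usual size: released.
    print(decide(profile, "2024-03-11 10:00", "ach", 4400.00))
```

The point of scoring against the account's own history rather than a global rule is the one the text makes: a 10 p.m. login may be normal for one business and a red flag for another, so the baseline has to be per account holder.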
Create Unique Account User IDs - Make sure all users have different log-in identification. Do not let them share the same user name and password. There should be a unique user name for each person so that the institution can build a unique usage profile for each user. This is similar to the PCI requirements: anyone who accesses data needs a separate log-in.
Dual Control - Have two unique users approve transactions. If you can implement that, it goes a long way toward reducing the chances of criminals stealing from the SMB account with a single user logon, and it also stops the threat of internal fraud.
Multi-Factor Authentication - Even though this solution is susceptible to man-in-the-middle and man-in-the-browser attacks, it is still an effective layer of protection. A lot of times business owners will ask, 'I have so many users on the account; how many tokens will I need?' You need a unique token for every user.
SMS Messaging - This out-of-band message to users and account owners is important. It can be bypassed if a criminal can get in and change the phone numbers or email contacts. But an institution can get around that by contacting the old number or email when a change is requested, to verify that it was the account holder -- not a criminal -- making the request. This is something banks already do with address changes. You need to realize that criminals will go in and change email and phone contact information, so such a change is a heads-up that something is taking place.
IP/Email Address Controls - Only allowing certain email addresses/IP locations to reach the bank's online website to do transactions is another good control to put in place. It can be overcome, but it is another good layer of control. What is the risk that someone has just changed their phone and email contact information and is coming in from another IP location to make these transactions? If they are coming in from another IP address, by weighing that risk the institution can stop, look at it and question the transaction.
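The unique-user, dual-control, contact-change verification and IP-control items above combine naturally into a single transaction gate that holds a transfer when any layer is missing. The Python below is an added example written for this page, not code from the article or any bank; the account, users, IP addresses and phone numbers are constructed, the `CONTACT_CHANGE_HOLD` window is an assumed value, and the out-of-band SMS send itself is left out of scope.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed cooling-off period after a confirmed contact change; not a figure from the article.
CONTACT_CHANGE_HOLD = timedelta(days=2)


@dataclass
class Account:
    account_id: str
    users: set                 # one login per person, no shared credentials
    allowed_ips: set           # IP addresses permitted to submit transactions
    contact_phone: str         # out-of-band (SMS) contact currently on file
    pending_phone: Optional[str] = None      # requested but not yet confirmed
    contact_changed_at: Optional[datetime] = None


@dataclass
class Transfer:
    initiator: str
    approver: Optional[str]
    source_ip: str
    amount: float
    submitted_at: datetime


def request_contact_change(account, new_phone, when):
    """Record the requested change and return the OLD number: that is where the
    verification message must be sent, so a criminal who changed the contact
    details cannot also receive the confirmation."""
    account.pending_phone = new_phone
    account.contact_changed_at = when
    return account.contact_phone


def confirm_contact_change(account):
    """Apply the change only after the account holder confirmed via the old number."""
    account.contact_phone = account.pending_phone
    account.pending_phone = None


def evaluate(account, transfer):
    """Return (decision, reasons). Decision is 'reject', 'hold' or 'release'."""
    if transfer.initiator not in account.users:
        return "reject", ["initiator is not a registered user of this account"]
    reasons = []
    # Dual control: a second, distinct registered user must approve.
    if (transfer.approver is None
            or transfer.approver == transfer.initiator
            or transfer.approver not in account.users):
        reasons.append("dual control: approval by a second, distinct registered user is required")
    # IP control: only known locations may submit transactions.
    if transfer.source_ip not in account.allowed_ips:
        reasons.append(f"source IP {transfer.source_ip} is not on the account's allow list")
    # Contact-change heads-up: unconfirmed changes, or very recent confirmed ones, are held.
    if account.pending_phone is not None:
        reasons.append("contact details changed but not yet confirmed via the previous number")
    elif (account.contact_changed_at is not None
            and transfer.submitted_at - account.contact_changed_at < CONTACT_CHANGE_HOLD):
        reasons.append("contact details changed within the hold window; review before release")
    return ("hold" if reasons else "release"), reasons


if __name__ == "__main__":
    acct = Account("biz-1", {"alice", "bob"}, {"203.0.113.10"}, "+1-555-0100")
    ok = Transfer("alice", "bob", "203.0.113.10", 5000.0, datetime(2024, 3, 11, 10, 0))
    print(evaluate(acct, ok))                       # ('release', [])
    self_approved = Transfer("alice", "alice", "203.0.113.10", 5000.0, datetime(2024, 3, 11, 10, 0))
    print(evaluate(acct, self_approved))            # held: dual control
    old = request_contact_change(acct, "+1-555-0199", datetime(2024, 3, 11, 9, 0))
    print("send verification to", old)              # +1-555-0100, the previous number
    print(evaluate(acct, ok))                       # held: unconfirmed contact change
```

Each layer can be beaten on its own, as the text concedes for MFA, SMS and IP controls; the value of the gate is that a thief who has one user's credentials still needs a second user, a known IP and the old phone number before money leaves the account.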