Preventing Fraud with a Multi-Channel Approach

Editor's Notes

• #5: Keystroke logging malware and man in the middle browser attacks. FFIEC came out with new guidelines for multifactor authentication. Star One realized even with the new MFA members were not protected from online fraud. Keystroke logging malware and man in the middle browser attacks would continue and make members vulnerable to fraud. We also knew that education would not solve this problem either. Ultimately, any fraud or losses would be Star One responsibility and we would make our member whole. Our view was that all members pcs are compromised and to built a security strategy to protect members and detect criminal online activity. In late 2006, GA called to pitch a new fraud monitoring system that was not solely based on rules but in their concept also included behavioral detection. We were intrigued as we knew that the MFA wasn’t a fraud solution so we invited GA in and they pitched their idea and we were sold. Not only did their behavioral analysis made them different, they also promised less false positives, ….and here we are today!! When Guardian Analytics was founded in 2005, the original founders had determined that financial institutions, and their customers, were not adequately protected from fraud.   At that time, FIs were relying on rules-based systems that could not keep up with the changing tactics from fraudsters. In addition, the rules were unnecessarily cumbersome for legitimate customers trying to conduct banking transactions.   The abundance of alerts generated by overly conservative rules resulted in some fraud analysts ignoring alerts, which allowed persistent fraudsters many opportunities to breach customer accounts.   Ultimately a new approach was needed and this paved the way for machine learning.   Guardian Analytics developed the first fraud detection platform that used machine learning and behavior-based anomaly detection to help financial institutions prevent fraud.   Through machine learning and behavioral analytics, the Guardian Analytics platform is able to automatically adapt to new types of fraud, reduce false positives, and remove friction between financial institutions and their customers.
• #6: Criminals can get past controls (limits, authentication, email alerts) Cross-channel fraud starts online (check fraud, call center fraud, faxed wire fraud)
• #7: Most FI’s at that time didn’t realize that some of the payment fraud originated with compromised online banking logins and focused where the fraud occurred not where it generated. Star One learned that lesson when working with Guardian during the beta realizing that some of the online banking credentials were compromised resulting in fraud through other channels as wire fraud or ACH. Most of the FI at that time thought that MFA would suffice. A few signed up with another competitor in the space which was rule based alerts and generated a lot of false positives. I like to use a phrase from my web service manager, our members can tattoo their account logins on their fore head and they are protected. By using guardian we are protecting our members from themselves. We can catch fraud before it occurs by an alert from GA and as we contact our members to validate the login we can block the fraudster from using the information or if a request comes through we already know that the members has been compromised. Any unusual requests via online or faxes for large $ withdrawal (wire, Ach, Transfer or check requests) staff would check with Web services against the alerts from Guardian. We have that much confidence in the tool we raised our mobile deposit limit from $ 25K to $200 k and have now eliminated the limit completely. We also at that time knew that behavior analysis was the key, not transactional.
• #9: Discovery: Our member noticed that their Bill Pay account had a new entry and a charge for $4,500 that she did not authorize. Setup: A fraudster performed an unauthorized login into our members online account and set up a new Bill Pay payee/payment for $4,500 (sent to a person he met in an online romance internet chat room). Result: The fraudster obtained our members login info, we feel, from a Phishing e-mail and used the existing Bill Pay account to send his chat companion $4,500. The fraudster then asked the unknowing chat accomplice to wire him $4,500 from her account to pay him back. After we put the funds back into our members account and reversed the transaction, the unknowing accomplice was out the $4,500. Takeaways: The source of this fraud was the Phishing e-mail and the entry into Online Banking. If we would have had the Guardian Solution in place at the time of this fraud, we feel, it would have been prevented and would have revealed the suspicious activity at the time of the initial unauthorized login.
• #10: Discovery: Our member noticed there was $98,000 missing from his Savings Account and that it had been transferred into his HELOC and then the funds were withdrawn. All of this occurred over a 5 day period. He noticed it after reviewing his monthly statement. Setup: A fraudster performed an unauthorized login into our members Online account and viewed his cleared drafts over and over (in order to learn and copy the signature of our member). The fraudster then transferred $98,000 into the HELOC account using Online Banking. The next day we received a signed faxed request for a Wire Transfer in the amount of $98,000 to a bank in Texas. We performed the normal due diligence (verified signature and contacted our member based upon our host system info) and completed the transaction. Result: The fraudster obtained our members personal info and used social engineering and our call center to change the phone number of record (changed to his number) and the Online Banking password. Thus when we did our due diligence, we ended up calling the actual fraudster to confirm the transfer as well as confirming the signature. Upon the member alerting us (in a panic), we asked Guardian to reconstruct the login analysis of this member (we were in beta testing with their pilot program at the time). The results were stunning. On the initial date of the login (1 day prior to the call center manipulation), FraudMap discovered the online profile anomaly and alerted “Red”. Takeaways: The source of this fraud was the public/private info the fraudster had in order to social engineer our call center. We feel, and have the proof, that the Guardian solution would have discovered this fraud even though it involved both online and offline activity.
• #11: Discovery: Guardian alerted “Red” for a login into a members account. Further investigation revealed that the person who performed the unauthorized login looked at check images and changed the password and Multi Factor question. Setup: The fraudster, we believed at the time, used a Trojan or key logging program or a Phishing e-mail to gain the users member number/password/Multi Factor question and answer. Because the check images were viewed, we felt that further fraud might be brought to this account. Result: We placed contacts on the account and contacted the member. The member was sure that it was not anything on his system because he claimed he kept his PC clean and practiced good security. We recommended he run an adware or malware program to further clean the machine. Upon doing so, he in fact found a key logger on his system and couldn’t thank us enough. Takeaways: Even practicing good security habits can leave a PC vulnerable. With a solution in place that really guards against unauthorized logins, we feel we have extended the security on our valuable Online Banking members who are amongst the most savvy and profitable to us.
• #12: Discovery: A member filled out a Visa dispute form for charges that she claimed she or her daughter had not authorized. Oddly, she claimed that some payments to her Visa had also been made online. Setup: The member actually disputed a large number of transactions until we used the Guardian system to find out that there were no unauthorized logins and in fact the profile was quite normal for the dates she claimed withdrawals and payments were being made. Result: Upon realizing that we were not completely sure that there was fraud involved, the mother “remembered” that she in fact had made the purchases and payments for her daughter and rescinded her affidavit after pressure from her spouse. Takeaways: The Guardian system helped us detect when there was no fraud present. We feel that after explaining our methods of investigating online fraud and specifically the use of the login analysis tool, that our member realized that we have were aware of actual verified logins performed by the daughter and mother at the time she clamed there was fraudulent activity.
• #13: an approximately 2,760,000 login attempts. Of those, 1,745 were red alerts and 5295 were yellow alerts representing a combined 0.26% of our total logins. This resulted in approximately 19 (red and yellow) events per 7540 login events on average per day. On a typical mid-week day, we see on average 5-7 red alerts. Those are highly qualified alerts and the low false positive figure allows us to concentrate staff time on investigation real probable fraud scenarios. Of those Red/ Yellow events 236 required qualifying. Of those, 41 were qualified action events (required follow up /placing a contact on the host or contacting the member).
• #14: Bill Pay alerts - 9 transactions, $160,469.41 Reg E ACH Disputes - 40 transactions, $197,179.64 Wire Transfer fraud - 4 transactions, $878,471.84 Additional Results 2017 – received wire form from a suspicions IP address Wire Fraud attempted $230,000 2016 – suspicious login, call center social engineering Fraud attempted $130,000 2015 – suspicious alert, member confirmed fraudulent Fraud attempted $65,000 2013 – suspicious login, compromised computer. EFT and BP. Fraud attempted $322,000, loss sustained $65,000
• #15: Let’s talk a little bit about how machine learning actually works to identify fraud.   Machine Learning models follow a well-defined pattern that is used across Data Science.  The model collects user data from online activity and transactions. This data allows the model to learn the behavior of each user.  Each new user activity provides the model with more information to learn (such as location from where transactions is being made, amount of transactions, type of computer, type of browser, recipient, etc.).    When a new transaction is made by the user, the Machine Learning model compares the behavior of the new transaction against the already learned behavior across many data points (is this a new type of computer, is the location different, etc.).  If the behavior is anomalous – meaning it doesn’t fit the pattern that the system has seen in the past from that user — the system flags the transaction so that it can be reviewed. This allows fraud analysts to take action to mitigate the risk and learn from it.   Thus, our platform knows that Customer A uses a PC and only logs in to online banking from home on Friday nights. When the system detects this customer trying to log in from an iPhone in Italy, it knows that the behavior is highly unusual for him, even if it wouldn’t otherwise be noteworthy for a different customer.
• #16: Having the online protection and saw how it protected our members and Star One, it was an easy decision to incorporate the mobile channel when GA came to us for testing. Even though our fraud is low compared to some other FI’s we wanted to ensure that all channels had some type of monitoring. GA knew that Star One processed a lot of wires and any wire requests was checked against online logins for unusual behavior. That protected online members not all. So when GA came out with a wire fraud tool Star One was first in line again as well as for ODFI ACH. Even though our originating ACH files are small they are at higher risk so we implemented ODFI as well. We really wanted the RDFI, that’s where our volume is. We feel that all these tools work together and provide a good picture of our members transaction behavior so looking to GA for an AML solution was second nature. We have one in place currently because GA didn’t have one, but we would love to switch over AML to GA as well. We like the Omni channel analytics but to be honest we haven't signed up for it just yet. We use FraudMAP for external funds transfer name mismatch validation and additional context We monitor account activity We investigate Bill Pay signups We validate member “claims” about activity, for example: Email address changes by ex-wife “Fraudulent” Bill Pay by members “Account takeover” by member’s mother
• #17: Fraudulent transactions (bill pay, wire, etc.) Account reconnaissance (view check images, change email address, etc.) Guardian has allowed us to take more risks and make our members happier Full range of online and mobile services Increase external transfer limits Increase RDC from $2,500 to $200,000
• #18: The benefits that Star One described are representative of what we are seeing across our customer base. To validate these results, we engaged Nucleus Research Group who worked directly with our customers to analyze the impact from using Guardian Analytics.  As you can see the benefits are impressive. Based on our customer data, fraudulent transactions were cut by 90%, False positives reduced by 5x, and Callbacks reduced by 80% -- all of which lead to helping FIs capture Fraud before it occurs.
• #19: Our financial crime prevention platform provides end-to-end protection to financial institutions and their customers.   We provide Visual Analytics that allow fraud teams to get a 360-degree view of customer behavior. And our increasingly comprehensive views of multi-channel activity bring us closer to making true Omni Channel a reality for our customers. We cover the whole scope of banking interactions, from login to the actual transactions. These insights into customer behavior provide advanced protection and real-time control over fraudsters and fraud risk.  And it’s all built on the industry’s leading behavioral analytics and machine learning risk engine.    Our Enterprise API enables machine-to-machine integration and gives our customers the best protection against fraudulent attacks. On top of all of this, our new business intelligence dashboard, Fraud Cockpit, provides full business insights into Fraud Operations.
• #20: We truly mean business when it comes to protecting our customers’ financial assets.  With more than 450 financial institutions as our customers, ranging in scope from millions in assets to $600Billion, we analyze the behavior of over 40M commercial and retail account holders, and protect over $5B in banking activities each year, making us the #1 behavioral analytics platform for Fraud detection.