More Related Content Similar to EChannel Frauds Similar to EChannel Frauds (9) EChannel Frauds2. Executive Summary
Javelin was retained by SAS to understand the current state of e‐channel fraud among U.S. financial
institutions (FIs). Javelin Strategy conducted in‐depth interviews with risk and fraud executives from
small, mid‐size and large financial institutions to meet the research objectives. In this whitepaper,
Javelin also presents relevant elements from its proprietary consumer data to bring in additional
insights from the consumer perspective.
In summary, the study found:
Today’s anti‐fraud systems rarely track, monitor or report behavior across multiple e‐
banking channels, allowing fraudsters to move quickly from old to new channels where the
risks and vulnerabilities are not well known, and which therefore can be exploited.
All interviewed recognize a need to improve current electronic banking anti‐fraud
strategies. Nearly 70% of interviewed FI executives have implemented, or are planning to
implement, cross‐channel behavioral anomaly, predictive analytics and other advanced
detection tools to combat e‐banking fraud.
Malware‐based fraud attacks are being addressed by half the interviewed FIs who offer
customers anti‐malware software downloads.
Interviewed FIs are not aware of the potential impact of fraud in mobile banking, partly
because few have tools to identify, track and report such fraud incidents separately from
overall fraud attacks.
Card Not Present fraud is on the rise but some executives interviewed are not satisfied with
the current tools they use to combat credit and debit card fraud, calling for better
modeling and better processes using advanced technologies such as neural networks.
Current State of E‐channel Fraud Trends: Online Banking, Mobile Banking and Card Fraud – September 2012 2
4. II. Electronic Banking Fraud
All financial institutions agree that electronic banking is an all encompassing term, which includes
online banking, mobile banking and other e‐channels. Interviewed FI executives went as far as
stating that electronic banking includes everything except any face‐to‐face interaction. Given this,
tracking fraud by product and channel is identified as the key method for FIs to categorize and assign
electronic fraud loss and to measure their channel risks. However, what’s missing in current fraud
categorization is a method to successfully categorize cross‐channel fraud, as most fraudulent
activities are not restricted to a single channel or product type. A leading FI executive qualified the
lack of cross‐channel categorization with the following example,
“If I fraudulently enroll in online banking through the call center, login to online banking
to gain some insight into your account and fraudulently order a credit card; is that call‐
center fraud, online fraud, card fraud, or check fraud? The answer is, it is all of those, so
we need a pretty dynamic way to assign the loss and we are still assigning the loss
basically to the product used to perpetrate the actual fraud.”
As FIs struggle to identify the actual source of fraud and how to assign loss, they continue to add
more layers to their authentication and log in processes, as well as their back‐end fraud analytics
and detection systems. But today, anti‐fraud systems rarely track and monitor consumer behavior
across multiple product lines, channels, and systems. Fraudsters recognize and take advantage of
this weakness, as their techniques morph into more sophisticated and targeted multi‐area attacks,
quickly moving to newly introduced banking channels where the risks are not as well known and
where vulnerabilities can be exploited.
Malware tops current fraud trend in the online space. The online channel is a prime focus for anti‐
fraud priorities in 2012 among interviewed executives. Most FIs are dedicating about 20% of their
total fraud spending towards electronic banking threats and almost all FIs have executive
sponsorship for their fraud tools. Cybercrime threats continue to loom large and multiple FIs
mentioned an increase in man‐in‐the‐middle, man‐in‐the‐browser and other malware attacks.
Current State of E‐channel Fraud Trends: Online Banking, Mobile Banking and Card Fraud – September 2012 4
7.
Electronic fraud is continuing to increase in terms of volume and number of ways of attack. In
addition to malware and social engineering attacks, FI executives also need to watch for, and
combat, increases in cybercrime attacks spurred by data breaches. According to Javelin’s 2012 ID
fraud report, 15% of consumers received a data breach notification from financial institutions, and
consumers who did receive a data breach notification were 9.5 times more likely to be victims of
identity fraud than consumer who did not (see Figure 2).
Figure 2: Fraud Incidence Rate Among Data Breach Notification Recipients –
Letter Recipients are 9.5 Times More Likely to Become a Fraud Victim
Received a data
breach notification 19% 81%
letter
Did not receive a data
breach notification 2% 98%
letter
All consumers 5% 95%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Percent of Consumers
Fraud victim Not a fraud victim
Q2. In the last 12 months, have you been notified by a business or other
institution that your personal or financial information has been lost, stolen October 2011, n= 5,022
or compromised in a data breach? Q5. How long ago did you DISCOVER that Base: All consumers.
your personal or financial information had been misused? Past 12 months. © 2012 Javelin Strategy & Research
Current State of E‐channel Fraud Trends: Online Banking, Mobile Banking and Card Fraud – September 2012 7
10. III. The Emerging Mobile Channel
Almost all institutions interviewed currently offer some form of mobile banking and several
executives report they are expanding their current mobile offerings. Consumer usage of mobile
devices, such as feature phones, smartphones or tablets, is growing steadily. New mobile payment
and banking apps further make the mobile channel very attractive for consumers. Interestingly,
however, all executives interviewed believe that mobile banking is nascent and are not yet entirely
sure about its fraud impact.
FIs uncertainty regarding the size and scope of mobile fraud can be attributed in part to how most
FIs currently track all forms of fraud. None of the FIs interviewed have dedicated fraud investments
assigned to track and curtail mobile fraud separately from overall fraud through their various
channels. Twenty percent of FIs interviewed mentioned that they have tools to identify fraud by
device type; however, it is currently accounted for under the overall umbrella of electronic fraud. FIs
are looking to increase adoption of mobile banking; however, they currently lack tools to track
mobile fraud because they don’t yet see significant enough mobile banking volume to warrant
independent tracking and reporting. This essentially puts them in a Catch 22 situation. Executives
acknowledge the need to refine their fraud tracking capabilities by channel, by device and even by
cross‐channel tracking, so as to be able to better pinpoint sources of fraud. Acquiring such
capabilities will be vital for combating fraud risks presented by the rapidly developing mobile
channel.
Current State of E‐channel Fraud Trends: Online Banking, Mobile Banking and Card Fraud – September 2012 10
13.
Javelin’s data also shows that 35% of mobile consumers would like to be verified by personal
security questions and 21% by fingerprint scanning or voice recognition (see Figure 5).
Figure 5: Preferred Security Features among Mobile Bankers
Ask questions that only I know the answer to 35%
My usual log‐in and password that I use for online
27%
banking
My ATM or debit PIN 25%
Require a fingerprint scan or voice print to login 21%
Additional authentication besides username and
21%
password
Show an image you previously selected always
18%
displayed at login
Mobile device authentication (only allowing my
18%
mobile device to access my accounts)
Send a special one‐time code by text message to my
12%
mobile phone
Other, please specify 1%
0% 10% 20% 30% 40% 50%
Percent of Mobile Bankers
June 2011, n= 926
Q22: Which of the following security features do you believe will make Base: Mobile bankers past 12 months.
mobile banking more secure and safe to use? (Select one only) © 2012 Javelin Strategy & Research
This shows that consumers expect FIs to provide state of the art security features to assure them of
secure mobile banking. This also means FIs will need to set a separate budget to have programs in
place for combating mobile fraud due to increased adoption of mobile banking.
Current State of E‐channel Fraud Trends: Online Banking, Mobile Banking and Card Fraud – September 2012 13
17. V. Fraud Prevention Strategies
All the executives interviewed are completely aware of the need to shake up and improve their
current fraud prevention strategies in the electronic banking world. Key areas for future anti‐fraud
spending and innovative fraud tracking include:
Analyze fraud across channels using an integrated approach. One of the major
problems with electronic fraud is the inefficiency of tracking crimes in silos. Tracking
fraud across channels in an enterprise view is essential for FIs to get a clear picture of
current fraud loss. FIs will need to heavily invest in this area to build a platform to
integrate departments, products and channels in order to effectively monitor, mitigate
and prevent fraud.
ID and device recognition is essential to increase adoption of mobile banking.
Javelin’s data shows that 18% of consumers who have mobile banked in the last 12
months are looking for their banks to incorporate mobile device authentication and
21% stated they expect their banks to include additional authentication besides
username and password (see Figure 6, on page 15). Consumers are willing to take
more control in their banking relationships. Indeed, mobile devices are becoming tools
to fight fraud as their use for one‐time‐password and out‐of‐band transaction
verification increases. With more robust device security and ID recognition tools, FI
executives should work to empower customers to work as partners in helping to
mitigate fraud occurring across any channel.
Performance metrics are necessary to direct resources to areas of greatest need. It’s
not enough to fight against fraud; it’s also essential to measure performance. Most FIs
use basis points—net losses compared to net sales volume—to track their return on
investment (ROI). Executives mentioned tracking all fraud tools in terms of the
numbers of accurate cases detected and total fraud losses compared to the
investment. The revised FFIEC guidelines make it clear that not only are FIs expected to
adopt advanced user identification and authentication techniques, technologies and
processes, they will need to demonstrate and document their success for the regulator
as well as for internal management reporting. This means being able to measure
attempted attacks as well those successfully thwarted, while performing analysis that
will enable redirecting resources where needed for constant improvement.
Real time fraud processing and tracking of transactional data is increasingly
important in this era of constantly changing technology and progressively
sophisticated malware attacks.
Current State of E‐channel Fraud Trends: Online Banking, Mobile Banking and Card Fraud – September 2012 17
18.
Be proactive and predictive vs. reactive. It is clear that current methods of tracking
fraud cannot be sustained with changing technology, especially in the mobile area. To
gain consumers’ confidence, FIs will need to step up and be more proactive in their
approach when dealing with emerging fraud in mobile, NFC and CNP areas. Predictive
analytics will increasingly drive fraud prevention techniques.
Educate consumers about malware and antivirus products. FIs are constantly faced
with the challenge of balancing the fine line between providing secure, fraud‐free
banking environment and hindering the customer experience. Over the last couple of
years, an increasing number of consumers believe that it is partially their responsibility
to protect their financial accounts from fraud (see Figure 7). If FIs step up and educate
consumers about safe practices and add layers of authentication to mitigate fraud,
then consumers should not resist the added security provided by their banks. But FIs
also need to hide some of their efforts in back‐end anti‐fraud systems which evaluate
transaction velocity, geolocation of the customer’s device, user behavior and other
performance metrics on a real time basis to stop fraud before it occurs.
Figure 7: Consumer Attitude on Fraud Responsibility, 2008 to 2011
2011 9% 4% 55% 21% 11%
2010 5% 5% 55% 25% 10%
2009 3% 5% 52% 25% 15%
2008 2%4% 51% 28% 16%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Percent of Consumers
Solely my responsibility 1 2 Equally shared by bank and me 3 4 Solely the bank's responsibility 5
Q37. When it comes to protecting your financial accounts from
fraud, who do you think should be primarily responsible? On a 1 to March 2011, 2010, 2009, 2008 n= ,4,961, 5,046, 2,683, 2,256
5 scale, let 1 represent "Solely my responsibility", 3 represent Base: All consumers with financial accounts.
"Equally shared by bank and me" and let 5 represent "Solely the March 2011, 2010, 2009, 2008 n= 5,102, 4,998, 2,779, 2,350
bank's responsibility". © 2011 Javelin Strategy & Research
Current State of E‐channel Fraud Trends: Online Banking, Mobile Banking and Card Fraud – September 2012 18