To catch a thief

Mohit Aiyar
7 min read · Mar 7, 2021

As our lives are digitally transformed, banking fraud continues to grow, in both digital and analogue ways. What can be done to combat this?

Photo by Luis Villasmil on Unsplash

My wife received a call from the bank informing her that there had been an incident of fraud on her credit card. She was asked to provide the last twelve digits of her card number and the three-digit security code on the back. Sceptical by nature and wary of fraud, she was reassured to find that the telephone number on her mobile phone screen was indeed that belonging to the card issuer. She realised something was wrong when a few minutes after hanging up she received a One Time Password (OTP) requesting authorisation for an online transaction. Her mobile phone continued to ring incessantly as the fraudsters tried to make contact again. This is but one example of social engineering and telephone number spoofing.

Duping customers and robbing banks are nothing new. The tools and craftsmanship of the trade have become more nuanced. With the omnipresence of card payments, e-commerce and digital banking, fraud that once required brute force and bravado now requires a blend of technical prowess and guile. As banks digitise vast tracts of their businesses, they must contend with ever more fraud sophistication and ingenuity. For a sustainable digital future, customers need to continue to trust their banks and the infrastructure underpinning commerce. They might tolerate the occasional scam, but if fraud becomes endemic, trust will fade, and nervous customers will retrench from digital commerce.

Attempts to defraud customers can be broadly classified into two groups: unauthorised financial fraud, across any payment channel or instrument, and authorised push payments. Financial fraud losses across the various payment types exceeded £1bn in the UK alone in 2019. While the losses generated by unauthorised fraud have stayed roughly constant over the last few years, intricate and wily social engineering schemes have contributed to a marked increase in authorised push payment fraud. Covid has energised fraudsters to enter the fray in larger numbers and with greater zeal.

Unauthorised fraud covers schemes such as cheque fraud, lost and stolen cards, interception of new or replacement cards, payment card skimming, compromised point-of-sale terminals, identity theft and a host of social engineering schemes aimed at illegally obtaining card details from unsuspecting customers. Authorised push payment fraud, on the other hand, occurs when fraudsters use social engineering to con customers into transferring funds of their own accord to an account the fraudsters control.

In the early 2000s, I was living and working in Singapore and had recently returned from a business trip to Italy. A few days following my return, I used my bank card to withdraw cash from an ATM and was surprised to find that the balance was significantly depleted. Panic struck. I looked up my recent transaction history and found that regular withdrawals had been made over a 48-hour period to drain my account. I called my bank’s fraud division immediately; luckily, the withdrawals were being made in Italy while I was in Singapore. Subsequent investigations pin-pointed the point of compromise to an ATM that I had used during my trip, just off the Spanish Steps in central Rome. Many years later, in London, I received a call early one morning from my bank asking if I had spent £1000 on a pair of Jimmy Choo shoes. Not my preferred brand of footwear! My wife had not made the purchase either. I was compensated on both occasions, but the experiences brought home the realities of card skimming and ATM fraud.

For decades now, banks have been enthusiastic adopters of technology in their efforts to combat fraud. The gradual phasing out of cheques in favour of card and digital payments has meant that this category of fraud has shrunk into insignificance. The UK was one of the first countries globally to mandate the adoption of EMV and Chip & PIN, completing the move away from magnetic stripe authorisation in the mid-2000s and contributing to a marked fall in card skimming fraud. The pooling and sharing of fraud-related data amongst banks and with law enforcement agencies has helped in an industry-wide coordinated campaign. Despite a significant increase in digital commerce, banks in the UK have been able to keep fraud levels low as a percentage of the total value of transactions. Banks in the UK had already introduced additional levels of authentication for card-not-present payments and for access to online banking; the Strong Customer Authentication (SCA) mandate introduced by the EU as part of the second Payment Services Directive (PSD2) required all participants in the payment chain to implement multi-factor authentication, so that payers validate payments with at least two independent factors (something they know, such as a password or answer to an identification question; something they have, such as a phone that receives an OTP; or something they are, such as a fingerprint), where compromise of one factor does not compromise the others. Fraud detection engines have become better at spotting anomalies in customers’ transactional behaviour, and the advent of more advanced artificial intelligence and machine learning (AI/ML) has made banks more nuanced and predictive in fraud detection. Banks, card issuers, merchants and payment firms fully realise that these measures are crucial to maintaining customer trust in digital commerce. This is a fine balance to strike, as additional security measures require a trade-off with convenience.
Banks have complemented their technological efforts with robust communications campaigns cautioning customers against social engineering schemes. They have also signed up voluntarily to reimburse customers for unauthorised fraud losses.

Authorised push payment fraud makes the situation trickier. When innocent customers are duped into authorising payments themselves, the checks and balances above are of little use: the payment is genuinely authenticated by the legitimate customer. It also makes it difficult for banks and law enforcement agencies to sift the gullible from the guilty. Here too, some banks have signed up to a voluntary code reimbursing innocent customers for fraud losses. A debate is currently underway as to whether this should be mandated across the industry in the UK and whether the liability should be jointly shared across banks and merchants. The advent of the Internet of Things (IoT) will herald a new chapter in customer convenience and fraudster zeal, with an exponential flourishing of end points delivering user experiences, generating data and effecting payments.

Photo by FLY:D on Unsplash

My final year thesis at university was on the use of self-learning and auto-pruning neural networks. The constraints of relatively limited data, storage, and compute capacity that we had to contend with then are virtually non-existent today. The ability to ingest and process vast amounts of structured and unstructured, historical, and live streaming data, makes fraud detection one of the most exciting and challenging use cases for cloud computing in financial services.

As banks and financial institutions adopt cloud at scale, they will also have at their disposal the most advanced AI/ML capabilities. Whether it is on social media, browsing the web for the latest fashion trends, doing their weekly grocery shopping, paying for a meal at a restaurant or a book at the local bookstore, the daily lives of customers leave digital footprints and generate vast tracts of data. Assuming privacy considerations are factored in, this data is a gold mine when looked at holistically, because it allows banks to detect patterns, predict behaviour, detect anomalies, and ultimately prevent fraud pre-emptively or in real-time.

Several banking software vendors have been touting this potential for years. Significant progress has been made as their solutions have matured from rule-based engines to intelligent predictive machines. The technology is getting better at reducing the number of ‘false positives’, where legitimate transactions are flagged as potentially fraudulent and blocked, leaving customers hanging until they are successfully validated. As more applications and data move to the cloud and digital end points such as mobile phones and IoT devices proliferate, securing data from the point of generation, through transfer, to storage will assume even greater importance. Breaches are serious events, as many of the data elements involved (names, dates of birth, addresses, card numbers) are evergreen and may be of use to fraudsters for years to come.
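The paragraphs above describe fraud engines that spot anomalies in a customer's transactional behaviour, and the false-positive trade-off that makes rule tuning hard. The following is an added illustration, not the author's or any vendor's code, of two of the simplest such rules: "impossible travel" between consecutive card-present transactions (the Rome and Singapore ATM story) and cash-out velocity (many ATM withdrawals in a 48-hour window). The transactions, coordinates, rule weights and thresholds are all constructed for the example; a real engine would learn such thresholds from history rather than hard-code them.

```python
"""Toy transaction-risk scorer (illustration only; all data below is constructed).

Rules:
- impossible travel: consecutive card-present transactions whose implied
  travel speed exceeds what an airliner could manage;
- ATM velocity: more than VELOCITY_LIMIT withdrawals within VELOCITY_WINDOW.
Each rule adds a weight; the caller flags transactions at or above a threshold.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900.0              # assumed: roughly airliner cruising speed
VELOCITY_WINDOW = timedelta(hours=48)
VELOCITY_LIMIT = 5                 # assumed: ATM withdrawals tolerated per window
RULE_WEIGHTS = {"impossible_travel": 70, "atm_velocity": 50}
FLAG_THRESHOLD = 50                # assumed: score at which we block/challenge


@dataclass(frozen=True)
class Txn:
    card: str
    ts: datetime
    lat: float
    lon: float
    kind: str      # "atm" (cash withdrawal) or "pos" (card present purchase)
    amount: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two latitude/longitude points."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def score(history: list[Txn], new: Txn) -> tuple[int, list[str]]:
    """Return (risk score, reasons) for `new`, given earlier transactions on the same card."""
    prior = [t for t in history if t.card == new.card and t.ts < new.ts]
    risk, reasons = 0, []
    if prior:
        last = max(prior, key=lambda t: t.ts)
        hours = (new.ts - last.ts).total_seconds() / 3600
        km = haversine_km(last.lat, last.lon, new.lat, new.lon)
        # A genuine flight (SIN to Rome in ~14 h) stays under the limit and is NOT flagged.
        if hours > 0 and km / hours > MAX_SPEED_KMH:
            risk += RULE_WEIGHTS["impossible_travel"]
            reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")
    if new.kind == "atm":
        recent = [t for t in prior if t.kind == "atm" and new.ts - t.ts <= VELOCITY_WINDOW]
        if len(recent) + 1 > VELOCITY_LIMIT:
            risk += RULE_WEIGHTS["atm_velocity"]
            reasons.append(f"atm velocity: {len(recent) + 1} withdrawals in 48h")
    return risk, reasons


def replay(txns: list[Txn], threshold: int = FLAG_THRESHOLD) -> list[tuple[int, int, list[str]]]:
    """Score transactions in order; return (index, score, reasons) for those at/above threshold."""
    flagged = []
    for i, t in enumerate(txns):
        risk, reasons = score(txns[:i], t)
        if risk >= threshold:
            flagged.append((i, risk, reasons))
    return flagged


def build_sample() -> list[Txn]:
    """Constructed data: card A is skimmed in Rome; card B's owner genuinely flies there."""
    t0 = datetime(2001, 6, 1, 9, 0)
    sg = (1.35, 103.82)      # Singapore (approximate)
    rome = (41.90, 12.50)    # Rome (approximate)
    txns = [Txn("A", t0, *sg, "pos", 40.0)]                       # genuine purchase in Singapore
    txns.append(Txn("A", t0 + timedelta(hours=2), *rome, "atm", 250.0))   # cloned card cashes out
    for h in (8, 14, 20, 26, 32):                                  # drained over ~48 h
        txns.append(Txn("A", t0 + timedelta(hours=h), *rome, "atm", 250.0))
    txns.append(Txn("B", t0, *sg, "pos", 15.0))                   # card B at home
    txns.append(Txn("B", t0 + timedelta(hours=14), *rome, "pos", 60.0))  # B after a real flight
    return txns


if __name__ == "__main__":
    for idx, risk, why in replay(build_sample()):
        print(f"txn {idx}: score {risk}: {'; '.join(why)}")
```

Running the replay flags the Rome withdrawal two hours after a Singapore purchase (impossible travel) and the sixth withdrawal in the 48-hour window (velocity), while card B's Rome purchase 14 hours after Singapore, consistent with an actual flight, scores zero. That last case is the point of the false-positive discussion: set `MAX_SPEED_KMH` too low and every travelling customer is blocked on arrival.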

Banks, financial institutions, regulators, payment firms and technology firms recognise this. Research and development of solutions is being accompanied by consideration of regulatory frameworks and customer education, so that the emerging digital ecosphere is a safer place for cards and payments. Just as industry participants are looking at joint liability for authorised push payments, technology product vendors and service providers can look at options where their revenue streams are tied to reductions in fraud outcomes in their customers’ businesses. Banks can play a proactive leadership role in the emerging field of edge computing and in the regulatory and security considerations for the use of IoT devices, so that their rise to ubiquity is not accompanied by a corresponding increase in fraud. Technology giants who play a central role in our digital lives can collaborate amongst themselves, with banks, regulators and customers, to share data and pool forces in the fight against fraud.

I have a soft corner for Alfred Hitchcock thrillers. My all-time favourite is To Catch a Thief, where Cary Grant, an old-fashioned cat burglar, snoops in and out of expensive hotel rooms, helping himself to the precious belongings of the well-heeled residents of the French Riviera. If only today’s fraudsters were in plain sight and as straightforward as Cary Grant’s burglar, banking executives and customers would sleep easy.


Written by Mohit Aiyar

Mohit lives at the intersection of banking and technology. He loves connecting dots and making sense of the world around him.