
How Enterprises Can Protect Themselves Against Financial Frauds

Chokkapan

At a time when financial fraud is on the rise by the day, there is a pressing need for enterprises - large and small - to assess their security protocols and evolve a long-term fraud risk management framework to deal with the potential consequences.


In the future, cybercrime, intellectual property (IP) fraud, piracy and counterfeiting, remote banking fraud, and identity theft are the key fraud risks, points out IT solutions provider Unisys. Enterprises also have to be wary of mobile fraud, as 20-30 percent of all financial transactions are carried out through mobile devices, a share that is expected to reach 50 percent by 2015.

What are the major online fraud attacks faced by enterprises in India currently?

Globally, account take-over is the primary fraud attack on remote banking channels, such as telephone, online and mobile banking; India is likely to be in line with this trend. It occurs when customer login information is compromised and used to perform unauthorised withdrawals.


Account take-overs often extend into identity theft, when the perpetrator applies for new account privileges (checks, cards, overdrafts) or products (cards, lines of credit or loans). As a result, these fraud attacks often involve multiple channels.

The first step in performing an account take-over is to steal access information. Access information varies by channel, but usually involves something one has, like a card, or something one knows, such as a password.

Access information is mainly stolen through employee fraud, which is when bank or merchant employees with access to customer data use it themselves or sell it to others for profit. It also occurs through social engineering, which is a collection of techniques used to manipulate people into performing actions or divulging confidential information.


Access information could be stolen through several fraudulent techniques, including:

Phishing: Invitations to fake websites that trick users into disclosing their username, password, and other personal information.

Vishing: A variation of phishing, where customers are called (voice) and tricked into divulging access information. It can also result in a kind of enrolment fraud, where the fraudster persuades the customer to establish credentials for the fraudster.


Pharming: A hacker redirects a website's traffic to another, bogus website. It usually occurs through the exploitation of vulnerabilities in DNS server software.

Man in the Middle: An attacker uses a program that appears to be the server to the client and appears to be the client to the server. The program may be used simply to gain access to a customer's access credentials or enable the attacker to modify the message before retransmitting it, allowing the attacker to steal funds.

Man in the Browser: A variation of Man in the Middle, where malware in the Web browser interjects itself between the user and the browser to modify transaction data. Once access information is stolen, the perpetrator moves money out of the account electronically.


How can enterprises safeguard themselves against such attacks and thefts?

The first step for businesses is to continually educate customers and employees on how to avoid compromising their own and others' information. This includes ensuring that they keep their virus protection up-to-date, do not click on suspicious links or accept unexpected downloads from websites. Further, they should never give their PIN information to anyone, even an individual who claims to be from the bank. If someone says they are calling from the bank, say you will call them back. Always call the bank call centre through published phone numbers.

Secondly, financial institutions need to have strong policies in place for the use and protection of customer information. For instance, they should provide access to sensitive data on a need-to-know basis only; keep comprehensive logs of all customer data access, even inquiries; have stricter password policies; and lock down PCs (for instance, prevent usage of external USB devices, disable print screen options, etc).


Thirdly, they should ensure that their Know Your Customer (KYC) policies and procedures are up-to-date and easily available to their employees. Further, it is recommended that they refresh customer profiles reflecting recent changes in their demographics, at least once in a year.

How does one go about fraud detection and subsequently, management?

Sophisticated fraud detection software works in several ways, such as maintaining 'fingerprints' of customer PCs to be able to detect changes that may indicate the presence of malware. We also look at patterns of behavior, such as unusually quick inputs from a customer, which may indicate the presence of 'man in the browser' code performing functions in the background, or differences in the sequence in which Web pages are accessed.


If we track the financial profiles of transactions to track normal behavior for customers and devices, we can detect both normal and abnormal actions and determine risk levels.

In addition to detection, we also set policies and procedures as to whether to block, delay or allow certain transactions based on the company's risk appetite and desired end-user experience. Lastly, we have various tools to perform investigations and also find the root cause of cases, for instance, by looking for common factors in incidents across multiple customers - triangulation.
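As an added illustration of the detection and policy approach described in this answer (device fingerprint changes, unusually quick inputs, differences in page sequence, a per-customer transaction baseline, a block/delay/allow policy, and triangulation across customers), the following Python is example code written for this page; it is not Unisys code and does not describe any Unisys product. The signal weights, the DELAY_AT and BLOCK_AT thresholds, the MIN_HUMAN_GAP_MS cutoff, the profile and session structures, and the two sample customers and their sessions are all constructed assumptions.

```python
from dataclasses import dataclass, field
from collections import defaultdict
from statistics import mean, pstdev

# Weights and thresholds are assumptions chosen for this illustration,
# not values from the interview or from any vendor product.
MIN_HUMAN_GAP_MS = 150      # faster average field entry than this looks scripted
W_UNKNOWN_DEVICE = 30
W_AUTOMATED_INPUT = 40
W_UNUSUAL_SEQUENCE = 15
W_AMOUNT_OUTLIER = 30
DELAY_AT = 40               # hold the transaction for review at or above this score
BLOCK_AT = 70               # reject the transaction at or above this score


@dataclass
class CustomerProfile:
    customer_id: str
    known_fingerprints: set          # device fingerprints seen on prior sessions
    amount_history: list             # prior transfer amounts, used as a baseline
    typical_sequence: tuple          # usual page flow leading up to a transfer


@dataclass
class Session:
    customer_id: str
    fingerprint: str                 # fingerprint of the device used now
    page_sequence: tuple             # pages visited, in order, during this session
    input_gaps_ms: list              # milliseconds between successive form inputs
    amount: float                    # requested transfer amount
    signals: list = field(default_factory=list)
    score: int = 0


def score_session(profile: CustomerProfile, session: Session) -> int:
    """Compare one session against the customer's baseline and return a risk score."""
    session.signals = []
    score = 0
    if session.fingerprint not in profile.known_fingerprints:
        session.signals.append("unknown_device")
        score += W_UNKNOWN_DEVICE
    if session.input_gaps_ms and mean(session.input_gaps_ms) < MIN_HUMAN_GAP_MS:
        session.signals.append("automated_input")   # man-in-the-browser style speed
        score += W_AUTOMATED_INPUT
    if session.page_sequence != profile.typical_sequence:
        session.signals.append("unusual_page_sequence")
        score += W_UNUSUAL_SEQUENCE
    if len(profile.amount_history) >= 3:
        mu = mean(profile.amount_history)
        sigma = max(pstdev(profile.amount_history), 1.0)   # floor avoids zero spread
        if session.amount > mu + 3 * sigma:
            session.signals.append("amount_outlier")
            score += W_AMOUNT_OUTLIER
    session.score = score
    return score


def decide(score: int) -> str:
    """Map a risk score onto the block / delay / allow policy."""
    if score >= BLOCK_AT:
        return "block"
    if score >= DELAY_AT:
        return "delay"
    return "allow"


def triangulate(sessions: list) -> dict:
    """Triangulation: device fingerprints shared by flagged sessions of different customers."""
    customers_by_fp = defaultdict(set)
    for s in sessions:
        if s.score >= DELAY_AT:
            customers_by_fp[s.fingerprint].add(s.customer_id)
    return {fp: custs for fp, custs in customers_by_fp.items() if len(custs) > 1}


# Constructed sample data: two customers and one unfamiliar device "fp-X".
PROFILES = {
    "alice": CustomerProfile("alice", {"fp-a1"}, [100, 120, 110, 130],
                             ("login", "accounts", "transfer", "confirm")),
    "bob": CustomerProfile("bob", {"fp-b1"}, [50, 60, 55, 65],
                           ("login", "accounts", "transfer", "confirm")),
}

SESSIONS = [
    Session("alice", "fp-a1", ("login", "accounts", "transfer", "confirm"),
            [900, 1200, 800], 115.0),
    Session("alice", "fp-X", ("login", "transfer", "confirm"),
            [40, 35, 50], 900.0),
    Session("bob", "fp-X", ("login", "transfer", "confirm"),
            [500, 600, 700], 58.0),
]


def run_sample() -> list:
    """Score every constructed session and return (customer, decision, signals)."""
    results = []
    for s in SESSIONS:
        score_session(PROFILES[s.customer_id], s)
        results.append((s.customer_id, decide(s.score), tuple(s.signals)))
    return results


if __name__ == "__main__":
    for row in run_sample():
        print(row)
    print("devices shared across flagged customers:", triangulate(SESSIONS))
```

Running the sample leaves Alice's first session untouched, blocks her second (unknown device, scripted input speed, skipped account page, and an amount far outside her baseline), and delays Bob's for review; triangulating the two flagged sessions then surfaces "fp-X" as the device common to both customers, which is the kind of root-cause factor the answer refers to.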

What are the kind of fraud detection and management solutions offered by Unisys?

Unisys fraud solutions are based on a unified Financial Crime Prevention platform that spans products, channels and business units to deliver superior detection, investigation, protection and recovery. We can develop customised solutions around fraud detection and anti-money laundering to address the specialised needs of organisations, based on their strategic imperatives.

We have specific solutions to address multiple modes of fraud in a consistent way. These include, for banks: Internet and mobile banking, debit and credit cards, retail and commercial payments, employee fraud, and deposit fraud (such as cheque kiting); for e-commerce merchants, pre-screening of the transaction prior to submission to the payment gateway; and for insurance, claims fraud.

One of Unisys's solutions, Secure Document Delivery, ensures that the ever-increasing volume of business communication and documents is managed through e-mail in a manner that is safe, secure, and convenient for the receiver. This solution delivers rapid reduction in paper, production and postage costs, and enhanced customer experience by revolutionizing how high-volume documents are delivered, responded to, or paid.

We also have a unique Identity Management solution that helps clients efficiently manage and audit user access to information systems, thus protecting valuable financial information and assets. The solution allows businesses to centrally manage digital user identities and is based on deep experience in designing, integrating and operating complete life-cycle identity management systems.

Is the policy framework for cyber crime in the country adequate to deter hackers/miscreants from indulging in financial fraud?

Policy is an essential component, but criminals will always do their best to earn a living and will look for the weakest links, so governments, businesses and the public need to cooperate to minimize the risk of losses.

In India, policies instituted by banks and financial institutions are often the weakest link and the most attractive entry point for hackers. Also, lack of employee awareness adds another layer of vulnerability.

Taking into account the sheer volumes of accounts managed by banks and financial institutions and the ever-increasing trend in online channel adoption, these organisations must enforce strong policies to curb cyber crime, while maintaining customer satisfaction.

A good way for businesses to do this is by building awareness through regular seminars/knowledge sharing sessions for their staff and customers on their cyber crime policies.
