Appeared in American Banker, September 8, 2009
Tuesday, September 08, 2009
Its name makes it sound a bit like a game. But "man in the middle," as the swindle is known, is an example of a modern, cutting-edge form of theft that victimizes banks and their customers.
The crime begins when a bank customer enters his personal information on what appears to be his bank's Web site - but is actually a convincing copy fabricated to snare data. Having "phished" passwords and other key information, the criminals can then wire funds from the customer's checking account to their home country. Or they can use an automated clearing house transaction to send the money to the bank account of a fictitious business, and then withdraw it.
"It's all about getting in the door one way and getting the money out a second way," said David Nussenbaum, a vice president of global risk solutions at ACI Worldwide. "The individual transactions seem innocuous, but together they are a tip-off to fraud."
In 2009, conventional swindles like check fraud continue to mushroom. But banks are increasingly concerned with what's known as cross-channel fraud: theft from deposit accounts by way of multiple points of access - whether branch, automated teller machine, call center, debit card, online banking, ACH or wire.
"We have made the ability to conduct transactions across a wide variety of channels much more easily accessible to the customer," said Doug Johnson, a vice president of risk management policy for the American Bankers Association. "When you provide that customer convenience, you provide the same level of convenience to those who wish to defraud the customer or the financial institution."
The biggest institutions have the deepest pockets when it comes to fighting them, and have already sealed most of the chinks in their armor, experts say. Community banks appear not to have been major targets thus far, but they should not get complacent, experts say.
As bigger, richer banks' investments in antifraud technology deter criminals, the crooks are likely to target institutions that aren't so well defended. Indeed, many small banks are too lax about dealing with even old-school fraud, said Bob Roth, a senior director at Cornerstone Advisors, a financial institutions consulting firm. Many lack conventional deposit fraud safeguards, and some are vulnerable to things like electronic funds transfer fraud, he noted.
Cross-channel fraud has become a serious concern across the industry only over the past few years. Though solid statistics are hard to find, a survey released two years ago by the ABA suggests the problem is already widespread.
Losses in 2006 from cross-channel fraud were reported by 93% of the regional banks surveyed, 89% of the money-center banks, 63% of the midsize banks and 39% of the community banks. However, cross-channel fraud losses accounted for just 5% of overall deposit-account fraud losses at the average community bank. At midsize banks the figure was 25%, while it was 35% at regionals and the largest banks.
These days, any bank that has experienced a significant level of debit card, check card or check fraud will have encountered criminals who have used multiple channels to pull off the swindles, Johnson said.
Cross-channel fraud has caught on for several reasons. First, the decline in check usage has sent criminals scrambling for new schemes. At the same time, technology is evolving and the price of committing fraud is falling, adds Nick Holland, a senior research analyst at Aite Group. Meanwhile, criminals are becoming more sophisticated and better able to find and exploit the holes in banks' security nets.
The weakness that thieves have discovered arises from the fact that different units within banks are often responsible only for their own security. "Identifying and recovering fraud almost always works better if it's centralized," Roth said. "The problem is that the line-of-business managers are only responsible for their little world."
That can make it impossible to detect, for instance, a fraudulent transaction in which a crook sets up a new account using a false identification, three weeks later makes a crooked ACH transfer into that account and then tries to get the money at the teller line, Roth said.
Indeed, even long after the criminals have divided up their booty, banks may not realize they've been victimized by cross-channel fraud. That's because many banks in general, and smaller ones in particular, track cases of fraud in "silos" - that is, they record fraud activity in categories - the check category, the debit card category and so on, said Mike Braatz, vice president of marketing at Memento Inc.
Despite the growing concern about cross-channel fraud, the scarcity of solid data makes it hard to say how serious the problem is, Roth said.
Cross-channel fraud is often carried out by rings of crooks, and it can be quite ingenious. Fraudsters might, for instance, obtain customer information by phishing and then use that information to access a check image, from which they can copy the signature.
A criminal might open an account online, then deposit 10 fake checks at an ATM. A cohort might then wire money out immediately. Cross-channel fraud can involve a brazen hustle over the phone: Once a crook has a portion of a bank customer's information, he or she can talk a bank employee into disclosing more information, Nussenbaum said.
Cross-channel fraud first became a concern among larger banks, but it has become a more serious concern over the past 18 to 24 months for small banks, according to Braatz. "We began hearing more and more from smaller banks that they were being hit with kinds of fraud they had never been hit with before," he said.
Memento, whose initial roster consisted of some of the nation's largest banks as its clients, has expanded its recruitment of community banks and credit unions to the point that they now make up two-thirds of its clients, Braatz said.
Small banks should not feel less vulnerable to cross-channel fraud because they have fewer channels, Roth said. It's true that bigger banks have more mobile banking and commercial banking, in which huge sums come into the banks from means such as ACH transactions and merchant capture, he said. But even banks with a mere $100 million of assets can have Internet banking, wire transfers and debit cards.
Community banks have their own vulnerabilities. For instance, crooks looking to defraud the friendly neighborhood bank may find themselves on the phone not with a call center rep trained to spot fishy behavior, but with a well-meaning, unprepared branch employee, Roth said.
Perhaps the best solution for thwarting cross-channel fraud is software that matches up suspicious behavior in one channel with suspicious behavior in another channel. By supplying that information, the sophisticated software can allow banks to block theft or move quickly to recover the funds. But the cost of the broadest solutions, known as enterprisewide fraud-management systems, has until recently been prohibitive for small banks. The largest institutions might not blink at shelling out $1 million for the software, but that's a huge expense for many community banks, experts say.
But vendors have started to market more affordable versions aimed at smaller bank clients. Memento is among them; a bank with about $1 billion of assets could pay around $50,000 per year for the company's fraud-detection package, which covers cross-channel, as well as traditional, fraud, Braatz said.
Paying for the best fraud-detection tools that a bank can afford is worthwhile because it's a way to minimize "leakage of the revenue stream," Roth said. "They almost always pay for themselves."
Community banks may have a built-in advantage as they begin to confront cross-channel fraud, however. Because they face resource constraints, they often must use a single fraud prevention and investigation unit for the entire institution. Indeed, the ABA report notes that many larger banks are voluntarily following suit by desiloing their fraud teams in order to oversee multiple channels and business lines. In a 2008 survey by Aite Group of 23 large banks and credit unions, 46% said they expect their fraud departments to be centralized in three years, up from 30% at the time of the survey.
"The nice thing about smaller banks is that they often have three to five people in a single fraud group, and they all report to one person," Braatz said. "I do think that cross-channel fraud is going to end up driving a more centralized, holistic view of fraud and compliance."
BYLINE: Steve Garmhausen