Banks Vs. Identity Thieves: Who Will Win?

With phishing and related scams growing more sophisticated, financial institutions must battle back with integrated detection systems across multiple channels.

Banks may see it as a way to enhance their online customer service. By adding check images to their Internet services, banks can effectively link their paper-based and electronic channels. And for U.S. banks, placing check images online may also support initiatives around the Check 21 legislation that takes effect in October.

However, the attraction is just as alluring to today's cyber-criminals, who are primed to pounce on their unsuspecting prey.

Imagine the consequences to the ill-equipped bank that starts touting the benefits and convenience of electronic check images. Within days, the bank is hit with massive check fraud that's perpetrated by a professional thief whose high-quality counterfeit checks neatly circumvent and neutralize the bank's check-fraud defenses. 

It all starts as a “phishing” scam, a fraudulent mass e-mail campaign that urges customers to log on to a convenient link and update their personal information. As customers click on the link, a pop-up window appears with their bank's Web site in the background. To customers, the pop-up window seems to be integrated into the site. However, this is not the case. 

In fact, the pop-up window is an illegal “spoof” Web site. So, when customers log on, the site directs passwords and other personal information to the criminals.

Using the captured passwords, the thieves enter the customers' accounts. They access bank statements, take note of recent check numbers, and determine what check amounts and how many checks can be directed at the account without raising suspicion. Next, they look at recent check images, which disclose the direct-deposit account number, the type of paper stock used by the customer and, most important, an image of the customer’s signature.

At this point, the perfect counterfeit check is ready to be created.

Phishing expeditions run by offshore criminals are skyrocketing thanks to the mass-production capabilities of e-mail. The online availability of sensitive information, particularly check images, enables the criminals to customize their fraud scams to circumvent traditional systems. Although most check-fraud systems look for unusual serial numbers, amounts and frequency of checks, none of these factors is out of line in the counterfeit checks. To make matters worse, counterfeit checks with the correct check stock and a scanned signature will foil an image-based fraud-detection system.

Problem of Global Proportions

All over the world, countless examples are surfacing of people victimized by phishing and other identity-theft schemes. The figures are staggering:

• Nearly 2 million U.S. consumers have experienced illegal access to their checking accounts in the past 12 months, according to a survey conducted in April 2004 by analyst firm Gartner Inc. The cost: approximately $2.4 billion in direct fraud losses, or an average of $1,200 per victim.
• In 2003, identity-theft crimes cost consumers, businesses and government organizations $221 billion worldwide, according to market researcher Aberdeen Group. Losses are escalating at an astounding 300 percent annual growth rate — and could reach $2 trillion by the end of 2005.

Customer education is one of the most effective means for fighting phishing, but many financial institutions prefer to tread lightly for fear of emphasizing their vulnerability and driving customers away. "Although most financial institutions are well aware of phishing, most regard it as an e-mail problem and have not thought through its implications on other forms of fraud," says Elazar Katz, director, Active Risk Monitoring Practice, Unisys. "One of the ways to contain the fraud impact of phishing scams is to implement measures that detect suspicious Internet sessions without requiring customer awareness or action."

No Borders for Criminals

The resources available to identity-theft criminals are growing, making it easier than ever to steal someone's identity.

The Internet has created a worldwide market where criminals can collaborate, share secrets and exchange information through covert electronic communities. According to a recent white paper by the non-profit Honeynet Organization, these communities are alive and growing. At the same time, new automation tools and the proliferation of electronic channels are creating additional opportunities for identity thieves.

Phishing is a good example of how criminals are employing these increased resources to step up their attacks. With public awareness growing about these types of attacks, criminals are taking phishing scams to the next level, using technological tricks used by virus writers or hackers to exploit software vulnerabilities.

Through electronic communities, cyber-criminals and scam artists can exchange everything from ideas and methods to e-mail addresses and account information. The damage from phishing scams is severe, and attacks are increasing. Unique phishing attacks grew 110 percent per month from November 2003 to April 2004, according to the Anti-Phishing Working Group.

According to Katz, other popular forms of identity theft include:

• False card readers on ATMs. When the customer inserts his/her card, the devices read the information on the card's magnetic strip. In some cases, the criminals go even further and install a little camera near the ATM. The camera transmits the image of the keyboard, so that criminals can record the personal identification number (PIN) that accesses the account. That way, the criminal captures the magnetic information from the reader, as well as the PIN. 
• Key loggers on users' software. Known as worms or Trojan horses, these systems log all the keys that you enter in the computer, save it in a file, and every so often, send an e-mail to the criminal with everything that you type. So, if you enter a bank Web site, the criminal will see both the site you logged on and the information you provided. 

A Broken Chain

If organizations spend millions of dollars each year on security, why is identity theft such a problem?

According to Katz, the answer is simple: Traditional fraud systems are not designed to combat the new breed of cyber criminals.

As criminals grow more sophisticated, they are coordinating attacks of identity theft across multiple channels. The problem is that most organizations have separate systems for credit card fraud, check fraud and so on. Each of the systems has its own database and its own rules, and they don't usually communicate with each other.

For example, traditional check-fraud systems are uncoordinated with ATM systems, so a criminal could spread several activities across these systems without being detected. As a result, it's very hard for organizations to create a picture of all the activity occurring across their channels.

"Isolation of detection systems is a big problem," explains Katz. "If an organization has systems that look at slivers of behavior in each silo, then it will miss the overall pattern that the criminal has created."

Another vulnerability in fraud systems is a lack of attention to locations and points of usage. Most systems are not designed to recognize conflicting use in different geographies. So, a criminal could use someone's credit card in the Unites States and then send the information to someone in Europe for use, without the system recognizing it.

Finally, there is a lack of communication regarding elevated risk levels. When suspicious activity is detected, most systems are not designed to heighten awareness and look for other atypical events. For instance, let's say a person's wallet was stolen, but he/she has not reported it to the bank yet. When the ATM system detects suspicious activity in the account, it does not alert the credit card system to check for abnormal activity. However, if these two systems work in collaboration, the detection system could minimize damage by suspending activities across all of the person's accounts.

"Traditional systems follow the purchasing habits of separate business units," says Katz. "Since they are free from any organizational constraints, identity-theft criminals cross channels and products to exploit the blind spots between systems."

Taking up ARMS Against Fraud

To combat the problem, Unisys devised the Active Risk Monitoring System (ARMS) solution, which overcomes the limitations of traditional detection systems by integrating them to enable communication and collaboration.

"To fight identity theft, you must have a detection system that understands customers and criminals, knows how the organizations operates, and understands how these two worlds interact," says Katz.

He points to two elements that make ARMS unique:

• Ability to collect real-time information from different systems and type of data sources.
• Capacity to analyze the situation and update the profiles each time. 

As multiple sources of information flow into the detection system, ARMS performs a "long list of analyses against a transaction to see if there is potential fraud involved," explains Katz. "As part of its analysis, ARMS will not only identify a suspicious transaction, but also it will look at activity in the last week to see if a trend or scheme is emerging."

Another advantage of ARMS is its ability to deploy sensors that can be customized to monitor accounts, ATMs, locations, groups or other entities.

"Identity theft is not something you can solve with point solutions because each point solution is only part of the puzzle," explains Katz. "You need a combination of all your systems working together."

Time for Action

The financial ramifications of identity theft are obvious. But for most organizations, a potentially bigger problem is at stake: customer trust. If a customer falls victim to identity theft or a bank makes headlines for a security breach that left customer data comprised, the results could be disastrous.

"With heightened customer concerns about identity theft, organizations are much more sensitive today to loss of reputation," explains Katz.

The industry is responding. In the U.S., an association of major banks called the Financial Services Roundtable has created the Identity Theft Assistance Center to help victims. Wells Fargo & Co. will operate the center, with other financial institutions participating on a voluntary basis.

Under this initiative, consumers who believe that they're victims of identity theft will contact an ombudsman at their bank, who will alert the center. In turn, the center will gather information from consumers, credit bureau reports and other sources, and determine whether customers' accounts have been infiltrated. The center will also enlist the resources of law enforcement agencies.

As criminals grow more sophisticated, organizations must prepare for the next generation of identity fraud. Since phishing scams and other forms of identity theft cannot be completely eliminated, institutions must recognize that the only way to level the playing field is to address the shortcomings of traditional detection and fraud systems.

"The time to act is now," says Katz. "Most organizations are still struggling with solving identity theft, but the problem is not going away."

Learn more about the  Unisys Active Risk Monitoring Solution.