The customer experience (CX) is something that the financial sector has focused on over the last few years. The reason for this focus is that customers are digitally savvier than ever before, demanding a great CX. One way to enable a fantastic user experience is to provide services across multi-channels. The Covid-19 pandemic has acted to drive this multi-channel option with an increase in the use of online transactions, eWallets, and contactless payments. Mechanisms such as digital wallets are expected to explode in use in the coming years. Analyst Juniper Research predicts that almost half the world will be using digital wallets by 2024, with the amounts transacted using this mobile medium to increase by 80% to more than $9 trillion per year.
The trouble is that multiple channels, whilst delivering on the expectations of customers, also open new attack surfaces and exploitation avenues for cybercriminals. Fraudsters follow the money, and if that money is traversing across web, mobile, IoT, and other transaction pathways, the fraud exploits used, will also become multi-channel.
Multi-channel attack fraud metrics and tactics
Fraud is big business, and any business that makes its owners money will continue to be supported and its core service/product innovated. This is as true for cybercrime as it is for any legitimate business. Fraudsters put effort into evading detection. The longer they can carry out nefarious tasks, the better. Advanced Persistent Threats (APTs), for example, can exfiltrate data and credentials for months, even years, before being detected. This stealth allows fraudsters to operate seamlessly, stealing data and money. Wherever possible, fraudsters will use legitimate mechanisms, tools, and processes to carry out fraud, so that the crime can remain undetected. Multiple channels of operation provide more ways for cybercrime to hide in plain sight. A prime example of this is the cybercriminal gang, Evilnum. The gang recently developed an innovation in the PyVil RAT (Remote Access Trojan) that uses fake KYC documents, disguised in a PDF document, along with other legitimate software tools, as a basis for an attack against European Fintechs and FIs.
These types of tactics, that focus on certain parts of the payment and account transaction ecosystem, are common. Multiple channels, where payment processing and messaging systems, as well as front-end delivery of those services, are integrated and presented in a multi-channel way, create an even more diverse ecosystem for FIs; each touchpoint can be used as an open door for a fraudster to enter. Entry points exist across the entire customer lifecycle. According to the Experian 2020 Global Identity and Fraud Report, 57 percent of businesses are reporting higher losses associated with an account opening and account takeover fraud in the past 12 months, compared to 55 percent in 2018. Because of the high stakes, fraud is a top issue for FIs: A 2021 Global Insights report from Experian found that 55% of businesses plan to increase fraud management budgets.
The pandemic and multi-channel fraud
The pandemic has added another dimension to payment fraud, money laundering, and similar financial crimes. Social distancing and stay-at-home orders have meant that customers are turning to mobile device payments and online shopping to make purchases. FIs and banks have adjusted to this by fast-forwarding delivery across multiple channels. The EU Council report in 2020, that looked at aspects of Card Not Present (CNP) fraud, stated:
“Concerning card payment fraud, criminals are changing their approach. Not only by changing to more high-tech frauds like APT, but also a part of the criminals is reverting to old school types of fraud such as lost and stolen, sometimes in combination with social engineering. As e-commerce is still on the rise, CNP fraud remains a significant factor for fraud losses.”
Data breaches during 2020 are feeding cybercriminals with data to carry out fraudulent transactions across these channels. The 37 billion data records breached in 2020, offer plenty of scope to use legitimate ID data to fool verification checks and validation processes. These data can then be used to commit fraudulent events across the entire 360-degree surface of a payments ecosystem, no matter what device or channel is used to carry out a transaction.
Also, internal systems are under strain from remote working. A Financial Action Task Force (FATF) report to Covid-19 related financial fraud issues states:
“Criminals finding ways to bypass CDD measures by exploiting temporary challenges in internal controls caused by remote working situations, in order to conceal and launder funds.”
Adding channels to processes only increases this strain.
KYC and the synthetic customer
Synthetic identities, created using a mix of invented and stolen legitimate data, add even more complexity to fraud prevention. A 2020 Federal Reserve Insights report found that 2.7% of all new accounts approved by FIs turn out to be synthetic identity-based. Traditional anti-fraud models, based on hard-coded rules, are not designed to detect these synthetic identities. Research shows older models are ineffective at catching 85% to 95% of likely synthetic identities.
Spotting synthetic identities is an issue as Know Your Customer (KYC) checks are not only costly, but they can add friction to the customer experience. Corporate bank customers can take upwards of 90 days to onboard. Compliance requirements around KYC/AML can mean that larger FIs need (on average) 307 employees to work on the standards.
A 360-degree fraud problem and a multi-channel defense plan
Fraudsters take advantage of the fact that FIs and banks have taken a lead on customer experience innovation, employing an API-based, flexible, and multi-channel ecosystem. However, the protection across these channels is still lagging. Cybercriminals understand this and exploit gaps in protection or weaknesses in security processes and technologies: fraud is often automated and industrialized and therefore even more difficult to detect.
The use of single-channel fraud-prevention technologies has created gaps in the now more dynamic, API-enabled, multi-channel, ecosystem. These real-time systems are an ideal playground for fraudsters. The situation is compounded by the massive volume of transactions that now take place, as CNP, via eWallets, online, etc.
A multi-channel delivery program requires a multi-channel defense: Smart technologies used to spot anomalous behavior in real-time, are used to resolve this conundrum. Machine learning is the basis for these smart anomaly-detection technologies. Traditional, rules-based, systems can neither handle the massive volume of transactions/events nor cope with the multiple channels, flexible ecosystem, of modern banking.
Intelligent monitoring of financial ecosystems needs a layered approach. Each part of the ecosystem across multiple channels has its own set of vulnerabilities. Every possible part of the lifecycle of an online transaction should be monitored, from the account creation to end-user account attack points to real-time transactions to account takeover and so on. The detection and interception of suspicious activity in real-time must be balanced against the incidence of false positives. Smart detection needs to work with the human operator to ensure that alerts are contextual, appropriate, and actionable. The self-learning mechanisms inherent in AI-enabled monitoring systems, ensure that a constant data stream is used to train the algorithms. Using a layered approach to multi-channel fraud and applying machine learning to detect attacks in real-time is the only way to achieve fraud prevention whilst maintaining a frictionless customer experience.
Adapt and prosper
Disruption is a force for good in the financial sector; the Fintech innovators have presented a compelling reason to take financial transactions down a multi-channel road. But online and offline wallet payments, internet banking, credit card, contactless payments, and so on, all create a real-time threat problem. Multi-channel ecosystems operate across a complex web of interactions, and many depend on open APIs and third-party products. Underpinning this is customer digital identity and authentication/authorization; the whole creates a system of many moving parts, each of which is a potentially exploitable entry point for fraudsters. Fraud prevention within this multi-party/multi-channel system must be done in real-time across these layers. Machine learning offers the intelligence to handle such a massive surface, using behavioral patterns to spot unusual activity before it becomes a fraud event.
Adaptation is a crucial part of staying ahead of the competition in the financial sector. The modern FI needs to be able to offer any new channels that come along to stay competitive and meet customer expectations. To ensure that multi-channels remain an option as the technology landscape changes, smart machine learning-based anti-fraud solutions are a must have to keep fraudsters out of those channels.
Eastnets PaymentGuard is a robust, real-time, and multi-channel fraud prevention solution. Learn more.
