
In Broad Daylight

By Prakash Santhana
April 02, 2014

e-Commerce and payments fraud schemes such as phishing, e-mail hacking, and malware attacks are an ongoing, growing threat across industries. While some fraud is inevitable, a major incident could cause incalculable damage to a company's finances, regulatory standing and reputation. And with the use of mobile payments and e-commerce on the rise, the danger is increasing.

A recent Deloitte online poll suggests that companies recognize the growing risk. Nearly half (47%) of the executives and managers from consumer-facing organizations who participated said fraud is a “high priority” for their organization.

But intention doesn't necessarily mean action. The poll results showed that many companies' investments in fraud solutions were modest over the preceding 12 months, with only 9% of respondents reporting substantial budget increases.

One reason for this disconnect could lie in how companies view fraud and organize to combat it. The poll found that businesses employ various approaches, and it revealed some potential impediments to stronger protection. Companies that believe they are adequately protecting themselves by meeting anti-fraud regulatory requirements can still be fleeced, even in the broad daylight of compliance. This article examines some of the potential problems with common anti-fraud approaches and offers steps companies can take to overcome them.

Where Is the Disconnect?

Ultimate responsibility for anti-fraud efforts in many businesses resides with corporate counsel or the chief risk officer, who oversees the activities of those charged with ongoing fraud detection and response. When asked who is responsible for handling day-to-day anti-fraud activities, respondents indicated anti-fraud compliance and internal auditing functions together account for about one quarter of these operations, and another quarter are housed in the information technology (IT) department. Individual business units handle the function in some cases, and the rare organization, fewer than one in 10, has an enterprise fraud group.

Whichever function is responsible, one of its primary charges is to ensure that the necessary rules and analytics are in place to maintain compliance with anti-fraud regulatory requirements. But compliance alone may not be what is practically needed to prevent actual breaches and fraud.

Consider the case of a credit card processor that diligently complied with payment card industry (PCI) requirements for data protection. The company didn't store credit card data in any format, so it was compliant with PCI rules. However, its systems remained vulnerable to attack, and hackers installed software that enabled them to siphon millions of dollars from customer accounts.

The company adhered to security and privacy mandates, but it was unable to identify, detect and mitigate malware penetrating its systems. To understand why, it's helpful to consider that businesses typically handle fraud management at the customer account level and that online customer interactions can be either monetary or nonmonetary.

Monetary transactions move money from one account to another, such as a bill payment. A company's anti-fraud operation typically focuses on such transactions, guided by established parameters. For example, is the value of a transaction above the norm, or have there been inordinately frequent transactions in the past several days?

Nonmonetary encounters include customer activities such as online balance lookups and password resets. Usually, nonmonetary transaction logs reside with the IT group, and they may not be shared with the anti-fraud group for a variety of reasons: the fraud group may not think they're useful and doesn't request them; or the IT group, which isn't attuned to fraud prevention in the same way as the anti-fraud group, doesn't think it's necessary to share them.

Another impediment is that log files typically cannot be populated into enterprise data warehouses because they are unstructured data. Those log files, however, can be critical to fraud detection and prevention. They can help differentiate between a legitimate customer and an account that has been hacked. They can help provide a broad-based view of a customer that alerts the broader enterprise that an account has been compromised.

Strengthening Anti-fraud Capabilities

As the Deloitte poll indicates, many businesses are either modestly increasing anti-fraud investment or maintaining current levels. This is not necessarily surprising, as upgrading anti-fraud capabilities can be a transformative process. And if a company has not experienced much fraud, its leadership may not be receptive to investing money or resources to develop a comprehensive anti-fraud framework.

However, as noted at the beginning of this article, one major breach can create havoc, including financial, regulatory and reputational damage, so it is crucial to thoroughly identify and address vulnerabilities. Such an effort should begin with alignment of policies and standards at the corporate level. What defines normal fraud versus serious fraud? What are the security gaps? What is acceptable risk? What are the escalation procedures for critical events?

It is also important to recognize that no single solution is usually able to prevent fraud. Instead, a layered defense approach that includes strong authentication and comprehensive analytics and behavioral monitoring can provide a useful framework for fraud mitigation:

  • Authentication. A password alone, for example, is not enough. Multifactor authentication can provide improved gate-keeping, requiring users to not only enter a password but also answer qualifying out-of-wallet questions.
  • Analytics. Targeted analytics and behavioral monitoring can help create a “digital fingerprint” for each customer logging in. The fingerprint captures a variety of data, such as account-level information; authentication data; historical transactions (both monetary and nonmonetary); Internet Protocol (IP) addresses used by the customer; the pages the customer usually views; and perhaps even cursor movements. This thorough analysis can help determine whether it's a real customer online or a “bot” unleashed to attack customer accounts.

Hiring and retaining capable talent is also a key to establishing robust analytics and monitoring capabilities. Vital skills include the ability to mine both structured and unstructured data, as well as establish methods and rules to flag high-risk transactions. To capitalize on this talent, infrastructure is needed, including systems to bring together monetary and nonmonetary transaction data. Also important are tools to conduct link analysis: identifying characteristics of current transactions that match them to previous fraud instances, ideally in real time.
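The following Python is an added illustration, not code from the article or from Deloitte, of what "bringing together" the signals described above looks like in practice: the monetary rules (amount above the customer's norm, transaction velocity), a nonmonetary signal from the IT group's logs (a password reset from an IP the customer has never used), and a link-analysis seed of IPs from prior confirmed fraud. All data is constructed, and the thresholds (mean plus three standard deviations, a 24-hour reset window) are assumptions.

```python
"""Join monetary and nonmonetary signals to flag a likely account takeover."""
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed history of monetary transactions per account (the fraud group's data)
HISTORY = {
    "acct-1": [
        {"ts": "2014-03-01T10:00", "amount": 120.0, "ip": "198.51.100.7"},
        {"ts": "2014-03-08T10:05", "amount": 135.0, "ip": "198.51.100.7"},
        {"ts": "2014-03-15T09:58", "amount": 110.0, "ip": "198.51.100.7"},
        {"ts": "2014-03-22T10:02", "amount": 125.0, "ip": "198.51.100.7"},
    ],
}
# Constructed nonmonetary log entries normally held only by IT (resets, lookups)
NONMONETARY = [
    {"ts": "2014-03-30T02:11", "acct": "acct-1", "event": "password_reset", "ip": "203.0.113.9"},
    {"ts": "2014-03-30T02:13", "acct": "acct-1", "event": "balance_lookup", "ip": "203.0.113.9"},
]
# Constructed link-analysis seed: IPs seen in previously confirmed fraud cases
KNOWN_FRAUD_IPS = {"203.0.113.9"}


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def score_transaction(txn, history, nonmonetary, fraud_ips,
                      lookback_hours=24, velocity_days=7, velocity_max=3):
    """Return the list of risk flags raised for one monetary transaction."""
    flags = []
    acct_hist = history.get(txn["acct"], [])
    when = parse(txn["ts"])

    # Monetary rule 1: is the value above the customer's norm? (assumed: mean + 3 sd)
    amounts = [h["amount"] for h in acct_hist]
    if len(amounts) >= 3 and txn["amount"] > mean(amounts) + 3 * pstdev(amounts):
        flags.append("amount_above_norm")

    # Monetary rule 2: inordinately frequent transactions in the past several days
    recent = [h for h in acct_hist if when - parse(h["ts"]) <= timedelta(days=velocity_days)]
    if len(recent) + 1 > velocity_max:
        flags.append("velocity")

    # Nonmonetary rule: a password reset shortly before, from an IP never used by this customer
    known_ips = {h["ip"] for h in acct_hist}
    for ev in nonmonetary:
        if ev["acct"] != txn["acct"] or ev["event"] != "password_reset":
            continue
        age = when - parse(ev["ts"])
        if timedelta(0) <= age <= timedelta(hours=lookback_hours) and ev["ip"] not in known_ips:
            flags.append("reset_from_new_ip")
            break

    # Link analysis: does the transaction share an IP with a previous fraud instance?
    if txn["ip"] in fraud_ips:
        flags.append("linked_to_prior_fraud")
    return flags


if __name__ == "__main__":
    suspect = {"ts": "2014-03-30T02:20", "acct": "acct-1", "amount": 4800.0, "ip": "203.0.113.9"}
    print(score_transaction(suspect, HISTORY, NONMONETARY, KNOWN_FRAUD_IPS))
```

On its own the transfer would trip only the amount rule; the reset-from-new-IP and prior-fraud flags exist only because the IT logs and fraud case history were joined into the same view.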

Another beneficial step is educating customers about the seriousness of fraud and the importance of their adopting an anti-fraud mindset. This can be challenging, as many consumers may be indifferent to the threat, assuming that merchants, financial institutions, and credit card companies will cover their losses.

Finally, establishing an effective anti-fraud framework should start with better alignment between IT and the groups responsible for compliance and fraud prevention. As we've seen, IT can bring skills, insights, and resources to bear that can significantly strengthen the anti-fraud effort.

Staying Ahead of The Bad Guys

Fraudsters don't need a business case to come up with a new scheme. The corporate groups involved in anti-fraud efforts should understand the threats that exist, be constantly concerned about what they don't know, and be aware of emerging patterns and schemes. Also, liaising with law enforcement and commercial groups committed to the fraud fight can provide information on new schemes and the tools available to combat them. Tapping these resources can help companies gain a clearer picture of their fraud risks and what it takes to combat them.

About the Online Poll

More than 2,400 professionals from industries including financial services, consumer and industrial products, technology, media and telecommunications, life sciences and health care, and energy and resources responded to polling questions during an Aug. 22, 2013 webcast, titled “E-commerce and Payments Fraud on the Rise: Protection Techniques for Banks and Consumers.” (The webcast is archived at http://bit.ly/1eSFAOe.)


Prakash Santhana, Director, Deloitte Transactions and Business Analytics LLP, leads the analytic forensic technology practice for payments, banking and securities. He has worked in the fraud and risk management groups of large credit card issuers and payment startups for over 20 years. Santhana has extensive experience in the types of fraud committed and the analytics required to detect fraud at the point of sale, including credit and debit card fraud, ACH fraud, check fraud, online fraud and online application fraud. The statements in this article reflect our analysis of survey respondents' responses and are not intended to reflect facts or opinions of any other entities. All survey data and statistics referenced and presented, as well as the representations made and opinions expressed, unless specifically described otherwise, pertain only to the participating organizations and their responses to the Deloitte survey. Copyright © 2014 Deloitte Development LLC. All rights reserved.
