Combating Technology Fraud with Analytics
Date: Monday, April 02, 2012
Over the last two years, the risk landscape has changed. There have been a number of high-profile, financially motivated attacks across the globe. The nature of the attackers has also changed, from individuals to hacker syndicates working towards significant financial gain. These syndicates combine domain knowledge (banking, telecom), technology and insider information to execute fraudulent transactions.
Traditional controls, including firewalls, IDS, infrastructure attack monitoring, URL filters and application security controls, are not effective in detecting and mitigating these new risks. Transaction monitoring has therefore emerged as a critical function in banks, given the increase in fraud from both internal and external sources.
Banks are used to the concept of transaction monitoring for credit cards. However, hacker syndicates are now targeting other channels, including Internet banking, ATM and mobile banking, so transaction monitoring needs to be extended to those channels as well. In the following sections we discuss the role of transaction monitoring in managing these risks and look at the possible options for implementing it.
Detecting Fraud using Transaction Analytics
Transaction monitoring serves the objective of detecting suspicious transactions early, thereby containing large-scale fraud. With transaction monitoring, all banking channels, including the branch, can be monitored for suspicious transactions. Suspicious transactions can be detected using exact rule matching or using the more advanced technique of neural networks, which learn transaction patterns and detect deviations from them. Though neural network based detection is beneficial, one needs to exercise caution: these systems do not deliver the right results unless the volume of transactions is sufficient for the learning algorithms to work. The more pragmatic approach is a rule based matching system. Some examples of fraud rules across Internet banking, ATM and other channels are given below.
Sample fraud rules in Internet Banking
Illustrative rules/scenarios that a transaction monitoring system can capture to detect fraud:
* Money transfer beyond a predefined value.
* Money transfer to a transferee on a blacklist. An example of a blacklisted transferee is a mule account: an intermediate account used by phishers for transferring money.
* Money transfer from a blacklisted IP address.
* Money transfer that is higher than the user's average.
* Logins/transactions from different cities within a short period.
* New payee registration followed by a high-value transaction.
* Change of email address followed by a transfer of funds to an external payee or account.
Sample fraud rules in ATM
The following are some illustrative rules/scenarios that can be captured for the ATM channel:
* ATM location not matching the customer's profile of access.
* The same ATM card being used for transactions at geographically dispersed ATMs within a short time.
* ATM hood opening during odd hours.
* ATM cash chest opening during odd hours.
* ATM withdrawals that are higher than the user's average.
Sample rules for cross channel transaction monitoring
Cross-channel fraud detection is becoming increasingly critical. It requires the solution to have a view of transactions across the different banking channels. This is still a nascent area, though solutions that support cross-channel fraud detection are available now. Some sample scenarios that can be captured using cross-channel transaction monitoring:
* High-value transfer through the Internet banking channel followed by a withdrawal through an ATM within a short time.
* IVR based transfer followed by an ATM withdrawal within a short time.
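The three rule lists above (Internet banking, ATM and cross-channel) are all of the "exact rule match" kind the article recommends, and the only thing that separates the simple rules from the harder ones is state: "higher than average for the user", "different cities in a short period" and "transfer followed by withdrawal" all need per-customer history. The following Python is an added example written for this article, not code from the original page or from any product it mentions; it implements a small stateful rule engine that covers each rule family and replays a constructed event timeline through it. The thresholds, time windows, account numbers, IP addresses (documentation ranges) and ATM identifier are assumed placeholder values, not values from the article.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

# Assumed, illustrative thresholds and windows; a bank would tune them per channel and segment.
HIGH_VALUE = 10_000.0                          # the "predefined value" for a large transfer
BASELINE_MULTIPLIER, MIN_HISTORY = 3.0, 3      # "higher than average for the user", once enough history exists
VELOCITY_WINDOW = timedelta(hours=2)           # activity from different cities "within a short period"
SEQUENCE_WINDOW = timedelta(hours=24)          # new payee or e-mail change, then transfer
CROSS_CHANNEL_WINDOW = timedelta(minutes=30)   # Internet banking/IVR transfer, then ATM withdrawal
BUSINESS_HOURS = range(6, 22)                  # hood or cash-chest opening outside this is "odd hours"
# Constructed reference data: placeholder identifiers, not real accounts or addresses.
BLACKLISTED_PAYEES = {"ACC-MULE-001"}
BLACKLISTED_IPS = {"203.0.113.7"}
HOME_CITIES = {"cust-1001": {"Mumbai"}}        # the customer's usual ATM access profile


@dataclass
class Event:
    ts: datetime
    user: str        # customer id, or ATM id for device events
    channel: str     # "IB" (Internet banking), "IVR" or "ATM"
    kind: str        # login, transfer, add_payee, change_email, withdrawal, hood_open, chest_open
    amount: float = 0.0
    city: str = ""
    payee: str = ""
    ip: str = ""


class RuleEngine:
    def __init__(self):
        self.history, self.alerts = defaultdict(list), []

    def _recent(self, ev, window):
        # Earlier events for the same user/device inside the window (strictly before ev).
        return [e for e in self.history[ev.user] if ev.ts - window <= e.ts < ev.ts]

    def process(self, ev):
        fired, hist = [], self.history[ev.user]
        if ev.kind == "transfer":
            if ev.amount > HIGH_VALUE:
                fired.append("IB-01 transfer above predefined value")
            if ev.payee in BLACKLISTED_PAYEES:
                fired.append("IB-02 transfer to blacklisted payee (mule account)")
            if ev.ip in BLACKLISTED_IPS:
                fired.append("IB-03 transfer from blacklisted IP")
            past = [e.amount for e in hist if e.kind == "transfer"]
            if len(past) >= MIN_HISTORY and ev.amount > BASELINE_MULTIPLIER * mean(past):
                fired.append("IB-04 transfer above the user's average")
            recent = self._recent(ev, SEQUENCE_WINDOW)
            if ev.amount > HIGH_VALUE and any(e.kind == "add_payee" and e.payee == ev.payee for e in recent):
                fired.append("IB-06 new payee followed by high-value transfer")
            if any(e.kind == "change_email" for e in recent):
                fired.append("IB-07 e-mail change followed by transfer")
        if ev.kind in ("login", "withdrawal"):
            # Same customer seen in two cities on one channel inside the velocity window.
            cities = {e.city for e in self._recent(ev, VELOCITY_WINDOW) if e.channel == ev.channel and e.city}
            if ev.city and cities - {ev.city}:
                fired.append(f"{ev.channel}-VEL activity in dispersed cities {sorted(cities | {ev.city})}")
        if ev.kind == "withdrawal":
            if ev.city not in HOME_CITIES.get(ev.user, {ev.city}):
                fired.append("ATM-01 location outside the customer's access profile")
            if any(e.kind == "transfer" and e.channel in ("IB", "IVR") and e.amount > HIGH_VALUE
                   for e in self._recent(ev, CROSS_CHANNEL_WINDOW)):
                fired.append("XC-01 high-value transfer followed by ATM withdrawal")
        if ev.kind in ("hood_open", "chest_open") and ev.ts.hour not in BUSINESS_HOURS:
            fired.append(f"ATM-02 {ev.kind} during odd hours")
        hist.append(ev)
        self.alerts.extend((ev.ts, ev.user, rule) for rule in fired)
        return fired


def sample_events():
    # Constructed timeline: three days of normal use, then an account takeover on day four.
    t0, d = datetime(2012, 4, 2, 9, 0), timedelta
    u, home_ip, bad_ip = "cust-1001", "198.51.100.10", "203.0.113.7"
    return [
        Event(t0, u, "IB", "login", city="Mumbai", ip=home_ip),
        Event(t0 + d(minutes=2), u, "IB", "transfer", 2000, payee="ACC-RENT", ip=home_ip),
        Event(t0 + d(days=1), u, "IB", "transfer", 2500, payee="ACC-RENT", ip=home_ip),
        Event(t0 + d(days=2), u, "IB", "transfer", 1800, payee="ACC-UTIL", ip=home_ip),
        Event(t0 + d(days=3), u, "IB", "login", city="Mumbai", ip=home_ip),
        Event(t0 + d(days=3, minutes=40), u, "IB", "login", city="Singapore", ip=bad_ip),
        Event(t0 + d(days=3, minutes=41), u, "IB", "change_email", ip=bad_ip),
        Event(t0 + d(days=3, minutes=42), u, "IB", "add_payee", payee="ACC-MULE-001", ip=bad_ip),
        Event(t0 + d(days=3, minutes=45), u, "IB", "transfer", 15000, payee="ACC-MULE-001", ip=bad_ip),
        Event(t0 + d(days=3, minutes=55), u, "ATM", "withdrawal", 900, city="Pune"),
        Event(t0 + d(days=3, hours=2), "ATM-0427", "ATM", "hood_open"),    # 11:00, inside business hours
        Event(t0 + d(days=3, hours=14), "ATM-0427", "ATM", "chest_open"),  # 23:00, odd hours
    ]


def run(events):
    # Replay events in time order and return every (timestamp, user, rule) that fired.
    engine = RuleEngine()
    for ev in sorted(events, key=lambda e: e.ts):
        engine.process(ev)
    return engine.alerts
```

Running `run(sample_events())` produces no alerts for the first three days (the baseline rule stays quiet until MIN_HISTORY transfers exist, which is the caution the article raises about learning from too little data), one velocity alert on the second login, six alerts on the 15,000 transfer, two on the ATM withdrawal (profile mismatch plus the cross-channel sequence) and one for the late-night cash-chest opening. The point to take from the design is that every rule the article lists beyond the plain threshold and blacklist checks depends on retaining history per customer, which is exactly the capability the article says a repurposed SIM/SIEM will struggle to provide.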
The architecture of a transaction monitoring solution varies with the solution. Some solutions sniff transactions: for Internet banking, for example, collectors sniff the traffic coming to the web server and then transfer the transactions to a central manager for processing. Other solutions install agents on the application to capture transactions and transfer them to the central manager; for example, an agent would be installed on the Base24 ATM switch to capture transactions. There are also options where the database is replicated to the fraud monitoring system for analysis. The architecture therefore depends on the solution you adopt.
An enterprise that decides to embark on transaction monitoring can select from a number of possible solution options. That the options differ, some of them markedly, reflects the fact that transaction monitoring solutions are still evolving towards maturity. This is true of non-credit-card transaction monitoring, including Internet banking, ATM and mobile banking. At the same time, an enterprise that selects the right option will get the required ROI. The solution landscape and its options are captured below:
* Extend Security Information and Event Management (SIEM) solutions to monitor banking channel transactions. This approach is useful for banks that have already invested heavily in a SIM solution. Not all SIM solutions support the development of custom agents for transactions; if the enterprise already has a SIM solution that supports custom development of connectors, this is an option. The drawback is that rules requiring historical or baseline analysis, such as a user transacting a higher than average value, will be difficult to capture. However, given that the incremental investment is low, this can be an effective way to roll out a basic form of transaction monitoring immediately. Best suited for medium-sized enterprises that have invested in SIM technology and do not have a high threat profile.
* Implement specialized solutions for each channel. There are specialized vendor solutions for each banking channel, for example one product for Internet banking and another for ATM. This approach supports rules that require historical analysis, and some products also support neural network based analysis. It cannot, however, detect cross-channel fraud. Effectiveness is high and the investment required is also high. Best suited for large enterprises.
* Implement a cross-channel transaction monitoring solution. Such solutions are available, though still at a nascent stage. They detect fraud on individual channels as well as fraud that extends across channels. Effectiveness is high and the investment required is high. Best suited for large enterprises.
* Use a managed service from an information security company. Information security service providers today offer a managed service model for transaction monitoring. There are multiple providers for Internet banking, but only a limited number who can provide services for other channels or for cross-channel fraud detection. Effectiveness is high and investment is moderate. Best suited for small and medium enterprises.
* Use a service model from third-party transaction acquirers/processors. Third-party processors today offer transaction monitoring as a value-added service. These providers lack skills in IP based technologies, including Internet banking and mobile banking. Effectiveness is moderate and investment is moderate. Best suited for small and medium enterprises that have outsourced to acquirers with this capability.
The best approach will vary with transaction volumes, enterprise size and risk appetite.
Implementing the right transaction monitoring solution provides direct as well as collateral benefits, such as:
* Early detection and containment of transaction fraud, reducing monetary losses
* Protection from new risks for which banks cannot implement controls in the near term (e.g. financial malware) and which are difficult to detect using other mechanisms
* Higher assurance demonstrated to customers, which can lead to higher adoption of these channels and give the bank a competitive edge
* Reduced operational risk through tighter controls over transactions
* Better compliance with regulations
Paladion Networks is a global managed security services provider whose offerings encompass security assurance, compliance, monitoring and management services to over 600 customers in the Banking, Finance and Insurance, IT and Consulting, Telecommunications, Research and Development and Government industries across Asia, the U.S. and Europe.