Bank Fraud Forum

The State Attorney General - A New Sheriff in Town

Tue, 15 May 2012 15:18:10 -0400

Without question, the federal government wields considerable power over the entire banking sector. However, it is easy to forget that state attorney generals can also exert tremendous force when they choose to do so.

Arguably the position of State Attorney General is one of the best platforms available to build a political brand. Until missteps in his personal life forced Eliot Spitzer a.k.a. the Sheriff of Wall Street, to resign as Governor of New York, the rumor mill had already mentioned “Spitzer” and “President of the United States” in the same breath. Whether Spitzer stood a chance of being elected leader of the free world is anyone’s guess. However, had he done so, many would likely agree that his position as the state attorney general would represent one of the “tipping points”. It is certainly important to note that Spitzer’s popularity stemmed in large part due to his focus on protecting consumer rights by using his platform as Attorney General to target companies that the federal government seemed unable or unwilling to investigate.

Fast forward to 2012, banks are wrestling with the revised FFIEC Authentication Guidance and the specific steps that they need to take to comply. There are few “bright lines”...

Catch Them If You Can

Thu, 26 Apr 2012 12:57:24 -0400

Frank Abagnale Jr. successfully performed cons worth millions of dollars by posing as a Pan American World Airways pilot, a Georgia doctor, and a Louisiana parish prosecutor. He did all that in the 60s and his primary crime was check fraud, as documented in the biographical movie, Catch Me If You Can. Imagine what Frank could do in today’s banking environments with all its complex cross-channels.

Today, fraudster’s schemes evolve faster than Frank Abagnales ever did. This consistent evolution of fraud schemes demands that financial institutions audit their fraud detection solutions and scenarios on a fairly regular basis.

Performing a solution audit would determine the level of effectiveness of your institution's fraud coverage. It would identify additional areas of coverage that could be achieved by fully exploiting the existing data, as well as adding new data sources to improve current detection. It would also help prioritize recommendations and ...

Fighting Fraud in Canada

Wed, 11 Apr 2012 15:03:08 -0400

Most people who have been on the good side of the Financial Crimes business know – it is easy to become cynical and suspicious of almost everyone. I guess when you are looking for criminal activity all day, you are supposed to have a 'glass half empty’ approach. To my surprise, I have found that many fraud personnel I’ve met are very optimistic…about catching fraud, that is. And, after meeting with several of them last month, I am even more aware of what a collaborative effort fighting fraud needs to be.

At the beginning of the month, Memento had our inaugural Canadian User Group meeting. Almost 30 users from our Canadian customers came together at the Toronto Board of Trade to network with their peers, discuss recent fraud events and ...

Spring Cleaning Your Fraud Scenarios

Wed, 04 Apr 2012 21:15:56 -0400

Spring has arrived, which means it’s time to put away all the winter stuff and make space for what you’ll need for the new season. Instead of just cleaning out your closets, why not take a fresh look at your organization’s fraud management system and ‘de-clutter’ your scenarios?

Reviewing your list of scenarios is important to ensure that your fraud team is focusing on the highest priority scenarios that impact your bank, and that you are getting maximum value from your enterprise detection system. Fraud schemes and schemers are constantly changing, and enterprise monitoring systems need to keep pace with new trends, government regulations, and loopholes in your bank’s systems.

The first step is to take stock of what you have, and gauge its value. If you are not already maintaining a scenario inventory, consider developing a tracking system that includes the following:

• A clear, written description of the fraud scenario appropriate for business users (a.k.a. the “English description”)
• A description of each of the data fields required to run ...

More Takeaways from the BAI Conference

Wed, 28 Mar 2012 16:05:58 -0400

Notes from Memento's Michael Wlodyka, Fraud Consultant, and Matt Doremus, Sr. Solutions Architect

Michael Wlodyka, Memento Fraud Consultant, on Reputational Risk

On day 2 of the BAI Payments Connect 2012 conference, I had the opportunity to attend a very interesting presentation by John Carlson, EVP for fraud prevention and cyber security at BITS, entitled ‘Hardening’ Payment Systems for the Next Generation. In his talk, John highlighted the fact that trust and reputation are two of the most valuable assets that financial institutions have in retaining existing customers and acquiring new clients.

Whether deserved or not, the persistent threats of account takeover, identity theft, check, card, ACH, wire, and mortgage fraud, along with continued insider and elder abuse can lead to a perception of insecurity. In order to effectively combat the increased risk of new channels, players, and products, there is a need for cooperation between and amongst financial institutions and their providers ...

Notes from 2012 BAI Payments Connect

Thu, 15 Mar 2012 20:13:03 -0400

Every year, Memento attends the BAI Payments conference to learn the latest trends in payments and fraud as well as connect with attendees, many of whom are our customers and partners. This year’s conference focused on three key areas: emerging payments, payments fraud, and check processing. Being part of the team that designs and develops the fraud detection and management software for Memento, I was very interested in learning more about the new and emerging payment channels, where FIs stand with their FFIEC/layered security strategy, and, of course, where FIs see the biggest need for innovation.

Day 1 Highlights

Payment innovation and mobile banking were central conference themes. The mobile phone is trending as a preferred channel (“top of wallet”) for small dollar payments. Banks are racing to figure out how this changes their business model and product offerings.

Some view peer-to-peer (P2P) payments as a promising new revenue stream. As a quick definition, a P2P payment uses an email address or mobile number to identify the payment beneficiary. (Examples: send a gift, settle the dinner tab, payback for a shared household expense.) Everyone agrees that P2P is emerging and malleable with flexible audiences and flexible delivery options. The offerings will most certainly also enable P2G (person to group, e.g. pay soccer team), P2B (person to business, pay small service provider), B2P etc.

Benefits for consumers:
- Convenience, convenience, convenience. Payments can be initiated anytime, anywhere.
- Timing of payments may be more immediate.

Opportunities for Financial Institutions:
- Strengthen relationship with customers and ...

The ‘Cost of Doing Business’ Trap

Wed, 07 Mar 2012 21:01:41 -0500

I was reading a comment on a Memento blog post, “2011 Fraud Trends – 3 Key Takeaways”, and it got me to thinking about what “cost effective” really means. In this case, it’s really about the cost of doing business.

It is not uncommon to take the position that fraud is “a cost of doing business”. When we view it from that perspective, we need to consider the total cost of doing business when it comes to fraud.

With regard to having insurance policies cover fraud losses, I am curious to know what exactly does this insurance cover? What are the deductibles? What other non-loss impacts does a fraud event have on the bank? Take into account customer loss, higher operational costs for customer service, reputational risk (that’s not just your reputation with ...

Ramnit, Facebook, and Password Management – Oh My!

Wed, 29 Feb 2012 21:06:31 -0500

I was reading an article about the Ramnit worm a few weeks back and a few things struck me about it. First of all, this worm is “old” technology – at least in the cyber war sense – that is evolving. It reminds me of a blog I wrote a while ago on polymorphism and the Zeus Trojan. At that time, I thought a common misconception was that once you find malware and take action against it you’re safe. It wasn’t so then and it isn’t so now.

Interestingly in this case, Trusteer, a provider of cybercrime prevention solutions, was the first to discover Ramnit’s merger with Zeus in August 2011. That tidbit combined with another point in the article about how Ramnit is being used to attack Facebook credentials is bad news. The article provided this quote to point out the danger: “Dave Jevans of the Anti-Phishing Working Group says stealing credentials from social-networking sites is big business. “We have seen...

The Data Mining Debate

Wed, 15 Feb 2012 16:43:53 -0500

It goes without saying that banks have an abundance of data. It is the job of the fraud analysts and investigators to sift through various bits of data to find anomalies and resolve fraudulent activity. These fraud subject-matter-experts usually can develop their own ad-hoc queries to find the information they are looking for. Surely, with access to disparate data and the ability to run queries, they can uncover fraud without deploying someone else’s software….right?

Most of the time, the answer is a resounding “no”. Very few banks have ...

A Holistic Approach to Fraud and Risk

Wed, 01 Feb 2012 18:00:32 -0500

Bank Technology News (BTN) ran an article on the first of the year entitled “9 Trends Reshaping Risk Software”, and Trend 8, “The bringing together of different risk systems”, caught my eye (being a fraud guy). My observation over the years is that centralized / consolidated vs. decentralized/ siloed is a cyclical thing. The idea of consolidating and centralizing keeps coming back, so that tells me it is generally considered to be a good idea. One explanation for the cycle swinging the other way might be the technical issues associated with implementing the consolidated model. A common data model goes a long way toward resolving many technical issues and systems that run disparate solutions on a single data model are promising for the consolidated approach.

The Illusion of Declining Account Takeover Attempts

Wed, 18 Jan 2012 16:21:05 -0500

In a recent Bank Info Security article, Account Takeover: Better or Worse?, Tracy Kitten interviews Doug Johnson, Vice President of Risk Management Policy for the American Bankers Association to get his expert opinion on the state of account takeovers and identity theft.

ACH fraud may be defined as many different fraud types including account takeover and payments fraud. Because there are no statistics on the total ACH losses for 2011, there may be the illusion that losses are down. In my opinion, the trend may seem that ACH fraud is decreasing due to tighter controls, but when I speak with industry colleagues, I tend to hear the opposite.

Flower Shop Fraud

Wed, 11 Jan 2012 19:40:57 -0500

Committing bank fraud is easy when you have help on the inside. That’s what the prosecutors in the UK think happened in a $2m fraud scheme involving high net worth accounts. Between July and September 2008, a gang lead by Neil Wynne targeted Barclays Bank branches throughout the middle of England. Prosecutors believe that the gang had help from a bank employee as they had an uncanny knack for picking the best accounts to target. They also had no problem overcoming the bank’s security procedures. They just can’t prove that an employee was involved – at least not yet.

Here’s the scheme… With a fake passport in hand, one member of the gang pretended to be the owner of an existing, well-funded, Barclay’s Bank account. A second member of the gang posed as the accountholder’s partner.

Once the new account was opened, the gang proceeded to ...

2011 Fraud Trends – 3 Key Takeaways

Wed, 21 Dec 2011 18:21:55 -0500

At year’s end, I like to take a step back and assess the main fraud trends I’ve seen and heard when speaking with our customers. Not only have we seen a lot of movement in the ACH area due to the FFIEC Supplement released this year, but there also have been some major events in the news this year that have driven action in fraud prevention measures overall. There are a few trends, in particular, that stand out to me more than others.

1. Internal Fraud is Here to Stay: The interest in Internal Fraud continues to be high, and without a proactive monitoring system in place, banks are at higher risk of being exposed to theft from their own employees. Some of the more common fraud strategies in Internal Fraud include ...

Year-End Transaction Volume

Wed, 07 Dec 2011 11:30:58 -0500

Depending on which news report you read, sales on “Black Friday” and “Cyber Monday” were considerably higher than last year. What does that mean for the bank fraud investigator? More transactions to wade through! Right about now, bank fraud departments around the United States are working overtime combing through billions of transactions. Unfortunately, when volume increases, so too does the volume of fraud attempts.

When transaction volumes spike, any weaknesses in a bank’s fraud detection landscape are often magnified. That’s what the fraudster wants. The more stress the bank’s fraud department is under, the more likely it will be that fraud transactions will slip through.

You can’t do that much to control the volume, but you can capture the lessons learned when you and your team are pushed to the breaking point. Consider the following questions ...

The Value of Integration and Collaboration

Wed, 30 Nov 2011 10:09:04 -0500

I recently attended part of the Orbograph user group meeting where I participated in a panel discussing the value in combining forces in the fight against fraud. The panel was moderated by Jodi Pratt, well known in fraud-fighting circles. Speaking with me on the panel was Carl Bortol of Data Support Systems. Both Carl and I represent companies that have partnerships with Orbograph. On the panel, we discussed two levels of working together, integration and collaboration.

Integration
This level focuses on integrating the fraud detection system into the rest of the bank’s systems in an operational sense. This includes core systems like DDA and CIS, and transaction processing systems like Exceptions...

Raising the Stakes for Internal Fraud

Wed, 16 Nov 2011 16:42:31 -0500

Earlier this week, Bank Info Security released an article on the Computershare civil suit against a former employee for stealing company information and shareholder data. The piece discusses the potential impact such a suit might have on the financial services industry, and I was able to contribute my two cents about the matter.

My opinion is, that in the case of data breaches and insider fraud, legal action against employees is historically rare. Most of the time these incidents are handled as internal matters; the exceptions have only been the worst or largest breaches and fraud schemes.

But, we do see a shift in how firms are approaching internal fraud. A handful of high profile internal data breaches and fraud cases (e.g., SocGen, UBS, Madoff ...

Can We Do Better?

Wed, 02 Nov 2011 16:23:36 -0400

With the new year here, I figured it was a good time to step back and take stock of our progress – as an industry – in the ongoing battle against fraud. A frank assessment: we could be doing a lot better.

Sure, there are always improvements that can be made to the organizations, processes and technologies that must come together to solve a complex issue like fraud management. But I think the more important barriers our industry faces are more fundamental and structural in nature. Specifically, I see the following:

The Boiling Frog
Our industry’s slow reaction to the growing, morphing fraud problem makes me think of the boiling frog phenomenon. If you haven’t heard of it ...

“Getting it Right” at the NACHA Mega Meeting

Wed, 26 Oct 2011 17:13:55 -0400

Last week, ACH payments and fraud prevention professionals attended the NACHA Council Mega Meeting held on the waterfront in Boston, MA. In the sessions related to quicker payment processing, the overall sentiment was that banks need to do a better job of monitoring to manage the increased exposure. Two of the hottest topics were Expedited Processing and Settlement and, of course, the new supplement to the 2005 FFIEC Guidance.

Expedited Processing and Settlement (EPS): As anyone who is involved in ACH payments knows, NACHA is proposing a new payment option called EPS, which would allow ...

Saving Trees, One SAR e-Filing at a Time

Wed, 19 Oct 2011 16:40:45 -0400

In September, FinCEN released for comment a proposal to make electronic filing of SARs mandatory as of June 30, 2012. FinCEN’s e-filing system has been available since October 2002, and about 85% of BSA reports are currently filed electronically.

If you were unaware of this...

Letter from Client Services

Wed, 12 Oct 2011 17:08:56 -0400

It’s now been three months since I joined Memento, and I want to take the opportunity to say hello, communicate some of the exciting changes which are taking place, and offer my perspective on what you can expect to see from us going forward.

Perhaps I should start with what hasn’t changed. What hasn’t changed is Memento’s commitment to, and passion for, helping its customers detect, prevent and manage fraud. This dedication spans the products we build, the consulting services we deliver, and the ongoing relationships we develop. Our goal is to help you successfully deal with your ever-changing fraud-related challenges, and ultimately enable you to reduce losses and exposure to risk.

What has changed is how we accomplish this. For starters, we recently ...

Getting in Shape for the Software Training Marathon

Wed, 05 Oct 2011 17:19:06 -0400

In my previous post “Ensuring Successful Adoption of an Enterprise Fraud Management System,” I left off at the point where I started to address training content and delivery. Anyone who has sat through hours of application training knows how painful this experience can be. And, if the training content is not in alignment with audience expectations, you end up with a roomful of frustrated users who will be reluctant to use the new fraud management system.

As someone who dabbles in athleticism on the weekends, I have found many similarities between designing a physical training program and a software training program. Before one even begins to train, he or she must understand the end goal and design a program with that goal in mind. If you support your software vendor in defining the following content areas, the participants will be more successful at using the new fraud management system and catching the fraud at your organization.

1. Set Training Goals: Make sure the software vendor understands exactly what the users are expected to do and know about the enterprise system and what fraud area they are focused on, so the vendor can build the training appropriately. For example ...

FFIEC Guidance 2011 – Where Do We Start?

Wed, 28 Sep 2011 16:52:21 -0400

The FFIEC recently supplemented its 2005 Guidance in response to what it calls an “increasingly hostile online environment”. Regardless of the size of institution, if it provides banking products online, it is a target. On almost a weekly basis, we hear of a new online fraud case that caught one or more banks unprepared. The Guidance is timely, but it stops short of providing a “step-by-step” approach. Here’s what I believe financial institutions can do in light of the Guidance:

1) Revisit the risk assessment
Not surprisingly, risk assessments are hated by most bankers and viewed as a useless exercise. I have personally spent countless hours locked in a conference room attempting to document all the types of fraud that might happen. Unfortunately, risk assessments are a necessary part of fraud prevention. Moreover the supplement to the 2005 Guidance stresses the importance of keeping the risk assessment current. Here is a suggestion ...

Data Breaches - Part Two

Wed, 21 Sep 2011 18:00:58 -0400

“We all have a part to play, and playing as a team we will be so much more effective than as individuals trying to do our solitary best.” That is a quote from a blog post I wrote back in June on how data breaches are more pervasive and premeditated than many understand. Because of this, fraud prevention specialists need to take extra precautions by having multiple security check points in addition to a robust back-end detection system. This is exactly the concept behind layered security.

At this point, many of us recognize that there are no silver bullets in the ongoing fight against fraud. Fraudsters use a variety of tools and they collaborate. Fraud prevention specialists such as ourselves need to do likewise...

Fraudsters Are Going 'Back to School'

Wed, 07 Sep 2011 19:37:53 -0400

In most college towns, this is the time of year when swarms of U-Hauls and overstuffed cars bear down onto college campuses. Students will settle into their dorms and likely kick off their social lives before their classes even begin. The funds that they have for day-to-day expenses will begin to run low, and students will look for ways to supplement their income. This is prime opportunity for fraudsters to seek out and prey upon students.

Given that, we can deduce why college campuses are a ‘hang out’ for fraudsters - because students are easy targets. The sheer volume of students makes it easy to recruit vulnerable, needy, and/or naive students. I find it interesting that the scams have not changed much since I was in college. Scams relating to fraudulent grant letters, credit cards applications, work from home, check cashing and the ever so popular ATM card scams are still thriving. It is still common for fraudsters to not only pay students to pass bad checks through their accounts for nominal compensation, but also to ...

Adding Insult to Injury: FINRA Slaps Big Bank with Big Fine

Wed, 17 Aug 2011 11:31:12 -0400

Failing to supervise employees appropriately is a recipe for disaster. In a case involving Citigroup Global Markets, that failure not only resulted in the embezzlement of nearly $750,000, it also attracted the attention of the Financial Industry Regulatory Authority (FINRA) and a fine of $500,000 for “lax supervisory practices”.

What can banks learn from FINRA’s investigation and resulting fine? Will FINRA fine other banks for similar lapses? Will FINRA’s actions trigger more aggressive enforcement by bank regulators? It’s too early to tell, but let’s take a look at the particulars of this fraud...

Ensuring Successful Adoption of a New Fraud Solution

Wed, 10 Aug 2011 16:26:58 -0400

In my previous blog entry posted at the end of June, Ensuring Successful Rollout of a New Fraud Detection Solution, I discussed how to get started with implementation and defining new business processes. In today’s post, I am going to share with you some steps to help ensure successful adoption of your new fraud solution, including product training.

When implementing a new fraud detection solution, a successful training experience will go a long way towards user adoption, so careful planning at this stage is critical. First impressions matter, and if users don’t have a positive experience with the new software at the initial training session, it will be ...

Closing the Books – Really?

Wed, 27 Jul 2011 16:16:42 -0400

In the July 1 column of “The Ethicist” in The New York Times, I came across this concern posed by an unnamed CFO of a financial services company:

“… I found our bookkeeper using the corporate charge card for her personal use. The misappropriation was approximately $47,000 over a six-month period. She forged a partner’s signature to acquire a card in her name. We fired her, and she paid back the funds in exchange for our not pressing charges. But I cannot get closure if she is not punished for this egregious betrayal. I recommended that we call her husband, as I think family humiliation would be punishment enough. Would this be ethical?”

What I find interesting here is that the question posed by the CFO was not about whether or not the agreement was ethical, but whether or not revenge was ethical. And it seems like the columnist was on the same page. In response to this query, the columnist first reminded the CFO that the financial services company had agreed to sweep the issue under the rug as long as the perpetrator repaid the money, and the CFO’s revenge-seeking was not only against the ‘agreement’ but also inappropriate. Then the columnist writes, “I have to wonder, meanwhile, about a financial-services company that allows someone to steal and then to just stroll off to the next company to do it again.”

Now, this point raises some serious questions. Did the financial institution ...

Fraud Goes Mobile

Thu, 21 Jul 2011 10:19:18 -0400

It seems like yesterday when I first saw an ATM and had to be taught how to use it. When my bank sent the piece of plastic to me called a debit card, I was ever so hesitant to use it. And forget about online banking; my fraud investigations experience would in no way enable me to use my computer to perform my banking transactions. For baby boomers like me, we have seen a dramatic shift in the way we perform our banking, especially with online and mobile banking. It appears that the face of banking is an ever changing frontier. From a consumer’s viewpoint, all of these changes make things easier. But as a fraud professional, I am very nervous about the implications.

With this evolution in the way we do banking comes new threats. Modern trojans and viruses that may infect not only our computers but our mobile devices are alive and thriving. Just as I graduated from my old flip phone to my new high tech smartphone, I heard about a variant of the ZeuS Trojan that runs on the Android phones. According to researchers ...

FFIEC Guidance for Online Authentication Evolves

Wed, 13 Jul 2011 15:35:29 -0400

As you probably have heard by now, the FFIEC has issued new Guidance for authenticating online customers, and we should expect these guidelines to take effect in January 2012. That doesn’t leave a lot of time for financial institutions to get themselves ‘in compliance’.

The new guidelines are an enhancement to those originally issued in 2005. As one banker said to me, “These guidelines aren’t revolutionary like the original ones, they are evolutionary”. As the FFIEC points out, the internet is far more risky today than it was in 2005, and criminals are much more effective at compromising accounts despite existing bank controls. The FFIEC strongly encourages banks to perform periodic risk assessments and enhance their current controls due to this new environment.

In 2005, the FFIEC ...

Facilitating Cross-Channel Fraud Resolution

Wed, 06 Jul 2011 16:42:42 -0400

In a recent Bank Fraud Forum blog post, Discussing Multi-Factor Authentication, Shirley Inscoe stated that cross-channel fraud detection enables the analysts "...to see the complete picture with regards to a customer or account, and detect suspicious events that would otherwise result in losses...” Having been an investigator as well as a manager of a cross-functional fraud team for over 2 decades, I could not agree more.

However, it must be said that even if you provide a holistic picture of fraud to the analysts, it does not do them - or your customers - any good if they are not skilled in investigating and properly mitigating cross-channel fraud alerts. For those who have worked fraud over multiple channels, there are varying rules and regulations that may entail some compliance issues, including Reg E, Reg CC, UCC Articles 3 and 4, Reg J, Check 21, Clearinghouse Rules ...

Ensuring Successful Rollout of a New Fraud Detection Solution

Wed, 29 Jun 2011 17:21:54 -0400

If you work at a bank that is introducing a new fraud management software product, you know these are exciting times. Your organization has spent a great deal of time and money selecting the right solution for your organization, and the stakes are high for a successful deployment.

Banks that approach the software implementation process with careful preparation help ensure successful adoption by fraud management teams. As someone who’s been on the front line of training users on new technology tools for many years, I’ve seen some great strategies that banks have used to help ensure a successful rollout.

Banks 1, Corporate Account Holders 1?

Wed, 22 Jun 2011 09:20:42 -0400

For those keeping score in the legal battles between financial institutions and their commercial account holders, a recent decision by Judge Patrick J. Duggan in the Experi-Metal Inc. (EMI) vs. Comerica case evened the score at one a piece for the interested parties…or did it? Two weeks ago the recommendation by the magistrate in the Patco vs. Ocean Bank case favored the bank. The District Court has yet to decide if that recommendation will be accepted, but observers have expressed the opinion it will be. With the Michigan bench opinion out, maybe not. Now we get an opposing view that the bank may be liable for the losses. This could have serious repercussions for the industry, because anyone paying attention knows that commercial accounts are regulated under UCC statutes, not Reg. E. Commercial customers and their banks are subject to the UCC4a guidelines, specifically by § 4A-202.(c), which reads, “Commercial reasonableness of a security procedure is a question of law to be determined by considering the wishes of the customer expressed to the bank, the circumstances of the customer known to the bank, including the size, type, and frequency of payment orders normally issued by the customer to the bank, alternative security procedures offered to the customer, and security procedures in general use by customers and receiving banks similarly situated.” I can see in part where ...

Data Breaches, Insiders and Fraud

Wed, 15 Jun 2011 13:53:15 -0400

When most people think of data breaches, they think of the big headline grabbers like Hannaford, Heartland, and TJ Maxx (now disappearing into the distant past, but dredged up every time a big one like Heartland occurs). There are many more, but you get the point. The naïve view of breaches is that they are accidental most of the time, but that notion should have been dispelled by the overwhelming evidence that breaches are often times the result of a premeditated attack. We have seen that these data breaches do result in fraud, sometimes quickly and sometimes as much as two or more years later.

Why can the fraudsters wait so long? Because there is a ready supply of personal data to be had in the fraud underground, a veritable secondary economy with producers, brokers, and buyers.

This ready supply is fueled not just by the “biggies”, but also by a host of largely unreported breaches of various sizes. More often than we care to imagine, these breaches are ...

Discussing Multi-Factor Authentication

Wed, 08 Jun 2011 10:32:30 -0400

A couple of weeks ago, NACHA’s Electronic Check Council hosted a Forum entitled, “Moving Beyond Well-Trodden Paths: New Maps for Combating Risk and Fraud”. In this Forum, several industry experts discussed a wide variety of risk and fraud topics related to payments.

I was honored to open the forum with a session that subsequent presenters could build upon. In my session, “After You’ve Authenticated the Customer: Transaction Monitoring”, the audience and I discussed the need for layered security on all payment systems. Financial institutions have learned that multi-factor authentication is no silver bullet, nor are systems which validate the hardware transactions are originating from, monitoring IP addresses, etc. In order to better protect themselves and their customers, it is becoming increasingly important to proactively monitor transactions to detect suspicious activity in real time.

A Community Against Fraud

Wed, 01 Jun 2011 11:35:07 -0400

Recently a group of bankers got together for the Memento Peer Bank Forum as a community against fraud to discuss and share strategies for improving fraud prevention at their respective institutions. I’ve had the pleasure of participating and hosting a few of these events, and for me there is no substitute for the types of discussion that always seem to happen when a group of passionate, determined individuals get together to compare notes and share perspectives on improving fraud prevention. Here are a couple of my takeaways from the meeting.

• A wide range of institutions attended the forum - underscoring the pervasiveness of the fraud threat facing all banks and credit unions. There is no institution immune from fraud and increasingly the fraud crosshairs are being focused on small to medium sized institutions.

• Existing fraud threats are ... Read full blog post

Publicizing of the China Wire Fraud Scheme – Too Little Too Late?

Wed, 25 May 2011 15:41:28 -0400

Was it too little too late when the FBI publicized a wire fraud scheme involving Chinese shell companies? Knowledge is power, right? Once the specifics of a fraud scheme are made public, aren’t we better prepared to prevent fraud? In the short term, the answer is yes. As banks deploy effective countermeasures, that particular fraud scheme’s success rate will decline over time. However, your bank needs to be equally concerned about the fraud schemes that the FBI is not talking about.

Let’s say your bank read the FBI’s press release ...

Are You Ready for Fraud in the NFC Space?

Wed, 18 May 2011 15:07:34 -0400

Near field communication (NFC)¹ is here to stay, according to new analysis by Frost & Sullivan, which states that NFC-enabled mobile phones will reach 53% of the overall mobile phone market, or about 863 million units, by the year 2015, as well will be the chosen method for mobile payments. To me, this is somewhat disconcerting because 2015 is not that far away, and consumers already use NFC payment devices. I wonder how much training is going on around investigating money movement within the NFC space?

Read full blog

Worst Practices in Fraud Monitoring

Wed, 11 May 2011 13:35:43 -0400

I always chuckle to myself when I see a heading for an article entitled, “Best Practices in [fill in your favorite topic here].” After all, who wants to hear about someone’s worst practices? But as someone whose job it is to educate fraud experts on how to use new technology tools for monitoring and detection, I hear a lot about practices that aren’t so effective.

Banks and credit unions, large and small, wrestle with many of the same issues when it comes to fraud management. Here are common challenges that I’ve heard:

1. Monitoring Fraud in a Silo: Fraudsters don’t usually limit themselves to one type of fraud, so why should we separate our monitoring by different fraud areas? Although it makes sense for FI’s to...

Mobilizing the Front Lines of Fraud Prevention

Mon, 02 May 2011 14:43:18 -0400

I have been in countless dialogues regarding fraud prevention with fraud and risk specialists at various management levels within financial institutions of all sizes. In my many discussions around various fraud prevention measures, I’ve come to realize that while a sophisticated enterprise fraud management system is the bank’s best line of defense, the front line employees can play a valuable role in detecting and preventing fraud.

Bank tellers are the front line of the institution, handling deposits, withdrawals, and transfers while trying to accurately account for every piece of paper and coin that passes through their hands every day. They also are human and, while they have been trained to spot alterations, counterfeits, and other fraudulent items, they also have instincts. Many times, a teller might not have physical proof of fraud but often has a ‘gut feeling’ that something just isn’t right.

Continuing the Conversation from The ABA Risk Management Forum

Wed, 20 Apr 2011 17:36:08 -0400

The ABA Risk Management Forum was held last week in Denver, Colorado, and I was glad to be in attendance and have the opportunity to present on the topic of deposit account fraud. The forum offered numerous educational sessions for financial institution employees as well as several great networking events.

Session topics covered during the forum included: implementing Dodd Frank; new risks in ATM security; cloud computing; and several other hot topics. To me, this event is one of the best annual industry events for community banks, and I am sure the larger banks in attendance were satisfied with the content as well.

Defending Your Brand

Fri, 15 Apr 2011 10:12:13 -0400

I recently read an interesting article on AmericanBanker.com entitled, Defending Your Brand 2.0: Rapping w/readers, 140 characters at a time, by Sara Lepro. In her article, Sara demonstrates the need for financial institutions to insert themselves into social media conversations in order to have more control over the ‘chatter’ and ultimately to protect and defend their brand.

Historically, banks have been concerned about negative customer experiences and the impact of customer churn, especially when it comes to customers becoming victims of fraud. With the evolution of Facebook, Twitter and other social media forums, negative feedback is not only accelerated but many times exaggerated, thereby making it more of a challenge for banks to protect their brand.

Meet Me Halfway

Wed, 06 Apr 2011 13:33:55 -0400

I admit it. I am vulnerable.

As a consumer with a bank account and credit cards, I am vulnerable to a fraud attack. I’ll even admit that up until a couple of months ago I was somewhat lazy when it came to reviewing my bank and credit card statements, especially since going paperless. When I did get around to looking them over, I was in catch-up mode, and did not spend the time carefully checking each line item. The unfortunate thing is…I’m not alone. There are many account holders just like me who aren’t on the ball when it comes to monitoring their statements in a timely fashion, if at all. Many consumers rely on their banks to do this for them.

Guide for Understanding the RSA Breach

Wed, 30 Mar 2011 13:39:15 -0400

The RSA security breach sheds new light on the strength of external security systems and the sophistication of fraud attacks. Since the breach, so much has been written about its impact on customers and what it means for the fraud prevention world that Memento has put together a list of news resources and articles that might provide additional context and help answer some of your questions. This event is another reminder that there is no perfect solution for online security.

Lessons Learned from Organized Crime Rings

Wed, 23 Mar 2011 11:33:38 -0400

Recruiting bank employees to participate in an identity theft scheme can be well worth the effort. Eleven banks in Minnesota, Arizona, and Texas, as well as 5,000 victims, learned just how damaging “flipping” bank employees can be. Over the course of five years, the ring defrauded the victims and generated more than $10 million in “revenue”.

Proposed FFIEC Changes Mean Improved Prevention

Wed, 02 Mar 2011 16:00:04 -0500

As many of you probably know, the FFIEC has drafted and is ready to unveil their guidance on ‘Authentication in an Internet Banking Environment’. It is my understanding that the focus for improvement (albeit closely aligned to the recommendations made in 2005) relates to 5 key areas for enhancing online security. One area I want to address is the possible requirement for financial institutions to incorporate ‘layered security’ controls to better detect and respond to suspicious or anomalous activity.

The Blame Game

Thu, 10 Feb 2011 13:39:20 -0500

Who is to blame when a company is a victim of wire fraud? Does the bank bear full responsibility for policing the company’s account for unusual transactions? Does the company bear more responsibility since they “own” and manage the credentials needed to login in to the bank’s website? Unfortunately, for Experi-Metal and Comerica, the answers to these questions will end up being provided by the United States District Court. The trial to decide who should assume wire fraud losses ended on January 26 and the verdict is expected any day now.

Customer catches fraud more often than not

Tue, 11 Jan 2011 10:46:28 -0500

According to the survey results recently released by Bank Info Security, the most common way fraud is detected is when a customer notifies a financial institution. Below are all responses to the question, “When is a fraud incident involving your organization usually detected?”

New Data From 2010 Payments Study

Wed, 15 Dec 2010 10:38:17 -0500

Every three years the Federal Reserve releases a study that shows macro trends in the payment choices of consumers and commercial account holders. Many in the industry consider the report to be required reading as it offers important insights and trends regarding different payment types including check, ACH, debit card, credit card and prepaid card.

Reading Into Payments Fraud

Thu, 02 Dec 2010 11:44:37 -0500

Cybercrime is justifiably getting a lot of media attention these days. From industry advisements, FBI operations and plenty of cases in the news – it is easy to see why it’s a hot topic.

When All Accounts Are Compromised

Wed, 10 Nov 2010 10:51:23 -0500

Anyone see this story on BankInfoSecurity about the Zeus Trojan that hit mobile banking users at 12 Spanish banks? In addition to providing another catchy term (Zeus Mitmo – for Man in the Mobile), this event is perhaps the harbinger of a wave of new attacks aimed to compromise remote channels, and yet another example of how nimble fraudsters will always find the open window.