Anti-fraud approaches and analysis following UK data loss
The recent breach of 25 million records of personal information and 10 million account numbers held by British citizens is one of the highest profile data risk events to date.
Yet large-scale data leakage is not as uncommon as some might think, as the TJX breach and other recent incidents in the US show. Given the magnitude of this breach, banks should assume that major attacks are on the horizon, if not already underway, and should implement the strategies and technologies required to minimize losses to the firm and to its customers.
While information in the press has been useful with regard to responsible consumer behavior in the aftermath of the breach, it generally falls into the category of things that every responsible banking customer should be doing anyway: keeping an eye on your credit score, being wary of communications claiming to be from a financial institution that ask for additional personal information, and keeping a close eye on your current banking and brokerage accounts.
In order to minimize the risk associated with the theft of personal identifying and financial information, it is important to understand:
What are fraud criminals likely to do once they have the information?
– Current account fraud
– New account and identity fraud
– Cross channel and phone fraud
– Trading of credentials in the black market
What are typical challenges with current fraud infrastructure?
– Watch lists and false positive rates
– Front door assumptions
– Cross channel challenges
What can banks do about it in terms of current and new measures?
– Automated compromised account monitoring with low false positive rates
– Cross-channel correlation
– New account continuous risk rating
– Look for test transactions
Expected attack vectors
Current account fraud
The UK data breach is particularly notable for the relatively high concentration of current account information in the data that is now out in the open. Although there have been other large compromises of credit card data, the ubiquity of credit card fraud detection systems has minimized the impact of those breaches. Checking, savings and brokerage accounts can be accessed through a rapidly growing number of channels – online, phone or mobile – and are in general protected by comparatively immature fraud detection platforms. As such, the major current account channels represent a very significant risk.
Given the number of current accounts whose account numbers were compromised in the breach, it is very likely that fraud criminals with access to the data will directly target existing customer accounts. The criminals will be aware that the half-life of that account list is relatively short (once the compromise is known, listed accounts will be watched, re-issued or closed) and may therefore attack them much more quickly than in a data breach involving only personal information. It is therefore reasonable to expect a rise in current account fraud, whether via the online channel, paper check, phone banking or ATM.
New account fraud/identity fraud
It is Actimize’s experience that any time very detailed and complete files are lost, there is a higher practical risk of identity theft. When a data source with relatively complete customer files is lost (i.e., those including names, addresses, birth dates, national insurance numbers and bank accounts), there is a comparatively higher risk that that information may be used to establish new credit accounts with financial institutions under false pretenses, whereas a data breach involving name and address is hard to use in this regard and involves legwork on the part of the criminal to “complete the customer file”.
In the final stage of attack, it is likely that the criminals will engage in identity fraud, using the personal information either as a whole or in combination as a synthetic identity, to open current and loan accounts in order to gain access to bank credit, either via advances or unsecured loans. These attacks have the potential for extremely high losses to the banking industry. Synthetic identities used for new account fraud are already a major problem in the UK; this breach can turn it into a much more severe problem if the information gets into the hands of the fraudster community.
Cross-channel/phone channel
Due to the depth of the UK data breach, the phone channel is also at risk. Phone banking operators typically verify a number of key data points to ensure that they are talking to the actual customer. When many or all of those data points are compromised, the phone channel can be a particularly easy access point for fraudsters. The real danger in this exposure is in part because of a belief in the security of authentication coming as a result of “personal” interaction.
Actimize research and work with the banks demonstrates that there is commonly very little fraud analysis done of banking activity conducted via the phone. As a result, it is possible for a criminal to compromise online banking and brokerage accounts, ATM accounts, credit card, loan and many other bank accounts via the phone channel.
Actimize’s experience indicates, for example, that around 25 percent of online banking fraud attacks are preceded by a compromise at another remote channel, typically the phone channel. A data breach of this depth constitutes a very high risk and it is likely that attacks will also be cross-channel.
The information that was compromised is significant, but it is not sufficient on its own to launch comprehensive fraud attacks against all of the accounts involved. Criminals are likely to collect additional information, perform test attacks across channels and then fully penetrate via multiple channels or payment mechanisms in order to maximize their returns.
Trading of the credentials in the black market
Criminals tend to be as specialized in function as any other industry. For example, identity thieves sell information to other criminals who go about defrauding financial institutions by conducting transactions or opening new accounts under false pretenses.
These transactions typically occur on the Internet in small bundles of accounts and information; large-volume trading often begins with online introductions and is consummated offline or using proprietary electronic transfers.
With a large amount of information like this on the black market, one can expect this information to be broken up and sold to criminals around the globe with small transactions taking place on the Internet black market. As in other past cases, the fraudsters will usually attempt to verify the accuracy of the information and perform test transactions online, at unmanned gas stations, or other anonymous channels. Test transactions can be successfully profiled and once they are detected they can teach an institution a lot about what the scope and nature of future attacks may be on the compromised accounts and customers.
Typical challenges with current fraud infrastructure
Our work with many banks in the U.S., Europe and other parts of the world shows some common gaps in both fraud strategies and technology relating to this case. There are a number of factors that, depending on the nature of existing infrastructure and processes, may make existing anti-fraud solutions more vulnerable to attacks that result from a data breach such as the one just witnessed in the UK.
Watch lists and false positive rates
In general, past experience in a number of geographies has shown that once a significant percentage of a population’s data has been compromised and placed in a watch list, the false positive rate involved in simple monitoring of that list is extremely high. Without an effort or system to monitor the customers and accounts for behavior that is likely to result from the criminal use of compromised data, any monitoring system will produce so many alerts that financial institutions will be forced to choose between significantly impacting legitimate customer transactions or simply ignoring the great majority of alerts on the compromised list; neither of these are good outcomes and both leave customers at risk.
Financial institutions should make stronger demands of the in-house or third-party analytics partners with regard to the false positive performance of systems designed to monitor watch lists. One needs to ask – how effective have my existing methods for monitoring watch lists been, even prior to this major data compromise event?
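To make the false positive argument concrete, here is an added example (it is not code from the article or from Actimize) that contrasts flat alerting on watch-list membership with alerting that is conditioned on the account's own behavior. The customer profiles, the transaction feed and its fraud labels, the scoring weights and the alert threshold are all constructed assumptions.

```python
"""Watch-list monitoring: flat alerting versus behavior-conditioned alerting.

Added example, not from the original article or from Actimize. Every
profile, transaction, label and weight below is constructed for illustration.
"""

# Constructed per-account profiles: typical amount, known payees, channels used.
PROFILES = {
    "A1": {"avg_amount": 60.0, "payees": {"grocer", "utility"}, "channels": {"online", "atm"}},
    "A2": {"avg_amount": 900.0, "payees": {"rent", "utility"}, "channels": {"online"}},
    "A3": {"avg_amount": 40.0, "payees": {"grocer"}, "channels": {"atm"}},
}

# Constructed watch list: accounts whose numbers appear in the leaked file.
WATCH_LIST = {"A1", "A2"}

# Constructed feed: (account, amount, payee, channel, fraud label for evaluation).
TXNS = [
    ("A1", 55.0, "grocer", "online", False),
    ("A1", 62.0, "utility", "online", False),
    ("A1", 1.0, "unknown-merchant", "online", True),   # tiny test payment to a new payee
    ("A1", 950.0, "new-payee", "phone", True),          # large transfer over an unused channel
    ("A2", 880.0, "rent", "online", False),
    ("A2", 900.0, "utility", "online", False),
    ("A2", 30.0, "utility", "online", False),
    ("A3", 35.0, "grocer", "atm", False),
    ("A3", 45.0, "grocer", "atm", False),
]


def flat_watchlist_alerts(txns, watch_list):
    """Naive rule: alert on every transaction from a watch-listed account."""
    return [t for t in txns if t[0] in watch_list]


def behavior_score(txn, profile):
    """Score how far one transaction departs from the account's own history.

    Weights are assumed values chosen for the illustration.
    """
    _, amount, payee, channel, _ = txn
    score = 0
    if payee not in profile["payees"]:
        score += 2  # beneficiary the customer has never paid
    if channel not in profile["channels"]:
        score += 2  # channel the customer has never used
    if amount > 5 * profile["avg_amount"]:
        score += 2  # amount far above typical spend
    if amount <= 2.0:
        score += 1  # tiny amount: characteristic of a test transaction
    return score


def conditioned_watchlist_alerts(txns, watch_list, profiles, threshold=2):
    """Alert only when a watch-listed account also behaves anomalously."""
    return [
        t for t in txns
        if t[0] in watch_list and behavior_score(t, profiles[t[0]]) >= threshold
    ]


def precision(alerts):
    """Fraction of alerts that are labelled fraud (0.0 when there are none)."""
    if not alerts:
        return 0.0
    return sum(1 for t in alerts if t[4]) / len(alerts)


if __name__ == "__main__":
    flat = flat_watchlist_alerts(TXNS, WATCH_LIST)
    cond = conditioned_watchlist_alerts(TXNS, WATCH_LIST, PROFILES)
    print(f"flat rule: {len(flat)} alerts, precision {precision(flat):.2f}")
    print(f"conditioned rule: {len(cond)} alerts, precision {precision(cond):.2f}")
```

On this constructed feed the flat rule raises an alert for all seven transactions from the two listed accounts, of which two are fraud, while the conditioned rule fires twice and both alerts are fraud. The practical point is that membership of a compromised list should raise the weight given to behavioral signals on that account rather than replace them.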
Front door assumptions
In addition, because many of the highest profile fraud attacks have involved the online channel, some financial institutions have placed a significant bet on the effectiveness of front door, authentication-based solutions. While authentication is a critical part of any anti-fraud scheme and must be invested in, once criminals have a significant amount of customer data as a result of a data breach like this one, it is much easier for criminals to bypass authentication systems via customer service representatives and automated password recovery mechanisms.
Because existing detection systems rely, in some banks, too heavily on authentication to block fraudsters, financial institutions can be extremely vulnerable to losses resulting from data-driven compromises. One needs to ask – how much ‘weight’ am I giving to my authentication infrastructure compared to other measures and should it be changed following today’s breach?
Cross-channel challenges
Finally, although fraud detection schemes are increasingly robust, Actimize has witnessed very few institutions that have the ability to correlate suspicious activity across channels. Per above, online activity may not be correlated with phone-based activity or ATM activity may not be correlated with risk associated with deposit activity. Fraud as a result of data compromise is likely to move rapidly across boundaries and given the extent of the data breach, financial institutions may find that their current cross-channel plans need to be accelerated in order to avoid major loss events.
One should ask – what is our ability to detect a test transaction done in an ATM or a call to the call center resetting a password followed by an online account take over?
Minimize the impact of the data breach
Automated compromised account monitoring with low false positive rates
First, employ a practical, efficient method for monitoring the accounts and personal data that has been compromised while maintaining a low false positive rate. Financial institutions need to employ a means of monitoring the individuals and accounts that have been compromised in a practical fashion; this is to say that it is not appropriate to either wait for the fraud to happen, based on the idea that given the scale of the breach there is nothing that can be done, nor over compensate for the breach on those accounts by unfairly impacting innocent customers.
There are a number of ways that financial institutions may deploy a practical scheme for monitoring those accounts across the likely points of compromise without unfairly impacting affected consumers. While this sounds like an obvious conclusion, it is our opinion that this massive breach will result in a catch-22 problem: most banks will either over-monitor, resulting in too many false positives and a negative customer experience, or will not monitor enough, leading to fraud on known breached accounts and again to a negative customer experience.
Financial institutions should explore their options for introducing effective data compromise capabilities into their existing detection solutions and look, in the longer term, to deploy a solution focused on the phenomenon across the enterprise.
Cross-channel correlation
Second, increase expectations of cross-channel monitoring systems and accelerate plans for true cross-channel monitoring. Because attacks are now more likely to propagate across multiple channels, financial institutions should expect that the solutions they have in place are able to monitor risk across all relevant channels. In particular banks should be prepared for account takeover attacks involving combinations of the online, phone and branch channels as well as attacks involving components of deposit and ATM fraud.
New account continuous risk rating
Third, since we believe that both the likelihood and the effectiveness of new account fraud attacks have increased, banks should look for a practical way to coordinate the account opening process, which is the primary point of compromise for identity theft, with transactional analysis of new and existing accounts.
Risk rating at account opening must be used to not only make a go-or-no-go decision regarding the opening, but must also be used to monitor high-risk accounts in the first six months or longer of account deposit and credit usage activity.
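The following added example (not code from the article or from Actimize) shows one way to carry an opening risk rating through into early-life monitoring: the application is scored, the score drives a go/no-go decision, and accounts opened under enhanced monitoring get tighter activity limits for their first 180 days. The application fields, the compromised-identity set, the weights, the tier thresholds and the activity rules are constructed assumptions.

```python
"""New account risk rating carried into early-life transaction monitoring.

Added example, not from the original article or from Actimize. Applications,
accounts, transactions, weights and thresholds are constructed assumptions.
"""
from datetime import date

MONITOR_DAYS = 180  # the article's "first six months"; assumed as 180 days here

# Constructed set of national insurance numbers known to be in the leaked file.
COMPROMISED_IDS = {"QQ123456C", "AB987654D"}

# Constructed applications with the signals the scoring function uses.
APPLICATIONS = {
    "APP-1": {"national_id": "QQ123456C", "file_age_years": 0,
              "address_matches_bureau": False, "phone_shared_with_other_apps": 2},
    "APP-2": {"national_id": "ZZ000000A", "file_age_years": 12,
              "address_matches_bureau": True, "phone_shared_with_other_apps": 0},
    "APP-3": {"national_id": "AB987654D", "file_age_years": 6,
              "address_matches_bureau": True, "phone_shared_with_other_apps": 0},
}


def opening_risk(app, compromised_ids):
    """Score an application at opening; returns (score, reasons). Weights are assumed."""
    score, reasons = 0, []
    if app["national_id"] in compromised_ids:
        score += 3
        reasons.append("identity data present in compromised file")
    if app["file_age_years"] < 1:
        score += 2
        reasons.append("thin credit file")
    if not app["address_matches_bureau"]:
        score += 2
        reasons.append("address does not match bureau record")
    if app["phone_shared_with_other_apps"] >= 2:
        score += 3  # same contact details across applications: synthetic-identity indicator
        reasons.append("contact details reused across applications")
    return score, reasons


def decision(score):
    """Go/no-go at opening; the middle tier is opened but watched more closely."""
    if score >= 7:
        return "decline"
    if score >= 3:
        return "open_with_enhanced_monitoring"
    return "open"


# Constructed account opened from APP-3 and its first weeks of activity.
ACCOUNT = {"id": "ACC-3", "opened": date(2007, 11, 1), "credit_limit": 2000.0,
           "tier": "open_with_enhanced_monitoring"}
TXNS = [
    {"type": "credit_draw", "amount": 1700.0, "day": date(2007, 11, 10)},
    {"type": "deposit", "amount": 3000.0, "day": date(2007, 11, 12)},
    {"type": "withdrawal", "amount": 2900.0, "day": date(2007, 11, 13)},
]
REVIEW_DATE = date(2007, 11, 20)      # inside the monitoring window
POST_WINDOW_DATE = date(2008, 6, 1)   # outside it


def early_life_alerts(account, txns, today):
    """Tighter rules for enhanced-monitoring accounts during their first MONITOR_DAYS.

    Accounts in the plain "open" tier are left to ordinary monitoring (not shown).
    """
    days_open = (today - account["opened"]).days
    if days_open > MONITOR_DAYS or account["tier"] != "open_with_enhanced_monitoring":
        return []
    alerts = []
    drawn = sum(t["amount"] for t in txns if t["type"] == "credit_draw")
    if days_open <= 30 and drawn >= 0.8 * account["credit_limit"]:
        alerts.append("credit limit largely drawn within 30 days of opening")
    deposits = [t for t in txns if t["type"] == "deposit"]
    withdrawals = [t for t in txns if t["type"] == "withdrawal"]
    for d in deposits:
        if any(0 <= (w["day"] - d["day"]).days <= 2 and w["amount"] >= 0.9 * d["amount"]
               for w in withdrawals):
            alerts.append("deposit withdrawn almost in full within 2 days")
            break
    return alerts


if __name__ == "__main__":
    for name, app in APPLICATIONS.items():
        score, reasons = opening_risk(app, COMPROMISED_IDS)
        print(name, score, decision(score), reasons)
    print(early_life_alerts(ACCOUNT, TXNS, REVIEW_DATE))
```

The opening score is not discarded after the go/no-go decision; it selects the monitoring tier, and the tier decides which activity rules apply during the account's first months.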
Look for test transactions
Lastly, it is Actimize’s experience that a data breach of this magnitude will result in the black market trade of stolen credentials. When criminals sell data to one another, one should expect to see a rise in test transactions as leading indicators of more comprehensive fraud attacks.
Effective monitoring of these types of transactions, as well as education of the fraud operations group regarding such leading indicators of account compromise, can result in tangible benefits and will likely be a good return on investment over the next 18 months.
IFSEC Insider