Anti-Fraud Investments at Banks, Retailers Lagging
Julie Conroy
Account takeover fraud is growing globally, and it's not just banks that are suffering, says analyst Julie Conroy. Here, Conroy explains why fraudsters continually have the upper hand.
ACH and wire fraud will continue as fraudsters take advantage of consumers' use of common usernames and passwords for access to multiple online sites, predicts Conroy, a senior analyst with the security firm Aite who covers banking and payments fraud.
"Consumers use the same set of credentials across all of their online relationships," says Conroy during this interview with Information Security Media Group.
Clearly, logins and passwords, on their own, provide insufficient account-access authentication, as other experts have noted (see Account Takeovers Get More Sophisticated).
Too many banking institutions and e-commerce retailers have been reluctant to enforce authentication practices that place too much onus on the user, Conroy says.
"They are sensitive to putting too much friction in front of the customer," she says.
As takeover fraud escalates, however, many banks and e-commerce sites are considering expanding the use of multi-factor or out-of-band authentication, Conroy adds.
"The consumer, the end user, is the weakest link," she says. "But consumer education can only go so far."
Banking institutions continue to suffer increasing losses tied to account takeover, according to new research Aite conducted about global fraud trends. Global fraud losses linked to ACH and wire fraud for banking institutions totaled $455 million in 2012, the research shows. For 2013, those losses could be as high as $523 million, Conroy predicts. And by the end of 2016, they could approach the $795 million mark, she says (see FFIEC Guidance: Has It Reduced Fraud?).
"I'm seeing an uptick [in ACH fraud] in Asia-Pacific, particularly in corporate account-takeover fraud," Conroy says. Latin America has seen an upswing as well, and so has the U.S. That's in spite of increased investments in new authentication technologies U.S. banks and credit unions have made to comply with the Federal Financial Institutions Examination Council's updated authentication guidance issued in June 2011, she notes.
"We have 150,000 unique strains of malware being deployed every single day," Conroy says. "But the problem is they [banks] have to make a business case every time they want to invest in new technology. The bad guys don't have to make a business case when they want to make a new investment."
Although it's been two years since the FFIEC issued its update, a majority of banking institutions are just now deploying certain new technologies to conform, she says. "Some of the technologies, like behavioral analytics, have not been implemented at banks yet," Conroy says. "The bad guys just have the luxury of moving more quickly. They aren't constrained with same processes."
During this interview, Conroy discusses:
The positive impact the FFIEC's updated guidance has had on fraud prevention at banks and credit unions;
Emerging cross-channel fraud risks affecting mobile and online; and
Why card-not-present fraud will sharply increase throughout the world within the next two years.

Conroy has more than a decade of product management experience, working with financial institutions, payments processors and risk management companies. Before joining Aite, she was the senior vice president of product management with Golden Gateway Financial, where she developed and managed new financial services lines of business. Previously, she was vice president of product solutions with Early Warning Services, where she managed a suite of fraud prevention services. Conroy also formerly led operational process improvements for NextCard, where she identified points of compromise and implemented solutions to reduce fraud and operational expenses. She began her career as a research analyst at E*Offering.