The years may change, but one thing in financial services remain the same: the threat of fraud. John Buzzard, fraud executive expert of CO-OP Financial Services, joined Karen Webster to reflect on financial services in 2016 and what fraud threats should and shouldn’t be on the radars of industry players as the new year rolls on. From issues with magstripe to why humans remain the weakest link in fraud protection, Buzzard shares his insight into the state of fraud and security in the financial services realm, particularly as it relates to the credit union market.
New year, new payments technology, same old mag stripes.
And that, John Buzzard, fraud executive expert of CO-OP Financial Services told PYMNTS, means that the financial services industry must continue to deal with the challenges and security risks associated with magstripe payments as well.
For as long as there are magstripe cards in circulation, there will have to be readers available to accept the payment method. While the shift away from plastic cards as a preferred payment method will surely take time, Buzzard made it clear it’s not an entirely impossible notion.
“It’s a slow-moving tide,” he noted, adding that as the industry continues to move forward, there will be a coexistence between magstripe and other payment methods.
But even with the introduction of EMV chip–enabled cards, magstripe still brings about its own set of fraud risks.
“One thing that we’ve done a really poor job of as an industry is we’ve missed the point about tokenized payments, because there are benefits for keeping the criminals at arm’s length away from the payment card information,” Buzzard explained.
He added that in order to get over the hurdle and achieve a critical adoption level for chip cards in the U.S., industry players will have to nurture and support one another, both on the issuer and merchant sides.
“When we hit that 75 percent and up level of chip readers out in the U.S., that’s when we’ll really see some great benefits,” he noted.
While there are payment cards on the market that have the multifunction NFC capability but still offer tokenized transactions using magstripe, Buzzard said he would rather see the focus go into a shift toward mobile and promoting other standard tokenized products in the market.
Mobile wallets like Apple Pay provide the consumer with implied convenience, but the byproduct of that is stronger security. Unfortunately, many consumers unknowingly have devices that are infected with key loggers and malware, which can still put their payment data at risk.
“Sometimes we scratch our heads about this because it becomes so big that often the only thing we are sure of is that we see fraud, but we don’t really know where it’s originating from — in a lot of cases it’s originating from devices that are infected,” Buzzard explained.
Monetization Of Personal Data
No longer is stealing and selling payment data the top motivation on a fraudster’s mind.
Today, the value of personally identifiable information far outweighs that of financial data, and fraudsters are using increasingly sophisticated schemes to retrieve it. Buzzard said that the potential value that looms over data like logins, passwords and addresses will be a bigger concern for accurately identifying customers and distinguishing between synthetic IDs and legitimate information.
Whether financial institutions (FIs) like it or not, they now play a role in authenticating consumers and verifying identities. While banks and credit unions are a part of the equation, Buzzard explained that the onus of “issuing” an authenticated identity should not fall solely on the institutions
Instead, FIs should be actively and aggressively authenticating with the best tools and services available to validate legitimate identities.
“We want bankers to understand how to manage and grow a consumer base, but we also want them to have a Rolodex of good products and services in their back pocket that they are using to authenticate,” Buzzard said.
Humans Are The Weakest Link
Humans make mistakes.
But in the case of financial services, those mishaps by an employee can have dire consequences when it comes to security and fraud prevention.
However, Buzzard pointed out that there are many occasions in the fraud prevention world where a little common sense goes a long way.
This is why empowering workforces to be not only innovative when necessary but also innovative thinkers is so important in address security in financial services.
Buzzard shared a story of a successful but eventually convicted hacker who was invited to speak at a recent conference as part of his parole agreement to provide educational outreach in the community. When asked about his biggest roadblock in hacking, he mentioned that it was a very large credit card issuer that allowed their employees to make risk decisions on the spot.
Meaning that if an employee thought they may be talking to a fraudster pretending to be a customer, they could put the person on hold and quickly place a call to the customer in order to verify identity by seeing if they were the person already on the phone.
“It was a crazy ‘A-ha’ moment where I think everybody realized that you can have fabulous fraud fighting tools, but if you don’t have any common sense and you haven’t empowered your workforce to make reasonable decisions, you miss a lot,” Buzzard said.
The Machine-Learning Hype
A big area of focus in payments security, particularly for financial services players such as credit unions, is identity verification. Being able to authenticate a consumer can reduce or mitigate the incidences of false-positives and determine whether someone has a legitimate identity or not.
Buzzard said that while this is a large part of the fraud prevention work that the financial services sector must focus on, there’s also another big part of using logical behavioral analytics and machine learning to help combat fraudsters.
“In theory, these help to build really logical transactional behavior that also walks in tandem with the fundamentals of identifying the true identity of the consumer, such as verifying the devices that we use,” he explained.
Since fraud has quickly moved away from the era where the right algorithm could fix everything, it’s essential for financial services stakeholders to utilize a fraud strategy.
“If you don’t know what you’re trying to prevent, then it’s largely impossible to just write a strategic rule on that,” Buzzard noted.
“We’ve been exploring and learning a lot about machine learning, and we’re hoping that that sort of logical approach working in tandem with scoring is really going to be a homerun for credit unions. With big investments in machine learning, we’re hoping that that’s going to be a golden moment for fraud fighting.”
However, is machine learning really living up to its buzzword hype?
While the technology behind behavioral analytics and machine learning has been around for years, Buzzard said there are now great things that can be derived from its use.
“It’s been perfected to the point that we can build and view a logical bed of transactional behaviors for a customer, which is something we haven’t really been able to do in the industry before,” he explained.
“If you’re adopting machine learning, it’s going out to learn, look and derive logical patterns so that we can bring down as many false-positives as possible.”
The Power Of Card Controls
While much of the security solutions and fraud prevention tools in the financial services sector may require significant time and investment to implement, Buzzard identified some low-hanging fruit that FIs can use today to stop some of the perpetuation of fraud within their organizations.
The first is re-evaluating the products and limits given to consumers that they may not actually need. For example, for some consumers, having a $5,000 open line of credit or the ability to withdraw high-value transactions from an ATM may not be what they need financially and can leave them vulnerable if a cybercriminal were to take possession of the account.
“Today, any card issuer would be best served by exploring the number of customers they have carrying cards and whether that type of card serves them best. It’s all about knowledge and understanding what’s in the marketplace, and I think that sometimes we all struggle with that,” Buzzard said.
Card control products, such as enabling a customer to turn off their debit card from a mobile device, are also highly favored as useful tools that consumers typically have in their possession through their banking website.
The responsibility of safeguarding financial information — whether that falls solely on the FI or if the consumer should take responsibility — is a line that can sometimes become very blurred.
However, Buzzard said the line isn’t so much blurry as it is solid and dotted.
“The solid line is the absolute manifesto that customers have entrusted financial services with their money and financial transactions, and in exchange for that, we’re going to deliver you best-in-class service that’s solid and secure. And if you’re missing any money after we investigate it, we like to say you’re made whole,” he explained.
“The dotted line that sort of runs parallel to that is what can we do to nibble into the consciousness-piercing activity that draws the customer in a little closer,” he said, noting that sometimes this is under the guise of conveniences and even a little fun, because those things will eventually take away from fraud losses.
For example, if a customer is sent their account balance alert every day, the customer may see it as a convenient service while the FI sees it as drawing the consumer in and making it easier for them to notice if something doesn’t look right, so a potential fraud can be mitigated faster.
“I would say the greater balance of credit unions today are truly running [businesses], and they’re far more sophisticated than they have ever been, so they offer things to consumers that are identical to what they may have experienced elsewhere, like account alerts,” he said.
. . . . . . . . . . . . . . . . . .
To download the full report “Security Innovations for the Changing Face of Fraud” please complete the form shown below: