You might be surprised by the level of sophistication and organization of today's bank thieves. Rather than holding up a branch, today's robbers use resources purchased on the dark web, the internet's underbelly, to hack accounts and drain them with fraudulent charges.
"I'm not sure the industry is staying a step ahead," says Kurt Long, the founder and CEO of data protection firm FairWarning. "It's an arms race." However, banks aren't helpless in the face of these thieves, and they are continually working to improve their systems to detect and deter fraud.
People-centric systems pose new challenges
In the days before cloud applications, it was easier to protect data. A firewall or similar system could be adequate to keep information safe from most threats. Today, it's different. "It's not as easy as putting a ringed fence around the data," Long says.
That's because millions of people are now accessing data from the cloud. Not only does a system have to keep its information safe from outside attack, but it also has to ensure all those people using it are who they say they are. These people-centric systems pose a special challenge for financial institutions. "You've got to have a multi-layer approach," says Vince Liuzzi, chief banking officer at DNB First. As a result, banks are combining machine learning and automation with old-fashioned customer contact to identify and address potential fraud.
Algorithms and AI working together
The earliest automated fraud detection systems relied on algorithms to identify potential problems. "Algorithms are sets of rules," explains Salvatore LaScala, AML practice leader and managing director for consulting firm Navigant. If a rule is broken – say a larger than normal purchase is made – the algorithm triggers a follow-up action such as a text message or phone call to the customer. "It's trying to see if I'm actually in Dubai doing something," LaScala says.
However, an algorithm alone can't adjust itself. If a customer visits Dubai every month and confirms that every purchase made there is legitimate, the algorithm will continue to flag those transactions until it has been modified to account for this customer behavior. That's where artificial intelligence, or machine learning, comes into play. "Artificial intelligence helps algorithms work more quickly," LaScala says. Rather than waiting for a person to adjust an algorithm, AI can tweak the model as new data is gathered.
"There is data provided for every card swipe," says Patrick Davie, vice president of card services for Fiserv, a technology solutions company for the financial services industry. This includes the place, time, amount and other details of the transaction. "That all gets fed into the model." Then the AI determines if and how the algorithm should change for that customer.
"Machine learning can start modeling out what are the appropriate behaviors," Long says. As a result, a large purchase overseas can pass through the system unchecked if it fits with a customer's previous purchasing behavior.
In addition to creating algorithms to flag suspicious behavior, organizations are increasingly open to using community intelligence, Long says. This means that when one bank becomes aware of a new or trending security threat, it shares that information with other institutions that may become targets.
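An added illustration (not from the article or any vendor quoted in it) of the rule-versus-learning distinction described in this section: a fixed rule keeps flagging a customer's routine Dubai purchases, while a per-customer baseline updated from confirmed swipes lets them through and still flags outliers. The thresholds, field names and the mean-and-spread model are assumptions chosen for the example, and only the place and amount of each swipe are used.

```python
import statistics
from dataclasses import dataclass

HOME_COUNTRY = "US"     # assumed home country for every customer
STATIC_LIMIT = 500.0    # assumed fixed "larger than normal" threshold
MIN_CONFIRMED = 3       # confirmations needed before a place is trusted

@dataclass(frozen=True)
class Swipe:
    customer: str
    country: str
    amount: float

def static_rule(s: Swipe) -> bool:
    """Fixed rule set: flag foreign or larger-than-limit purchases."""
    return s.country != HOME_COUNTRY or s.amount > STATIC_LIMIT

class AdaptiveProfile:
    """Per-customer baseline built from swipes the customer confirmed."""
    def __init__(self):
        self.confirmed = {}  # (customer, country) -> list of confirmed amounts

    def confirm(self, s: Swipe) -> None:
        self.confirmed.setdefault((s.customer, s.country), []).append(s.amount)

    def flag(self, s: Swipe) -> bool:
        seen = self.confirmed.get((s.customer, s.country), [])
        if len(seen) < MIN_CONFIRMED:
            return static_rule(s)  # no baseline yet: fall back to the fixed rule
        mean = statistics.fmean(seen)
        # Floor the spread so a very regular spender is not flagged on small changes.
        spread = max(statistics.pstdev(seen), 0.10 * mean)
        return abs(s.amount - mean) > 3 * spread

# Constructed sample data: one customer's confirmed monthly purchases in Dubai (AE).
CONSTRUCTED_HISTORY = [Swipe("cust-1", "AE", a) for a in (900.0, 1100.0, 1000.0, 950.0)]

def train(history) -> AdaptiveProfile:
    profile = AdaptiveProfile()
    for s in history:
        profile.confirm(s)  # each swipe was flagged, then confirmed by the customer
    return profile

if __name__ == "__main__":
    p = train(CONSTRUCTED_HISTORY)
    for probe in (Swipe("cust-1", "AE", 1050.0), Swipe("cust-1", "AE", 5000.0),
                  Swipe("cust-2", "AE", 1050.0)):
        print(probe, "static:", static_rule(probe), "adaptive:", p.flag(probe))
```

The profile learns only from swipes the customer has confirmed, so unconfirmed activity on a card cannot shift that customer's baseline.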
Balancing convenience with security
The problem with bank anti-fraud measures is they often come with a level of inconvenience. "Historically, people like me were paid to stop fraud and not worry about the customer experience," Davie says.
Nowadays, that could be a costly approach for a financial institution. If a person has two or more legitimate transactions denied within a seven-month period, the average spending on that card six months after the last denial goes down 15 percent. What's more, 20 percent of people will stop using the card completely, according to a recent Fiserv analysis of 20 million cardholders.
"It's critical that you balance the automated measures with exceptional customer service," Liuzzi says. That level of service might be enough to offset any annoyance with having to verify purchases or deal with a temporarily locked card.
Still, LaScala says the risk of alienating customers is one banks have to take. "The brand has to maintain integrity," he says. No one wants to bank at an institution known for lax security.
Getting help from customers
While automated systems are doing the bulk of the work to detect fraud, financial institutions are hoping customers will help in the effort as well. Liuzzi says some things, such as the ability to search an extended account history online, are offered as a customer convenience, but they also serve a security purpose by letting people easily find questionable transactions.
Some banks are going even further by giving customers greater control over the use of their card. Fiserv's CardValet app sends alerts when cards are used, lets customers lock down a card to a certain geographic area and lets them "turn off" cards they won't be using.
Although criminals can be sophisticated, sometimes the oldest tricks are still the most effective. "Phishing is probably one of the most prevalent ways we've seen [to commit fraud]," Liuzzi says. These scams involve sending emails to customers requesting they log in to verify account information. The messages look official, but take people to a dummy website that collects their banking information. Liuzzi says the best defense against these scams is customer education.
Bank thieves are upping their game all the time. "They are forever innovative," Davie says. But with a little help from customers and high-tech solutions, banks are hoping to keep pace and keep people's money safe.