Banking fraud poses a serious threat to customer confidence, the efficiency of the payment system, and the bank’s bottom line. To mitigate fraud risks, banks are going into overdrive to deploy security solutions.
An RTI query has revealed that depositors in India have lost close to Rs. 27000 crore in the last five years due to fraud. But this amount is just an estimate; the final figure of the loss is much higher. Recently, the Parliament was informed about the RBI data, which shows that close to 9,300 cases of fraud involving ATM cards and internet banking were reported in April-December 2014. Internet Banking/ATM fraud, e-Banking fraud and Identity fraud are the three key areas of concern for bankers today.
Know Your Customer
While there is a significant rise in the number of sophisticated cyber attacks, frauds are also happening because Know Your Customer (KYC) norms are being flouted. There are increasing instances of fraudsters using forged or tampered documents. Banks have detected many cases of document forgery where the fraudsters pose as genuine customers. Speaking at a BFSI event in Mumbai, Sanjay Rai, Additional Director, Special Frauds Investigation Office (SFIO), said, “There is lack of care on the part of banks on whether KYC norms are followed.” He also spoke about a case where a single customer managed to defraud multiple banks by flouting the KYC guidelines.
Arun Gupta, Managing Partner & Director at Ingenium Advisory and Technology Advisor, UNIKEN, says, “The issue fortunately or unfortunately is about scale. Banks are adding new customers at a faster pace. In the rush to enrol new customers there can be a slippage. Even a few such mistakes can lead to fraud. Auditors scan random samples; they do not review every form. KYC being done by some junior officer or outsourced staff leads to mistakes, which can be genuine or intentional.”
“The major part of the KYC defaults happen in the private sector, where the focus is entirely on business development. The business development model is partly outsourced. Even the frontline counter staff have targets for opening accounts. People are forced to cut corners,” says Diwakar Gupta, Senior Advisor, Aditya Birla Financial Services and Former MD, CFO, State Bank of India (SBI).
The Enemy Inside
The security framework can become much weaker if there is a culprit working inside the bank’s perimeter. What if the bank employees join hands with external fraudsters? They can take advantage of the blind spots in the system to siphon money. At times, the fraudsters target the dormant accounts. “There are old people with significant balance in their account, which is mostly inoperative. They rarely come to the bank. The bank employee who knows about such inactive accounts can withdraw the money. It is possible that no complaint may get filed in such cases,” says Diwakar Gupta.
The risk of frauds engineered by their own employees is one of the biggest challenges that banks face. In order to curb instances of insider fraud, banks have started adopting Privilege Identity Management Solution (PIM). “Some of the top Indian Banks – both public and private have implemented PIM. We are working on about a dozen RFPs floated by banks,” says Anil Bhandari, Director (Chief Mentor), ARCON. PIM allows banks to protect critical information assets like databases, servers, network devices and storage devices from unauthorised access. The solution runs a dynamic password generation algorithm which changes and rotates the passwords on IT assets and stores them in a secure vault, which is protected by several layers of proprietary technology. Further, access to all critical devices or applications through any super user-id is controlled, and access is provided only on a need basis. The solution maintains a complete session recording of all user activities, which is also vaulted for future reference.
PIM and Privilege Access Management (PAM) rein in the super user in terms of access rights and the kind of applications he can enter. “The root user or the super user of a system has total control over a system, and this is where most of the traditional security technologies failed. The need was to control and monitor the actions of this super user. This is where the PIM/PAM solutions come in handy,” says Devendra Parulekar, Practice Leader, India – Information Security and Privacy, E&Y. Many organisations are moving towards mapping who their users are, what they are accessing and what they need or don’t need to access. Companies don’t want to find themselves in a position where they are breached by an insider because the applications are misconfigured with reference to access rights.
ATM & Card Frauds
According to the data from the Banking Ombudsman scheme (BOS), released by the RBI, the complaints regarding ATM / Debit / Credit cards in the year 2013-14 amounted to 18,474 vis-a-vis 17,867 in 2012-13. ATM fraudsters are coming up with innovative ways of hijacking the ATM – there have been instances where they have installed malware in the machines to conduct their frauds. Some fraudsters are also using social engineering techniques.
Bharat Panchal, Head- Risk Management & Audit, CISO, National Payments Corporation of India (NPCI), says, “Fraudsters are using Social engineering techniques, especially in the rural areas to defraud innocent villagers.” Here is one of the scenarios by which the scam is often carried out—A villager goes to an ATM—he has no clue about how to get cash out of the machine. The fraudster, who is loitering close by, offers help. He takes the ATM card from the farmer and changes it with a fake card that he already has. He inserts the fake card in the machine and asks the farmer to enter the PIN. The fraudster sees the PIN being entered and he remembers it. When the farmer leaves the ATM, the fraudster withdraws the money from the farmer’s account.
In case of malware attacks, the ATMs get delinked from the bank’s network. The system will not recognise that the cash chest has been emptied. In a recent malware attack on an ATM, the fraudster connected a USB to the front panel of the machine. He switched it off and then switched it on again. The ATM was then booted up with the malware—this resulted in the complete decoupling of the machine from the bank’s network. The fraudster subsequently gave certain commands and the ATM flooded the money out from the chests! In case of such crimes, no debit entries are generated as the system doesn’t recognise that the transaction ever happened.
NCR Corporation is India’s largest ATM manufacturer and service provider. Navroze Dastur, Managing Director, NCR India, says, “Three types of attacks on ATMs are becoming common, these are: black box, man in the middle and malware.” He informs that the malware fraud has been reported from several countries: Russia, Mexico, Malaysia, Europe and India. Man in the middle attack involves the compromising of the network infrastructure and placing of the malware within a bank’s network. In a black box attack, the fraudster bypasses the ATM’s core processor and connects an electronic device to the cash dispenser. He then sends unauthorised commands to dispense cash from the ATM.
Controls, Processes & Technology
IT can play a critical role in minimising and combating fraud, but there are many other aspects that the banks have to take care of for ensuring overall security in their establishments. Arun Gupta of Ingenium Advisory says, “Banks should have the required controls, processes and technology in place. It is a combination of these three that will finally succeed because one without the other does not work.” This approach can be applied by banks to manage KYC and document-tampering related frauds. A number of technology tools for detecting fraud are available, but the best results can only be achieved from these devices when there is a comprehensive system for red-flagging the issues and alerting the employees.
Diwakar Gupta provides information on the centre for investigation of suspicious transactions that is being run in Jaipur by a prominent public sector bank. “There are about 100 people working there. The list of suspicious transactions is generated by the software. The officials analyse the transactions and decide what kind of action should be taken in each case.” The IT solution can only throw out the suspicious transactions based on set rules. The rest has to be done by the respective personnel.
Diwakar Gupta is of the view that a common registry, from which the KYC delinquencies can be reported to all the banks, is a must. The challenge in case of such systems lies in creating the pool of skilled manpower to track these cases. RBI is expected to issue norms for setting up a central fraud registry to share information on unscrupulous borrowers and wilful defaulters.
Analytics for Safe Banking
Analytics can play a crucial role in unearthing and filtering out suspicious transactions. A survey by Deloitte shows: “One in three survey respondents were not entirely satisfied with their current fraud detection / analytics solution.”
The new analytics tools not only support detection, analysis and management of fraud across users, accounts, channels, products and other entities (e.g., kiosks); they also monitor users’ activity and behaviour inside an application and watch what transpires inside and across accounts using any channel available to the user or program. “Analytics tools monitor and manage alerts across multiple systems, correlate them with one another, and feed them into enterprise case management systems,” says Anmol Singh, Principal Research Analyst, Gartner.
HDFC Bank has implemented rules, which are based on statistical models developed in-house, for monitoring transactions on credit and debit cards. “The model takes into account various transactional & customer demographic related attributes along with the fraud trend. Periodic review of these models is carried out in terms of false positives and relevance to the existence of the fraud trends and necessary actions are taken,” says Sameer Ratolikar, CISO, HDFC Bank. The bank has invested in an enterprise-level solution for digital banking, such as monitoring of net banking, credit, debit cards and merchant acquiring transactions with the capability to decline transactions with the fraud trend.
Big Data is another technology that can protect the bank from fraudsters. “Big Data can be used for mining transactions to develop information on behaviour patterns that are likely to follow most fraudulent activities,” says Diwakar Gupta. According to Gupta, a suspicious transaction may not necessarily be a fraud but it puts up your antenna to suggest that something seems to be wrong. The exception reports should be looked at to make sure the customer is not doing exceptions again and again. There is a big role for analytics and reports to tackle frauds.
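As an added illustration (not code from the article or from any bank or vendor named in it), the Python below shows the kind of set rules described above: it flags a withdrawal from a long-inoperative account and accounts with repeated exceptions, and returns them as a queue for analysts to decide on. The thresholds, record layout and sample transactions are assumptions constructed for the example.

```python
from collections import Counter
from datetime import date, timedelta

# Assumed thresholds, not taken from the article; a bank would set its own.
DORMANCY = timedelta(days=365)  # gap after which an account counts as inoperative
MAX_EXCEPTIONS = 2              # exception approvals tolerated per account

# Constructed sample data: (txn_id, account, date, kind, amount, is_exception)
TXNS = [
    ("T1", "ACC-1", date(2013, 2, 1), "deposit", 40000, False),
    ("T2", "ACC-1", date(2015, 1, 15), "withdrawal", 35000, False),
    ("T3", "ACC-2", date(2015, 1, 3), "withdrawal", 2000, True),
    ("T4", "ACC-2", date(2015, 1, 9), "withdrawal", 2500, True),
    ("T5", "ACC-2", date(2015, 1, 20), "withdrawal", 3000, True),
    ("T6", "ACC-3", date(2015, 1, 4), "deposit", 1000, False),
    ("T7", "ACC-3", date(2015, 1, 18), "withdrawal", 500, False),
]

def dormant_withdrawals(txns):
    """Withdrawals that arrive after the account was inactive for DORMANCY."""
    last_seen, alerts = {}, []
    for txn_id, acct, day, kind, _amount, _exc in sorted(txns, key=lambda t: t[2]):
        prev = last_seen.get(acct)
        # An account with no earlier record in the data is not judged dormant.
        if kind == "withdrawal" and prev is not None and day - prev > DORMANCY:
            alerts.append((txn_id, acct, "withdrawal from dormant account"))
        last_seen[acct] = day
    return alerts

def repeated_exceptions(txns):
    """Accounts whose exception count exceeds MAX_EXCEPTIONS."""
    counts = Counter(acct for _, acct, _, _, _, exc in txns if exc)
    return [(None, acct, f"{n} exception approvals")
            for acct, n in sorted(counts.items()) if n > MAX_EXCEPTIONS]

def review_queue(txns):
    """Rule output only: every alert still needs an analyst's decision."""
    return dormant_withdrawals(txns) + repeated_exceptions(txns)

if __name__ == "__main__":
    for alert in review_queue(TXNS):
        print(alert)
```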
The banks are realising that they have to join hands to curb instances of fraud. IDRBT has started Indian Banks- Center for Analysis of Risks and Threats (IB-CART). It is a portal-based centralised repository of information security incidents reported by banks.