Lies, damned lies, and fraud statistics

14 June 2012

Card and banking fraud is a topic that sadly won’t go away, says Pat Carroll, chief executive of ValidSoft, but measuring it can be contentious. Some of the latest figures and reports this year, from CIFAS and PwC for instance, show that the problem is growing, while still others, such as the Financial Fraud Action UK figures, show it is not because counter measures are improving. Whatever figures you believe serious identity theft and data breach threats are out there, but they can be negated with strong authentication to prevent information being used fraudulently.

There are always a lot of statistics about whether or not data theft, privacy breaches and subsequent fraud is rising, falling, or indeed changing as technology continually advances. In fact, with so much data readily available, it is sometimes difficult to pinpoint what is really happening in the information security trend arena, but I think that some recent reports provide helpful pointers to the real state of play.

I was particularly struck by two recent reports: PwC’s Information Security Breaches Survey and the CIFAS First Quarter Trends.

What is especially interesting about PwC’s survey is that criminal methodologies around fraud are changing. The PwC survey, covering last year, found that cybercrime is now the second most commonly reported economic crime affecting companies in the financial services sector.

A startling 91% of large organisations and 70% of small organisations experienced malicious breaches in 2011. Of the companies surveyed, 69% of the large organisations, and 44% of the small organisations had experienced a “significant attempt to break into the organisations’ network” – proof, if that were needed, that criminals are determined to steal valuable data. Phishing attacks (experienced by 36% of large organisations and 9% of small organisations) and identity theft (30% of large organisations and 6% of small organisations) were also among the types of fraud that saw an increase in activity.

CIFAS’ First Quarter Trends Report for 2012 revealed that fraud in the UK was up 30% in the first three months of this year compared to the same period in 2011. This statistic is obviously worrying. This report found that identity fraud, which included impersonation and the takeover of accounts by a criminal, were the main drivers for this increase. The figures are perhaps not surprising in a recession when crime figures tend to go up but the increase is large.

Behind the numbers
How can these reports be reconciled with others, however, that suggest a completely different picture? Financial Fraud Action UK, for instance, has also released a report this year, but it claims that card fraud fell in 2011 by 7%, to an 11-year low. The UK Cards Association (UKCA) figures show a similar decline in this segment.

The truth is that it is quite conceivable that while fraud is on the rise, banks are stepping up their rate of transaction declines, preventing data breaches becoming frauds. To illustrate this point, in the case of cross-border transactions, on average nine out of ten declined transactions is considered to be genuine, but banks like to ‘play it safe’ even though this has negative customer service connotations.

Banks base their decision to decline transactions on historical data and the past behavioural patterns of customers. If a transaction looks unusual, especially abroad, the bank will simply block it from going through. Often the customer could, in fact, merely be overseas on holiday or business, and is now at a huge inconvenience because they don’t have access to their money, or worse they may be hugely inconvenienced if they are trying to pay an accommodation or food bill.

What’s more, merchants and banks lose out too in the form of lost revenue, interchange fees and administration costs from these false positive occurrences.

A fresh approach to security
So what is the answer? Underneath the numbers, what we can see is a constant factor in all of these surveys – namely that – criminals are determined, they are innovative and they move quickly with the advantage of ever-developing technology to find new methods of stealing data, as the PwC survey revealed. Criminals will always look and find the weakest link in any chain, especially when it comes to mobile banking, m- payments or other innovative new fields.

I believe that the security industry needs to tackle fraudsters from a fresh and different angle. Instead of trying to prevent the criminals from stealing the data, the security processes should work on the premise that they will obtain it, one way or another. What banks can do, however, is prevent them from using the stolen data, by strengthening the authentication procedures when confirming a transaction.

A blend of visible and invisible layers of security for the authentication process is key to stopping criminals from succeeding. Visible layers of security include using a one-time password (OTP), a biometric voice print that is unique to the customer and very difficult to impersonate or replicate digitally, and something the bank customer is likely to have, which can be a mobile or smartphone, IP address or whatever.

Invisible layers of security involve using the mobile or smartphone for Proximity Correlation Logic, so that a bank can determine whether the customer is near the purported scene of the transaction, and increasing the chances that it really is the said customer authorising the transaction. And a great thing about Proximity Correlation Logic is that it respects the customer’s privacy because it merely confirms that the customer is in the vicinity of the transaction. It is not the same as Location Based Service technology such as GPS or Lat/Long resolution which pin points the customer’s exact location.

This sort of multi-layer authentication and transaction verification approach to information security needs to be done in real-time, and thankfully the technology exists to enable that. If a fraudster falls at any one of the multi-layered hurdles – and the chances are that they will – the transaction is immediately declined, with the customer and their bank’s fraud department alerted straight away. So from start to finish, the multi-layered, real-time authentication only takes a few seconds, cutting down on customer dissatisfaction and intrusion.

This approach to securing monetary transactions (and any electronic transactions for that matter) has obvious advantages compared with banks’ traditional analysis of historic data because it can accurately identify the genuine account holder, prevent money from being illegally moved or withdrawn, and dramatically reduce the number of false positives and expensive exception management procedures.

I suspect that future surveys on fraud will reveal continuing change in the types of fraud being committed. However, whether or not fraud statistics go up or down, we should always try and look behind the numbers to see what is happening in reality.

Become a bobsguide member to access the following

1. Unrestricted access to bobsguide
2. Send a proposal request
3. Insights delivered daily to your inbox
4. Career development