We just closed out our 2013 Faces of Fraud Survey, which polled banks and credit unions, and the preliminary results show some striking trends.
Here's what stands out to me:
- Banks have made big investments in regulators' recommended controls for stronger online security, but account takeover losses have not decreased;
- Customers are often unwilling to accept additional security features;
- Banking institutions continue to focus on customer education, but it's still not having much impact on fraud losses.
Respondents to our survey ranked ACH and wire fraud as the fourth greatest fraud threat they continue to face - trailing payment card fraud, phishing attacks and check fraud.
That's in spite of investments they've made in security controls recommended by the Federal Financial Institutions Examination Council in its updated authentication guidance - such as dual-customer authorization, fraud detection and monitoring, enhanced customer education and IP reputation-based tools. Nearly half say those controls have not reduced the number of account takeover incidents they suffered in the last 12 months.
Some 65 percent of these banks and credit unions also report that customers have often resisted the controls they've implemented.
Over the past year, the vast majority of institutions surveyed say, financial losses to fraud have either increased or remained steady. Forty-six percent say the controls they've invested in have not reduced the number of account takeover incidents they suffered in the last 12 months. And 43 percent say those controls have not reduced fraud losses.
What's more, the survey also confirms that 65 percent of financial institutions learn about fraud when a customer notifies them.
Why? Banks say it's because customers don't want to be burdened with dual controls and tokens, in some cases. I get that. And dual authorization may not be feasible for all small businesses. Still, banking institutions need to stress that layered security is no longer an option; it's a must, and they have to get their customers to buy in.
If dual controls aren't the best option, then banks should mandate that the customer enroll in something else. But simply allowing the customer to decline these additional layers of security should not be an option.
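To make the "layered security" point concrete, here is an added example (not code from the survey, the post or any bank) modelling two of the controls the FFIEC guidance recommends for commercial online banking, dual customer authorization and transaction monitoring, applied to outbound ACH/wire requests. The class names, the policy thresholds and the sample transfers are all constructed for illustration; a real system would also need out-of-band notification, audit logging and a review workflow for held payments.

```python
"""Added example: dual customer authorization plus transaction monitoring
as two independent layers in front of outbound ACH/wire release.
All names, thresholds and sample data here are constructed."""
from dataclasses import dataclass, field

# Assumed policy values (constructed for this example).
DUAL_AUTH_THRESHOLD = 5_000.00  # above this a second, distinct person must approve
VELOCITY_LIMIT = 3              # max released payments to one payee per day


@dataclass
class Transfer:
    id: str
    amount: float
    payee: str
    initiated_by: str
    approved_by: set = field(default_factory=set)
    flags: list = field(default_factory=list)


class PaymentDesk:
    """Models a business customer's online-banking payment desk (hypothetical)."""

    def __init__(self, approvers, known_payees):
        self.approvers = set(approvers)        # users enrolled for dual control
        self.known_payees = set(known_payees)  # payees seen on prior payments
        self.released = []                     # payments released today

    def approve(self, t, user):
        # Layer 1, dual customer authorization: the initiator can never be
        # the second signer, and only enrolled approvers count. A single
        # hijacked session therefore cannot both create and approve a payment.
        if user == t.initiated_by:
            raise PermissionError("initiator cannot approve their own transfer")
        if user not in self.approvers:
            raise PermissionError(f"{user} is not an enrolled approver")
        t.approved_by.add(user)

    def monitor(self, t):
        # Layer 2, transaction monitoring: recompute flags from scratch so a
        # repeated release attempt does not stack duplicate flags.
        t.flags = []
        if t.payee not in self.known_payees:
            t.flags.append("new_payee")
        sent_to_payee = sum(1 for r in self.released if r.payee == t.payee)
        if sent_to_payee >= VELOCITY_LIMIT:
            t.flags.append("velocity")
        return t.flags

    def release(self, t):
        """Return (released?, reason). Both layers must pass independently."""
        if t.amount > DUAL_AUTH_THRESHOLD and not t.approved_by:
            return False, "second approver required"
        if self.monitor(t):
            return False, "held for review: " + ",".join(t.flags)
        self.released.append(t)
        return True, "released"


def demo():
    """Constructed scenario: a routine payment beside an account-takeover-style one."""
    desk = PaymentDesk(approvers={"alice", "bob"}, known_payees={"Acme Supplies"})
    routine = Transfer("t1", 1_200.00, "Acme Supplies", initiated_by="alice")
    suspicious = Transfer("t2", 48_000.00, "Unknown Holdings", initiated_by="alice")
    results = {}
    results["routine"] = desk.release(routine)
    results["no_second_signer"] = desk.release(suspicious)
    try:
        desk.approve(suspicious, "alice")  # same session trying to self-approve
    except PermissionError as e:
        results["self_approval"] = str(e)
    desk.approve(suspicious, "bob")
    results["new_payee_held"] = desk.release(suspicious)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The design point is that each layer fails closed on its own: a large payment with only one signer never reaches the monitoring step, and a fully approved payment to a never-seen payee is still held rather than released. That is what "customers must buy in" means in practice; the controls only work if enrollment in the second signer role and the monitoring rules cannot be opted out of by the customer.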
The survey also shows that merchant breaches are a growing sore point for card issuers. Respondents note that merchant breaches and card-not-present compromises were most often to blame for card-related fraud within the last 12 months.
That's not a surprise. I've been writing about the retail breach trend for months (see MAPCO Express Sued Over Malware Attack).
And low-tech check fraud schemes still result in great losses, the survey shows. We talk a lot about sophisticated cyber-attacks, but we have to remember that some of the most archaic schemes continue to cause major losses.
As we sift through the final results, we'll have much more to reveal in the survey report we publish in the coming weeks.
For now, though, you can get additional analysis about the preliminary results in a survey webinar featuring industry experts. Participants are: Avivah Litan, an analyst for the consultancy Gartner; Nancy Guglielmo, who oversees the fraud reduction program for BITS, the technology policy division of The Financial Services Roundtable; and Troy Pugh of IBM's financial crimes unit.
The highlights they stress: Customers have to play a role in security, but relying too much on customer education is a mistake.
I'd like to pose this fundamental question: Why are banks failing to curb fraud losses, two years after the FFIEC issued its supplement to Authentication in an Internet Banking Environment? (See FFIEC Guidance: Has It Reduced Fraud?)
Some experts say it's because banks have been too focused on conformance, rather than security. If banks continue to rely on regulators' recommendations as their benchmark rather than their minimal requirement, they'll always be chasing the fraud.
But I'd like to know what you think. You can respond by posting a comment below.