Using Big Data for Fraud Detection
Why Mid-Sized Institutions Could Benefit the Most
Gartner analyst Avivah Litan says big data will be a hot item on every institution's mind in 2014. And mid-sized institutions may be in the best position to implement new data analytics technology, she says.
"They're just the right size," Litan says in the second part of a two-part interview with Information Security Media Group [transcript below].
"They're not too small, where they're dependent on a third party; and they're not too big, where it's really difficult organizationally" (see Gartner's Litan on Fixing Authentication).
Big data analytics is getting a lot of attention from institutions of all sizes, she says, but for many it is so far more talk than action.
During this interview, Litan discusses:
- Leading fraud trends for 2014;
- Layered security and technology challenges;
- How big data can aid fraud detection at mid-sized institutions.
At ISMG's 2013 Fraud Summit, Litan addressed these fraud topics in great detail. A video of her session is now available.
Litan is a recognized authority on financial fraud. She has more than 30 years of experience in the IT industry and is a Gartner Research vice president. Her areas of expertise include financial fraud; authentication; access management; identity proofing; identity theft; fraud detection and prevention applications; and other areas of information security and risk. She also covers security issues related to payment systems and PCI compliance.
TRACY KITTEN: From a technology standpoint, would you say that the systems that are available are up to par?
AVIVAH LITAN: That's a really tough question, because there's no shortage of innovative technologists that are doing interesting things. But when you talk to the banks, they can't find a good real-time fraud detection system that does what they need to do across transactions, across channels, and find fraud in real-time. There are vendors that have good statistical models and the ability to serve these banks real-time, but somehow it's not all coming together. Even if you've invested a lot of money in real-time fraud detection, the false-positive rates are too high and the detection rate is too low. I think the banks are really struggling to find a good real-time fraud detection system that works across different products and channels to do what they need to do.
Having said that, there's a lot of technology out there, these different layers we talked about, that do catch a lot of bad guys and are working. But it's a never-ending continuum of having to update, having to patch and having to integrate. If you put yourself in the shoes of a large financial institution, there are so many moving parts; there are so many organizations that have to cooperate; there's a lot of different siloed systems. Getting everything integrated and talking to each other is a big organizational process issue as well as a technology issue.
The solutions that are going to win are the ones that are really easy to put in, don't require much system integration, don't disrupt operations and can find fraud in real-time. Those are competing concerns and competing requirements. Today, I don't think you can find a solution that can do all that, that's easy to put in, no disruption, and can find fraud in real time. You talk about finding fraud in batch, you can put something in that meets that. Or if you just want to find malware on a desktop real-time, you could probably do that easily today. But if you're trying to score a wire transfer and correlate that with a call-center transaction and correlate that with a DDoS attack all in a split second, there's nobody out there that can do it today without a ton of work. That's on the high end in terms of how difficult it can be.
We're also seeing some of the smaller financial institutions that rely on third-party processors getting hit. It's really up to the third-party processors to spend some money and invest in better fraud prevention, and some are doing that better than others. At the big-bank level, [there's] lots of attacks, lots of organizational complexity and solutions that don't quite meet this real-time detection interest that they have. At the small-institution level, there's a lot of reliance on third-parties that aren't always that vested in finding the right solutions. Having said that, there's a lot of innovation and it's not all that bleak, but it's not an easy position to be in if you're a fraud manager.
Fraud Trends in 2014
KITTEN: What about fraud trends or fraud prevention for 2014?
LITAN: Let's talk about the trends and the solutions separately. Some of the trends they should be looking for in fraud include more social engineering of employees and customers, in person or on the phone, not just online; more mobile spam and phishing, targeting those mobile devices with spam, not necessarily account takeover malware, getting people to give away information using their mobile devices. I think there are going to be more attacks against VRU [voice response units], telephony banking and call centers.
I think we'll continue to see low-and-slow DDoS attacks for distraction purposes. I'm not a political analyst, and I can't tell if Iranians are going to be back at this point, but I can tell you DDoS is here to stay, and it's being used for distractions. It's the same with low-and-slow attacks of any kind: setting up new accounts, channeling through existing accounts and doing surveillance. We'll see more of that.
We'll see continuing attacks against all types of money transfers, not just corporate payments; for example, HELOC loans, transferring money from a line of credit for a home equity loan over to a bank account; ACH debits as opposed to credits, pulling money from someone else's account into your bank's customer account and then taking it out that way. That's just a summary of some of the trends.
In terms of the solutions, we get a lot of calls on identity proofing that's related to the KBA [knowledge-based authentication] issue we spoke about, and it's related to more than that. The know-your-customer processes aren't working as well as they should be, so there's a big hunger for better identity proofing on new accounts and also for high-risk transactions. I think we'll see a lot of innovation there and are already hearing a lot of vendors build up their data networks where they put attributes of information together so you can bounce an attribute up and see if it belongs to something that was fraudulent before. We'll see more consolidation in the industry in that regard. We've seen a lot of innovative web-fraud detection get bought by big companies. Since Oct. 31, 2012, four of the vendors I follow that were rated highly got bought up: Silver Tail Systems, Trusteer, Versafe and now 41st Parameter. These innovative vendors are getting bought up by the big guys; we'll see how that pans out.
With big data analytics and cybersecurity, [there's] a lot of talk about that to help banks find the needles in the haystack. I think there's more talk than action, but there's some action. ... The mid-sized banks are probably in the best position for implementing successful technology projects because they're just the right size. They're not too small where they're dependent on a third-party, and they're not too big where it's really difficult organizationally. It's more contained; it's just the right size. They have the resources and they're more likely to succeed at all of these projects. We'll see a lot more of threat intelligence emphasis, networks popping up with good threat intelligence that the banks can use, and continuing education campaigns for staff and customers. Along with that, I think we'll see more organizational alignment across the fraud, security and customer service units.
I also think we may see some revolutionary technology pop up this year where it kind of scrambles web code. I'm keeping an eye out for that. If you think about a lot of the online attacks, they're enabled because HTML code is in the clear and any bad guy can do some surveillance and figure out how your website works. Attempts to make that obfuscated are out there and I think we may hear about those this year.