07 June 2007

Risk Visualization: Enterprise Prevention...

When bankers start talking about how to reduce fraud and other critical operational risks across the institution, there is going to be plenty of debate. Where do you focus your resources and investments in order to get the best ROI and economic value? If you thought the pornographers were the leading edge of innovation on the Internet, a new breed of international criminals and corporate attackers has emerged at the top of the pyramid. Financial services organizations are taking an enterprise view of global risk prevention to try to keep ahead of these increasingly clever and technology-oriented crooks:

Fraud likely has been around in some form for as long as people have been using banking services. But while the crimes remain a constant for financial institutions, the methods for perpetrating them have become just as diverse as the products and services offered by banks. Today's financial institutions have to be on their toes more than ever to keep that one important step ahead of fraudsters.

This isn't easy in a world where fraud has become the domain of organized crime rings with vast resources that often are out of reach of domestic law enforcement. "We're seeing an increase in losses across all fraud types in the context of fraud rings being more organized and sophisticated with their use of technology," says Christopher Ward, SVP and manager, payables and receivables solutions, with Charlotte, N.C.-based Wachovia ($707 billion in assets). "But [banks'] ability to detect and stop losses is growing faster than the losses themselves."

"The bad guys are more ingenious today," adds Milton Santiago, SVP, head of electronic banking products, for ABN AMRO (Amsterdam; US$1.3 trillion in assets) in Chicago. "For example, in traditional check fraud, they'd wash the entire check and alter all the information on it. Once positive pay was introduced, criminals got wise to this and just modified the payee information. So banks responded and developed payee positive pay."

Having an enterprise view of holistic risk is the "Holy Grail," and some would say that focusing on the account rather than on the customer is the wrong approach. What is clear about the online evolution of fraud is that social engineering works for the attacker. Hardening all of the systems with two-factor authentication, or even IP geolocation, is just one part of a layered risk strategy:

The US Federal Financial Institutions Examination Council (FFIEC) has issued guidance stating that banks must better authenticate the identity of their Internet customers by the end of 2006. There are of course a number of possible solutions. These include shared secrets, security tokens, and even biometric devices. Many, however, are cost-prohibitive and can negatively impact customers’ online banking experiences. And crucially they all fail to identify one vital element: where the account is being accessed from. This is an important indicator of whether the person accessing an account really is your customer. That’s where IP geolocation comes in.
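One way to turn that layered view into a concrete control, as an added example (not code from the original post or from any vendor it mentions), is a login risk score in which IP geolocation is only one of several signals, so that a single spoofable indicator never decides the outcome on its own. The geolocation table, customer profile and login events are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed geolocation table (network -> ISO country). Real deployments
# use a commercial feed; the TEST-NET ranges below are labelled arbitrarily.
GEO_TABLE = {
    ip_network("203.0.113.0/24"): "US",
    ip_network("198.51.100.0/24"): "RO",
}

@dataclass
class Customer:
    home_country: str
    known_devices: frozenset   # device fingerprints seen before (constructed)
    usual_hours: range         # local hours in which this customer usually logs in

@dataclass
class LoginEvent:
    ip: str
    device_id: str
    hour: int                  # local hour of the attempt, 0-23
    second_factor_ok: bool     # did the token / one-time code verify?

def country_of(ip: str) -> str:
    """Resolve an IP to a country code; an unknown origin is itself a signal."""
    addr = ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return "??"

def risk_score(cust: Customer, ev: LoginEvent) -> int:
    """Add up independent layers; no single check decides the outcome."""
    score = 0
    cc = country_of(ev.ip)
    if cc != cust.home_country:
        score += 40 if cc != "??" else 25   # foreign vs. unresolvable origin
    if ev.device_id not in cust.known_devices:
        score += 30
    if ev.hour not in cust.usual_hours:
        score += 15
    if not ev.second_factor_ok:
        score += 70                         # a failed second factor alone blocks
    return score

def decision(score: int) -> str:
    """Map the score to an action: allow, step-up (extra factor), or block."""
    if score >= 70:
        return "block"
    return "step-up" if score >= 40 else "allow"
```

The thresholds are placeholders; a bank would tune them against its own loss history, and a geolocation mismatch alone only triggers step-up authentication rather than a hard block, which keeps travelling customers from being locked out.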

Working from within the walls of your institution, trying to figure out how to protect your assets and your customers, is a myopic strategy on its own. The attackers are moving too fast, and they have access to the same tools in their own labs, where they apply their own methods and processes to exploit the vulnerabilities in your latest applications. Now that you have spent millions implementing that new AML or fraud detection system, are you sleeping any better at night?

True strategic analysis of risk, and the convergence of the relevant data, make scenario development, proactive planning and open source intelligence an area that requires consistent attention. Simulating and evaluating possible physical and digital exploits that haven't even been detected yet could provide the proactive and preventive advantage you have been seeking. What is your latest hypothesis? Have you tested it effectively to determine the likelihood and impact of its success?

Training and practicing for the unknown and the unthinkable puts you and your team in a more resilient position to survive the next attack. Whether it comes through the front door, through the supplier's back door or through the copper wire into your customer's home or business office, detection is critical. Anticipation and deterrence are imperative.
