The Fraud Blog with Tracy Kitten

Fighting Fraud: Device Behavior Can Thwart Hacks

Fighting Fraud: Device Behavior Can Thwart Hacks

There's no headline data breach such as the Heartland Payment Systems incident so far this year. But that doesn't mean data breaches are going away - not by a long shot.

In fact, as of June, we're aware of 325 breaches, 39 of which involved financial services companies, that have occurred this year. Reported incidents have already outpaced 2009, when a total of 62 financial breaches were reported.

A number of factors feed this trend - cross-border collaboration among cybercriminals, an increase in skimming incidents and smarter, more insidious forms of malware, to name a few.

Clearly, it's hard for the financial industry to keep up. Layered security with enterprise-level perspectives is really the only way to combat the breach trend. Comparing and aligning fraud incidents that occur across different channels are good first steps. Yet many institutions are not even doing that. Instead, they rely on siloed transaction views that keep fraud detection and security practices in the Dark Ages.

Granted, investment in analytical tools is expensive. And I appreciate the balance between losses and investment. For many institutions, the scales have not tipped so far to the side of financial losses that investment in costly analytical tools is warranted. Yet.

But let's look at a story that posted earlier this week: Pay-At-The-Pump Skimming on the Rise. These attacks are becoming a serious problem for merchants and banking institutions, particularly out west. Just ask Chuck Groat, the vice president of bankcard risk management at Zions Bank in Utah.

Zions, which has over $50 billion in assets, has seen card compromises skyrocket. Over the past year, the number of counterfeit cards created from skimmed Zions' customers has increased 200 percent, and Zions has pinpointed pay-at-pump terminals as the sweet spot for criminals.

How did Groat and Zions figure out where cards were getting compromised? Software analytics.

In February, Zions discovered that 180 pay-at-the-pump terminals had been compromised with skimming devices. The bank tracked the points were the cards were skimmed using FICO Falcon Fraud Manager, an analytical product that has been on the market for years. Sixty-five percent of the world's credit cards are protected by Falcon, FICO says, and the product suite recently gained four additional patented solutions.

One patent that caught my attention relates to terminal behavior. This new feature extends what Falcon has done on the user profile side to terminal devices, such as the POS or ATM. Behavioral profiles for users have long been relied upon to track card fraud. Now, device profiles fall into the fold.

"We can rank how those terminals might be compromised in the future," says Mike Urban, senior director of fraud product management for FICO.

A profile is created for each terminal, and the system uses variables to recognize when the terminal is acting out of character. The system also ranks which cards are likely to be compromised or used fraudulently in the near future, based on the tied-together profiles of the cards/users, the merchants and the terminals.

"We can predict the likelihood of fraud taking place in the future at a certain location or at a particular terminal," Urban says.

Some of the other new patents are designed to detect specific types of fraud, and not just in the financial space. The financial industry has its battles, no doubt. But other industries are facing data breach challenges, too.

In fact, so far for 2010, breaches at commercial operations and within the healthcare industry and government have outpaced those at financial services institutions. Only 11.1 percent of the year's reported breaches have hit the financial industry. In contrast, 36 percent have hit business, 29.2 percent have hit healthcare and 16.9 percent have hit government and the military.

Maybe the financial space can teach these other sectors a thing or two. And maybe we all can learn something about fraud detection from the devices we use to transact business.

About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by, ABC News, and MSN Money.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.