I was reading an article about the Ramnit worm a few weeks back and a few things struck me about it. First of all, this worm is “old” technology – at least in the cyber war sense – that is evolving. It reminds me of a blog I wrote a while ago on polymorphism and the Zeus Trojan. At that time, I thought a common misconception was that once you find malware and take action against it you’re safe. It wasn’t so then and it isn’t so now.

Interestingly in this case, Trusteer, a provider of cybercrime prevention solutions, was the first to discover Ramnit’s merger with Zeus in August 2011. That tidbit combined with another point in the article about how Ramnit is being used to attack Facebook credentials is bad news. The article provided this quote to point out the danger: “Dave Jevans of the Anti-Phishing Working Group says stealing credentials from social-networking sites is big business. “We have seen...

Depending on which news report you read, sales on “Black Friday” and “Cyber Monday” were considerably higher than last year. What does that mean for the bank fraud investigator? More transactions to wade through! Right about now, bank fraud departments around the United States are working overtime combing through billions of transactions. Unfortunately, when volume increases, so too does the volume of fraud attempts.

When transaction volumes spike, any weaknesses in a bank’s fraud detection landscape are often magnified. That’s what the fraudster wants. The more stress the bank’s fraud department is under, the more likely it will be that fraud transactions will slip through.

You can’t do that much to control the volume, but you can capture the lessons learned when you and your team are pushed to the breaking point. Consider the following questions ...

With the new year here, I figured it was a good time to step back and take stock of our progress – as an industry – in the ongoing battle against fraud. A frank assessment: we could be doing a lot better.

Sure, there are always improvements that can be made to the organizations, processes and technologies that must come together to solve a complex issue like fraud management. But I think the more important barriers our industry faces are more fundamental and structural in nature. Specifically, I see the following:

The Boiling Frog
Our industry’s slow reaction to the growing, morphing fraud problem makes me think of the boiling frog phenomenon. If you haven’t heard of it ...

In most college towns, this is the time of year when swarms of U-Hauls and overstuffed cars bear down onto college campuses. Students will settle into their dorms and likely kick off their social lives before their classes even begin. The funds that they have for day-to-day expenses will begin to run low, and students will look for ways to supplement their income. This is prime opportunity for fraudsters to seek out and prey upon students.

Given that, we can deduce why college campuses are a ‘hang out’ for fraudsters - because students are easy targets. The sheer volume of students makes it easy to recruit vulnerable, needy, and/or naive students. I find it interesting that the scams have not changed much since I was in college. Scams relating to fraudulent grant letters, credit cards applications, work from home, check cashing and the ever so popular ATM card scams are still thriving. It is still common for fraudsters to not only pay students to pass bad checks through their accounts for nominal compensation, but also to ...

In the July 1 column of “The Ethicist” in The New York Times, I came across this concern posed by an unnamed CFO of a financial services company:

“… I found our bookkeeper using the corporate charge card for her personal use. The misappropriation was approximately $47,000 over a six-month period. She forged a partner’s signature to acquire a card in her name. We fired her, and she paid back the funds in exchange for our not pressing charges. But I cannot get closure if she is not punished for this egregious betrayal. I recommended that we call her husband, as I think family humiliation would be punishment enough. Would this be ethical?”

What I find interesting here is that the question posed by the CFO was not about whether or not the agreement was ethical, but whether or not revenge was ethical. And it seems like the columnist was on the same page. In response to this query, the columnist first reminded the CFO that the financial services company had agreed to sweep the issue under the rug as long as the perpetrator repaid the money, and the CFO’s revenge-seeking was not only against the ‘agreement’ but also inappropriate. Then the columnist writes, “I have to wonder, meanwhile, about a financial-services company that allows someone to steal and then to just stroll off to the next company to do it again.”

Now, this point raises some serious questions. Did the financial institution ...

It seems like yesterday when I first saw an ATM and had to be taught how to use it. When my bank sent the piece of plastic to me called a debit card, I was ever so hesitant to use it. And forget about online banking; my fraud investigations experience would in no way enable me to use my computer to perform my banking transactions. For baby boomers like me, we have seen a dramatic shift in the way we perform our banking, especially with online and mobile banking. It appears that the face of banking is an ever changing frontier. From a consumer’s viewpoint, all of these changes make things easier. But as a fraud professional, I am very nervous about the implications.

With this evolution in the way we do banking comes new threats. Modern trojans and viruses that may infect not only our computers but our mobile devices are alive and thriving. Just as I graduated from my old flip phone to my new high tech smartphone, I heard about a variant of the ZeuS Trojan that runs on the Android phones. According to researchers ...

In a recent Bank Fraud Forum blog post, Discussing Multi-Factor Authentication, Shirley Inscoe stated that cross-channel fraud detection enables the analysts "...to see the complete picture with regards to a customer or account, and detect suspicious events that would otherwise result in losses...” Having been an investigator as well as a manager of a cross-functional fraud team for over 2 decades, I could not agree more.

However, it must be said that even if you provide a holistic picture of fraud to the analysts, it does not do them - or your customers - any good if they are not skilled in investigating and properly mitigating cross-channel fraud alerts. For those who have worked fraud over multiple channels, there are varying rules and regulations that may entail some compliance issues, including Reg E, Reg CC, UCC Articles 3 and 4, Reg J, Check 21, Clearinghouse Rules ...

When most people think of data breaches, they think of the big headline grabbers like Hannaford, Heartland, and TJ Maxx (now disappearing into the distant past, but dredged up every time a big one like Heartland occurs). There are many more, but you get the point. The naïve view of breaches is that they are accidental most of the time, but that notion should have been dispelled by the overwhelming evidence that breaches are often times the result of a premeditated attack. We have seen that these data breaches do result in fraud, sometimes quickly and sometimes as much as two or more years later.

Why can the fraudsters wait so long? Because there is a ready supply of personal data to be had in the fraud underground, a veritable secondary economy with producers, brokers, and buyers.

This ready supply is fueled not just by the “biggies”, but also by a host of largely unreported breaches of various sizes. More often than we care to imagine, these breaches are ... 

Near field communication (NFC)¹ is here to stay, according to new analysis by Frost & Sullivan, which states that NFC-enabled mobile phones will reach 53% of the overall mobile phone market, or about 863 million units, by the year 2015, as well will be the chosen method for mobile payments. To me, this is somewhat disconcerting because 2015 is not that far away, and consumers already use NFC payment devices. I wonder how much training is going on around investigating money movement within the NFC space?

Read full blog

I recently read an interesting article on AmericanBanker.com entitled, Defending Your Brand 2.0: Rapping w/readers, 140 characters at a time, by Sara Lepro. In her article, Sara demonstrates the need for financial institutions to insert themselves into social media conversations in order to have more control over the ‘chatter’ and ultimately to protect and defend their brand.

Historically, banks have been concerned about negative customer experiences and the impact of customer churn, especially when it comes to customers becoming victims of fraud. With the evolution of Facebook, Twitter and other social media forums, negative feedback is not only accelerated but many times exaggerated, thereby making it more of a challenge for banks to protect their brand.