What do soccer (or football, if you prefer) and fraud have in common?
Javelin Strategy & Research's James Van Dyke recently wrote an interesting blog post: "Security research: without study of fraud it's like analyzing soccer/football but excluding the part about scoring." An outtake, which offers a pretty good summary, is:
"Identity fraud crimes necessarily involve a pair of separate acts, yet because they are so rarely understood in tandem the criminals have an ongoing advantage. It's almost as if we were studying game film of moving the ball downfield, without ever looking for a correlation with what is more likely to put the ball in the goal! A substantial amount of quality information about the pattern of data exposure (crime number one) comes from security-sector firms, yet because this information is generally analyzed in isolation from the follow-on transactional fraud (crime number two) the practical value of such information is severely limited."
I couldn't agree more about the need for a holistic approach, but I might break things out a bit more. He cites account takeover as a type of transactional fraud, but I would argue that it's another step in what is often a 3-step process – data exposure followed by account takeover followed by transactional fraud. The last one, notably, is where the financial loss occurs. A good example making headlines these days is ACH fraud on commercial (often small business) deposit accounts. A typical scheme: criminal surreptitiously obtains online banking credentials (data exposure), logs into the account to have a look around and make sure it's a good target (account takeover), and then originates an ACH payment (transactional fraud) to one or several "mule" accounts established at other institutions.
An ideal defense to threats like these involves – as Van Dyke writes – a holistic approach, with counter-measures at all three steps. What makes this difficult is that most of the time the first two (data exposure and account takeover) fall into the world of IT security, and the last (transactional fraud) is the responsibility of the fraud or loss prevention group. If these two groups don't communicate or work closely together, a holistic approach to fraud prevention will never happen, and technology can help to bridge that gap.
As an industry analyst, James is concerned about a lack of research that also takes a holistic approach. My guess is that research analysts align similarly to how many financial organizations are organized – some focus on IT and IT security, and others on business/loss prevention. But rarely does an analyst serve (and therefore understand) both groups simultaneously.