Polymorphism and the case for transaction monitoring
Poly what?! While doing research for a presentation on cyber-threats in relation to ACH fraud (I highly recommend that fraud professionals bone up on this topic, since the nexus between fraud and on-line security is becoming so strong – watch for a post with reading suggestions), I came across the concept of polymorphism, and it scared me. Here’s why…
Polymorphism as defined by Merriam-Webster is:
“the quality or state of existing in or assuming different forms: as a (1) : existence of a species in several forms independent of the variations of sex (2) : existence of a gene in several allelic forms; also : a variation in a specific DNA sequence (3) : existence of a molecule (as an enzyme) in several forms in a single species b : the property of crystallizing in two or more forms with distinct structure.” Merriam-Webster Online Dictionary
As you can see, it is a well-known term for biologists, chemists and other scientists, but it’s the meaning related to cyber fraud that is scary. It is applied to malware, most notably trojans, and in particular, for our purposes, banking trojans (see, we even get our own classification). A polymorphic trojan is one that changes its “signature” every time it is generated. Why is this important? Because anti-malware software works by identifying a trojan, determining its signature, putting a detection routine in the anti-malware software, and getting all clients to update their copies.
See the problem?
Malware detection companies have always had to play a game of catch-up. Detecting malware first requires that you find it. Who knows how long it has been doing damage before you do. Then you have to do the other things I mentioned above, all of which take time, while the malware continues to wreak havoc. In the past, malware has been static: once it’s out there, its signature stays the same. But with polymorphic trojans, the rate at which new, as-yet-undetected variants appear increases significantly.
The Zeus banking trojan is an example. Last December I went to a presentation by Laura Mather, Ph.D., a well-known personality in information security circles. It was called “Dissecting Zeus the #1 Banking Trojan”, and at that time she reported, as I recall, that there were at least 310 variations of the Zeus trojan. I shudder to think how many exist today. She also said that only 37% of anti-malware software detected the version her company was infected with (yes, her company), and they are security professionals! I didn’t understand it at the time, but this is because of polymorphism.
So what’s the moral of this sad tale?
Do all that you can to bar the front gate, but be sure to be watching what is going out the back door.
What I discovered, or rediscovered, is that on-line security is a sophisticated and ever escalating war. It is critical that you keep up to date, because every round ups the ante, and if you don’t do everything you can, you will be more vulnerable and overwhelmed. Once a bank decides to get into the on-line banking game, and we pretty much all have, there’s no going back or getting off the on-line security train. Watching what goes out the back door, of course, refers to looking at the transactions that your “customers” are generating, such as ACH file origination and wires. Do they make sense, or do they deserve some attention from your fraud team?
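One concrete way to “watch the back door”, as an added example that is not part of the original post: score an originator’s new ACH entries against that originator’s own history and flag anything a fraud analyst should look at (a receiving account never paid before, an amount far above the usual, a submission outside business hours). All account numbers, amounts, dates and the 3x threshold are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median

@dataclass
class AchEntry:
    originator: str     # the bank customer originating the entry
    receiver_acct: str  # receiving routing/account; constructed values
    amount: float
    submitted: datetime

# Constructed history: one corporate originator's routine payroll credits.
HISTORY = [
    AchEntry("ACME-PAYROLL", "999999999-1001", 2400.0, datetime(2010, 2, 5, 9, 15)),
    AchEntry("ACME-PAYROLL", "999999999-1002", 2450.0, datetime(2010, 2, 5, 9, 15)),
    AchEntry("ACME-PAYROLL", "999999999-1003", 3100.0, datetime(2010, 2, 5, 9, 15)),
    AchEntry("ACME-PAYROLL", "999999999-1002", 2450.0, datetime(2010, 2, 19, 9, 20)),
    AchEntry("ACME-PAYROLL", "999999999-1003", 2500.0, datetime(2010, 2, 19, 9, 20)),
]

# Constructed new batch: one routine credit plus two that look like a takeover.
NEW_BATCH = [
    AchEntry("ACME-PAYROLL", "999999999-1001", 2450.0, datetime(2010, 3, 12, 9, 30)),
    AchEntry("ACME-PAYROLL", "123456789-9901", 9800.0, datetime(2010, 3, 13, 2, 10)),
    AchEntry("ACME-PAYROLL", "123456789-9902", 4900.0, datetime(2010, 3, 16, 10, 0)),
]

def baseline(history):
    """Summarise what 'normal' looks like for this originator."""
    return {
        "known_receivers": {e.receiver_acct for e in history},
        "typical_amount": median(e.amount for e in history),
    }

def review(entry, base, ratio=3.0):
    """Reasons this entry deserves the fraud team's attention; empty means routine."""
    reasons = []
    if entry.receiver_acct not in base["known_receivers"]:
        reasons.append("new receiving account")
    if entry.amount > ratio * base["typical_amount"]:
        reasons.append(f"amount {entry.amount:.2f} exceeds {ratio}x typical {base['typical_amount']:.2f}")
    if entry.submitted.weekday() >= 5 or not 8 <= entry.submitted.hour < 18:
        reasons.append("submitted outside business hours")
    return reasons

def review_batch(batch, history):
    """Map each flagged receiver account to its reasons, for analyst review."""
    base = baseline(history)
    return {e.receiver_acct: r for e in batch if (r := review(e, base))}
```

Calling `review_batch(NEW_BATCH, HISTORY)` leaves the routine payroll credit alone and flags the two new receivers, the larger of them on all three counts.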
Let The Chips Fall Where They May
I recently returned from the BAI Combating Payments Fraud Conference, held earlier this week in Florida. As usual, the highlight for me was the opportunity to talk to many industry professionals (bankers, vendors and consultants) about the latest trends in bank fraud and fraud prevention.
At the Bank Fraud Forum and Memento booths, we invited visitors to take part in an informal survey that we called “Which Fraud Threat Costs You the Most?”. The purpose of the survey was to gauge where banks are investing their fraud prevention resources. Each visitor was given 10 poker chips, and told to place them in any of 6 glass jars labeled by the following fraud areas – ACH, check, debit/credit, employee, online and wire. Their task was to allocate the chips according to the fraud area that costs their institution the most in terms of resources (people, technology, time, etc.).
More than 75 bankers and fraud professionals participated in the survey, and the results are shown in the photo below.

To be honest, these results were striking, but not all that surprising. Check fraud is characterized by never-ending attempts and significant losses. High false positive rates mean check fraud alerts require armies of analysts at the big banks, or take up way too much of the fraud team’s day at smaller institutions. And so check fraud continues to dominate the bank fraud landscape from a resource investment, operational expense and opportunity cost perspective.
While the outcome is admittedly unscientific, the survey results do seem to validate what we’ve been hearing from banks and credit unions for a long time now… the industry needs better approaches for solving this longstanding problem.
How would you allocate your chips? Do the results from BAI surprise you? Please share your thoughts.
If you are interested in On-Us Fraud, sign up today for Memento’s webinar on March 25th!

ACH - Rolling The Dice Or Investing In Prevention?
Most banks and fraud experts agree that Automated Clearing House fraud (ACH fraud) results in large part due to the customer’s failure to protect their data and then appropriately monitor and reconcile their account activity. Certainly, the customer can, and should do more to protect themselves against ACH fraud. Many of the steps needed to reduce a company’s exposure to ACH fraud are not all that complex. For example, ensuring that employee passwords are changed frequently, as well as reconciling accounts (ideally on a daily basis) can go a long way to reducing ACH fraud risk.
Given the state of the economy, most companies are focused on survival, not on building in layers of security against a fraud that may or may not happen. Just like with many types of fraud, until the probability of fraud losses is sufficiently high, companies will continue to “avoid the bullet” that may be coming their way.
If customers are not feeling a sense of urgency, or are unable or unwilling to increase their defenses around ACH fraud, are banks filling the void? Well, the answer is “it depends”. I recently visited ten job boards (monster, hotjobs, etc.) and entered “check fraud” in the search terms. The list of results was often 3 to 4 pages long. I did the same for “ach fraud” as well as “wire fraud”. The results were far less impressive, typically did not exceed 1 page, and included fewer than 5 jobs. Does this mean that ACH fraud is not a priority for banks? I am not sure, but the lack of jobs with ACH fraud as a component is certainly interesting. It could be that banks roll ACH fraud under check fraud and choose not to detail it in a job description. Maybe, but that also implies that ACH is not “top of mind”…
From my experience, “big banks” are well aware of the threat and have staff dedicated to ACH fraud detection. Mid-sized banks are hit or miss. Some recognize the threat and have dedicated resources to combating ACH fraud. Others don’t really know how to approach the problem and seem caught in a “no man’s land” – the losses are large enough to justify concern, but not large enough relative to other loss types to justify action.
In either case, ACH fraud is a hot topic these days and one that Bank Fraud Forum has devoted significant coverage to. Below are some additional articles that I encourage you to read for more information if you are interested.
Does your bank have investigators dedicated to investigating ACH fraud? Are they tasked with both ACH and wire fraud? If the volume of ACH fraud continues to climb, can you easily re-task those investigators from check fraud? What tools do you use to detect ACH fraud? Is ACH fraud even on your bank’s radar?
My Thoughts After Reading Insidious
Bank Fraud Forum would like to welcome guest blogger Tom Chmielewski, VP Product Management at Lexis Nexis. Tom shares Bank Fraud Forum’s belief that open discussion and collaboration ultimately lead to improved fraud detection. He recently finished reading Insidious and had these comments.
Using Kiting Systems To Improve Customer Relationships
I previously wrote an article on check kiting and promised a follow-up entitled, “How banks can use their kiting system to improve customer relationships”. Well, here goes.
Under Attack: Threats to Deposit Accounts
All fraud fighters attending the upcoming BAI conference have the opportunity to attend a great preconference session which will cover the major threats that deposit accounts face daily. A number of industry experts have committed to cover a wealth of information, and all BAI attendees are eligible to attend!
Check Kiting
The ABA in part defines check kiting as “the process of floating worthless checks between accounts established in two or more banks.” I personally like the FBI’s definition:
Mining Fraud News
I’d like to share a resource that I find valuable in my day to day work, and I hope you will, too. The resource is the Fraud News section of Bank Fraud Forum. I suspect that some of you are familiar with this section of the site, but not everyone. And even if you are familiar with it, there might be additional uses of the information that can give you more value. Here are some of the ways that I and others in the industry use fraud news.
Managing Data For Better Fraud Detection
In previous posts, we have discussed data in terms of its value and its characteristics. In those posts we have touched on data management, but I’d like to focus on it more. Mike Braatz characterized data as the bedrock of “enterprise software in general, and fraud prevention in particular”. If data is the bedrock, then data management is the foundation.