Episode

September 20, 2018
Fraud Miniseries Part 1
It’s A Scary World Out There
Eric and co-host Garrett talk us through the scary facts of fraud, and provide a glimpse into upcoming episodes. From fraud-as-a-service to commoditized fraud, the fraud marketplace is growing and the bad guys have some significant advantages in the field.
Eric: [00:00:30] Today we’re going to be covering the fascinating progression of an age old business model: fraud. Welcome to the Finance Frontier, a podcast covering the bold, brave and brainy topics within the realm of financial technology firms, banks, and all up financial services. Joining us in the studio today, is one of our producers Garrett Stevens. Garrett has been knee deep in analyzing fraud within the financial services industry for the last six months. Welcome Garrett.
Garrett: Thanks Eric, glad to be here.
Eric: [00:01:00] Glad to have you. So, you and I have had the opportunity over the last couple of months to delve into the topic of fraud. We had the opportunity to do a webinar together. Today we’re gonna dive in a little more detail, and talk really kind of about the progression of fraud, and how it’s come about. But, I think the other day we were talking, you had some pretty fascinating overall statistics of kind of, just some numbers about where fraud has come over the last couple of years.
Garrett: Yeah, fraud has grown exponentially, it is rampant, and not just in financial services, but rampant across the board, but in the financial services industry in particular we’re seeing this exponential growth, you know. Two hundred thirty five million records breached in 2017 [1], and the impact to consumers alone was 16.8 billion dollars in financial services, and that’s just consumers, I mean it is a huge problem. [2]
[00:01:30] Eric: Yeah that doesn’t even include the institution, I mean those numbers go even higher than that interestingly enough, as they’re trying to combat fraud.
Garrett: Oh yeah, and that’s just direct financial impact to consumers, that doesn’t take into account the costs that the institutions are incurring as they go to fight fraud, the losses that they’re writing off, it’s a really significant financial problem.
Eric: [00:02:00] And that’s really something we’re gonna be kind of address in this miniseries I guess of fraud that we’re gonna be talking about with some of our guests coming down the road, and today even a little bit, about how not only how fraud is affecting both the consumer and the institution, but how to go about combating that.
Garrett: Yeah, definitely topics that we’re gonna address, but, you know, I think it’s important to take a step back and try and understand, how did all this come about, I mean, that’s a little bit of a snapshot of the state of the union, but, how did all this fraud get started?
[00:02:30] Eric: An interesting book I was reading a couple months ago about the history of fraud, you remember back when there was a snake oil salesman that would pull into town in his buggy with the horses and he had a number of remedies that he would pull out, have his faithful assistant and they would sell to the local town. Remedies for a head cold, whatever it may be.
Garrett: [00:03:00] You bet, yeah, going from town to town, selling their snake oil. Which, obviously didn’t actually help fix anything, it was just a way for those guys to make some money and then skate on out of town.
Eric: Right, it was that first concept of, you know, the typical what we call today shyster or conman, if you wanna call it that.
Garrett: (laughs) Sure, sure.
Eric: [00:03:30] Well, so, you know it’s come a long way since then, I think when interestingly enough, it also talked a little bit about the first time that the federal government got in in regulating fraud, and that came about near the end of the 1800’s and it actually started with mail fraud, interestingly enough. Which was the first time that it went outside of the sort of physical aspect of selling something and really went broader than that, which, as we have moved into the digital economy, we have seen that growth be exponential as we talked about earlier.
Garrett: [00:04:00] Yeah, I think that’s important to note, you know, it’s no longer something that a snake oil salesman has to be in your town, and you have to walk down main street and be interested in what they’re doing, I mean, the digital economy and the change in the channels that both consumers and financial institutions are using are increasingly digital, they’re going right to a phone, it’s something that everybody has, some people have two of them. So it’s made it a lot more easy for fraudsters to kind of dive in and have a personal impact on you, or me, or anyone of our listening audience, without having to be physically present.
Eric: Well and it’s interesting that, you know, if we go back to that example that we’ve talked about with the snake oil salesman, let’s call him Henry …
Garrett: I like it.
[00:04:30] Eric: [00:05:00] And (laughs) Henry has actually begun his own business now, it’s become not only just a small business interestingly enough anymore, it is a full blown enterprise. Henry has taken his entire model and put it online, to a point where, you don’t have to be a hacker, you don’t have to have that technical knowledge, you can literally go be a part of Henry’s business and create the model of fraud however you want, whether it’s buying data, whether it’s actually implementing a fraudulent attack, whatever it may be. So it’s really come full circle now, where, Henry and his business are actually competing with other businesses out there.
Garrett: [00:05:30] Yeah, that’s scary. And when you look at the volume of dollars going into that, and the volume of records breached, there’s a lot of money to be made, billions of dollars, so there’s a strong financial incentive for someone who’s criminally minded to step in and adopt, maybe become a franchisee of Henry. I think you have some really interesting information about how fraudsters are kind of hiring other people, or making their services available.
Eric: [00:06:00] Yeah, so you can take it to the next level of fraud as a service. Or as a platform per se, where, you know, you can go onto the web now and you can hire these services, you can hire platforms, you can hire bot attacks, you actually, to the point of hiring hacker rings to go out and create some of these attacks. One of the fascinating things recently is the fact that some of these hacker rings are reporting that they’re so busy, they can’t even keep up with the demand.
Garrett: Hmm, that’s scary.
Eric: And one of the other things I heard the other day, or was reading about the other day, was service level guarantees, on some of the things that you purchase. So if you’re purchasing data, that might be a credit card number or whatever it may be, and it’s not real data, you can actually get your money back.
[00:06:30] Garrett: [00:07:00] Wow. And it’s not like it costs a lot of money to purchase these things, I mean, you can buy a social security number, a stolen social security number, for a dollar. One dollar. I don’t even think you can buy a hamburger for that kind of money anymore. But, you can get online payment services logins, anywhere from twenty to two hundred bucks, credit or debit card numbers, those are cheap, five, hundred dollars, somewhere in there. If you want that actual validation number, that three digit code, that’s gonna cost an extra five bucks. Bank info, fifteen dollars. Medical records, now that seems to be a pretty lucrative channel for fraudsters, anywhere from one to a thousand dollars, but when you think about the kinds of fraud that you could do with somebody’s full medical records, it starts to look appealing, as a criminal. [3] So, understanding the availability of that, what people are willing to pay for it, I think that’s a pretty important thing to keep in mind.
[00:07:30] Eric: So, one of the things Garrett that we talked a little bit about was Henry, the snake oil salesman.
Garrett: Yep.
Eric: [00:08:00] [00:08:30] And, I wanna come back to Henry, one of the things that’s fascinating towards the business of fraud has gone, I spoke on a panel a few months back with a gentleman who ran the fraud department of a large financial institution in the states, and he talked about how many of these fraud rings have for years been getting their people hired into organizations. So that, no longer is it just the young teenager in a basement that’s trying to start up a hacking business, or a group of people trying to steal credit card numbers, you may find there’s a disgruntled employee that comes out and, just angry at an organization, and wants to do an attack on an organization, and these rings have almost sleepers that they can wake up inside the org. And that to me, it’s so dangerous, how in the world does an organization fight against something like that?
Garrett: [00:09:00] Yeah, I have no idea, I mean, that’s not the sort of question that I’ve ever been asked in an interview process, have you ever been asked that? (laughs) Or are people even asking that? I don’t know how you fight it, I think there are a number of tactics companies can employ to help fight the online fraud that they’re seeing, there are a number of different solutions out there but when you’re talking about the human element, that becomes a lot more difficult to really wrap your head around, and be able to identify and stop, so, I don’t have a good answer for that.
Eric: [00:09:30] Yeah, and so I think, you know, the expense of trying to combat fraud is not only from within interestingly enough in your internal systems, but also externally. Let’s break off a little bit and talk about some of those external ways that organizations are trying to fight against the Henrys, or the snake oil salesman of the world. And it really comes down to, I think a lot of financial technology firms now that have newer technology, they’re focusing on different types of data breaches, and fraudulent breaches, and so it’s gone past the types of things like biometrics, or thumbprint scanners, or eye scanners, which I know have been in the market for a year or two now, not all devices have them, but it even goes further now, doesn’t it?
Garrett: [00:10:00] [00:10:30] It does, yeah, it goes a lot further than that, I mean, some of the tactics that financial institutions are using to help fight fraud are really born of the evolution of the tactics that fraudsters are using. And, you know, I think it’s really important to note that the vast majority, ninety percent of financial institutions are extremely worried about fraud, and evolutions in fraud. Things like, artificial intelligence, things like compromised biometric information. Those are very difficult to combat, and so putting in place things like behavioral biometrics, or, using artificial intelligence internally at the institution would be how banks, financial institutions, fintechs, how they can help fight fraud from their side.
Eric: [00:11:00] [00:11:30] You know, you bring up artificial intelligence, which is a term that we’ve all been hearing in the market recently, you know, robots and that kind of new development that’s happening, and what’s incredible to me is as artificial intelligence is being implemented to combat fraud, on the front end of an institution, the fascinating part of this like anything else, is that the fraudsters are now developing their own AI to address and fight the AI that’s being created by the institution, which again, just comes back to that age old saying of what comes up must come down. I don’t think that’s gonna happen with fraud anytime in the near future, you talk about the number of breaches that have occurred, I think those breaches are going to continue. I know Marissa Mayer had mentioned, who was the CEO of Yahoo, mentioned that it’s no longer about if your data will be breached, it’s really about when your data will be breached.
Garrett: [00:12:00] [00:12:30] Well and, it’s important to know too that even with breaches, the impact of that you might not see it immediately, so we had, you know, two hundred thirteen million records breached in 2017. [4] Of those, I would be willing to wager that far less than half are seeing direct and immediate fraudulent activity. Fraudsters will often time hold onto that information for two, three, five years, before they go and try and commit crimes with it. So you as a consumer, or a financial institution might be aware of a major breach that happens, but, you might not see any impacts until three or four years down the line after you’ve forgotten about it, and that kind of continuous news cycle, and then all of a sudden it’s there and something that you have to deal with. And so that’s important to note too that the actions happening today, might start to drive impacts down the line.
Eric: [00:13:00] Well and that’s a great point when you look at those, the ramifications of those breaches, when someone uses that data to hack into or get inside an organization, the problem is is a lot of time an organization won’t know it’s fraudulent for months, if not years, before that payback occurs, or is necessary, and doesn’t happen. That’s when they finally find out, and so I think you’re right, it’s gonna take years before those implications come to market.
Eric: [00:13:30] So as we talked a little bit about combating fraud, as Henry, again, coming back to sort of our theme of the snake oil salesman, has gone down the digital path. That is going to continue in society, moving more towards mobile interactions with your bank account, with institutions. I think web traffic on computers is decreasing dramatically, and it’s increasing at exponential rates on more of mobile devices.
Garrett: Mm-hmm (affirmative)
Eric: [00:14:00] And I think as we see that, one of the statistics that was fascinating to me just in the first quarter of 2018, almost eighty percent of fraudulent ecommerce transactions, came from new devices or burner phones. [5] And so, as we move to that digital transaction, as we’re seeing more of those transactions from an institutional perspective, be fraudulent, combating this is going to be more difficult. So how do we go about really looking at using some of the technologies that are out there to combat the Henrys of the world?
Garrett: [00:14:30] [00:15:00] Yeah, that’s tough, I mean when you’re looking at increases in volume across the board, and you’re looking at what, for all intents and purposes, appears to be a genuine transaction, but just a new one, it becomes quite difficult. Fortunately, companies are figuring out some pretty good solutions for that, I mean, their typical, you know your customer and anti money laundering things that banks will follow as part of their overall process, but there are also new solutions, new ways for institutions to tackle that idea of fraud. Things like geo fencing, understanding where a phone is coming from, if you know that there’s hotspot of activity in central Asia, maybe you really examine the transactions coming out of that environment. Things like, biometrics, using fingerprints, using iris scans, those types of things. Now that’s very sensitive information and if you’re housing a database full of fingerprints, or iris scans, that’s a pretty attractive target for a fraudster too, but, there are other things like behavioral biometrics. You were telling me just the other day about some information that you had uncovered on behavioral biometrics.
[00:15:30] Eric: Yeah, you know, one of the things with biometrics or, let me take a step backwards, as you talk about all of these different types of activities to fight fraud. I guess where it came up with behavioral biometrics is some of the newer technologies that are out there, is how do we increase the institution’s ability to fight fraud, but not impact the customer, and that’s one of the things, and increasing the friction in that customer journey, right, when I’m …
Garrett: That’s a big deal for customers.
[00:16:00] Eric: Yeah, when I logon to my phone, I don’t wanna have to go through nine different steps to get into my account, I want it to be easy and I want it to be fast.
Garrett: Yeah.
Eric: And that’s where behavioral biometrics comes in. It’s about how do you behave on that device, you behave differently than I do for instance.
Garrett: No doubt.
Eric: And now that they’re starting to have these artificial intelligence engines that can basically see that, that can manage that and say hey, this is really the person that’s supposed to be involved in this account.
Garrett: Mm-hmm (affirmative)
[00:16:30] Eric: And so that’s one of the newer ways of doing this but, to decrease that sort of overall friction in the customer journey, one of the things that, I think we’ve talked about a little bit is really layering, and that’s what institutions are having to start to look at, is how do they layer these different types of fraud combatant technologies without creating friction in that customer journey.
Garrett: [00:17:00] [00:17:30] Or, layer solutions to create friction, when they need to. Right? Maybe a flag goes off in that first layer, another flag goes off in that second layer, and all of a sudden they say hey, we need to hit the friction brakes, this looks like it could be fraud. So, understanding how to get those views, and when it’s appropriate to increase friction, I agree, I don’t wanna have to do anymore than necessary to login and manage my financial life, but for an institution it makes a lot of sense to be able to put those different pieces in place, and then use those flags or those check marks to either hit the brakes, or streamline the customer experience.
Eric: [00:18:00] And I think sometimes it’s also gonna be a case of education, you know. I don’t know about you, but I’ve actually been hit recently with fraudulent behavior on a credit card, where the bank had to shut that card down and I immediately got a little frustrated but at the end of the day they were protecting my money, they were protecting my identity. And so, I think as education enhances for both the customer and the institution, it’s gonna be important that both understand that this activity is going to get worse, and they’re gonna have to continue to fight it some way.
Eric: [00:18:30] [00:19:00] [00:19:30] So I wanted to wrap back around Garrett to Henry, our snake oil salesman who sold his buggy, sold his horses, no longer needs to invest in that kind of technology anymore, no longer has to travel to these towns. With the digital realms he’s created an enterprise business worth billions of dollars, and we have sort of gone through where fraud has come. The interesting thing is where’s it going? We’ve heard terms of blockchain, we’ve heard artificial intelligence, and as we move, or as technology continues to move, more and more rapidly, quicker, so as it develops you know in the next year, we’re going to see more development of fraudulent activity that has taken place over the last year. And as we’ve seen moves into those with cryptocurrencies, for instance, we’re seeing some organizations out there starting to develop new technologies to combat different types of fraud, as those fraudulent individuals are also increasing their technology. So, I think over the next year it’s gonna be very interesting to see where this business goes, and see the different types of ways that both technology firms and companies combat.
Garrett: [00:20:00] [00:20:30] Yeah, it will be interesting, I mean you’re talking about some pretty heady stuff, I was reading an article earlier today about how IBM and a number of financial institutions are investing in blockchain initiatives, the distributed ledger technology to put it to a practical application in financial services. I think it’s also important to remember, we’re still seeing check fraud. People are out there, they’re able to make fraudulent checks happen, get paid on that, but, to your point, the digital channels, the changes in how consumers are interacting with financial institutions, the changes in how financial institutions are managing their business, it’s going to change. And, you know, as long as fraudsters are able to be successful with something like check fraud, that will exist. Those are, you know, there are pretty standard, time tested, and proven methods for fighting that. Fraudsters are going to exploit new technologies, and that’s how banks and other institutions are going to improve is having to deal with that unfortunately, but you mentioned it earlier. What goes up must come down, that just doesn’t hold true with fraud because there will be more channels, and there will be advances in technology that make it easier for fraudsters to exploit things happening at those institutions.
[00:21:00] Eric: And I think that’s a great point, I mean, age old methods of fraudulent activity occur to this day, and at billions of dollars of damage still. So I think one of the big things that is coming out of this is that if firms aren’t investing in combating fraud, they’re gonna be at a disadvantage. And very potentially are going to have a struggle in being successful down the road.
Garrett: [00:21:30] Yeah, well you know you mention a couple of things, we talked a little bit about the implications of those technology changes, things like blockchain, the proliferation of devices. We’ve got a couple of guests coming onto this podcast who are gonna address those topics in particular.
Upcoming Guest: If any of us are, about to, you know, cement in a set of tools and practices for the next five or ten years, we’re making a big mistake. Because fraudsters will change on a dime.
Upcoming Guest: [00:22:00] We’d always get together after work and go and do our gambling, and then, it got a little out of control. And then, we’re like, wow, where we gonna get the money to cover these checks? (laughs) Everybody told me, oh no you’re not going to prison, don’t worry, you’re not going.
Eric: All that and more on the next few episodes of the Finance Frontier.

Citations:

  1. Gemalto, & Breach Level Index. (2018). 2017 The Year of Internal Threats and Accidental Data Breaches (p. 11, Rep.).
  2. Pascual, A., Marchini, K., & Miller, S. (2018, February 06). 2018 Identity Fraud: Fraud Enters a New Era of Complexity. Javelin. Retrieved April 28, 2018, from https://www.javelinstrategy.com/coverage-area/2018-identity-fraud-fraud-enters-new-era-complexity
  3. Stack, B. (2018, April 09). Here’s How Much Your Personal Information Is Selling for on the Dark Web. Experian. Retrieved May 19, 2018, from https://www.experian.com/blogs/ask-experian/heres-how-much-your-personal-information-is-selling-for-on-the-dark-web/
  4. Gemalto, & Breach Level Index. (2018). 2017 The Year of Internal Threats and Accidental Data Breaches (p. 11, Rep.).
  5. RSA. (2018). RSA Quarterly Fraud Report (Vol. 1, Q2 2018, p. 10, Rep.).

 

Contact

Love the show? Want to be featured as a guest? We’d love to hear your questions and comments and welcome guest recommendations. Our producer Sara Tatnall can be reached at sara.tatnall [at] zootweb.com.
