Breaches point to need for broad protection

The recent and highly visible payments breaches should emphasize that banks need also to protect against all varieties of digital crime that perpetrators attempt, including money laundering, identity theft, and check fraud, say a couple of industry experts.

“What we’ve seen is that it’s not just about the payment card data. We see breaches where, yes, significant amounts of payment card data are compromised, but along with it there’s also quite a bit of personally identifiable information that includes email addresses, phone numbers, and address information,” said Mike Urban, director, Financial Crime Risk Management, Fiserv, in an interview with Banking Exchange.

“What this does is, it extends the attack vector that criminals can take,” he says. For example, with the phone number, email, and physical address data—which do not expire or get changed upon reissuance of a card—the potential victim can be exposed to spear-phishing attempts.

“They [the criminals] could send an email to an individual that says the order that was just placed at this particular merchant is on hold and that the recipient needs to click on a link to add some information. Then the criminals can leverage that, but the customer of the institution thinks everything is okay,” Urban says.

As financial institutions strive to bolster their defenses they also must cope with budgetary considerations, he says. One avenue to explore is to construct a common defensive platform versatile enough to cope with the various forms of cybercrime, instead of installing individual systems each devoted to single types of crime.

“You need to be able to have the technology in place, as well as the people and processes. You need to be able to consolidate what they are looking at in terms of financial crime today,” Urban says. “There’s usually a collection of technology. You have a card fraud solution, which may be provided by your card processor. You might have a check fraud solution in place. You might do some risk management around your ACH from an origination perspective.

“All of these different technologies create gaps as criminals are looking to cross into demand deposit and business account-type frauds. In order to close those gaps you need a technology that enables you to look at all of these different types of risks and respond back as the risks are starting to build,” he says.

Matt Herren, fraud specialist at CSI, agrees. In a separate interview with Banking Exchange, he said, “Similar types of platforms can conceivably be used for money laundering, account takeover, ACH fraud. It’s the same type of thing. If you’re looking for card fraud from Russia, or wire transfers out of Russia, or ACH transfers out of Russia, it’s all the same type of idea. They’re all pretty much doing the same stuff. It’s really about getting money.

That is a good way of justifying consolidating cybercrime defense systems, he said.

[Note: several payment solutions from Fiserv are endorsed by the American Bankers Association’s Corporation for American Banking subsidiary. Read more.]