IE: What are the new types of threats that the Indian businesses face?
Ian Selbie (IS):
Globally, account takeover is the primary fraud attack on remote banking channels such as telephone, online and mobile banking. India is likely to be in line with this trend. It occurs when customer logon information is compromised and used to perform unauthorised withdrawals. Account takeovers often extend into identity theft and as a result, these fraud attacks often involve multiple channels.
The first step in performing an account takeover is to steal access information which is done when a bank employee with access to customer data uses it themselves or sells it to others for profit. Once access information is stolen, the perpetrator moves money out of the account electronically.
IE: How equipped are Indian companies to tackle this?
Policy is an essential component, but criminals will always look for the weakest links. So governments, businesses and the public need to cooperate to minimise the risk of losses.
In India, policies instituted by banks and financial institutions are often the weakest links and most attractive entry points for hackers. Also, lack of employee awareness adds another layer of vulnerability. Taking into account the sheer volumes of accounts managed by banks and financial institutions and the ever-increasing trend in online channel adoption, these organisations must enforce strong policies to curb cyber crime, while maintaining customer satisfaction. A good way for businesses to do this is by building awareness through regular seminars/knowledge sharing sessions for their staff and customers on their cyber crime policies.
IE: What makes an effective anti-fraud strategy?
An effective anti-fraud strategy seeks to prevent or reduce the risk of fraud from occurring in the first place, proactively detects any instances of fraud and takes swift, corrective action when fraud does occur.
Sophisticated fraud detection software works in several ways, such as maintaining ‘fingerprints’ of customer PCs to be able to detect changes that may indicate the presence of malware. Behavioural patterns such as unusually quick inputs from a customer, which may indicate the presence of ‘man in the browser’ code performing functions in the background, or differences in the sequence in which web pages are accessed are taken into account. Financial profiles of transactions are tracked to detect both normal and abnormal actions and determine risk levels.
In addition to detection, policies and procedures are set as to whether to block, delay, or allow certain transactions based on the company’s risk appetite and desired end-user experience.
IE: What are the long term measures that need to be taken by companies?
The first step for businesses is to continually educate customers and employees on how to protect their own and others’ information.
Secondly, financial institutions need to have strong policies in place for the use and protection of customer information. For instance, they should provide access to sensitive data on a need-to-know basis only; keep comprehensive logs of all customer data access and have stricter password policies.
Thirdly, financial institutions should ensure that their Know Your Customer (KYC) policies and procedures are up to date and easily available to their employees. Further, it is recommended that they refresh customer profiles reflecting recent changes in their demographics, at least once in a year.
IE: Which sectors are most affected by these crimes?
According to Ernst & Young’s India Fraud Indicator report, the financial services sector has been hit the hardest by fraud, with more than 63 per cent of the total fraud cases reported in 2011–12, followed by the technology and transportation sectors. In the financial services sector, banking was the major victim with 84 per cent of the total number of reported fraud cases.
IE: How can fraud through mobile phones be curbed?
In organisations, the most common threats to mobile security include malware, loss and theft of mobile devices and, increasingly, exploitation and misconduct on the part of employees. Organisations need to ensure that they are monitoring and supporting all company-liable and employee-owned devices 24x7 so as to prevent data breaches, while ensuring convenience and ease of access to the enterprise network.
A multifactor authentication, where the employee is identified not only by ‘what they have’ (a known/trusted mobile device) and ‘what they know’ (a PIN or password) but also by ‘who they are’ (a biometric such as a fingerprint or face scan) to protect sensitive assets is recommended. Yet a truly effective security approach requires a combination of strong policy and technology as well as the means to enforce both.
A sophisticated new approach to security is attribute-based access control, an emerging technology that grants access based not only on the nature of the data and the individual requesting access but also factors in the location from which access is being requested and the method used to authenticate identity.
IE: Please explain Unisys’ approach to fraud detection and prevention.
Unisys fraud solutions are based on a unified Financial Crime Prevention which helps to customise solutions around fraud detection and anti-money laundering.
One of Unisys’ solutions, Secure Document Delivery, ensures that the ever-increasing volume of business communication and documents is managed through e-mail in a manner that is safe, secure, and convenient for the receiver. This solution delivers rapid reduction in paper, production, and postage costs, and enhanced customer experience by revolutionising how high-volume documents are delivered, responded to, or paid.
We also have a unique Identity Management Solution that helps clients efficiently manage and audit user access to information systems, thus protecting valuable financial information and assets. The solution allows businesses to centrally manage digital user identities and is based on deep experience in designing, integrating, and operating complete life-cycle identity management systems.