People’s United Bank Top Fraud Expert Speaks Out on FinCrime Trends and Geolocation’s Value in Fighting Fraud
We are pleased to welcome Karen Boyer, VP, Financial Crimes & Fraud Intelligence, People’s United Bank, for this Q&A session, as part of our thought leadership series with industry experts and regulators.
Q: What are the top indicators of fraud you see in your work, and what types of fraud are most common?
A: Money mule fraud, hands down. The inflation of mule accounts increased significantly with the pandemic, and in multiple ways. Here are only three:
Romance scams. These are nothing new, but quarantining created a larger audience to prey on. The pandemic diminished our ability to spend free time with friends and entertainment options diminished, magnifying the vulnerability of the lonely. With the world in quarantine, more and more victims – desperate with loneliness and isolation – sought any type of companionship they could find.
COVID relief funding. The vast amount of government assistance being dispersed throughout the U.S. and the world has made it easy and lucrative for criminals to commit fraud and move money. Crime rings perpetrating UI/unemployment fraud, SBA Paycheck Protection Program (PPP) and other relief program fraud quickly realized they needed to scale the number of fraudulent accounts in order to better control the increased movement of illicit funds.
Bad actors use additional accounts both for making deposits and as additional sources for money laundering in an effort to mask the origins or ultimate destinations of fraudulent funds. These additional accounts are related to some of the “new” romance scam victims, but also to other unwitting mules found through a variety of other scams (employment, loans, credit applications, etc.) who provide access to their accounts – not realizing their role in funneling fraudulently obtained government-relief funding.
Synthetic IDs. Although the first two types of mules aren’t by any means scarce, sometimes it’s easier to create fictitious identities to apply for, receive, and deposit fraudulent funds. This is true for three reasons:
- Bad actors don’t need to rely on another individual to follow their instructions.
- One “real” person can use multiple synthetic identities to multiply their “winnings.”
- A synthetic identity creates one more layer of anonymity since there is no actual person who can be arrested for the crime.
Q: What are the top indicators for these types of fraud?
A: For new accounts:
- The account is opened online and has multiple other inquiries to other banks around the nation in the same day/week.
- The account is funded with the minimal amount, lies dormant for a while, and then is later funded with a larger deposit. However, logins continue throughout this process.
- The device used to open the account is different from the one used to access the account after it is opened.
In all circumstances:
- Multiple devices are attached to one account.
- Multiple accounts are attached to one device.
- The device’s geolocation does not match its IP and/or consumer address.
- The IP address is attached to a known proxy, VPN or other anonymizer.
One way to identify suspicious accounts is to track the number of multi-factor authentications (MFAs) attached to a customer profile. Multiple MFAs indicate that multiple devices are being used to access the same account.
Q: What are the most important data points you use for detecting fraud?
A: Device attributes, including:
- Indicators of geo-spoofing
- An IP address, in conjunction with these data points:
- Anonymization indicator/internet service provider (ISP)
- Device language
- MUID/IMEI (a device’s identification number)
Q: What are the limitations of IP addresses for fraud detection?
A: IP addresses are spoofed left and right. They’re even now spoofed to appear to belong to the residential ISPs or cell networks associated with the location the fraudster is pretending to be located.
With some research and experience, one can determine the subnetwork (subnet) range of the “true” residential IPs versus the spoofed subnets, but that still is an extra step that was not necessarily needed many years ago.
Not until recently have we seen the spoofing of “reputable” ISPs such as AT&T, for example. If you saw a residential ISP like Comcast/AT&T you could rely on the fact that information was true. Now you need to be more knowledgeable of what the legitimate IP subnets are for these ISPs, so you can conversely identify when there’s an IP outside of that range – it’s most likely fake.
And although you can still determine fraud with an IP, the number of “legitimate” customers who now use the same anonymizing services are almost neck in neck with the number of fraudsters.
Q: What are better location data points for fraud detection? Why are they better?
A: One of the best detection tools to validate a true customer or identify an impostor is the ability to determine the physical longitude and latitude of a device that is accessing a consumer’s profile. This data can be used to determine if the device is in the vicinity of where the customer should be.
Even if the customer is traveling, using the device attributes to validate upfront at enrollment the customer’s device, the customer can travel without additional MFA – even to a high-risk country. Using this data with additional biometrics at the authentication level, one can prevent account takeover (ATO) in the event a consumer’s device has been stolen. This allows for passive authentication, a happy path and a frictionless journey regardless of the customer’s location.
If possible, banks can also leverage this data to authenticate additional transactions outside of the app, for example card-present transactions, while the verified device is within range.
Geodata isn’t a silver bullet – it can still be spoofed – however, there are typically indicators of when a spoofing app is being used on the device. So although you may not be able to determine the exact location, you can at least react differently when this indicator is detected.
Q: How would a financial institution go about adding these new signals to their fraud detection and risk engines?
A: I can appreciate that all of this is easier said than done. If these signals are not already readily available, finding the data, ingesting the data, and then creating an infrastructure of workflows is a lot of work and time. I would say step one is to determine where this data lives in your organization – who holds the logs and attributes. If you own your logs and session data, analyze it to see what you may be missing. If a third party or core processes this data, work with them to determine what attributes they’re gathering, and partner with them to leverage this data for you and your customer’s benefit.
This goes beyond device profiling and sending a one-time password (OTP) to the customer when a new device has been detected. With the vast success of social engineering, customers are the weakest link, and the OTP or MFA can’t be a reliable deciding factor of legitimacy. Because of this, the analytics at the institution level should be used to validate a bad actor versus the true consumer.
Q: What are the most significant challenges/opportunities the new AML Act of 2020 have for financial fraud, compliance and risk professionals?
A: Speaking at a very high level, the more data one can provide to law enforcement, the more likely they will be able to make progress and arrests. FinCEN only started to really integrate cyber activities just a few years ago. The amount of money laundering that occurs from app to app and device to device is completely underestimated. The continuous introduction of fintech apps and constant acceleration of RTPs that enable real-time digital payments makes us look foolish to only be really reporting on cash transactions – we’re missing a giant gap of money movement.
I’ve always stated that consumer authentication should not be considered a competitive advantage for FIs and apps. Another issue is that legacy systems using knowledge-based authentication (KBA) should be eliminated completely. Despite the understanding of this by multiple vendors in this space, as long as FIs pay for the service, they will not sunset it even though it is admittedly completely inadequate.
If this new reform (AMLA 2020) generates that push for FIs to be required to collect, analyze and report geolocation data, that will help everyone be on the same page, have the same advantage, and stop the same criminals. We’re all fighting the same fight, maybe this can help everyone start at the same starting line.