Analysis and results of a tool that builds synergy and teamwork against electronic bank fraud.
by Héctor Fuenmayor, MSc*
One of the main problems facing the banking business is the high volume of electronic fraud that targets account deposits and electronic means of payment every day. Although the market offers attractive technological solutions for monitoring criminal patterns, they raise their alerts only after a transaction has taken place; each banking institution therefore needs to move towards mitigating the threat by combining technological resources with human capital to give an effective, proportionate and timely response to suspicious transactions.
Below I present the concept and results of the research and development of a complementary monitoring tool for detecting fraudulent transactional behavior, called the "Transactional Risk Engine" (MRT, after its Spanish initials), implemented at one of the most important commercial banks in Venezuela.
Alarming loss figures and transactional risk profiles
Since 2006 there has been a sharp increase in cybercrime that breached the IT environments of most banking institutions, even though they had already deployed fraud monitoring and control platforms. With a high degree of technical sophistication, criminals managed to penetrate customer accounts and complete fraudulent withdrawals, which turned into claims for unrecognized operations (ONR) that accumulated to very high amounts.
For a long time the authorizer of the central transactional core (core banking) has been under permanent monitoring by a software platform that detects fraudulent operational patterns, but in the face of this onslaught a deep assessment was needed. It revealed security gaps (backdoors) common to almost all banks, which criminal groups exploited to carry out attacks, raising customers' exposure to risk and compromising tangible and intangible assets of the banking sector.
During the investigation carried out by the security team, it was possible to confirm that, as in many other countries, Venezuela was in the crosshairs of organized crime through two high-impact modus operandi that served as preparatory maneuvers for fraud: social engineering attacks through deceptive emails (phishing), and brute-force attacks on transactional pages to discover user passwords.
Security breaches and reengineering for data exchanges
The alert criteria or parameters sit at the center of the problem: they are the triggers, of greater or lesser effectiveness, that lead to the identification of fraud patterns and therefore to the design and establishment of barriers that prevent the illicit appropriation of funds through the online banking services platform (homebanking). The platform traditionally used by banks to detect fraudulent operational parameters, the high-tech transactional monitoring system, relied on general criteria derived from case data reported and analyzed over a considerable period of time, such as transfers of unusual amounts and forced regeneration of transactional authentication credentials, among many others.
However, there are also particular or atypical criteria that emerge from constant monitoring. They are identified from transactional traits other than those mentioned in the previous paragraph and cannot be turned into general parameters because they do not apply to all transactions or to the environment of every banking institution. They could be called more "circumstantial", and that makes them invisible to the traditional parameters built into the high-tech monitoring system already established on the authorizer of the bank's central transactional core. Examples of these indicators are the use of IP addresses related to previous frauds and transfers to recipients linked to previous unrecognized operations (ONRs), among others. The conceptual challenge was therefore essentially to close this gap, and it gave rise to the creation of a complementary software solution developed in-house that was called the "Transactional Risk Engine" (MRT).
This application consisted of a parameterized alert engine driven by the most recent case information known about suspicious operations. It interacted with the authorizing module of the bank's transactional page and was fed with the operation logs produced by the authorizer of the central transactional core (core banking). Under this arrangement, the monitoring staff was responsible for creating and updating the detection references in the online banking authorizer (homebanking), and through the MRT the development of triggers was begun to permanently feed the data tables of the existing high-tech monitoring system. The aim of integrating the two was that, while the new platform diverted a suspicious transfer to validation, the charge to the client's account was avoided.
The concept of complement embodied in the MRT was aimed at closing the gap between the set of traditional parameters included in the high-tech monitoring system and the atypical parameters arising from cybercriminals' behavior, together with a constant and structured exchange of records (logs).
However, the parameter sets were kept separate to preserve the compartmentalization and confidentiality that are essential for security reasons. This integration provided new monitoring alerts prior to the validation of dubious transactions, which ensured that funds from the affected account could not be transferred to another receiving account to complete the fraudulent appropriation.
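The complementary engine described above, as an added illustration that is not the bank's MRT code: general criteria (unusual amount, forced credential regeneration) are checked alongside atypical indicators fed back from confirmed ONRs (source IPs and recipient accounts), and any hit holds the transfer for validation before the account is debited. The log format, field names and thresholds are constructed assumptions.

```python
from dataclasses import dataclass, field

AUTHORIZER_LOG = """T1|DEST-123|300.00|198.51.100.4|0
T2|DEST-999|250.00|198.51.100.9|0
T3|DEST-555|9000.00|203.0.113.7|1"""  # constructed; hypothetical format tx_id|recipient|amount|ip|credential_reset

@dataclass
class Transfer:
    tx_id: str
    recipient: str
    amount: float
    ip: str
    credential_reset: bool  # authentication credentials forcibly regenerated before the transfer

def parse_log(text: str) -> list:
    # Each core-banking authorizer log line becomes one Transfer record.
    rows = []
    for line in text.splitlines():
        tx_id, recipient, amount, ip, reset = line.split("|")
        rows.append(Transfer(tx_id, recipient, float(amount), ip, reset == "1"))
    return rows

@dataclass
class RiskEngine:
    """General criteria mirror the traditional monitor; atypical sets are fed from confirmed ONRs."""
    unusual_amount: float
    fraud_ips: set = field(default_factory=set)
    onr_recipients: set = field(default_factory=set)
    def learn_from_onr(self, case: Transfer) -> None:
        # A confirmed ONR turns its source IP and destination account into indicators.
        self.fraud_ips.add(case.ip)
        self.onr_recipients.add(case.recipient)
    def evaluate(self, tx: Transfer) -> tuple:
        reasons = []
        if tx.amount >= self.unusual_amount:
            reasons.append("general:unusual_amount")
        if tx.credential_reset:
            reasons.append("general:forced_credential_regeneration")
        if tx.ip in self.fraud_ips:
            reasons.append("atypical:ip_linked_to_prior_fraud")
        if tx.recipient in self.onr_recipients:
            reasons.append("atypical:recipient_linked_to_prior_onr")
        # Any hit diverts the transfer to validation before the client's account is debited.
        return ("HOLD_FOR_VALIDATION" if reasons else "AUTHORIZE", reasons)

def run_batch() -> dict:
    engine = RiskEngine(unusual_amount=5000.0)
    engine.learn_from_onr(Transfer("T0", "DEST-999", 1200.0, "203.0.113.7", False))  # constructed prior ONR
    return {tx.tx_id: engine.evaluate(tx) for tx in parse_log(AUTHORIZER_LOG)}
```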
A successful control model in the banking sector
The design and implementation of the MRT was the result of a shared effort between the banking institution's IT staff, the security personnel involved in fraud monitoring and investigation, and the contractor providing the existing high-tech monitoring system.
This tool performed excellently compared with the average of other solutions in the banking sector, because the macrosystem integrated through the MRT with the traditional monitoring platform on the authorizer of the central transactional core (core banking) kept losses to a minimum even though the frequency of attack attempts was very high.
Finding a concept for the solution without affecting the operational agility of validating non-fraudulent transactions was a challenge to the ability to create synergy through teamwork. This achievement rested on the capacity for situational analysis that the security personnel had proven, and on the strategic ability developed to define objectives following the timely and accurate identification and processing of fraud patterns in online banking services.
The decision to develop the MRT platform internally, besides performing excellently in controlling the fraud indicators triggered through online banking operations, was also recognized as a success in terms of flexibility, implementation cost and maintenance, as well as in the acceptance shown by the contractor that developed and owns the high-tech transactional monitoring system when the integration of the new parameterization protocols into its product was proposed.
* Héctor Fuenmayor, MSc in IT Management with a major in Security. He has worked for 30 years in corporate security management positions in Venezuela, for broad-based companies (PDVSA, Banco Occidental de Descuento, Protinal).