Fighting fraud with social network analysis


Fraud from organized criminal groups hurts financial institutions the most, the best way to fight a criminal network is to take it down as an organization and analytics software helps institutions do this by providing insight into the big picture, according to Chris Swecker.

The former assistant director of the FBI , who retired in 2006 after 24 years of service and moved on to become the director of corporate security for Bank of America Corp. until 2009, sat down with ComputerWorld Canada to discuss the financial industry, fraud and analytics software on a recent visit to SAS Institute Inc. in Toronto.

Swecker, currently an independent consultant on enterprise financial crime strategies, regulatory compliance and control measures for business and government, views fraud as an enterprise in general.

“I don’t mean to say that all fraud is network. There is a lot of opportunist, one-off fraud that is taking place every day. But the ones that are hurting the financials the most are the networked organized groups,” he said.

A lot of activity, especially on the Internet, is organized criminal activity, according to Swecker. “You’ve heard of sensitive credit card information being stolen and sold on the Internet in these deep, dark carding Web sites … that’s a criminal network,” he said.

These groups have a type of supply chain, he explained. They steal the data, sell it to another group that repackages it and sells it to another group that uses it to steal money one way or another from a channel the financial institutions provide like an ATM or teller, he said.

Swecker suggested going after fraudsters as “a broader fraudulent network” and working with law enforcement to dig it up by the roots. “That’s where the analytics part comes in – it helps you put some context around the content of your data so you understand your data better,” he said.

The best way to fight a network, according to Swecker, is to be able to see it. “Just like in good law enforcement, when you’re working on an organized crime case or you’re working on al-Qaeda or working on a gang or working the la Cosa Nostra, you have to understand who the participants are,” he said.

“Instead of taking them off one-by-one for a traffic violation, you take them off as an organization and you take them off all at one time and the only way to do that is to have good intelligence information, good data and then run really powerful analytics against it to see the whole picture,” he said.

SAS’s new Social Network Analysis (SNA) tool literally does this, according to Wesley Gill, executive lead for enterprise risk management at SAS Canada.

Introduced by SAS earlier this year, SNA software gathers data from multiple sources, links individuals who share key pieces of information or engage in transactions with each other and then presents the associations using “a unique network visualization interface.”

It takes massive amounts of data, performs the links and visualizes the associations so investigators can see the various participants and the relationships between them, explained Gill. “You literally will see rings show up and where it is organized activity or not,” he said.

SNA is one of four parts of SAS’s “fraud framework,” which includes business rules, anomaly detection and predictive models that work together to score and flag individuals, accounts, products and networks.

The framework consolidates alerts from multiple systems and provides an “enterprise view of fraud exposure and risk.” This hybrid approach increases fraud detection and reduces the number of false positives, according to SAS. The framework is geared to banks, insurance and government.

Banks, insurance companies and government have massive amounts of data on individuals, Gill pointed out. What SNA does is take all the information people have provided through the proper course of business, and through analytics and data integration capabilities, links the data to find out where there are commonalities, he said.

An organization can take something as simple as a cell phone number and quickly process it against all the other information it has stored on every else to see if there is any relationship between the number and past fraudulent activities or activities that behaved like fraud activities, he explained.

Swecker refers to SNA as “looking for the malignant social network.” Criminals are committing fraud 24 hours a day, so generally, what you find when you build it out is a broader fraud network such as an organized Russian crime group, he said.

“We all have social networks and they are generally benign social networks, but if you lock onto somebody who is an Internet criminal and you have enough data at your disposal, you can actually link out their social network,” he said.

SNA also analyses behaviour that is indicative of fraud, which can help with internal fraud cases by detecting actions that are inconsistent with appropriate behaviour, such as accessing databases they shouldn’t, coming in after hours, transferring large amounts of data, etc., noted Swecker.

Meanwhile, predictive analytics can be used to determine the likelihood of an individual becoming a bad customer and whether the individual is too much of a risk to even begin conducting business with, Gill pointed out.

“You don’t need large amounts of data, but the more data you have, the better the results,” said Gill. As your data becomes richer, your ability to predict becomes better and you get fewer false positives, he said. “The idea is it continually self-learns as you go,” he said.

Predictive models are continually evolving, noted Gill. “We actually work with institutions in terms of monitoring how well the modules works such that when the model deteriorate over time, they can go back in and be re-cast or re-tuned to the current behaviour that’s going on,” he said.

“If you can predict it, you can prevent it,” said Swecker. 

Being predictive goes hand in hand with being preventative, he pointed out. “Everybody wants to be preventative now and when they are successful, you won’t hear anything about it. It’s the bad thing that didn’t happen,” he said. 

Analytics have a big role to play in fighting crime, according to Gill, who suggested SNA is leading edge in terms of the technology. But it must continue to evolve, he added. “Social networking is here today. It’s leading edge. But we don’t want to keep stagnant with it,” he said.

“The other thing you have to remember is that whole area of criminal activity continues to evolve … those trying to protect against it are going to have to move as fast as the criminal side because they are sophisticated,” said Gill.

Cybercrime is traditionally under-reported, under-prosecuted and under-investigated across all industries, according to Swecker. “Historically, it’s difficult to prosecute. Nobody likes to put their vulnerabilities out there for the public to see,” he said.

In the U.S., if a sensitive piece of customer data is compromised, it becomes a privacy event and must be reported, he explained. But if an institution is not required to report the breach, they will generally just fix the problem, he said.

There is legislation that requires activity over a certain dollar level to be reported to the federal government and also legislation requiring the reporting of suspicious activity that doesn’t make the threshold, noted Gill. “Institutions very quickly notify customers because they know it is in their best interest, because if they get a bad reputation or they don’t do that, they are going to lose business,” he said. 

Swecker gives financial institutions an “A” in terms of cybersecurity in general. A lot of institutions have really good firewalls and great protection, and it’s become very hard to physically hack in without the help of an insider, he said.

But more can always be done to protect institutions from insider activities like data theft, he noted. “Data is more valuable than money. It is money and it’s more damaging when you take it and steal it and sell it then if you just embezzled money right out of the bank,” he said.

Gill also gives the banks an A grade. But while banks “may be doing well today,” they must continue to invest in what they are doing, he warned. “The criminals on the other side, they are always looking for new ways to come in and to undertake activities … the whole area continues to evolve,” he said.

The financial industry is probably the most critical of the critical infrastructures and a target of “just about everybody,” Swecker pointed out. This includes organized crime rings, cyberterrorists fixed on economic targets, terrorists seeking to fund their activities and hostile foreign governments.

One offensive strategy organizations can take, according to Swecker, is to inject some uncertainty into the sale of customer data. One of the biggest vulnerabilities cybercriminals have is trust in each other in their carding sites, he said.  

Cybercriminals rely on trust, their relationships and the names they use on the Internet, said Swecker. “If you can undermine that and create uncertainty in their own black markets, I see that as a vulnerability,” he said.

“If you look at an FBI investigation called Dark Market, they actually created the seeds of distrust between several Russian carding Web sites and at least temporarily knocked the carding sites out and took out some major players,” said Swecker.

Financial fraud is the third fastest rising breach category, according to a 2009 joint study on Canadian IT Security Practices from the Rotman School of Management at the University of Toronto and Telus Corp., which reports an 88 per cent increase in the past year. 


Many organizations absorb fraud into their operating expenses and see it as a part of their everyday business, but as fraudulent activities increase and the costs grow, organizations will have to start focusing more on this area, noted Gill.

Follow me on Twitter @jenniferkavur.


Related Download
3 reasons why Hyperconverged is the cost-efficient, simplified infrastructure for the modern data center Sponsor: Lenovo
3 reasons why Hyperconverged is the cost-efficient, simplified infrastructure for the modern data center
Find out how Hyperconverged systems can help you meet the challenges of the modern IT department. Click here to find out more.
Register Now