The phone call to Chad Sapieha was the final stage of a technology-led fraud detection system. Ten minutes prior to the call, someone had purchased gas on Sapieha’s credit card and the call to him at his office was to verity if he had indeed made the purchase. He had not.
The war against fraudulent use of bank client cards and credit cards is an ongoing one. As the technology to detect fraud gets better, so too does the technology to defraud. Much like the malicious code war, this one is slowly swinging in the favour of the financial institutions that issue the cards, and technology is playing a large role.
Sapieha, a business development manager with Shore Consulting in Toronto, lost his credit card. In an unfortunate turn of events he did not realize it until the telephone call. Several purchases were made, which were flagged as suspicious by the bank. But unlike a few years ago when purchases were batch-processed at the end of the day and sent to branches, today everything is done in real time.
“From the point of the customer, presenting a card at a banking machine, all the way to its presentation to a fraud analyst, takes less than one second,” said Nubar Mangoyan, group manager e-business at the Royal Bank in Toronto.
To detect fraud, the bank uses a combination of IBM’s MQSeries and Microsoft Transaction Server on Windows 2000 running both Computer Associates and homegrown applications. Client data, including all transactions from any electronic delivery channel (ATM, telephone, Internet banking), is pulled from the bank’s IBM RS/6000 series servers.
A fraud threshold is set up for each individual customer based on their transaction history. For those who use their card in a fairly consistent manner – cash withdrawals once a week and gas purchases – the threshold will be quite different from a business traveler who users her card for all manners of purchases all over the world.
“The key to the system is the ability to calculate what is a normal behaviour for a particular client, so when there is a deviation, that is when an alarm is raised,” Mangoyan said. “But I cannot give you any more specific information for security reasons.”
Once a card is flagged for potential fraudulent use, humans intervene. A fraud analyst looks at the pattern and makes a decision. This can be anything from shutting down card access, asking the client to speak to the financial institution from the purchasing location or, as was the case with Sapieha, calling the individual after the purchase to verify it.
“They still allowed it to go through because it is a customer service issue,” said Gord Jamieson, director of risk and security with the Visa Canada Association in Toronto.
Depending on an individual’s level of customer service, “a financial institution may not want to bother a client with the embarrassment of getting called in the store,” Jamieson said. “So they (the bank) may get stung for that first transaction.”
The technology is there to reduce fraudulent use of copied or stolen cards to almost zero, customer service notwithstanding.
“Counterfeit activity in the last couple of years has declined,” Jamison added. In December 1999 credit card fraud reached an all-time high of $123 million in Canada, he said. It is now down to $66 million.
“[In] that time a lot of our members have deployed neural networks, rules-based monitoring systems that have gone a long way to reducing their exposure to fraud,” he explained.
There is a great need to deploy these sorts of technologies because the technology that fraudsters use is getting better by the day. Card skimming is a favourite. Hardware the size of a pager can scan the magnetic strip of a credit card (say at a restaurant) and a duplicate card can be made.
“You can actually buy pretty much all of your tools (to make copies) at Radio Shack,” said Rene Hamel, vice-president, forensic technology services with KPMG in Toronto. Even the holograms are easy to purchase. “Obviously organized crime has all the connections to get all the stuff very easily.”
Since the problem is global, most financial institutions also have distance calculators in their neural networks. If you make a purchase in San Francisco at 10 p.m. local time and another at midnight in Paris, they are certain the card is being fraudulently used since it is impossible to make the trip in two hours. The customer service problem is deciding which is the fraudulent use, so often the solution is to call the client to clarify the situation and issue a new card.