|
|
Frank W. Abagnale has a message
for CIOs who think automation will save loads of money and protect their
companies from fraud. Abagnale, the muse for the movie Catch Me If You Can,
is the notorious con man who kept the FBI at bay for decades while he
embezzled millions of dollars out of unsuspecting individuals. His message:
Automation—business processes run automatically without human
intervention—could actually make fraud easier and cost more in the long run.
"What I did 40 years ago as a teenager is 2,000
times easier to do today," Abagnale says now. "Every day, criminals
are realizing that crime is getting easier than the day before because
corporations are going digital."
Why trust a former fraudster, you might ask? Because he
and other fraud experts can prevent you from being defrauded by criminals who
attack corporate networks for information that they can harness to steal on a
large scale. And indeed, Abagnale is among a growing army of consultants who
are working with CIOs at some of the nation's largest banks to fight what
many believe will be a surge in check fraud, already at $19 billion a year,
as banks move from processing paper checks to transporting digital check
images to other banks and customers.
The Check Clearing for the 21st Century Act (Check 21), a
federal law that allows for the creation and processing of digital check
images and substitute checks, is one of the more significant business process
automation transformations in the private sector. It is expected to save the
banking industry $2 billion to $3 billion a year in labor and transportation
costs, which include flying 42 billion checks around the country every year.
Yet Check 21 also creates a higher risk of fraud and abuse. As banks make
digital images of checks available to customers online, criminals can more
easily gain access to the information they need to create counterfeit checks.
All they have to do is obtain a customer's user name and password.
|
|
|
"Criminals are realizing that crime is getting easier
because corporations are going digital."
- Frank Abagnale
|
Fraud is affecting not only the financial industry but
other industries as well. Health care, transportation, utilities, retail,
government, entertainment and others are all vulnerable. Indeed, any business
that operates a network to process payroll, employee personnel information,
contracting or financial reporting could be a victim of fraud. And if you
don't think it will happen to you, think again, warns Toby Bishop, president
and CEO of the Association of Certified Fraud Examiners (ACFE). "This is
only going to get worse," Bishop warns. "Pretty soon we will have
war rooms with technologists working 24/7 fighting fraud."
The bad news is that completely eliminating fraud from
business is impossible, experts say. The good news is that CIOs can minimize
the potential for losses by developing antifraud strategies in the initial
design phase of an automation project, and continuing to make it a high
priority throughout daily operations. But this requires a revolutionary shift
in thinking and culture for many organizations. That's because too many CIOs,
including most of the executives we interviewed, don't consider fraud
prevention a high priority. They tend to be much more focused on the ROI of
business automation and the improved service to customers rather than the
vulnerabilities a new electronic process creates.
As IT automation becomes more critical to corporate
revenue, an entirely new mind-set is necessary. Mark Tizzard, vice president
of strategic integration for Wachovia Bank, admits as much.
"Sometimes you roll out programs and see what
happens," Tizzard says. "But this is different. People need to be
prepared."
Denial Ain't Just a River in Egypt
For the vast majority of CIOs interviewed for this
article, preventing fraud is simply not a top priority. Nor is it something
many are willing to talk about. About a dozen CIOs we contacted in the
retail, investment and manufacturing sectors refused to talk to us about how
they are defending themselves against fraud—if at all.
Of those who did talk to us, many have the mistaken
perception that automation will reduce fraud. One CIO for an insurance
company told us that when company executives agreed to deploy a new
electronic process to handle claims, the business argument behind the system
was not only to lower costs but to reduce the incidents of fraud as well. The
executives had not considered the possibility that the system could create
opportunities for new, more virulent means of fraud. "I really haven't
given it a whole lot of thought," he says.
|
|
|
"I don't think we know yet where all the fraud
opportunities can or will manifest themselves until we get further into
digital check processing."
- Wilton Dolloff, Huntington Bancshares
|
Many CIOs are also hampered by misperceptions about who
commits fraud. For instance, while executives think that fraud is typically
committed by outside criminals, research shows that about 85 percent of all
fraud is perpetrated by employees. These inside fraudsters will account for
an estimated $660 billion in losses this year, up from $600 billion in 2002,
according to the ACFE. The typical employee who commits fraud has many years
with the company, is an authorized user, is in a nontechnical position, has
no record of being a problem employee, uses legitimate computer commands to
commit the fraud and does so mostly during business hours.
For all of these reasons, CIOs seem to be seriously
underestimating the potential for fraud with automation. According to a 2003
KPMG survey, 43 percent of IT executives believed fraud would decrease in the
future. By comparison, only 7 percent believed fraud would increase. As a
result, CIOs are underequipped to deal with the problem. Only one-third of
companies have a comprehensive fraud program in place, according to a recent
survey by PricewaterhouseCoopers.
Yet at the same time, more than 80 percent of companies
reported that attacks on their networks have increased, and one in five said
a hacker has infiltrated their company's network, according to the Computer
Security Institute. What's troubling about these statistics is that
corporations are now automating processes directly linked to generating
revenue and profits. In years past, CIOs focused on easier, less critical
processes, such as electronic employee expense forms and giving employees the
ability to sign up for vacation time online. Now, CIOs are automating the
processes central to a business's operations. This promises to bring a higher
rate of ROI, but also a higher risk of fraud and abuse. It's as if CIOs are
playing a version of the arcade game whack-a-mole, only a more costly one.
CIOs use automation like a hammer to smash fraud in one place, only to see it
pop up unexpectedly in another place.
Automated systems, particularly when they are
enterprisewide, are vulnerable for a number of reasons. First, they require
significant changes in work processes and cultural shifts throughout the
company. Employees are not used to the new processes, and therefore not
attuned (nor trained) to see anomalies that indicate fraud. In addition,
these new processes tend to be highly complex, which makes weak links in the
system more difficult to identify. This could explain why some Russian
hackers were successful at hacking into personal accounts at major U.S. banks
and online payment services in the latter half of the 1990s, when that online
business was relatively new.
"CIOs tend to underestimate the potential for fraud
when they change business processes," ACFE's Bishop says. "They
tend to fight yesterday's battles," designing defenses for schemes that
they know about.
Scamming Digital Checks
Take Check 21, for example. Banks invested in Check 21
for two reasons. First, it will save the industry an estimated $2 billion a
year in paper check processing costs. Second, bank CIOs and their executive
colleagues believe the automation will cut into the $20 billion that banks
lose to check fraud every year. Their reasoning is sound. If a criminal
presents a fraudulent check, within hours the bank takes a digital image of
the check and sends it to the issuing bank. Using software algorithms, the
issuing bank looks at certain aspects of the check—such as the check number,
the payee, handwriting and the dollar amount of the check—to quickly
determine if the check is valid or not. Under the paper process, the issuing
bank wouldn't receive the paper check for days, and the criminal would be long
gone with the money.
|
It's as if
CIOs are playing a version of the arcade game whack-a-mole, only a more
costly one. They use automation like a hammer to smash fraud in one place,
only to see it pop up unexpectedly in another place.
|
But Check 21 also creates new opportunities to perpetrate
fraud. Criminals can more easily steal information from customers' online
bank accounts to create authentic-looking counterfeit checks. All they need
is the customer's user name and password. Such information can be obtained
through phishing schemes that send official-looking e-mails and Web links to
a bank's customers, asking them to update their user names and passwords. By
breaking into an online bank account and viewing a customer's check images,
criminals now have access to far more damaging information that they can use
to circumvent a bank's traditional methods of fraud detection. For example,
the criminal potentially could:
- Find out what check numbers
the customer is using (if check numbers are significantly out of
sequence, it can be an indication that the check is fraudulent).
- Get an exact digital replica
of the customer's signature, which can be downloaded and easily copied
using off-the-shelf computer equipment and printers.
- Mimic the customer's style
in writing the date—such as mm/dd/yyyy—and their handwriting style in
general.
- Obtain the names of people
to whom the customer frequently writes checks (payees that show up
often—such as a mortgage company, a spouse or a dependent—typically do
not indicate fraud).
- Obtain the typical dollar
amount that checks are written for so that large dollar amounts don't
raise a flag.
Criminals may also gain online
access to a customer's credit card accounts and stock and bond investments.
Once this information is obtained, "they really have the keys to the
financial kingdom of the customer," says Ori Eisen, CEO and president of
The 41st Parameter, an Internet, telephone and mail-order fraud prevention
company.
Banks claim they will be able to stop payment on
fraudulent checks faster because an issuing bank will receive the check image
faster. But the speed with which checks will be processed also will reduce
the time that a bank's fraud examiners have to identify a fraudulent check.
Moreover, most banks plan to destroy the paper check after the image is
created. Some banks plan to shred checks immediately, while others will hold
on to paper checks for a few weeks or even months. When a check is destroyed,
any evidence not captured by the image—such as fingerprints or detailed
security features—is lost. Finally, the check image is made on a gray scale,
which means it does not show details as well as the physical paper check or a
color image of the check. Details in the gray image that could tip off banks
that the check is a fraud may be lost.
All these new vulnerabilities lead Frank Liddy, partner
in the North American banking practice at the consultancy Unisys, to conclude
that bankers have yet to fully realize the extent to which they are
susceptible to increased fraud with Check 21. "This is bigger than any
bank or banker can realize," he warns.
How to Outwit the Bad Guys
Despite such loopholes, Check 21 and other automated
processes are here to stay. So what can CIOs do? A lot, it turns out.
The answers do not lie in better technology for detecting
fraud, although that is important, but rather in planning fraud detection for
whatever automated process is being installed, and then preparing the entire
company for the change through frequent meetings. CIOs will have to reach out
to the executive in charge of fraud detection, typically the CFO, and to
other executives who play important roles in the work process. They will have
to lead the effort to make antifraud strategies one of the key drivers in
creating new automated business processes that work.
That's exactly what Tizzard, who led Wachovia Bank's
Check 21 implementa-tion, did.
Tizzard says the bank approached the move to Check 21 as
it would a merger with a large bank. Even before the law was signed, Wachovia
made plans on how it would roll out Check 21, which won't be fully
implemented until late 2006. After the law was signed, Tizzard and a small
team of other Wachovia executives traveled nationwide to involve everyone in
the discussion—from the CEO to department leaders (especially the risk
management and loss management groups) to the bank's IT shop and product
groups. "Everyone had an input on what the law would do," Tizzard
says. "We knew this could be a Pandora's box. We overprepared."
Tizzard and the other Wachovia executives educated
managers on how the new automated process would work and what the change
meant for them and their customers. Showing bank tellers how to recognize
legitimate substitute checks was particularly important. "We were not
exactly well-received, but once we began meeting with them, we frequently
stayed another hour," Tizzard says.
Wachovia has experienced a 120 percent increase in the
number of fraud attempts in the past two years, yet the bank has been able to
marginally decrease the monetary value of losses during that same period,
says Brian McGinley, senior vice president and director of loss management at
Wachovia. However, McGinley reports that the sophistication of the fraud is
increasing, and fraud attempts by organized crime are on the rise. As a
result, antifraud processes are more important than ever to Wachovia and the
banking industry.
To mitigate the risk of fraud from Check 21, McGinley
organized a task force within his department to identify what in the new process
could potentially create additional fraud vulnerabilities and which of the
antifraud measures Wachovia already had in place (both manual and automated
processes) could be applied to solve those new issues. For example, McGinley
says the encryption techniques and other security applications that protect
customer accounts and identities should be able to protect individual check
images from hackers.
However, other issues did come up. Bank loss management
teams, for example, are not sure how sensitive to make the digital check
scanning system that the bank plans to deploy as an antifraud measure. The
system will use biometrics to compare a genuine check—such as a check written
for a small amount to, say, the electric company—with newly written checks under
the same account. For example, the system will compare signatures, as well as
the placement and accuracy of the Wachovia logo, and verify the Magnetic
Image Character Recognition (MICR) line, which is the magnetic ink that
prints the router and account numbers at the bottom of the check.
Wachovia can program the system to send questionable
checks back for nonpayment or to a database and fraud queue so that an
analyst in the group can examine the check for accuracy. But customers often
do not follow predictable behavior, such as using sequential checks. And with
joint accounts, business partners or husbands and wives will have different
handwriting styles and may use different series of check numbers, both of
which make identifying the exceptions more difficult, McGinley says. So the
question remains: Just how sensitive should the automatic scanning system be
for picking up deviations?
Wachovia also has to decide how the scanning system
should interface with other antifraud systems. For example, Wachovia operates
an application that scans for deposits that are unusually large, which may
indicate fraud. Wachovia plans to link the deposit analysis application with
the check scanning analysis, so that if a check scan picks up an anomaly in a
signature, for instance, it could link that to an unusually large deposit
flagged by the deposit application analysis. Taken in isolation, the
difference in the signature may not be significant enough to raise concern,
but when matched with the largest deposit in another account, it could
increase the likelihood that the check is kicked out for further analysis.
Wilton Dolloff, executive vice president of operations
and technology at Huntington Bancshares in Columbus, Ohio, says banks must
cooperate in order to trust each other's processes for taking images,
analyzing the images and sending what they believe to be lawful checks. That
may mean allowing other banks, including competitors, to view check
processing operations, and "to know if something breaks on your side or
my side, what are we going to do?" Dolloff says.
Dolloff and Tizzard both say that the full impact of
Check 21 will not be known for several years. While some steps can be taken
to reduce fraud and prepare for it, no amount of planning will eliminate fraud
altogether. "I don't think we know as an industry yet where all the
fraud opportunities can or will manifest themselves until we get further into
it, until we see it on a larger scale," Dolloff says. "We simply
don't know how we are going to be attacked." 
Senior Writer Allan Holmes can be reached at aholmes@cio.com.
|
|