Comment: Connecting the dots on insider fraud

Linking and analysing data provides the basis for insider fraud detection

In 2009, two particular areas of fraud saw large increases in activity: disclosure of customer data to a third party, which almost doubled according to data from CIFAS (UK Fraud Prevention Service) staff fraud database members, and an escalation in the number of victims of identity fraud, where CIFAS members saw a 31% increase.

It’s no surprise that these two fraud types may be linked, and the recent recession has the potential to exacerbate the problem.

When attempting to detect and prevent the compromise of customer data, financial institutions may be too quick to look outside their organisation for the cause. They could certainly be forgiven for thinking this way, particularly as we see more and more database compromise events hit the press, such as Heartland Payment Systems and the recent compromise in Spain.

There is also the problem of staff members sometimes not believing that ‘helping’ a family member or friend successfully open an account or submit a ‘below the radar’ loan application, or passing small snippets of customer data to a third party, constitutes fraudulent behavior.

Experience suggests that financial organisations should also ensure they are well-defended against internal compromises. This can be more difficult than it sounds – effort is frequently focused on preventing employees from stealing personal information, through restrictions on emailing, printing and photography, but these restrictions rarely pose a serious obstacle to the most determined fraudsters or to employees with little regard for correct processes or behavior.

So how can organisations detect employees disclosing customer data or using it for their own personal gain without restricting them from doing their day-to-day jobs?

Every action leaves a fingerprint

The first step in detecting this type of fraud is ensuring that fraud analysts have access to account maintenance log data from across the organisation. This data should include logs of every time a staff member touches or accesses a customer account.

Particular care must be taken to ensure all account activity, including changes and account views, is captured by the logging system. A fraudster only needs to write down the pertinent information from an account view to commit identity fraud. In addition, it is worth adding descriptors of the overall net worth of the account owner to the analysis data – fraudsters are smart and will frequently deliberately target high-worth individuals.

The next steps are to identify the patterns of activity of employees opening customer accounts and look for anomalies. One should try to detect when a customer’s details have been potentially used in a fraudulent manner. For credit and debit card information, for example, there are two key touch points to detect – testing of the card details and the actual unauthorised use.

Test point identification

Card details are usually ‘tested’ by the fraudster to ensure validity before either selling the card details or using them directly for unauthorised transactions, particularly if the intent is to use the details in a card-not-present environment. As internal fraudsters become more organised and create ever larger data thefts, they are faced with the prospect of needing to test large volumes of cards at once. As a result, they often turn to technology and use automated processes to check the cards’ validity and record the outcome.

This modus operandi can be spotted using anomaly detection – this technology detects potential card testing by monitoring merchants for odd, repeated authorisations or spikes in activity.
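A minimal sketch of the merchant monitoring described above, added here as an illustration and not taken from the article or any Detica product. The record layout, the 10-minute window, the five-card threshold and the low-value cut-off are all assumptions, and the authorisation records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authorisation records: (timestamp, merchant, card token, amount).
T0 = datetime(2010, 3, 1, 9, 0)
AUTHS = (
    # Six different cards, one low-value authorisation each, a minute apart.
    [(T0 + timedelta(minutes=i), "M-TEST", f"card-{i:02d}", 1.00) for i in range(6)]
    # Low-value but spread across the day: ordinary small purchases.
    + [(T0 + timedelta(hours=i), "M-COFFEE", f"card-{i:02d}", 1.80) for i in range(6)]
    # Busy merchant, but normal basket sizes.
    + [(T0 + timedelta(minutes=i), "M-SHOP", f"card-{i:02d}", 45.00) for i in range(6)]
)


def find_card_testing(auths, window=timedelta(minutes=10), min_cards=5,
                      max_amount=2.00):
    """Return {merchant: card tokens} for merchants showing a burst of
    low-value authorisations across many distinct cards in one window."""
    by_merchant = defaultdict(list)
    for ts, merchant, card, amount in auths:
        if amount <= max_amount:  # assumed cut-off for a 'test' authorisation
            by_merchant[merchant].append((ts, card))

    flagged = {}
    for merchant, events in by_merchant.items():
        events.sort()
        recent = deque()  # authorisations inside the sliding window
        for ts, card in events:
            recent.append((ts, card))
            while ts - recent[0][0] > window:
                recent.popleft()
            cards = {c for _, c in recent}
            if len(cards) >= min_cards:
                flagged.setdefault(merchant, set()).update(cards)
    return flagged


if __name__ == "__main__":
    for merchant, cards in find_card_testing(AUTHS).items():
        print(merchant, sorted(cards))
```

The card tokens returned for a flagged merchant are the ones to carry forward as potential card testing events in the later linking step.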

Fraudulent card usage

Whether it is through direct notification from the customer or a third-party fraud detection system, fraudulent card usage gives the strongest indication that a customer’s card details may have been compromised. It is important, however, to remove or de-prioritize events where the customer believes the activity is due to loss of the physical card.

Identity-theft notifications

Discovering theft of customers’ information that doesn’t relate to card details can be more complex, as stolen personal information is typically used to gain credit with other financial institutions. Regardless, there are some warning signs that should be included in fraud analysis. For example, a sudden drop in a customer’s credit reference agency score, particularly due to a recent successful application for credit, could indicate that a criminal has successfully committed ID fraud.

Joining the dots

Once organisations are armed with logs of account views and changes, potential card testing events, third-party fraud events, and potential ID theft events, a network-based system should be used to join up and analyse the data.

By using advanced social network analysis platforms, disparate data sets can be brought together, each event can be networked and weighted accordingly, and a holistic view of all interactions can be created, allowing early intervention.

If any potential compromises are found, then not only should an investigation be started, but any other customers viewed by the employee (particularly ones that have potentially been tested) should be placed on a watch list or contact-and-replace strategy.
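The linking and weighting described in this section can be sketched as a simple employee-to-customer join; this is an added example, not the article's or the vendor's method, and it stands in for a full social network analysis platform. The event weights, the 90-day lookback, the field layout and all sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data; weights and the 90-day lookback are assumptions.
D = date(2010, 1, 4)
VIEWS = [  # (day, employee, customer) from account view/change logs
    (D, "emp-A", "cust-1"), (D, "emp-A", "cust-2"),
    (D + timedelta(1), "emp-A", "cust-3"), (D + timedelta(1), "emp-A", "cust-4"),
    (D + timedelta(2), "emp-A", "cust-6"), (D, "emp-B", "cust-1"),
    (D + timedelta(2), "emp-B", "cust-5"), (D + timedelta(40), "emp-C", "cust-2"),
]
EVENTS = [  # (day, customer, kind) from card testing, fraud and ID theft feeds
    (D + timedelta(10), "cust-1", "card_test"),
    (D + timedelta(20), "cust-1", "card_fraud"),
    (D + timedelta(15), "cust-2", "id_theft"),
    (D + timedelta(30), "cust-3", "card_fraud"),
    (D + timedelta(12), "cust-4", "card_test"),
]
WEIGHTS = {"card_fraud": 3.0, "card_test": 2.0, "id_theft": 2.0}


def score_employees(views, events, weights=WEIGHTS, lookback=timedelta(days=90)):
    """Link each event to the employees who viewed that customer beforehand.

    An event's weight is split between the linked employees, so a view shared
    with colleagues counts for less than an exclusive one.
    """
    viewers = defaultdict(list)
    for day, emp, cust in views:
        viewers[cust].append((day, emp))
    scores = defaultdict(float)
    for day, cust, kind in events:
        emps = {e for d, e in viewers[cust] if timedelta(0) <= day - d <= lookback}
        for e in emps:
            scores[e] += weights[kind] / len(emps)
    return dict(scores)


def watch_list(views, events, employee):
    """Customers the employee viewed with no confirmed fraud yet, tested first."""
    seen = {c for _, e, c in views if e == employee}
    confirmed = {c for _, c, k in events if k != "card_test"}
    tested = {c for _, c, k in events if k == "card_test"}
    return sorted(seen - confirmed, key=lambda c: (c not in tested, c))


if __name__ == "__main__":
    scores = score_employees(VIEWS, EVENTS)
    top = max(scores, key=scores.get)
    print(top, scores[top], watch_list(VIEWS, EVENTS, top))
```

A high score is a reason to open an investigation, not proof: the view by emp-C is ignored because it came after the event, and staff who legitimately handle many accounts will accumulate links, so scores should be compared against peers in the same role.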

Looking ahead

Too often it is assumed that effective insider detection requires all the data about every activity of the employee – no matter how removed from their business role – be aligned with complex analytics. However, truly effective insider detection only requires targeted information that relates to the organization’s particular business processes and systems. A tailored solution to the organization’s business processes yields far better results on a more manageable scale. After all, the ‘insiders’ tailor their attacks to the environment they operate within.

Sophisticated database compromises and smart hackers may grab the headlines when it comes to ID theft, but as CIFAS research shows, financial institutions also need to look internally. The right tools and access to the right data can provide your organisation with the ability to detect more internal fraud before significant loss and reputational damage occur.


Matthew O’Kane is a senior manager in Detica’s NetReveal product development operations. He has been involved in anti-fraud, credit risk and advanced analytics for more than eight years. O’Kane’s current role is head of Financial Services Analytics Detica NetReveal, where his primary focus is leading the creation of new products with particular emphasis in the retail banking fraud space. Matthew has a BSc in mathematics from Newcastle-upon-Tyne University.
