Tackling Data Breach Impact: Machine Learning

Written by

Having spent my career inside financial institutions for over twenty years, endeavoring to help those organizations prevent and solve fraud attacks, it’s been interesting to witness the recent, unprecedented media coverage of data breach activity.

This is activity that companies have been battling with for years, each and every day. Terry Lawson, head of fraud at RBS, told BBC news that the “threat of scams is growing”. That is true – and that’s off an already high base.

In the most recent cases, the people arrested for attacks on consumer companies have not, at face value, appeared to adhere to a typical criminal profile. But that’s the thing – identify theft doesn’t fit a ‘typical’ profile. Criminals know they are unlikely to be able to gather enough data from hacking one company to go on to impersonate genuine customers, with the end aim of stealing goods or funds. So they look for more data to create a complete picture.

The Takeover Threat

With enough information, a fraudster will use people and scripts to attack other data sources, such as a credit reference report. Piecing all of that data together can then be enough to convince a vulnerable individual that they are talking to their bank. Or to convince a retailer, especially online, to release goods to customers who appear genuine but aren’t – airline tickets are a favorite.

We refer to these types of fraudulent activity as ‘account takeover’ and ‘application fraud’. I have seen many account takeovers where vulnerable people are convinced they are talking to their bank and have had their entire savings accounts emptied.

It’s really tough to stay ahead of the criminals. What I’ve seen is that this often means that it’s the customer who first spots that they’ve been the victim of fraud, as a result of earlier identity theft. Fraud systems that rely on rules can’t keep up with changing attacks.

This has a direct impact on customer experience and operational costs for the financial institution involved. Figures from the RBS Group showed that 70% of customers affected by this type of fraud attack never get their money back, becoming the direct victims of the earlier data breach of personal ID from the retail merchant.

Putting Events into Context

What I’ve learnt from battling fraud is that financial institutions need to keep one step ahead by understanding every individual customer. By viewing events in context and by building a deep understanding of every single customer, monitoring every event and transaction taking place in real-time and from multiple channels, fraud attacks stand out like a sore thumb.

We’ve just seen an example of this type of thing with a fraud attack on an airline. The issuing bank was only alerted when a customer called to ask why an attempted legitimate purchase had been declined. It became apparent that the customer’s credit list had been overrun by a criminal who was making fraudulent purchases on the customer’s account. The existing fraud system hadn’t spotted that the customer’s spending habits were uncharacteristic for that individual.

With this fraud threat growing, I predict it’s a case of ‘when’ not ‘if’ for considering the next big data breach and its impact on financial services. Financial institutions know this, but they need to be keeping ahead with new solutions to beat these criminals.

The Power of the Machine

Today’s consumer is technically smart – they expect their banks to be using the latest technology developments for fraud prevention. With machine learning systems, financial organizations now have the means protect their customers from becoming ongoing victims of stolen personal ID. We can’t predict when the next data breach will happen – and how it will impact financial institutions downstream from the attack.

Luckily, what we don’t have to predict is how to solve the problem – the answer is here with machine learning. It’s up to organizations to embrace these systems and gain that vital competitive edge in protecting their customers and their reputations.

What’s hot on Infosecurity Magazine?