The scourge of account takeover isn't lost on Citizens Union Bank, which is involving its business customers — or rather, their biometric traits — in improving the security of their accounts.
A common method of identity verification is a phone call to ask security questions or provide some other means of conversational authentication. But when a human is on both ends of the conversation, fraudsters can use social engineering tactics to get through a bank's defenses. Biometric authentication provides a potentially safer alternative.
"The criminals behind this crime are professionals," said Kim Dodson, treasury services manager of Citizens Union Bank, a $525 million asset community bank that serves areas near Louisville, KY. "They go to work every day and run multi-million dollar companies stealing from others."
Dodson oversees business-to-business payments, and is using biometric technology to combat account takeover crime. Called Bio-Wire, the ACH Alert technology analyzes wire transfers and sends a warning if a pre-defined rule is violated. The clients make a phone call to an automated system and are authenticated by matching their voice to a prerecorded voice on file, which is designed to eliminate the opportunity for social engineering that human interaction provides.
The banks set thresholds for invoking extra voice authentication, said Deborah Peace, CEO of ACH Alert. Large or otherwise unusual transactions can be a trigger for fraud—and voice recognition of the proper business person can halt unauthorized purchases, Peace said. "Crooks can spoof the business email address of someone in authority at a business and send an email to a lower level staff member asking to make a payment to a fraudulent address."
One of the most prevalent types of account takeover occurring today is Business Email Compromise (BEC), also known as CEO Fraud, Dodson said, adding that it's a scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds, Dodson said, adding that most victims report using wire transfers as a common method of transferring funds for business purposes.
"However, some victims report using checks as a common method of payment. The fraudsters will use the method most commonly associated with their victim’s normal business practices," Dodson said.
That type of fraud pressures business operators, especially at smaller businesses, to be aware of the transactions flowing in and out of their company, according to Dodson. "[ACH]'s customer participation model requires the customer to take action in the decisioning of ACH and wire transactions," Dodson said. "This model forces the customer to take ownership in protecting their assets while educating them at the same time."
Attacks against corporates are increasing and can result in large losses, because large wire transfers and Automated Clearing House payments are "guaranteed funds" and the bank cannot cancel the transaction or recall the money after learning a transfer is fraudulent, according to Shirley Inscoe, a senior analyst at Aite. The sending bank can notify the receiving bank of the fraud and request the money back, but the receiving bank is not obligated to do so; in most cases, that means the corporate customer bears the fraud risk, she notes.
"But many banks are improving the security over business payments to protect the customers and retain their relationship," Inscoe said. "Voice biometrics is of particular interest for banks that require a callback on transactions over a very large dollar amount."
The trend toward more companies using emerging technology to protect transactions is "encouraging," according to Al Pascual, a senior research director and fraud expert at Javelin Strategy & Research, but there is still a risk since the crooks are clever enough to identify — and thus avoid — the parameters that trigger the extra authentication. "It's definitely a move in the right direction, but banks would be wise to make more dynamic decisions as to when to institute any type of step-up authentication."