Corporations, not consumers, are coming under increasing attack from fraudsters reaping results from a bumper crop of information stolen in a wave of major data breaches within the past two years.

The biggest breaches shook consumers' confidence and hurt the reputations of such brands as Sony and Citibank (see story).  But analysts say the greatest damage is occurring behind the scenes as thieves use stolen data to steal funds directly from businesses, including banks, corporations and e-commerce marketers.

Anecdotal reports of fraud incidents involving corporations have increased sharply in the past six to nine months alone, Julie Conroy McNelley, a senior analyst at Aite, tells PaymentsSource.

"We haven't experienced anything previously like the recent onslaught of attacks, which suggests thieves may be leveraging the type of data stolen in major breaches involving big names like Heartland (see story)  and Global Payments" (see story), she says.

Much of the fraud involves thieves deploying malware against small and midsize businesses to capture bank-account and payment-login data to reroute funds to bogus parties, McNelley says.

Such break-ins require elaborate engineering and spear-phishing tactics, but assiduous thieves are succeeding, particularly in corporate accounts that have deeper pockets than the average consumer, she says.

And banks are particularly vulnerable to losses from corporate customers because they are not required to reimburse corporations the way they must make consumers whole after a fraud loss, Avivah Litan, a vice president and distinguished analyst at the Stamford, Conn., market research company Gartner, tells PaymentsSource.

"Corporate-account losses are usually much higher than consumer-fraud losses, and while banks may not be required to reimburse corporations, they risk losing that customer and a lot of other business if fraud occurs," she says.

Because attacks are occurring at many levels, one of the best ways to counter such invasions is arming corporate employees and corporate bank accountholders with better tools to track account activity as it happens, analysts say.

Mobile phones and tablets may emerge as the leading weapons in the war against fraudsters, Litan says.

"The main threat is account takeover, and if each accountholder or customer has methods of validating transactions, it could improve fraud protections significantly," she says.

Increasingly, smartphones and tablets are providing a way for banks and corporations to equip accountholders with tools to monitor accounts through an out-of-band, or separate, channel from the one where the transaction is taking place to verify whether it is legitimate, Litan says.

Authentify Inc., Entrust Inc. and EMC Corp.'s RSA Security Solutions are among the vendors providing technology adaptable to smartphones and other devices to enable corporate accountholders to monitor a broad range of transactions, she says.

Such account-monitoring products typically trigger a text or computer message notifying a corporate customer or bank accountholder of transactions, including funds-transfers. They particularly focus on any request to add a new payee to payrolls, which is how many fraudsters are beginning to steal funds.

"The area of adding a new payee is where we're seeing a lot of fraudulent transaction growth," Peter Tapling, CEO of Chicago-based Authentify, tells PaymentsSource. "It's a relatively newer and growing area that can cost corporations a great deal of money when a bogus payee is added to an account and overnight thousands of dollars are paid out to a crook."

Authentify's 2CHK product is an example of the type of tool banks and corporations can use to battle such fraud, Tapling says.

Designed to protect so-called "man-in-the-middle" fraud attacks, 2CHK enables users to verify transactions via cell phones or a secure channel on a computer by displaying transaction details for approval before execution. If the details are suspicious, the user can immediately cancel the transaction.

Such tools also are getting more uptake lately from banks because they coincidentally are helpful in satisfying the Federal Financial Institutions Examination Counsel's new Internet authentication guidelines, which took effect in January, Litan says.

The guidelines require banks to perform risk assessments and fraud-prevention measures and to increase customer awareness of risks in online transactions (see story).

"We're seeing an increase in tools that equip accountholders with methods of preventing fraudulent transactions as banks map out strategies to respond to the new federal institutions guidance," McNelley says. "Little by little, these tools are helping companies make headway against the bad guys, who are always working to stay ahead of us."

What do you think about this? Send us your feedback. Click Here.

 

Subscribe Now

Authoritative analysis and perspective for every segment of the payments industry

14-Day Free Trial

Authoritative analysis and perspective for every segment of the industry