Fraud involving financial services transactions is on the rise. There are multiple reasons fraud is increasingly a concern. First, the volume of transactions is growing by double digits annually and the transaction volume is huge. In 2012, e-commerce worldwide surpassed $1 trillion dollars. Second, the pace of change is increasing. New products, that are often quite complex, are being introduced and new technologies have increased the potential for access by employees, contractors, and others.
Third, the economic downturn and lack of employee engagement increased the potential for fraud. The maxim, “Idle hands are the devil’s workshop,” is truer today than ever. Under-employed and unemployed individuals may devote time to fraudulent rather than productive activities. Employees that feel less engaged can be more likely to rationalize that fraud is acceptable. In 1953, criminologist Donald. R. Cressey identified three elements of fraud--opportunity, pressure, and rationalization--as the fraud triangle to explain why individuals commit fraud.
A fourth reason could be the cost of fraud to organizations conducting business via e-commerce. At the current time, many organizations simply estimate potential losses as part of their business model. In 2012, retailers in the US and Canada using e-commerce lost around $3.5 billion due to online fraud according to CyberSource, a provider of payment processing and risk management services. Better preventive controls could help businesses reduce their losses due to fraud. Papers offering models with relevant ideas on reducing fraud should be welcomed.
This is potentially one such paper. It is divided into five sections: “Introduction,” “Related Work,” “Proposed Fraud and Crime Detection Model,” “Risk Points Calculation Method of the Fraud Detection Model being Proposed,” and “Conclusion.” It includes tables and figures to illustrate key points. In Section 4, the authors provide a flowchart to outline the model’s key components and decision points. A table is also provided of items of active data collection, names of forensics tools, and user terminal analysis methods.
The model works by calculating risk scores by analyzing the customer device used for the transaction, and by examining prior behavior and transaction patterns. If a factor in the current transaction is out of scope when compared to normal prior transaction behaviors, the financial company may apply additional authentication. If two or more factors are out of the norm, the company may apply transaction blocking.
In reading the paper, one has to ask how it contributes to the understanding of the topic. Does it offer unique insights? It’s interesting to compare the theory of the paper with what is commercially available. The paper appears to have been published in late January 2014, just before a commercial enterprise, Kaspersky Labs, announced its new fraud prevention platform in February 2014. Kaspersky’s offering is aimed at the protection of electronic payments on computers and mobile devices. The solution is aimed at banks, financial organizations, and companies in the e-commerce sector. Kaspersky conducted market research to determine the need.
Kaspersky’s product appears to use a more advanced model than that addressed by this paper. Kaspersky’s product addresses customers using devices other than Windows computers, with support for Mac and mobile (iOS and Android) devices included. One of the deficiencies of the paper is that it focuses solely on the Windows platform; devices using the *nix platform, Apple’s operating system, and mobile devices are not discussed. More customers are using mobile, with over 20 percent of financial transactions conducted using a mobile platform in 2013, according to Gartner.
Kaspersky also appears to go deeper than the model proposed by the authors by not just addressing system file modification, but also checking for safe browser mode, rootkits and other vulnerabilities, and protection against screen grabbing. Part of the Kaspersky product includes a software development kit that can improve branded mobile applications.
The paper might be most useful to individuals who are looking for papers seeking specific factors and technical details used in calculating risk scores for a fraud financial transactions model, with the caveat that certain commonly used devices outside of Windows are not included. The paper’s flowchart might also be a good starting point for individuals starting to examine financial transaction fraud models.
The paper is marred by grammatical mistakes in the use of English; for example: “users of none [sic] face-to-face electronic financial transaction services.”
Fraud is likely to increase in the years ahead. Useful preventive controls to detect and deter it would have great value. This paper may have more value if the authors are able to review the commercial offerings currently available and then provide an updated version. However, the paper as it currently appears remains a tough slog.
