The scourge of electronic banking fraud: Banker/customer responsibilities

Ghana’s current high unemployment situation could, therefore, increase the rising spate of fraud as people succumb to pressure and find a rationale and an opportunity to commit fraud. Christian scripture also says the devil finds work for idle hands.

 The irony, I have noted, however, is that there are some social deviants who would commit fraud not because they are financially handicapped or needy, but merely to boost their weird sense of self-esteem. Perhaps this is to convince themselves (and others) that they too are “smart enough” to have beaten the system of social or organizational controls.  

Fraud is an ever-present monster inherent in the financial landscape. It is simply impossible to eradicate economic crime. For as long as people’s needs remain insatiable, so long will they explore fair and foul opportunities to make ends meet.

Electronic banking has become a very useful innovation in banking and finance, especially for the ease of instant access to funds, of directing instructions to one’s bankers, access to account information and a variety of other functions. It, however, suffers grave vulnerabilities. Mobile, online banking and internet applications produce challenges for the banking and financial systems, especially in emerging economies.

 It has been observed, for instance, that as developed economies find responses to electronic banking fraud, criminals migrate into “fertile” emerging African markets where security consciousness is relatively poor. Sophisticated fraudsters have therefore emerged who find easy ways to commit electronic banking fraud. Cyber criminals are at an advantage because they can commit crime from any part of the world and still remain largely anonymous, although new technologies are emerging to trace the source of criminal messages on the internet.

This accentuates the need for greater surveillance and for continual awareness regarding fraud dimensions, especially electronic banking risks and cyber fraud.

While banks cannot completely avoid fraud, the incidence and impact of the fraud menace can be managed to a significant degree depending on how the banks and their customers conduct their mutual responsibilities regarding electronic card usage. An even greater responsibility lies on the banking community to educate customers on electronic banking usage to stem the rising incidence of fraud.

Fraud can be mitigated by effective controls and a strong culture of prevention and deterrence, good corporate governance practices and assertive action when incidents arise. An induced climate of permissiveness or management indifference to disciplinary measures may foster fraud perpetration.

It is essential, therefore, for banks to have in place effective and efficient procedures and controls, including strong disciplinary mechanisms to deal with infractions of rules, to minimize acts of fraud.

“The Bank of Ghana (BOG) is alarmed at the rising spate of card fraud and defalcation in the banking sector that is threatening the integrity of the financial system,” Graphic Business No 432 of February 28 - March 6, 2017 reports.

This write-up is, therefore, an attempt to promote education and awareness among the banks and their customers about electronic fraud dimensions in the collective effort to sanitise the electronic banking space.

Banks’ responsibilities

From the banks’ perspective, it is essential to have in place effective and efficient procedures and controls. This should include disciplinary mechanisms to deal with staff infractions of rules to serve as a deterrent against acts of fraud. It is generally accepted that about 80% of all fraud committed in banks is done with the connivance of internal staff.

Banks attempt to minimize the incidence and effect of card fraud from various perspectives, the prime being technological innovation. Over time, banks have strengthened the security features of cards they deploy. Among these is the migration from magnetic-strip-based cards for Automated Teller Machines (ATMs) and Point of Sale (POS) devices, which suffer grave vulnerabilities, to chip-and-PIN-based cards. The entire process of producing cards and delivering them to the ultimate users must come under various checks and balances through functional segregation.

In addition, banks rely on improved technologies including firewalls, which come in the form of hardware and software. A firewall is a mechanism by which the bank prevents intrusion into its technological environment, to prevent unauthorised access or to control the flow of information across the network. Other sniffing software also continually surveys the network for any criminal intrusions.

Other security measures employed in the electronic banking environment include, but are not limited to, the following:

  • Regulated access controls (both at the user’s end and the bank’s IT centre)
  • Hierarchical and formalised approvals for access to specified programs or operating systems
  • Close liaison with the Human Resource Department for prompt deletion of staff access to systems during resignations, dismissals, and interdepartmental transfers
  • The use of microchip-based devices such as smart cards or other types of tokens to restrict access to sensitive installations
  • Biometric identifiers which read individual human traits, e.g. fingerprint, voice, facial images (iris pattern)
  • Intrusion detection systems, e.g. CCTVs. One must be aware of the limitations of these devices in order not to fall into a comfort zone.
  • Antivirus and anti-spyware technologies
  • Encryption and regulated disposal of discarded data
  • Disaster recovery planning, including backups and regular checks

Customer education and responsibilities

Customer education is imperative in the fight against card and other electronic banking fraud. Banks should, therefore, invest time and effort in helping customers to understand card usage and the mutual responsibilities in curbing card misuse.

ATM fraud

ATM fraud may be committed at any point in the customer satisfaction chain. It may be prevalent during the production, recording, delivery and dispensing of ATM or credit cards. Banks must employ dual-controlled processing from end to end to minimise card fraud, while emphasizing due diligence in the “Know Your Customer” obligations.

This effort must be complemented with structured education for new customers and even existing card holders on the forms of inherent vulnerabilities in card and other electronic banking applications. In particular, customers must be exposed to the under-mentioned risks to stem electronic banking fraud.

Counterfeit card fraud/cloning

This takes place through skimming, where data, usually on the magnetic strip of a customer’s card, is copied using hand-held skimming devices which transfer the data onto duplicate/cloned cards.

The scam is usually prevalent in retail outlets (supermarkets, fuel stations, airline ticketing outfits, airport lounges, etc.) where tellers or other operators smuggle cards briefly out of sight of customers and skim essential data onto other devices for cloning purposes.

Businesses that accept bank cards have an important role to play in stemming card fraud. Up to 80% of fraud can be stopped at the merchant level through education.

ATM and shoulder surfing

The security of one’s PIN or other authentication mechanism is crucial in the card and electronic banking space. A person standing nearby at the ATM or Point of Sale (POS) machine as you enter your PIN, or punch in your calling card numbers, may be doing more than just waiting for their turn. (The same applies to shouting a recharge units reference to a recipient in a telephone conversation.)

To help prevent shoulder surfing, users must shield their paperwork from view using their bodies, while cupping a hand over the keypad.

Shoulder surfing can also be done at a distance using binoculars or other vision-enhancing devices. Fraudsters may conceal inexpensive, miniature closed-circuit television (CCTV) cameras in ceilings, walls or other fixtures to clandestinely observe users’ data entry, especially in secluded ATM installations. Inspection of the ATM for any tampering or suspicious devices, especially around the keypad, may be helpful to minimize fraud.

Keyloggers

These are electronic devices that may be affixed clandestinely to record keystrokes on a keyboard in order to gain user names, passwords, and other data. They may come in a form similar to a pen drive. Armed with the sensitive passwords of, say, a Manager or a Chief Teller in a bank, a fraudster may even be able to transfer funds from the bank’s vault into other designated accounts for eventual withdrawal.

Customers can be more at risk from key logging software in internet cafes.

Customers may also be tricked into downloading such software at home. Some banks cure this mischief by disabling all the USB ports on network computers to avoid the insertion of any device capable of stealing sensitive data from the bank’s network.

Other generic e-banking fraud

Customers and even bank staff must be educated on what is euphemistically called social engineering schemes. These come in the following forms:

Phishing scams. Here the fraudsters send you unsolicited emails specifically to steal access credentials, e.g. user names and passwords. The emails are purportedly from your bank, requesting you to click on a link in the email to update your personal details. Once clicked, the link will divert you to a fraudulent or spoof website, where the information you enter is sent to the fraudsters, who will then defraud you. Remember that a bank will never request you to confirm confidential information via email or the Internet.

When you receive any suspicious and unsolicited mail (usually with a catchy title) on your computer or smart phone, the best thing to do is to avoid opening the file; delete the file immediately and then go into your recycle bin to delete it there as well. Also, do not use the link provided by the fraudster. When in doubt, type the website address into your Internet browser yourself, rather than clicking on a hyperlink in the email.

Pharming

In this fraud scheme, the fraudster’s attack is designed to redirect a website’s traffic to another, bogus site. It may be conducted either by changing the hosts file on a victim’s computer or by exploiting vulnerabilities inherent in Domain Name System (DNS) server software. DNS servers are computers responsible for resolving internet names into their real Internet Protocol (IP) addresses.

Pharming is most prevalent with home/personal computers which are not protected with firewalls. Pharming scams usually target businesses hosting e-commerce and online banking websites. Combating pharming requires sophisticated anti-pharming measures, not normal anti-virus or spyware removal software.

Website cloning. This is where the fraudsters clone the websites of major banks. In the internet banking space, customers must be educated not to respond to links offered by the potential fraudster in their mail or other correspondence. It is safer for them to type in the website address themselves. Users must refrain from flippantly disclosing their account details and access credentials.

Nigerian 419 scams/advance fee fraud

The scam starts by enticing a victim with a bogus business proposal, or promises of a share in an inheritance, or the proceeds of a lottery the victim has ostensibly won.

 Through unsolicited correspondence, the victim is asked if his/her bank account can be used to launder a huge amount of money, and in return a generous slice of the money is promised.

Advance fees may be asked to facilitate the movement of funds to the gullible (greedy?) victim.     

Where essential account information or details are divulged ignorantly, the fraudster then uses them to instruct your bankers to transfer funds, or your identity may be used to open accounts elsewhere.

In more sophisticated schemes, fraudsters use the names, fake letterheads, stamps, seals and signatures of prominent companies, including government agencies, especially the Central Bank and other high profile banks around the world to give a semblance of authenticity to their schemes to defraud the unwitting victim.

 

 Staff and customers are to be advised to ignore any such solicitations by taming their own greed and gullibility. It is simply inconceivable to have won a lottery you never entered! Staff and customers must refrain from getting excited about these grand schemes and simply work hard and diligently. 

 

* The writer is a Fellow of the Chartered Institute of Bankers, an adjunct lecturer at the National Banking College and author of the textbook “Risk Management in Banking”.

Email: [email protected] Tel. 0244 324181 / 0576436414
