Industry News

As the U.K. embraces check images, security risk awaits


Michael Lynch | Tuesday, April 18, 2017

Payments Source

While the U.K. gears up for what promises to bring greater convenience and faster clearing times from document imaging, businesses that still rely on the ability to accept paper cheques can learn from their counterparts across the pond, who found new risks accompanied the increase in speed.

Thanks to recent legislation, the Cheque and Credit Clearing Company (C&CC) announced recently that image-based cheque clearing will be coming to the U.K. starting this October. First to implement will be some banks and building societies, with the rest of the industry implementing through the second half of 2018.

In the U.S., the Check Clearing for the 21st Century Act (or Check 21) was implemented in 2004. And, as is expected in the U.K., the ability to process cheques electronically reduced costs associated with transporting and handling paper, reduced clearing and check return times, and paved the way for mobile deposit and remote capture.

However, this new functionality also meant that financial institutions took on potentially greater risk from electronic acceptance, images in the cloud, and significantly reduced float times.

As remote and mobile deposit capture took off in the U.S. in the wake of Check 21, financial institutions and payments processors began to seek enhanced digital risk mitigation methods to combat the increased fraud from malware/crimeware and reduced time to review for fraudulent items, as well as the inability to inspect physical items (making alterations and forgeries more difficult to detect), and with good reason: According to the ABA 2015 Deposit Account Fraud Survey Report, the number of banks suffering losses from consumer “remote deposit capture” (RDC) activity increased 400% from 2012 to 2014. And analysis conducted by Guardian Analytics across 400 financial institutions found that 72 percent of mobile banking fraud included use of RDC and fraudulent checks.

So, while U.K. financial institutions will be gearing up for image-based check clearing, you can count on fraudsters gearing up to exploit new vulnerabilities.

Specific malware threats have evolved to take advantage of this type of new functionality:

“Screen grabbers” have the ability to capture a consumer’s activity via video or camera image, such as the consumer remotely depositing a check with a smartphone. Fraudsters see tremendous value in the check images; they can use the images to create authentic-looking counterfeits and issue many checks very quickly before the bank or customer realizes there is a problem.

Hackers use malware to capture check images and credentials and use the account and checking information to commit account takeover fraud. Fraudsters reverse engineer a financial application, insert malicious capabilities, and then impersonate the legitimate app. They are then able to “phish” customers into installing this app. Once the app is installed, the fraudster can fool consumers into entering personal information and capture their executed transaction information, which in this case might be their account information or check images.

Remote administration tools (often referred to as RATs) can be used by fraudsters to gain remote administrative control of any Android device. Examples of these tools include DroidJack and OmniRAT, which allow a hacker to gain access to information including remote deposit check images or exploit the RDC functionality.

It’s more essential than ever that financial organizations implementing image-based cheque clearing protect against malware/crimeware and other fraud schemes. A multi-faceted solution that includes digital device authentication such as detection of location, spoofing tools and other fraud tools, in combination with the ability to detect known malicious applications will offer the most comprehensive weapon for detecting fraud and mitigating risk.

Device authentication technology can determine device riskiness and flag potentially suspicious activity on the device at the time of the transaction. There are thousands of individual characteristics on a mobile device, including the operating system, location, application data and other valuable information.

Enhanced device intelligence technology can leverage these attributes, combining them to form a unique and permanent device identifier. This identifier acts as a secure token that the customer will have in their possession. If the device involved is not the one typically used by the customer, financial institutions may choose to challenge the user with additional authentication techniques.
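The device-identifier check described above, combined with the malicious-app and location-spoofing signals, as an added example that is not from the article or from any vendor's product. The attribute names, key, package list and decision labels are assumptions made for illustration, and the sample devices are constructed.

```python
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-key"  # assumption: per-institution secret, constructed here
STABLE_ATTRS = ("hardware_model", "install_id", "keystore_pubkey")  # assumed field names
FLAGGED_PACKAGES = {"com.example.flagged.rat"}  # hypothetical known-malicious app list


def device_id(attrs):
    """Keyed hash over canonicalised stable attributes, so an OS update does not change it."""
    stable = {k: attrs.get(k) for k in STABLE_ATTRS}
    canonical = json.dumps(stable, sort_keys=True, separators=(",", ":"))
    return hmac.new(SERVER_KEY, canonical.encode(), hashlib.sha256).hexdigest()


def assess_deposit(attrs, known_ids):
    """Return (decision, reasons) for one remote deposit capture attempt."""
    reasons = []
    if FLAGGED_PACKAGES & set(attrs.get("installed_packages", [])):
        reasons.append("known_malicious_app")
    if attrs.get("mock_location_enabled"):
        reasons.append("location_spoofing")
    if reasons:
        return "flag", reasons  # assumed policy: hold the item for fraud review
    if device_id(attrs) not in known_ids:
        return "challenge", ["unrecognised_device"]  # step-up authentication
    return "allow", []


# Constructed sample devices for one customer.
USUAL = {"hardware_model": "Phone-A", "install_id": "i-1001", "keystore_pubkey": "pk-aa",
         "os_version": "7.0", "installed_packages": ["com.example.bank"]}
UPDATED = dict(USUAL, os_version="7.1")  # same phone after an OS update
NEW_PHONE = dict(USUAL, hardware_model="Phone-B", install_id="i-2002", keystore_pubkey="pk-bb")
INFECTED = dict(USUAL, installed_packages=["com.example.bank", "com.example.flagged.rat"])
SPOOFED = dict(NEW_PHONE, mock_location_enabled=True)
KNOWN = {device_id(USUAL)}  # enrolled at first trusted login

if __name__ == "__main__":
    for name, dev in [("updated", UPDATED), ("new", NEW_PHONE),
                      ("infected", INFECTED), ("spoofed", SPOOFED)]:
        print(name, assess_deposit(dev, KNOWN))
```

Hashing only attributes that survive updates keeps the identifier stable for the customer's usual phone, while a device that reports no stable attributes simply fails to match and is challenged.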

Biometrics can also be integrated with mobile device authentication for an even deeper multi-layered approach, ensuring that a transaction is not only being initiated from an authenticated, trusted device free of malware or crimeware, but is also being conducted by a verified user.

Detecting malware and preventing malware activity are critical to ensuring that consumers are protected when using RDC functionality.

The rollout of image-based cheque clearing will prepare the U.K. to move cheque presentment into the digital age, offering convenience, cost savings and faster payment times. It’s essential that financial organizations be equally prepared to implement next-generation fraud mitigation solutions.

This article was licensed through Dow Jones Direct.
