Javelin was retained by SAS to understand the current state of e‐channel fraud among U.S. financial institutions (FIs). Javelin Strategy conducted in‐depth interviews with risk and fraud executives from small, mid‐size and large financial institutions to meet the research objectives. In this whitepaper, Javelin also presents relevant elements from its proprietary consumer data to bring in additional insights from the consumer perspective. For more info: www.nafcu.org/sas

1. Current State of E‐channel Fraud Trends:
Online Banking, Mobile Banking and Card Fraud
Conducted by
Javelin Strategy & Research
September 2012
© 2012 Javelin Strategy & Research– All Rights Reserved

2. Executive Summary
Javelin was retained by SAS to understand the current state of e‐channel fraud among U.S. financial
institutions (FIs). Javelin Strategy conducted in‐depth interviews with risk and fraud executives from
small, mid‐size and large financial institutions to meet the research objectives. In this whitepaper,
Javelin also presents relevant elements from its proprietary consumer data to bring in additional
insights from the consumer perspective.
In summary, the study found:
 Today’s anti‐fraud systems rarely track, monitor or report behavior across multiple e‐
banking channels, allowing fraudsters to move quickly from old to new channels where the
risks and vulnerabilities are not well known, and which therefore can be exploited.
 All interviewed recognize a need to improve current electronic banking anti‐fraud
strategies. Nearly 70% of interviewed FI executives have implemented, or are planning to
implement, cross‐channel behavioral anomaly, predictive analytics and other advanced
detection tools to combat e‐banking fraud.
 Malware‐based fraud attacks are being addressed by half the interviewed FIs who offer
customers anti‐malware software downloads.
 Interviewed FIs are not aware of the potential impact of fraud in mobile banking, partly
because few have tools to identify, track and report such fraud incidents separately from
overall fraud attacks.
 Card Not Present fraud is on the rise but some executives interviewed are not satisfied with
the current tools they use to combat credit and debit card fraud, calling for better
modeling and better processes using advanced technologies such as neural networks.
Current State of E‐channel Fraud Trends: Online Banking, Mobile Banking and Card Fraud – September 2012 2

3. I. Overview
Along with an increase in banking channels and electronic payment options, electronic fraud seems
to be keeping a lot of risk and fraud executives on their toes constantly re‐evaluating E‐channel
vulnerabilities and exploring newer ways of tackling fraud. Understanding current trends in
electronic fraud, identifying key risk areas and incorporating state of the art solutions to combat
fraud, will help financial institutions provide a risk free banking environment and boost customer
satisfaction. This whitepaper delves into the nuances of overall electronic banking fraud, the mobile
channel as an emerging area for electronic fraud and current software, programs and processes in
place to stop card fraud. The whitepaper concludes with recommendations on future fraud
prevention strategies as financial institutions move forward balancing increased fraud controls and
analytical capabilities vs. maintaining a positive customer experience.
Current State of E‐channel Fraud Trends: Online Banking, Mobile Banking and Card Fraud – September 2012 3

4. II. Electronic Banking Fraud
All financial institutions agree that electronic banking is an all encompassing term, which includes
online banking, mobile banking and other e‐channels. Interviewed FI executives went as far as
stating that electronic banking includes everything except any face‐to‐face interaction. Given this,
tracking fraud by product and channel is identified as the key method for FIs to categorize and assign
electronic fraud loss and to measure their channel risks. However, what’s missing in current fraud
categorization is a method to successfully categorize cross‐channel fraud, as most fraudulent
activities are not restricted to a single channel or product type. A leading FI executive qualified the
lack of cross‐channel categorization with the following example,
“If I fraudulently enroll in online banking through the call center, login to online banking
to gain some insight into your account and fraudulently order a credit card; is that call‐
center fraud, online fraud, card fraud, or check fraud? The answer is, it is all of those, so
we need a pretty dynamic way to assign the loss and we are still assigning the loss
basically to the product used to perpetrate the actual fraud.”
As FIs struggle to identify the actual source of fraud and how to assign loss, they continue to add
more layers to their authentication and log in processes, as well as their back‐end fraud analytics
and detection systems. But today, anti‐fraud systems rarely track and monitor consumer behavior
across multiple product lines, channels, and systems. Fraudsters recognize and take advantage of
this weakness, as their techniques morph into more sophisticated and targeted multi‐area attacks,
quickly moving to newly introduced banking channels where the risks are not as well known and
where vulnerabilities can be exploited.
Malware tops current fraud trend in the online space. The online channel is a prime focus for anti‐
fraud priorities in 2012 among interviewed executives. Most FIs are dedicating about 20% of their
total fraud spending towards electronic banking threats and almost all FIs have executive
sponsorship for their fraud tools. Cybercrime threats continue to loom large and multiple FIs
mentioned an increase in man‐in‐the‐middle, man‐in‐the‐browser and other malware attacks.
Current State of E‐channel Fraud Trends: Online Banking, Mobile Banking and Card Fraud – September 2012 4

5.
Javelin’s consumer data shows that more than 10% of the identity fraud victims who knew how their
information was stolen reported that it was stolen when making purchases online; another 9%
reported that their information was stolen through the computer due to stolen password or
keystroke capture (see Figure 1).
Figure 1: Method Used to Commit Identity Fraud
1%
7%
1%
Primarily Business Primarily Consumer
Other
Controlled 2% 19% Controlled
Physical items were
stolen
Of the 46% of
21% Purchase at a gas Victims who
station/restaurant/store Reporting
Online/online purchase 10%
(general) Knowing
How Their
Information
Friend/family
Was
member/spouse/co‐ Obtained
worker had previous
knowledge
Moved/items sent to 1% 9%
my old address Through the
computer/stolen
Purchases/transactions 1% 2% Items were password/keystroke
made over the phone lost capturing
3% (general)
Q25. How was your information obtained
Information taken from 2% 3% 9% by the perpetrator?
statements/receipts 8% October 2011, n= 333
Base: All fraud victims who reported
knowing how their information was stolen.
© 2012 Javelin Strategy & Research
Current State of E‐channel Fraud Trends: Online Banking, Mobile Banking and Card Fraud – September 2012 5

6.
Wire transfer fraud and social engineering are not far behind in terms of leading fraud concerns in
2012. While social engineering uses trickery to gain information about customers online, phishing
has evolved over time as it not only looks to steal customers’ credentials but also infects their
machines with malware. One interesting anecdote from a small FI cited below shows how social
engineering or wire transfer fraud really has less do with channels, and more to do with the fact that
fraudsters have become increasingly sophisticated in their approach.
“In one case, the vendor representative’s email was compromised and a fraudster
started to communicate with our customer as though they were the vendor
representative. They made it very convincing because they had all the previous email
communication that basically convinced our customer that he had to change the wire
information. Trusting this email, our client sent money to a new account at their (the
fraudster’s) bank. This one was 100% social engineering and really nothing to do with the
Internet banking fraud. But it was just as successful a loss as it would have been through
Internet banking.”
Current State of E‐channel Fraud Trends: Online Banking, Mobile Banking and Card Fraud – September 2012 6

7.
Electronic fraud is continuing to increase in terms of volume and number of ways of attack. In
addition to malware and social engineering attacks, FI executives also need to watch for, and
combat, increases in cybercrime attacks spurred by data breaches. According to Javelin’s 2012 ID
fraud report, 15% of consumers received a data breach notification from financial institutions, and
consumers who did receive a data breach notification were 9.5 times more likely to be victims of
identity fraud than consumer who did not (see Figure 2).
Figure 2: Fraud Incidence Rate Among Data Breach Notification Recipients –
Letter Recipients are 9.5 Times More Likely to Become a Fraud Victim
Received a data
breach notification 19% 81%
letter
Did not receive a data
breach notification 2% 98%
letter
All consumers 5% 95%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Percent of Consumers
Fraud victim Not a fraud victim
Q2. In the last 12 months, have you been notified by a business or other
institution that your personal or financial information has been lost, stolen October 2011, n= 5,022
or compromised in a data breach? Q5. How long ago did you DISCOVER that Base: All consumers.
your personal or financial information had been misused? Past 12 months. © 2012 Javelin Strategy & Research
Current State of E‐channel Fraud Trends: Online Banking, Mobile Banking and Card Fraud – September 2012 7

8.
About half of the FI executives interviewed stated that there has been a significant increase in
number of fraud attempts through various attack techniques and they have grown worse because of
increased number of electronic banking channels. Given that wire transfer, which usually involves
larger cash payments, is one of the leading fraud trends in electronic banking, FIs don’t see a way to
control their overall fraud loss. A single wire transfer fraud incident could significantly increase the
total fraud loss for an institution regardless of the checks and balances in place.
FIs are looking for a change and are constantly re‐evaluating vendors and solutions to combat
electronic fraud. Nearly thirty percent of FIs interviewed named one of two leading products that
they use to block malware and other FIs were considering implementing the same solutions to help
stop fraud. Regardless of the tools in place, satisfaction with them runs surprisingly low among
these executives. This is partly due to the complexity involved in implementing or integrating certain
software and tools, and partly because of the nature of being a risk and fraud executive. They feel
that if fraudsters react with more sophisticated fraud techniques each time a new tool is
implemented then the executives cannot afford to be satisfied even if the latest anti‐fraud
technology is in place. One primary concern among most executives is how these advanced fraud
detection and prevention tools hinder the customers’ overall banking experience. Executives worry
that constant prompts for downloads and updates to increase security may become cumbersome
for customers and could turn them away from using electronic channels.
“Mostly, we have put in painful controls for customers. There’s always the fine line in
terms of customer pain versus fraudster access, so we continue to tweak those a lot. We
focused on a lot of customer education so we offer [anti‐malware] to customers, starting
in 2010. Our adoption rates are not what we expected but the customers who do have
installed it have not had a single fraud case...”
Current State of E‐channel Fraud Trends: Online Banking, Mobile Banking and Card Fraud – September 2012 8

9.
Executives believe that fraud detection works in silos. FIs want a tool that detects cross‐channel
fraud which is easy to integrate with their systems with little or no modification. In the past two
years, there has been a strong push towards incorporating behavioral, geolocation and
demographic monitoring; however, not all FIs that Javelin interviewed have analytical tools built in
to track fraudulent or suspicious behavior on online channels. Among the FIs interviewed, 40%
mentioned having any kind of behavioral analytics or cross‐channel information tracking in place
with a dedicated team to crunch and analyze the numbers. Thirty percent of the remaining FIs are
looking to implement robust behavioral analytics to help curtail fraud using transaction analysis
which looks for anomalies. In addition to educating customers on safe banking practices, executives
are looking to turn towards real‐time vs. batch processing of transactions to help catch fraud which
can occur through various channels. Further, they are looking for back‐end customer velocity and
transaction scoring to provide more control for tracking and stopping fraud.
Current State of E‐channel Fraud Trends: Online Banking, Mobile Banking and Card Fraud – September 2012 9

10. III. The Emerging Mobile Channel
Almost all institutions interviewed currently offer some form of mobile banking and several
executives report they are expanding their current mobile offerings. Consumer usage of mobile
devices, such as feature phones, smartphones or tablets, is growing steadily. New mobile payment
and banking apps further make the mobile channel very attractive for consumers. Interestingly,
however, all executives interviewed believe that mobile banking is nascent and are not yet entirely
sure about its fraud impact.
FIs uncertainty regarding the size and scope of mobile fraud can be attributed in part to how most
FIs currently track all forms of fraud. None of the FIs interviewed have dedicated fraud investments
assigned to track and curtail mobile fraud separately from overall fraud through their various
channels. Twenty percent of FIs interviewed mentioned that they have tools to identify fraud by
device type; however, it is currently accounted for under the overall umbrella of electronic fraud. FIs
are looking to increase adoption of mobile banking; however, they currently lack tools to track
mobile fraud because they don’t yet see significant enough mobile banking volume to warrant
independent tracking and reporting. This essentially puts them in a Catch 22 situation. Executives
acknowledge the need to refine their fraud tracking capabilities by channel, by device and even by
cross‐channel tracking, so as to be able to better pinpoint sources of fraud. Acquiring such
capabilities will be vital for combating fraud risks presented by the rapidly developing mobile
channel.
Current State of E‐channel Fraud Trends: Online Banking, Mobile Banking and Card Fraud – September 2012 10

11.
Mobile devices are prone to more severe threats than personal computers, partially because they
lack security measures that are more common on personal computers such as antimalware
software, personal firewalls, and built‐in web browser security tools. Javelin’s recent report shows
that 7% of smartphone users were victims of identity fraud when compared to 4.9% of the total
adult consumer population (see Figure 3).
Figure 3: Fraud Incidence Rate among Smartphone Owners
Smartphone
7% 93%
owners
All consumers 5% 95%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Percent of Consumers
Fraud victim Not a fraud victim
Q39A: Please indicate which of the following products do you currently November 2011, n= 5,022
personally own. Q5. How long ago did you DISCOVER that your personal or Base: All consumers.
financial information had been misused? Past 12 months. © 2012 Javelin Strategy & Research
Current State of E‐channel Fraud Trends: Online Banking, Mobile Banking and Card Fraud – September 2012 11

12.
While FIs don’t yet see the value of tracking mobile fraud separately, consumers are very conscious
and aware of needed mobile banking security. According to Javelin, 22% of mobile consumers would
like data encryption between the mobile device and bank as a way to make mobile banking more
secure and 14% would prefer all data on their mobile device to be encrypted (see Figure 4).
Figure 4: Preferred Security Features among All Mobile Consumers
Encrypting data between the mobile device and the
22%
bank server
Guarantee of reimbursement for fraud transactions 20%
Encrypting data on my mobile device 14%
Sending me an SMS or email alert when there is unusual
10%
activity on my account
Bank ability to suspend access to my online banking
9%
account when mobile device is lost or stolen
Services such as antivirus programs or spyware blockers 7%
Ability of my mobile operator to remotely disable my
6%
phone when I report it lost or stolen
Nothing/None of the above/No Preference 4%
Ability for me to track the physical location of my
4%
handset when it is lost or stolen
Unsure 2%
0% 10% 20% 30% 40% 50%
Percent of Mobile Consumers
June 2011, n= 3,180
Q22: Which of the following security features do you believe will make Base: All consumers with a mobile device.
mobile banking more secure and safe to use? (Select one only) © 2012 Javelin Strategy & Research
Current State of E‐channel Fraud Trends: Online Banking, Mobile Banking and Card Fraud – September 2012 12

13.
Javelin’s data also shows that 35% of mobile consumers would like to be verified by personal
security questions and 21% by fingerprint scanning or voice recognition (see Figure 5).
Figure 5: Preferred Security Features among Mobile Bankers
Ask questions that only I know the answer to 35%
My usual log‐in and password that I use for online
27%
banking
My ATM or debit PIN 25%
Require a fingerprint scan or voice print to login 21%
Additional authentication besides username and
21%
password
Show an image you previously selected always
18%
displayed at login
Mobile device authentication (only allowing my
18%
mobile device to access my accounts)
Send a special one‐time code by text message to my
12%
mobile phone
Other, please specify 1%
0% 10% 20% 30% 40% 50%
Percent of Mobile Bankers
June 2011, n= 926
Q22: Which of the following security features do you believe will make Base: Mobile bankers past 12 months.
mobile banking more secure and safe to use? (Select one only) © 2012 Javelin Strategy & Research
This shows that consumers expect FIs to provide state of the art security features to assure them of
secure mobile banking. This also means FIs will need to set a separate budget to have programs in
place for combating mobile fraud due to increased adoption of mobile banking.
Current State of E‐channel Fraud Trends: Online Banking, Mobile Banking and Card Fraud – September 2012 13

14.
NFC could be a potential game changer. Mobile payment options are on the rise and Near Field
Communication (NFC) technology, although touted as more secure, could leave the door open for
new types of hacking attacks. At this stage the fraudsters are lying low but as the use of NFC grows in
the mobile payment world, FIs and payment providers alike should watch for innovative, more
targeted and sophisticated malware. One FI interviewed acknowledged the potential change for
mobile fraud with NFC adoption.
“Once that hits, all bets are off. It certainly becomes a space that is very attractive to the
fraudsters. I think there is more of a threat around the malware space on the mobile
phone, since it is essentially a PC. The Fed actually released an interesting survey about
consumers’ sentiments towards the mobile space. Their number one concern was that
somebody could hack in remotely with their phone and the second was that payments
could be wirelessly intercepted.”
Current State of E‐channel Fraud Trends: Online Banking, Mobile Banking and Card Fraud – September 2012 14

15. IV. Credit and Debit Card Fraud
Lost and stolen cards, counterfeit cards and skimming are the leading categories in credit and debit
card fraud; however, what is on the rise is card not present (CNP) fraud. Approximately half of the FI
executives interviewed mentioned that CNP fraud is much higher in terms of cases and dollars, with
a split of about 60% CNP vs. 40% card present fraud. Javelin’s data shows that online purchases
continue to be the leading form of card misuse. Forty‐one percent of consumers affected by identity
fraud through the misuse of existing or new cards admitted that the card information was misused
for making online purchases and 17% mentioned that it was misused to make purchases by phone
or mail (see Figure 6).
Figure 6: Misuse of Information among Fraud Victims
Make purchases online 41%
Make purchases in person 35%
Make purchases over the phone or through the mail 17%
Write checks 9%
Withdraw cash from an ATM 7%
Buy prepaid cards or gift cards 4%
Made purchase (unspecified) 3%
Opened a new account 3%
Obtain health care 1%
Paid for utilities 1%
Tax fraud 1%
0% 10% 20% 30% 40% 50%
Percent of Fraud Victims
October 2011, n= 799
Base: All fraud victims.
Q12. How was your information misused? Was it used to...? © 2012 Javelin Strategy & Research
Current State of E‐channel Fraud Trends: Online Banking, Mobile Banking and Card Fraud – September 2012 15

16.
All executives interviewed mentioned that CNP fraud tracking is included in their overall card fraud
tracking mechanisms and that there is no separate plan or program in place for CNP tracking despite
its increase. One interesting quote from a mid‐sized FI sums up the current state of card fraud tools.
“I am not very satisfied with the tools we are using currently. I think as far as the card
space is concerned, we are still using technology that’s twenty years old. There needs to
be better modeling, and better processing from the neural networks and so forth”
CNP fraud should be seen as an area of high risk because of the weak authentication processes in
place. Fraud in this area could quickly worsen. Online and mobile purchasing is growing at a faster
rate than in‐store purchasing. Additionally, as more secure chip technologies such as EMV are
adopted for transacting (and until remote readers become standard consumer fare), history has
shown that fraudsters are likely to quickly migrate to CNP frauds because they are relatively easier to
perpetrate.
Current State of E‐channel Fraud Trends: Online Banking, Mobile Banking and Card Fraud – September 2012 16

17. V. Fraud Prevention Strategies
All the executives interviewed are completely aware of the need to shake up and improve their
current fraud prevention strategies in the electronic banking world. Key areas for future anti‐fraud
spending and innovative fraud tracking include:
 Analyze fraud across channels using an integrated approach. One of the major
problems with electronic fraud is the inefficiency of tracking crimes in silos. Tracking
fraud across channels in an enterprise view is essential for FIs to get a clear picture of
current fraud loss. FIs will need to heavily invest in this area to build a platform to
integrate departments, products and channels in order to effectively monitor, mitigate
and prevent fraud.
 ID and device recognition is essential to increase adoption of mobile banking.
Javelin’s data shows that 18% of consumers who have mobile banked in the last 12
months are looking for their banks to incorporate mobile device authentication and
21% stated they expect their banks to include additional authentication besides
username and password (see Figure 6, on page 15). Consumers are willing to take
more control in their banking relationships. Indeed, mobile devices are becoming tools
to fight fraud as their use for one‐time‐password and out‐of‐band transaction
verification increases. With more robust device security and ID recognition tools, FI
executives should work to empower customers to work as partners in helping to
mitigate fraud occurring across any channel.
 Performance metrics are necessary to direct resources to areas of greatest need. It’s
not enough to fight against fraud; it’s also essential to measure performance. Most FIs
use basis points—net losses compared to net sales volume—to track their return on
investment (ROI). Executives mentioned tracking all fraud tools in terms of the
numbers of accurate cases detected and total fraud losses compared to the
investment. The revised FFIEC guidelines make it clear that not only are FIs expected to
adopt advanced user identification and authentication techniques, technologies and
processes, they will need to demonstrate and document their success for the regulator
as well as for internal management reporting. This means being able to measure
attempted attacks as well those successfully thwarted, while performing analysis that
will enable redirecting resources where needed for constant improvement.
 Real time fraud processing and tracking of transactional data is increasingly
important in this era of constantly changing technology and progressively
sophisticated malware attacks.
Current State of E‐channel Fraud Trends: Online Banking, Mobile Banking and Card Fraud – September 2012 17

18.
 Be proactive and predictive vs. reactive. It is clear that current methods of tracking
fraud cannot be sustained with changing technology, especially in the mobile area. To
gain consumers’ confidence, FIs will need to step up and be more proactive in their
approach when dealing with emerging fraud in mobile, NFC and CNP areas. Predictive
analytics will increasingly drive fraud prevention techniques.
 Educate consumers about malware and antivirus products. FIs are constantly faced
with the challenge of balancing the fine line between providing secure, fraud‐free
banking environment and hindering the customer experience. Over the last couple of
years, an increasing number of consumers believe that it is partially their responsibility
to protect their financial accounts from fraud (see Figure 7). If FIs step up and educate
consumers about safe practices and add layers of authentication to mitigate fraud,
then consumers should not resist the added security provided by their banks. But FIs
also need to hide some of their efforts in back‐end anti‐fraud systems which evaluate
transaction velocity, geolocation of the customer’s device, user behavior and other
performance metrics on a real time basis to stop fraud before it occurs.
Figure 7: Consumer Attitude on Fraud Responsibility, 2008 to 2011
2011 9% 4% 55% 21% 11%
2010 5% 5% 55% 25% 10%
2009 3% 5% 52% 25% 15%
2008 2%4% 51% 28% 16%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Percent of Consumers
Solely my responsibility 1 2 Equally shared by bank and me 3 4 Solely the bank's responsibility 5
Q37. When it comes to protecting your financial accounts from
fraud, who do you think should be primarily responsible? On a 1 to March 2011, 2010, 2009, 2008 n= ,4,961, 5,046, 2,683, 2,256
5 scale, let 1 represent "Solely my responsibility", 3 represent Base: All consumers with financial accounts.
"Equally shared by bank and me" and let 5 represent "Solely the March 2011, 2010, 2009, 2008 n= 5,102, 4,998, 2,779, 2,350
bank's responsibility". © 2011 Javelin Strategy & Research
Current State of E‐channel Fraud Trends: Online Banking, Mobile Banking and Card Fraud – September 2012 18

19. VI. Conclusions
Combating fraud in electronic banking is a never ending story due to new attack vectors, new online
banking channels, new consumer devices for accessing accounts and new banking services. Industry
leaders need to think about feedback reporting and measurements as part of a cross‐channel anti‐
fraud strategy. Such reporting and metrics are part of an FI’s responsibility to reduce fraud in order
to improve ROI and more importantly, to maintain customer trust. According to this study, FIs
indicate willingness and even an eagerness to adopt new, more sophisticated tools that use
advanced analytics to detect new, emerging threats which are increasing in complexity, as well as
continuing to fight existing fraud. These tools go hand‐in‐hand with process improvements, policies
and procedures to achieve their goal of mitigating fraud to acceptable levels while balancing the
overall customer experience.
Current State of E‐channel Fraud Trends: Online Banking, Mobile Banking and Card Fraud – September 2012 19

20.
Learn how SAS can help financial institutions monitor behavior across multiple e‐banking channels
at www.sas.com/security
Current State of E‐channel Fraud Trends: Online Banking, Mobile Banking and Card Fraud – September 2012 20
SAS and all other SAS Institute Inc. product or service names are registered trademarks or trademarks of SAS Institute Inc. in the USA
and other countries. ® indicates USA registration. Other brand and product names are trademarks of their respective companies.
105932_S94883.0812