Fraud in e-banking

As the number of offers increases, so does the scope for attack and the potential for damage for the providers. They face the following 3 challenges.

Autorin: Floarea Serban

E-banking is a huge success. Every year, more customers use the digital channels for even more financial transactions. Customers from all over the world can obtain services via the Web at any time. But this is just the beginning. For banks, digitalisation means, as a first step, the secure publication of an increasing number of services via the web: e-banking, e-trading, online mortgages or futures transactions to hedge foreign currency risks are examples.

Threats in e-banking

As the number of offers increases, so does the scope for attack and the potential for damage for the providers. Denial of service attacks and brute force attacks on passwords are still the simplest cases. Attackers are increasingly attempting to smuggle code fragments into the bank customer's computers and mobile devices in order to extend rights or read data without authorisation. Phishing, viruses, Trojans, spyware and other malware are now widespread and are offered illegally but professionally. In phishing, the fraudster pretends to be a trustworthy entity (e.g. the bank itself) in order to entice the user to reveal sensitive information such as passwords. Malware installs itself unnoticed on the user's device and executes payment orders to the fraudster's account in e-banking in the background as soon as the customer has logged into the e-banking portal (session hijacking).

Figure 1: How fraudsters lure customers into revealing their passwords. Source:

The financial industry faces major challenges in minimizing both financial and reputational risks. They can be divided into three aspects. They will be briefly characterised here:

Challenge 1: Threats are constantly changing

While traditional fraud patterns such as debit cards at ATMs, hiring money mules to disguise cash flows, and insider fraud are little changed, in the digital world threats are changing daily: a new malware website is emerging. Phishing messages are sent via WhatsApp, for example. Passwords from the e-banking app can be easily read on the iPhone, for example. The encrypted connection to the backend can be easily levered out. A stolen mobile device is used for e-banking.

It is therefore becoming increasingly impossible for a bank to know in advance all potential technical weaknesses, all malware websites and phishing attacks, to sensitize customers and to implement countermeasures in time. To make matters worse, the customers' devices elude the financial institution's control.

Challenge 2: Too many false fraud alerts

Only a small fraction of all financial transactions are fraudulent. Detected fraud cases are typically in the per mille range; the number of undetected cases is unknown. On the one hand, this rarity makes it difficult to systematically analyse fraud patterns. On the other hand, the proportion of «false positives», i.e. the proportion of orders that are automatically recognized as suspicious but proved plausible during manual checking, is much higher. The manual checking of individual customer orders is a labor-intensive, demanding but error-prone task that requires specialists. If the false alarms are in the range of thousands of transactions per day, this process step can become expensive and slow down the payment process.

Figure 2: Proportion of transactions with suspected fraud before (left, tinted orange) and after manual verification (right, red)

Challenge 3: Digitisation of the financial industry

As digitalization progresses, not only will more services be available online, but APIs will also enable access to back-end systems for partners and app developers. APIs not only allow efficient collaboration without media breaks, but also make it easier for fraudsters to attack the banks' IT systems. He can rely on the API and no longer has to worry about which language the user has set, where the password field is located in the portal user interface or which entries and clicks are required to enter an order. This and other security-relevant aspects of digitization are discussed in this article.

Figure 3: Digitisation of banking services increases scope for attack and damage potential

As fraud becomes more lucrative with digitalisation, fraudsters are becoming more professional in their efforts to steal information, money or goods. Fraudsters are finding more and more new ways to gain unauthorized access to information and systems in order to manipulate orders in the name of the customer or the bank in their favor.

Can you keep up with this rapid development? What skills do you lack to be prepared for the digital future? This is the subject of the second part of our analysis of fraud detection in e-banking.