Companies need more robust ways to protect customers from electronic theft

It sounds trite — heck, it is trite — to point out that IT has revolutionized business. But consider for a moment that the same methods are being used to boost the efficiency of financial fraud.

“The good guys use computers to automate business processes, capture knowledge, and then build on that,” says Elazar Katz, director of the Active Risk Monitoring Practice at Unisys. “But there’s a parallel universe of bad guys who are doing the same thing but with a different aim, which is industrialized fraud.”

By industrialized fraud, Katz means practices such as spyware, keystroke logging, phishing, and other banes of modern commerce. Take, for example, the Stawin Trojan horse discovered earlier this year. Simply opening a contaminated e-mail can install this keylogger on a PC. Stawin then waits for users to visit online banks, logs their keystrokes, and sends the data back to the crook.

Such attacks have often targeted individuals, but are increasingly being aimed at corporations, as InfoWorld noted in its Oct. 4 cover story “Spyware Infiltrates the Enterprise”.

“The Stawin Trojan horse automates a business process — collecting private data,” Katz says. “We may guard against that one, but the next-generation keylogger will probably improve on each step in that process — just as a legitimate product might do.”

To combat industrialized fraud, Katz argues, smarter detection is needed. Rather than just analyzing the signature on a check, banks should compare it to those of the past 10 checks. If two signatures are identical, they might have been copied from an online check image. Or if the same computer is used to sign on by four or five customers, those accounts should be checked to see if payments are being sent to the same, possibly fraudulent, payee.

“Most fraud-management systems queue up suspicious transactions for human review. That’s because, in the past, this was like spotting a pin in a haystack,” Katz says. “Today, you’re not looking for one pin but for the 3,000 pins that were launched your way in the past 20 minutes. You need to handle them differently.”

Speaking of handling things differently, anyone who manages a Web site may enjoy this week’s cover package on content management systems. The CMS used to be the bane of the CTO who installed and managed it, as well as the CFO who paid for it. Today, you can find ready-made functionality online (see “Content Control on Demand”) or invest in a low-cost solution such as those reviewed in “CMS Functionality Meets Value”. Either way, you’ll escape many of the old, familiar CMS headaches.
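The shared-computer check Katz describes (one machine signing on four or five customers whose payments go to the same payee) can be sketched as follows. This is an added example, not code from Unisys or InfoWorld; the event layout, the identifiers and the thresholds of four customers and two common payers are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

# Constructed sample data (not real): (device_id, customer_id) sign-on events.
LOGINS = [
    ("dev-A", "c1"), ("dev-A", "c2"), ("dev-A", "c3"), ("dev-A", "c4"),
    ("dev-A", "c1"),                      # repeat sign-on, counted once
    ("dev-B", "c5"), ("dev-B", "c6"),     # shared PC, below the threshold
    ("dev-C", "c7"), ("dev-C", "c8"), ("dev-C", "c9"), ("dev-C", "c10"),
]
# Constructed sample data: (customer_id, payee) outgoing payments.
PAYMENTS = [
    ("c1", "payee-X"), ("c2", "payee-X"), ("c3", "payee-X"), ("c4", "utility-1"),
    ("c5", "payee-X"), ("c6", "utility-2"),
    ("c7", "utility-1"), ("c8", "utility-2"), ("c9", "landlord-1"), ("c10", "shop-1"),
]

def shared_device_clusters(logins, payments, min_customers=4, min_payers=2):
    """Return one finding per device used by >= min_customers distinct
    customers where >= min_payers of those accounts pay the same payee."""
    customers_by_device = defaultdict(set)
    for device, customer in logins:
        customers_by_device[device].add(customer)

    payees_by_customer = defaultdict(set)
    for customer, payee in payments:
        payees_by_customer[customer].add(payee)

    findings = []
    for device, customers in sorted(customers_by_device.items()):
        if len(customers) < min_customers:
            continue  # too few distinct accounts to count as a shared machine
        payers_by_payee = defaultdict(set)
        for customer in customers:
            for payee in payees_by_customer[customer]:
                payers_by_payee[payee].add(customer)
        common = {payee: sorted(payers)
                  for payee, payers in payers_by_payee.items()
                  if len(payers) >= min_payers}
        if common:  # a busy device alone is not a finding; a common payee is
            findings.append({"device": device, "customers": sorted(customers),
                             "common_payees": common})
    return findings

if __name__ == "__main__":
    for finding in shared_device_clusters(LOGINS, PAYMENTS):
        print(finding)
```

Each finding groups every account behind one device, so a reviewer handles the cluster as a single case instead of a queue of separate transactions.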