Cyber security teams have long tested their controls through exercises such as tabletop exercises and by hiring external pen testing companies to identify a bank's weaknesses. This is considered business as usual, and funding external pen testers is table stakes.
In contrast, banks have traditionally responded to fraud by analyzing what happened after the fact, making subtle changes to stop a particular exploit, and assuming that these changes will stop future fraud.
This reactive approach is costly and, at many institutions, ineffective. Fraudsters are constantly evolving their techniques, and banks need to be proactive in testing their fraud controls to identify gaps and weaknesses.
In my opinion, there are three main reasons why fraud red team testing (where testers think like a fraudster and conduct real transactions in the production environment or at a branch) is not more widely used:
- Fraud is a distributed function, and it is not clear who owns the responsibility for testing fraud prevention controls. Is it the business, the channel, the fraud shop, the info sec team, or the risk management team’s responsibility?
- The fraud culture is rooted in predictive analytics, which looks backwards at past data to identify future fraud. It is reactive by design (and some shops call it whack-a-mole).
- Banks are willing to tolerate some fraud losses as long as they are within risk tolerance.
However, this approach has handsomely funded fraudsters, who are constantly finding new ways to exploit banks. In the face of this, banks need to add proactive testing to their fraud defenses before they get beat, and learn to invest in stronger controls before the fraud losses and operational expenses mount. It's often said that if you have a great business case for implementing new fraud controls, you probably didn't do a good job of understanding your risk.
I encourage fraud prevention teams to learn from their cyber security counterparts and adopt fraud red team testing (i.e., red teaming) as a best practice. Perhaps think of it as an extension of your secret shoppers or your voice of the customer (i.e., voice of the fraudster).
I know of several banks that have incorporated this into their business as an ongoing process with great success, and I would be happy to share details. What they have found is that by proactively testing their controls, they can identify and mitigate vulnerabilities before fraudsters exploit them. This helps them protect their customers and their bottom line.
Below are links to the other blogs in this Red Team Testing series.
Part 1 Red Team Testing Blog
Part 2 Red Team Testing Blog
Part 3 Red Team Testing Blog
About the Author
Since 2005, Ken has worked in online security. He was a Director at MUFG Union Bank, retiring in early 2019. He helped shape the initial responses to the U.S. 2005 and 2011 FFIEC Regulatory Guidance to improve online security for US banks. He is an early adopter and has selected and implemented a number of online security products. Ken was an advisor to the RSA eFraud Global Forum and a Program Committee member for the annual San Francisco RSA Conference. He is currently on The Knoble Scam Committee. He has recently published three white papers: one on the need to focus on online customer safety, one on online authentication, and one on how to select a multi-factor authentication solution. He has been blogging on consumer financial scams, focusing on when financial institutions offer reimbursement. He was also the editor for the complete list of definitions of financial scams published by The Knoble in 2022. In 2019, he received the Legends of Fraud Award at the 3rd annual FraudCON conference in Israel. He is currently consulting for banks and online security vendors.