Wednesday, 23 October 2024

A View from the Sit-Stand Desktop - Internet Banking Fraud

The following was grabbed from my Facebook post of the (pretty much) same name from 30/09/2024, and then mildly edited...

They say that a week is a long time in politics, and it’s an eternity in the every-second-counts, 24/7 world that is internet banking fraud. For those on both sides of the online financial crime cycle, anyone can be a victim, it can happen any time and without warning, and it’s a target-rich environment out there. The following thoughts are based on my time (all 2.5 years of it so far) as an Internet Banking Fraud Analyst, and are offered purely from a personal perspective.

Given the speed at which online criminals can extract, move, and hide funds from one online crime scene to another, it’s up to us in the banking and finance industries to be as professionally unpleasant to these … people (and I use that term as loosely as I can because these types are radioactive, sub-human scum in my book) as we can and still provide the level of service to our customers that they expect and deserve. Probably the most effective thing that we could introduce is “speed bumps” to slow the flow of scam and fraudulent transfers from victim to mule to ultimate beneficiary. I have absolutely no idea how much the following ideas would cost to implement; like I said before, I am but a humble, at-the-coalface fraud analyst with nothing but ideas and a dream (of crotch-punching every scammy bastard on Earth until various things bleed. Uncontrollably).


SETTING THE SCENE.

Recent years have provided a flurry of neo-banks and other online-only financial services and providers that don’t rely on the physical presentation of identification documents, with all proof-of-identity checks being provided by way of electronic verification of the details provided by the end-user. Most of the time this process is above-board and squeaky-clean, and the newly created profiles and accounts go about their normal business without even a hint of shady activity. Then there are those banking profiles that are anything but “above-board and squeaky-clean”, and it's these profiles that provide the majority of tools and facilities used by online criminals against us and against our customers. How do we stop these fraudsters before they begin or, at the very least, slow them down as much as possible?


PROVE IT OR LOSE IT.

How much harder would it be for online criminals if there was a database of the essential details of compromised identity documents (probably no more than document type, document number, and state of issue) that was referred to during the profile or account opening process and, if flagged, triggered a response where the applicant would be prompted to present the actual physical documents in person for an equally in-person inspection and verification by a flesh-and-blood employee before an account could even be opened?

It’s a good start, but it leaves the online-only banks in the lurch unless we provide the capacity for their potential customers to be manually identified by a flesh-and-blood bank employee. So maybe there should be scope for customers of any financial institution to be manually identified by staff at any other financial institution (or even Australia Post, for that matter, if push comes to shove). Despite the myriad of competitors in the banking and finance space, we all have a common enemy out there, so some measure of co-operation and even a bit of quid-pro-quo is called for. It's worth it in the long run, I'm sure.

How ... annoying would it be for a fraudster if a new potential customer whose ID has been flagged as a matter of ongoing concern (because database hacks and breaches really are a thing these days, just ask Medibank and Optus to name but two) is provided with a unique reference number and is asked to attend any financial institution with their nominated ID for physical inspection and verification within the next 5 business days or so? A legitimate customer can then attend their closest bank branch (it doesn’t matter which) with their ID and their reference number, their ID gets verified, and the identifying employee informs the other financial institution that the customer’s ID has been verified in person. Regular customers may be inconvenienced by this development, but online scammers would be pleasingly enraged by the rampaging kick to the (no?) dick at this development. As an Internet banking fraud analyst, I take great comfort in any discomfort this potential development causes any wannabe "free money harvester". In the immortal words of my youngest, "Cry about it". (Take your time, I'll wait).

Let’s take it just one step further. What happens to these same online scammers if legitimate individuals, even if their own ID details haven’t been compromised yet(!), are empowered to register those same essential details of their ID documents to that same database as a pre-emptive measure? If this were an option today, you can guarantee that I'd be at the head of the queue willing to sign up for such a service.
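A minimal sketch of the registry flow described in this section, added here as an illustration and not taken from any bank's system. The class and function names, the keyed-hash storage (so the registry holds no raw document numbers), and the weekend-only business-day count are all assumptions.

```python
import hashlib, hmac, secrets
from datetime import timedelta

# Assumption: registry members share a secret so only keyed hashes are stored,
# never the raw document numbers. Constructed demo value.
REGISTRY_KEY = b"constructed-demo-key"

def fingerprint(doc_type, number, state):
    """Keyed hash of the three essential details, normalised so that
    'nsw' / 'NSW' and '1234 5678' / '12345678' map to the same entry."""
    norm = "|".join("".join(p.split()).upper() for p in (doc_type, number, state))
    return hmac.new(REGISTRY_KEY, norm.encode(), hashlib.sha256).hexdigest()

def add_business_days(start, n):
    """Skip weekends only; public holidays are ignored in this sketch."""
    day = start
    while n > 0:
        day += timedelta(days=1)
        if day.weekday() < 5:
            n -= 1
    return day

class IdRegistry:
    def __init__(self):
        self.flagged = set()   # fingerprints of breached or self-registered IDs
        self.pending = {}      # reference number -> (fingerprint, deadline)

    def flag(self, doc_type, number, state):
        """Used for breach data and for an owner's pre-emptive registration."""
        self.flagged.add(fingerprint(doc_type, number, state))

    def screen(self, doc_type, number, state, today):
        """Called at account opening. Returns (decision, reference, deadline)."""
        fp = fingerprint(doc_type, number, state)
        if fp not in self.flagged:
            return ("electronic_ok", None, None)
        ref = secrets.token_hex(8)
        deadline = add_business_days(today, 5)
        self.pending[ref] = (fp, deadline)
        return ("in_person_required", ref, deadline)

    def confirm_in_person(self, ref, doc_type, number, state, today):
        """Called by whichever institution inspected the physical document."""
        fp, deadline = self.pending.get(ref, (None, None))
        if fp is None or today > deadline:
            self.pending.pop(ref, None)  # unknown or expired reference
            return False
        if not hmac.compare_digest(fp, fingerprint(doc_type, number, state)):
            return False  # reference is valid but the document shown differs
        del self.pending[ref]  # single use
        return True
```

An application that returns `in_person_required` stays unopened until `confirm_in_person` succeeds; an expired or reused reference number fails closed.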


SLOW THE TIME, SLOW THE CRIME.

Think hard for a moment: how many times in the last 12 months have you actually been inside a bank branch to conduct any sort of transactional activity? I’d wager good money that for most of us it’s less than a handful of times, if at all. We take for granted the simple fact that we can transfer money from one account to another, and from person to person, regardless of distance or financial institution at any time of the day or night, and from the comfort and convenience of wherever we may have our phone, tablet, or PC available when we do it. The fact we take this for granted is also the fact that our adversaries bank on for their own activities.

Okay, how do we deliver another (so very well-deserved!) dick-kick to these sorts of people? Easy! If your profile is a non-physically verified ID, and your profile with your bank has less than 12 months of regular, active, and non-suspect activity associated with it, then all deposits to your account, regardless of where they're coming from (ATO and Centrelink benefits fraud recipients, I’m looking right at you, you jammy gits!), have a mandatory 72 hours of hold time applied to them before you can spend them or otherwise move them to another destination. If this proves to be personally annoying, then by all means go show your ID at a physical branch of any bank in Australia and prove to all and sundry that you really are who you say you are and that you are not the product of some shifty bastard with access to the proceeds of yet another data-breach. If, on the other hand, you are a scammy bastard then you are more than welcome to cry about it. At will, and at length.
