It sounds trite -- heck, it is trite -- to point out that IT has revolutionized business. But consider for a moment that the same methods are being used to boost the efficiency of financial fraud.
"The good guys use computers to automate business processes, capture knowledge, and then build on that," says Elazar Katz, director of the Active Risk Monitoring Practice at Unisys.
"But there's a parallel universe of bad guys who are doing the same thing but with a different aim, which is industrialized fraud."
By industrialized fraud, Katz means practices such as spyware, keystroke logging, phishing, and other banes of modern commerce. Take, for example, the Stawin Trojan horse discovered earlier this year. Simply opening a contaminated e-mail can install this keylogger on a PC. Stawin then waits for users to visit online banks, logs their keystrokes, and sends the data back to the crook.
Such attacks have often targeted individuals, but are increasingly being aimed at corporations.
"The Stawin Trojan horse automates a business process -- collecting private data," Katz says. "We may guard against that one, but the next-generation keylogger will probably improve on each step in that process -- just as a legitimate product might do."
To combat industrialized fraud, Katz argues, smarter detection is needed. Rather than just analyzing the signature on a cheque, banks should compare it to those of the past 10 cheques. If two signatures are identical, they might have been copied from an online cheque image. Or if the same computer is used to sign on by four or five customers, those accounts should be checked to see if payments are being sent to the same, possibly fraudulent, payee.
"Most fraud-management systems queue up suspicious transactions for human review. That's because, in the past, this was like spotting a pin in a haystack," Katz says. "Today, you're not looking for one pin but for the 3000 pins that were launched your way in the past 20 minutes. You need to handle them differently."