Chapter

Pomerleau PL., Auger-Perreault M. (2020) Fraud Risk Management: Using Fraud Analytics to Combat External and Insider Threats. In: Shapiro L., Maras MH. (eds) Encyclopedia of Security and Emergency Management. Springer, Cham. Retrieved from https://link.springer.com/referenceworkentry/10.1007/978-3-319-69891-5_296-1

ResearchGate has not been able to resolve any citations for this publication.
Article
The core goal of this paper is to identify guidance on how the research community can better transition their research into payment card fraud detection towards a transformation away from the current unacceptable levels of payment card fraud. Payment card fraud is a serious and long-term threat to society (Ryman-Tubb & d’Avila Garcez, 2010) with an economic impact forecast to be $416bn in 2017 (see Appendix A). The proceeds of this fraud are known to finance terrorism, arms and drug crime. Until recently the patterns of fraud (fraud vectors) have slowly evolved and the criminals' modus operandi (MO) has remained unsophisticated. Disruptive technologies such as smartphones, mobile payments, cloud computing and contactless payments have emerged almost simultaneously with large-scale data breaches. This has led to a growth in new fraud vectors, so that the existing methods for detection are becoming less effective. This in turn makes further research in this domain important. In this context, a timely survey of published methods for payment card fraud detection is presented with the focus on methods that use AI and machine learning. The purpose of the survey is to consistently benchmark payment card fraud detection methods for industry using transactional volumes in 2017. This benchmark will show that only eight methods have a practical performance to be deployed in industry despite the body of research. The key challenges in the application of artificial intelligence and machine learning to fraud detection are discerned. Future directions are discussed and it is suggested that a cognitive computing approach is a promising research direction while encouraging industry data philanthropy.
Article
At a time when the government is aiming for bank recapitalization, the PNB scam comes as a huge blow to the entire banking sector. The Rs 12,700 crore scam involves at least six banks, raising doubts over the internal safety of operations in financial firms. It may be noted that the PSBs lost at least Rs 227 billion to bank frauds in the last five years. The magnitude of PNB scam is very exorbitant and it has been happening for more than five years undetected. This poses serious questions into the internal operations and auditing processes. The apex bank of the country RBI is facing public wrath for not being able to detect the largest banking scam. It is high time that all PSBs should review their internal process and take appropriate actions. This paper aims to identify and analyze the factors that led to this massive scam. It uses the quality tool 5W2H for analysis. This paper also delves into auditing process of the banks and possible loopholes that led to the fraud. This paper also summarizes the impact of scam on various banks and the economy as a whole.
Article
This article sought to raise the awareness of vulnerabilities in the maritime transportation systems sector and to ask those involved in security and emergency management to answer for themselves, “What are your acceptable risks?” In particular, the review alerts security and emergency managers to the Trojan horse risks that expose maritime organizations, including shippers, mariners, and port employees, to dangers from physical, personnel, and cyber security problems and from natural and man-made disasters, which may appear as Trojan horses. The article first discusses maritime threat actors, motives, tactics, and targets. Next, vulnerabilities of the maritime transportation systems sector that could be exploited by those seeking to conduct a Trojan horse attack are examined. Finally, a variety of security measures used to protect the maritime transportation systems sector from Trojan horse attacks are described. Advice to those in security and emergency management for maritime organizations on how to recognize, plan, and mitigate Trojan horse issues is provided.
Article
This article explores the social and market dynamics of Darkode, an invitation-only cybercrime forum that was dismantled by the FBI in July 2015 and was described by a U.S. Attorney as “the most sophisticated English-speaking forum for criminal computer hackers in the world.” Based on a leaked database of 4,788 discussion threads, we examine the selection process through which 344 potential new members introduced themselves to the community in order to be accepted into this exclusive group. Using a qualitative approach, we attempt to assess whether this rigorous procedure significantly enhanced the trust between traders, and therefore, contributed to the efficiency of this online illicit marketplace. We find that trust remained elusive and interactions were often fraught with suspicion and accusations. Even hackers who were considered successful faced significant challenges in trying to profit from the sale of malicious software and stolen data.
Article
A data breach is the intentional or inadvertent exposure of confidential information to unauthorized parties. In the digital era, data has become one of the most critical components of an enterprise. Data leakage poses serious threats to organizations, including significant reputational damage and financial losses. As the volume of data is growing exponentially and data breaches are happening more frequently than ever before, detecting and preventing data loss has become one of the most pressing security concerns for enterprises. Despite a plethora of research efforts on safeguarding sensitive information from being leaked, it remains an active research problem. This review helps interested readers to learn about enterprise data leak threats, recent data leak incidents, various state‐of‐the‐art prevention and detection techniques, new challenges, and promising solutions and exciting opportunities. WIREs Data Mining Knowl Discov 2017, 7:e1211. doi: 10.1002/widm.1211 This article is categorized under: Application Areas > Business and Industry Fundamental Concepts of Data and Knowledge > Key Design Issues in Data Mining Technologies > Prediction
Article
We examined the influence of three social engineering strategies on users' judgments of how safe it is to click on a link in an email. The three strategies examined were authority, scarcity and social proof, and the emails were either genuine, phishing or spear-phishing. Of the three strategies, the use of authority was the most effective strategy in convincing users that a link in an email was safe. When detecting phishing and spear-phishing emails, users performed the worst when the emails used the authority principle and performed best when social proof was present. Overall, users struggled to distinguish between genuine and spear-phishing emails. Finally, users who were less impulsive in making decisions generally were less likely to judge a link as safe in the fraudulent emails. Implications for education and training are discussed.
Article
The field of Artificial Intelligence (AI) has been around for over 60 years now. Soon after its inception, the founding fathers predicted that within a few years an intelligent machine would be built. That prediction failed miserably. Not only hasn't an intelligent machine been built, but we are not much closer to building one than we were some 50 years ago. Many reasons have been given for this failure, but one theme has been dominant since its advent in 1969: The Frame Problem. What looked initially like an innocuous problem in logic, turned out to be a much broader and harder problem of holism and relevance in commonsense reasoning. Despite an enormous literature on the topic, there is still disagreement not only on whether the problem has been solved, but even what exactly the problem is. In this paper, we provide a formal description of the initial problem, the early attempts at a solution, and its ramifications both in AI as well as philosophy.
Conference Paper
Internet banking (IB) is not a new phenomenon anymore as more and more financial institutions worldwide jump onto this wagon as it creates win-win situation for all parties. There is no need to go to bank office to pay bills, check account balance and make funds transfer. Today banks with significant IB experience provide even more complicated online financial tools and services. Nonetheless, due to the fact that platform of IB is World Wide Web, security and privacy issues are of high concern. So banks in Oman, lacking technically advanced experience of other countries should provide more safe and secure IB services, as security issues in this vulnerable area do exist. This work studies security and safety problems and suggests theoretical and practical recommendations.

I. INTRODUCTION

Due to rapid development of interconnected online IT infrastructure financial institutions around the world urged to keep up with this development as many see the future of commerce and affairs done online. People can do banking operations sitting home, at work, or lying on their beds midnight as this can be done through computers or mobile devices. Internet Banking (IB) was defined as distantly performing financial transactions over internet with the help of bank's website [1]. Since banks provide internet-based services, they should have secure and reliable methods of authenticating their customers [2]. Therefore, banks have to better understand their customers, current adoption of IB and respond quickly to market developments by identifying reasons that impact customer perception of security and usability issues in IB [3]. We believe that many banks in Oman have security issues as there was a biggest ATM fraud heist in history of USD 45mln by hackers worldwide. The cash withdrawals were made through ATMs in 24 countries including the US, Germany, Japan, Russia, Romania, Egypt, Colombia, Britain, Sri Lanka and Canada. Hackers accessed Bank Muscat and Rakbank databases, removed withdrawal limits on prepaid debit cards and created access codes. Others loaded that data onto any expired plastic card with a magnetic stripe and distributed among themselves, thus stealing loads of money [4]. This case subsequently might have led to low use of IB in Oman, which can be seen in statistics discussed next.
Article
In this paper, we give formal analyses of notions of fraud for the aim of verification of trade procedures. A fraud possibility is seen as an undesirable property of a trade procedure which its specification should not satisfy. It is argued that fraud may occur (in a trade procedure) when an agent violates an obligation and he/she also deceives another agent (a controller) about the fulfilment of that obligation. The formal definitions are given using modal operators for obligation, action and belief.
Article
Benford's law has been promoted as providing the auditor with a tool that is simple and effective for the detection of fraud. The purpose of this paper is to assist auditors in the most effective use of digital analysis based on Benford's law. The law is based on a peculiar observation that certain digits appear more frequently than others in data sets. For example, in certain data sets, it has been observed that more than 30% of numbers begin with the digit one. After discussing the background of the law and development of its use in auditing, we show where digital analysis based on Benford's law can most effectively be used and where auditors should exercise caution. Specifically, we identify data sets which can be expected to follow Benford's distribution, discuss the power of statistical tests, types of frauds that would be detected and not be detected by such analysis, the potential problems that arise when an account contains too few observations, as well as issues related to base rate of fraud. An actual example is provided demonstrating where Benford's law proved successful in identifying fraud in a population of accounting data.
Conference Paper
Internet of Things (IoT) will comprise billions of devices that can sense, communicate, compute and potentially actuate. Data streams coming from these devices will challenge the traditional approaches to data management and contribute to the emerging paradigm of big data. This paper discusses emerging Internet of Things (IoT) architecture, large scale sensor network applications, federating sensor networks, sensor data and related context capturing techniques, challenges in cloud-based management, storing, archiving and processing of sensor data.
Article
This paper presents a systematic analysis of twenty four performance measures used in the complete spectrum of Machine Learning classification tasks, i.e., binary, multi-class, multi-labelled, and hierarchical. For each classification task, the study relates a set of changes in a confusion matrix to specific characteristics of data. Then the analysis concentrates on the type of changes to a confusion matrix that do not change a measure, therefore, preserve a classifier’s evaluation (measure invariance). The result is the measure invariance taxonomy with respect to all relevant label distribution changes in a classification problem. This formal analysis is supported by examples of applications where invariance properties of measures lead to a more reliable evaluation of classifiers. Text classification supplements the discussion with several case studies.
Article
A wide variety of systems requires reliable personal recognition schemes to either confirm or determine the identity of an individual requesting their services. The purpose of such schemes is to ensure that the rendered services are accessed only by a legitimate user and no one else. Examples of such applications include secure access to buildings, computer systems, laptops, cellular phones, and ATMs. In the absence of robust personal recognition schemes, these systems are vulnerable to the wiles of an impostor. Biometric recognition, or, simply, biometrics, refers to the automatic recognition of individuals based on their physiological and/or behavioral characteristics. By using biometrics, it is possible to confirm or establish an individual's identity based on "who she is", rather than by "what she possesses" (e.g., an ID card) or "what she remembers" (e.g., a password). We give a brief overview of the field of biometrics and summarize some of its advantages, disadvantages, strengths, limitations, and related privacy concerns.
Conference Paper
Despite widespread adoption, machine learning models remain mostly black boxes. Understanding the reasons behind predictions is, however, quite important in assessing trust, which is fundamental if one plans to take action based on a prediction, or when choosing whether to deploy a new model. Such understanding also provides insights into the model, which can be used to transform an untrustworthy model or prediction into a trustworthy one. In this work, we propose LIME, a novel explanation technique that explains the predictions of any classifier in an interpretable and faithful manner, by learning an interpretable model locally around the prediction. We also propose a method to explain models by presenting representative individual predictions and their explanations in a non-redundant way, framing the task as a submodular optimization problem. We demonstrate the flexibility of these methods by explaining different models for text (e.g. random forests) and image classification (e.g. neural networks). We show the utility of explanations via novel experiments, both simulated and with human subjects, on various scenarios that require trust: deciding if one should trust a prediction, choosing between models, improving an untrustworthy classifier, and identifying why a classifier should not be trusted.
Article
Threats from the inside of an organization's perimeters are a significant problem, since it is difficult to distinguish them from benign activity. In this overview article we discuss defining properties of insiders and insider threats. After presenting definitions of these terms, we go on to discuss a number of approaches from the technological, the sociological, and the socio-technical domain. We draw two main conclusions. Tackling insider threats requires a combination of techniques from the technical, the sociological, and the socio-technical domain, to enable qualified detection of threats, and their mitigation. Another important observation is that the distinction between insiders and outsiders seems to lose significance as IT infrastructure is used in performing insider attacks.
Article
US credit card companies and banks are starting to distribute new credit cards with an embedded chip and magnetic strip that has been in use from the 1970s. The credit card companies and banks can learn several lessons from such efforts made in Europe. The idea behind EMV is simple enough where the card is authenticated by a chip that is more difficult to forge than the magnetic strip. Banks in the UK decided to use PIN verification wherever possible, so that the system there is branded. The US scheme is a mixture, with some banks issuing chip-and-PIN cards and others going down the signature route. EMV also introduces some new vulnerabilities, as the first-wave EMV cards in the UK have been cheap cards capable of Static Data Authentication (SDA) where the card contains a certificate signed by the bank attesting the card data is genuine.
Conference Paper
Cyber security continues to be an increasingly important topic when considering Homeland Security issues. This area however is often overlooked during a disaster or emergency situation. Emergency management within the US as it currently stands lacks any real cyber situational awareness with respect to the core activities of emergency management such as mitigation, preparedness, response and recovery. As a result critical cyber-infrastructure resources that emergency management personnel rely on are left on the sideline when planning, handling, and recovering from emergencies or natural disasters. As emergency management evolves within the US to handle dynamic man-made, and natural disasters such as terrorist attacks, hurricanes, and floods, these issues must be addressed to mitigate risks. This paper takes the first step in examining the issue of cyber situational awareness within emergency management and identifies several concerns for the emergency management community.
Article
A vast database of human experience can be used to direct a search.
Article
This paper discusses the concept of Cloud Computing to achieve a complete definition of what a Cloud is, using the main characteristics typically associated with this paradigm in the literature. More than 20 definitions have been studied allowing for the extraction of a consensus definition as well as a minimum definition containing the essential characteristics. This paper pays much attention to the Grid paradigm, as it is often confused with Cloud technologies. We also describe the relationships and distinctions between the Grid and Cloud approaches.
Article
When Kurt Goedel laid the foundations of theoretical computer science in 1931, he also introduced essential concepts of the theory of Artificial Intelligence (AI). Although much of subsequent AI research has focused on heuristics, which still play a major role in many practical AI applications, in the new millennium AI theory has finally become a full-fledged formal science, with important optimality results for embodied agents living in unknown environments, obtained through a combination of theory a la Goedel and probability theory. Here we look back at important milestones of AI history, mention essential recent results, and speculate about what we may expect from the next 25 years, emphasizing the significance of the ongoing dramatic hardware speedups, and discussing Goedel-inspired, self-referential, self-improving universal problem solvers.
Abdullahi, R., & Mansor, N. (2015). Fraud triangle theory and fraud diamond theory. Understanding the convergent and divergent for future research. Retrieved from https://pdfs.semanticscholar.org/d86f/5988fccc216c92c891191323a2c7f639b834.pdf
Abu-Shanab, E., & Matalqa, S. (2015). Security and fraud issues of E-banking. International Journal of Computer Networks and Applications, 2(4), 179-187. Retrieved from https://www.ijcna.org/Manuscripts/Volume-2/Issue-4/Vol-2-issue-4-M-04.pdf
Binns, C. A. (2019). Investigations: Fraud. In L. Shapiro & M.-H. Maras (Eds.), Encyclopedia of security and emergency management. Cham: Springer.
Chandra, R., & Prihastomo, Y. (2012). Artificial intelligence definition: A review. Retrieved from https://www.semanticscholar.org/paper/Artificial-Intelligence-Definition-%3A-A-Review-Chandra-Prihastomo/d959ad041acca7570a7229e51c18a297bb7ca0b2
Federal Bureau of Investigation. (2018). International business e-mail compromise takedown: Multiple countries involved in coordinated law enforcement effort.
Fleishman, G. (2018). Equifax data breach, one year later: Obvious errors and no real changes, new report says. Retrieved from http://fortune.com/2018/09/07/equifaxdata-breach-one-year-anniversary/
Gordon, W. R. (2018). Information sharing and collaboration. In A. K. Sood (Ed.), Canadian cybersecurity 2018; An anthology of CIO/CISO enterprise-level perspectives (pp. 107-128). Retrieved from https://issuu.com/clxforum/docs/canadian-cybersecurity_2018
Karim, S. S. (2016). Cyber-crime scenario in banking sector of Bangladesh: An overview. Retrieved from http://www.icmab.org.bd/images/stories/journal/2016/Mar-Apr/3.Cyber-crime.pdf
Lobo, S. (2019). Understanding the cost of a cybersecurity attack: The losses organizations face. Retrieved from https://hub.packtpub.com/understanding-the-cost-of-acybersecurity-attack-the-losses-organizations-face/
McMillan, R., & Knutson, R. (2017). Yahoo triples estimate of breached accounts to 3 billion. Retrieved from https://www.wsj.com/articles/yahoo-triples-estimateof-breached-accounts-to-3-billion-1507062804
Menzies, T. (2003). Guest editor's introduction; 21st-century AI: Proud, not smug. Retrieved from https://www.computer.org/csdl/magazine/ex/2003/03/x3018/13rRUxC0SLS
Ozkaya, E., & Aslaner, M. (2019). Hands-on cybersecurity for finance: Identify vulnerabilities and secure your
Pomerleau, P. L. (2019). Public-private partnerships: Port security. In L. Shapiro & M.-H. Maras (Eds.), Encyclopedia of security and emergency management. Cham: Springer.
Walters, R. (2016). Cyber attacks on U.S. companies in 2016. Retrieved from http://thf-reports.s3.amazonaws.com/2016/IB4636.pdf
Wheeler, E. (2011). Security risk management: Building an information security risk management program from the ground up. Retrieved from https://www.amazon.com/Security-Risk-Management-Information-Paperback/dp/B015QL5S22/ref=sr_1_fkmrnull_3?keywords=Security+risk+management%3B+Building+an+information+security+risk+management+program+from+the+ground+up&qid=1555378999&s=books&sr=1-3-fkmrnull