Sunday, February 22, 2009

Banking's Achilles Heel

There is a perfect storm raging...
  • non-real-time banking/credit systems
  • global, distributed cash-access networks
  • near-depression global economy
  • collapse of financial markets globally
  • hackers contributing to organized crime
... when you add all those together you get one ugly situation. The recent fraud that was globally-coordinated was only possible because ATM systems, in certain places, operate on a non-real-time batch processing schedule. Having spent many years in a banking/credit institution I can say confidently that there are still many systems which are non-real-time, and the problem is not going to be going away tomorrow.

Have you ever taken money out at an ATM [automated teller machine] only to see it appear on your statement a few days, or maybe weeks later? What about making a debit card purchase that doesn't post to your account (or count against your balance) for days? How about purchasing something on your credit card that doesn't post against your account until the end of the next business day? Have you then wondered why these things happen?

The answer is this: banking and credit systems are still largely batch-processes. These systems depend for the most part on an end-of-day job that takes the sales for the day and sends them to a processor to post through. Sometimes, in certain cases where the merchant is low-tier, these batches don't happen for days or as much as a week!

While on a road trip a year or so ago, we stopped in a mountain restaurant in Southern Carolina... had lunch and bought some gas at the fuel station across the parking lot. When I got home the next day I tried to reconcile my checking account's available cash against purchases only to discover that the nearly $100 I had spent that afternoon hadn't made it to my account. In fact, that debit did not post to my account until 4 days later! This got me thinking...

No one will contend that recent hacker activity around credit card numbers and financial fraud has skyrocketed, and is only trending upward at an alarming rate. With the global financial crisis we can anticipate more losses and hack attempts in the world's financial and credit institutions. So why is this a bigger problem today than it was years ago?

The main reason is that financial systems like credit card processing are not real time; meaning, they do not instantly transfer the money you credit/debit against your account. In fact, as my story illustrates some of the less-developed areas within this ecosystem are very much laggards. These systems aren't going away, either. With banks on the brink of being nationalized there is very little chance that tomorrow we will all wake up to a financial system that has globally performed a rip-and-replace exercise on the technology underpinnings of the credit markets. In short, non-real-time batch processing of credit/debit is here to say for the forseeable future... this presents a glaring problem.

Take a scenario where hackers break into a massive treasure trove of credit account data (such as they did at Heartland Payment Systems, recently) and then create cloned cards which can be used at ATMs to withdraw cash or POS systems to make small purchases without raising any eyebrows. These criminals can then tap into a globalized organized crime network which can take the millions of compromised, cloned cards and strike simultaneously to withdraw massive amounts of cash before any bank realizes what just happened. Massive, coordinated fraud efforts like these are being perpotrated all around the world and it is very, very difficult to find them, and even more difficult to prevent them.

The only answer to attacks of this nature is a full conversion to real-time financial systems within our banking industry. Given the anemic condition most of these banks are, this is simply not a possibility. What makes this even more improbable is that a system like this would have to be cover over to in an all-or-nothing fashion. The bandage would have to be ripped off in one clean motion otherwise the pieces not attached to the new network would systematically begin to fail. Global credit processing failure would lead to an even more serious catastrophic event... but that's neither here nor there.

So you see, the banking industry has only itself to blame for the fraud it's being subjected to right now. Hacking happens, and no matter how PCI Compliant you are, how much money you've invested in preventative technologies they will not stop the determined human attacker who could be sitting in your call center harvesting card data about your customers right now!

So the ultimate rip-off? Finding an account that has a sizeable take, but not too big as to trigger special flags, and simultaneously withdrawing a good chunk of those funds from different global locations. By the time the different batch-oriented systems go to reconcile... you'll be [ $WithdrawAmt x SizeOfMob ] overdrawn and the criminals will have gotten away with it cleanly.

Will this achilles heel ever be fixed for good? It has to be. But only time will tell when... and how painful that transition will be. As for me, I'm going to keep using the cash I've been hording in my mattress.


Nick Bell said...

American Banks are so far behind other parts of the world. I have discovered this personally since arriving in the US from Australia 6 months ago. In the "Land Down Under" transactions on your Debit Cards and Credit Cards can be view almost instantly via internet banking, ATM statement etc. You at least have the amount deducted off your 'total' balance straight away so you can't overdraw and then the transaction's actual details show up at midnight that night.

Pretty Fast!

This has probably been happening for the last 4 or 5 years with Australian Banks. The processing systems and applications driving Australian banking have some sophistication and to add to this I have never been a victim of 'fraud' whilst using these systems. In my 6 months in the USA, I have had my CC frozen three times as a result of 'suspected fraudulent activity' (Not that HSBC could tell me anything nor would they let me verify, they just froze it) and had 2 cards replaced (Heartland!)

USA.....It's time to catch up! Your banking systems are terrible. Give us some confidence. Maybe if they had a better way of processing transactions that didn't have to go through so many systems, we might be better protected. If other parts of the world, including Australia that apparently doesn't have universities (Another story, we all live on farms apparently), can do it surely the 'world leaders and champions' of everything can do it also.

Maybe I should right a post on American Banks are still in the 1980s...Checks?? Seriously...ok I'll stop now!

Unknown said...


I hear what you are saying, but you have to understand how it got to this point. The banking systems in the U.S. have been in use far longer than the systems in Australia. These legacy systems would cost millions to recode. Australia, fairly new to the banking industry, could afford to buy newer systems. I am not making excuses, I am just stating facts.

Do we need to bring our banking systems up to date? Absolutely. In order for us to compete in a world wide economy, we need a desperate overhall. I have not doubt that American ingenuity and hard work will make these new systems on par, if not better, than systems designed in other countries.