The New Perimeter in Online Fraud Detection: Device Identification is First
As if we need another real-world story as proof that online fraudsters are getting far more sophisticated and getting away with their crimes—when Bank Technology News gives us a doozy. “On the Backs Of Mules: An ACH Fraud Scheme” tells the story of how fraudsters with a well-thought-out plan infiltrated a community bank by way of an innocent customer’s credentials. They then used intermediaries to steal tens of thousands of dollars—less than the amount at risk but still a lot of money for the not-for-profit bank customer.
The story is a compelling read that offers lessons for banks and any organization doing business online. There are three approaches to detecting fraud that rely on different kinds of data: behavioral data, personal data and device data. The only fraud detection approach that does not require any information about or from the person is device identification. That doesn’t mean that one approach is better than another—but device identification does bring a new dimension to online fraud prevention that is very effective by itself or additive to other fraud prevention technologies.
Had device identification technology been in place when the fraudsters in this story first attempted to login to the bank with stolen credentials, ThreatMetrix would have identified the computer(s) and might have turned them away based on information gleaned from their machine/session including: a negative reputation from known experience elsewhere on the worldwide web, a match to a local blacklist of “bad” computers, velocity checks that revealed suspicious behavior, use of a hidden proxy attempting to mask an IP address or true geographic point of origin. Device identification could have stopped the fraudsters before they gained access to the bank for reconnaissance.
Had the fraudsters successfully gained entry by way of stolen credentials, then behavioral fraud detection would have monitored their activity early in their pursuit and likely identified anomalous behavior that would alert the bank to the scheme. Device identification isn’t a silver bullet to fight online fraud, but it is the new front line that can detect fraud in real time.
- Tom
