September 20, 2018
The online digital economy can provide fraudsters with the perfect cloak of anonymity to dupe customers and businesses into allowing fraudulent access to trusted accounts. Businesses must detect and block fraud while ensuring that good customers are not caught in the net of high-friction authentication solutions.
The cost of compromised customer accounts is far reaching, with account takeover having the potential to not only severely hinder business growth, but also jeopardize reputation, customer trust and industry standing. Damage from account takeover attacks is not limited to the business, with organizations also having to protect the customer from compromise and widespread violation of their online relationships and credentials. However, protecting both customer and organization from considerable financial and reputational loss is becoming ever more complex; consumers are storing huge swathes of personal information in online accounts, with fraudsters deploying increasingly sophisticated tactics in order to exploit this vulnerable information via account takeover.
Threats can range from identity, device and location spoofing, to automated bot attacks and advanced social engineering/remote access attacks that piggy back fully-authenticated login sessions. As criminals become less decipherable from customers, businesses need a complete authentication solution that can protect against the full spectrum of account takeover attacks.
The Value of Establishing Trusted Customer Behavior
The ThreatMetrix solution delivers multiple layers of defense against account takeover, enabling organizations to detect suspicious behavior or compromised devices before accounts are infiltrated by fraudsters. This approach allows organizations to verify that customers are who they say they are, every time. What’s more, ThreatMetrix helps to minimize friction by recognizing up to 95% of returning customers.
Underpinning the ThreatMetrix solution is the Digital Identity Network®, which collects and processes global shared intelligence from millions of daily consumer interactions including logins, payments and account applications. This intelligence feeds into the ThreatMetrix Smart Authentication framework, which combines risk-based and Strong Customer Authentication (SCA) for a low-friction approach to authentication. In addition, Digital Identity Intelligence is also leveraged by key components of the ThreatMetrix Dynamic Decision Platform, such as Behavioral Analytics and Machine Learning, to better distinguish between trusted and potentially high-risk behavior.
Providing Risk-based Authentication ThreatMetrix analyzes the risk associated with transactions to avoid friction for genuine customers, allowing most transactions to be passively authenticated in near real time by comparing event data to Digital Identity Intelligence held in the Network. This crowdsourced, global repository combines:
- Web and Mobile Device Intelligence: Device identification, detection of device compromises across web and mobile, device health and application integrity.
- True Location and Behavior Analysis: Detection of location cloaking or IP spoofing, proxies, VPNs and the TOR browser. Detection of changes in behavior patterns, such as unusual transaction volumes, changes to velocity or frequency of transactions or new use of remote access software.
- Identity and Link Analysis: Defining patterns of trusted user behavior by combining identity and transactional metadata with device identifiers, connection and location characteristics.
- Bot and Malware Threat Intelligence: Actionable threat detection for Malware, Remote Access Trojans (RATs), automated bot attacks, session hijacking and phished accounts, combined with global threat information such as known fraudsters and botnet participation.
Providing Strong Customer Authentication Organizations can deploy Strong Customer Authentication (SCA) for high-risk transactions or those that require additional authentication as a result of regulatory requirements (such as PSD2). In this case, the customer’s mobile device becomes the authenticator and the ThreatMetrix Mobile SDK becomes the enabler. Key features include:
- Mobile App Security: ThreatMetrix Mobile SDK is a lightweight software development kit (SDK) for Google Android and Apple iOS mobile devices, providing complete fraud protection for the mobile channel. This includes: application integrity evaluation, advanced persistent device identification, malware detection, location services, jailbreak and root detection technologies, anomaly and device spoofing detection and dynamic configuration and updates.
- Device Binding: Leveraging the trust of existing devices using the following key capabilities:
- Strong Device ID: A unique tamper resistant identifier available for both web and mobile. ThreatMetrix uses Public Key Cryptography to establish a cryptographically-backed strong device identifier.
- Carrier ID: ThreatMetrix works with Mobile Network Operator Data aggregators to create a Carrier ID, a unique persistent identifier representing a mobile subscriber. In the case of a trusted transaction, a user’s device is registered along with user context (such as account name or account email) and a carrier ID obtained from the MNO aggregator. If future transactions reveal increased risk, additional authentication assurance can be provided by invoking the Carrier ID service via an API. Enabled via the ThreatMetrix Integration Hub, Carrier ID provides secure, passive assurance that a transacting device matches with the one registered.
- Multifactor Authentication (MFA) Secure Notification: Push notifications to the user’s mobile device for low-friction authentication without the associated costs of SMS step-ups, available via ThreatMetrix SDK.
- Biometrics: A comprehensive range of FIDO-compliant, low friction, password-free authentication strategies.
Providing Smart Analytics ThreatMetrix Smart Analytics combines intelligence from the Digital Identity Network with behavioral analytics (Smart Rules) and machine learning (Smart Learning). This enables organizations to identify anomalies between current and historical behavior and better differentiate between trusted and fraudulent users.
A Customizable Solution for Your Business ThreatMetrix enables organizations to fine tune and automate responses to login sessions, allowing businesses to incorporate their own businesses processes and tolerances for risk. Businesses are able to allow account access from known good customers or deny logins from highly suspicious situations or known botnet participants. Businesses are also able to implement step-up, “out-of-band” authentication or manual reviews only for suspicious and high-risk logins.
The ThreatMetrix Advantage
ThreatMetrix offers the broadest combination of defenses against account takeover, in a solution which helps reduce friction for good and returning customers.
- An Unparalleled Network: The ThreatMetrix Digital Identity Network protects 1.4 billion unique online accounts using intelligence harnessed from over 3 billion monthly transactions.
- A Comprehensive End-to-End Solution: Universal fraud and authentication decisioning across all use cases and throughout the customer journey.
- Bringing Digital Identities to Life: ThreatMetrix ID combines a unique identifier, a confidence score and a visualization graph to genuinely understand a user’s unique digital identity across all channels and touchpoints.
- An Integrated Approach to Authentication: Flexibly incorporate real-time event and session data, third-party signals and global intelligence into a single Smart Authentication framework, to deliver a consistent and low-friction experience with reduced challenge rates.
- Advanced Behavioral Analytics and a Clear-box Approach to Machine Learning: ThreatMetrix Smart Analytics analyzes dynamic user behavior to build more accurate, yet simpler, risk models. The result is a competitive edge in customer experience with reduced false positives, while maintaining the lowest possible fraud levels.
- Privacy by Design: ThreatMetrix is unique in its ability to solve the challenge of providing dynamic risk assessment of identities while maintaining data privacy through the use of tokenization and encryption.
- Rapid, Lightweight Deployment: The ThreatMetrix solution is cloud- based, providing simple and straightforward integration with existing systems.
Using Digital Identity Intelligence to Detect Key Account Takeover Attacks:
- Use of Stolen Credentials: Detect an attempted login from a new
device for an existing user, logins from unusual or high-risk locations, or using hidden proxies/VPNs, or multiple account access attempts from a single device in quick succession.
- Automated Bot Attacks: Context-based information is used to perform behavioral analysis of users during periods of normal operation and compares such data to that gathered during a bot attack. This helps businesses differentiate between a human and a bot in real time. It can also detect low-and-slow attacks that are designed to bypass traditional rate control measures such as WAFs and mimic legitimate user behavior patterns.
- Social Engineering/Remote Access Attacks: If fraudsters can trick customers into unwittingly downloading remote access software/Remote Access Trojans onto their machine (under the guise of being from their bank for example), they can successfully infiltrate the user’s account. For example, they may be able to gain access to a fully authenticated login session while purporting to be “fixing a problem”, or a Remote Access Trojan (RAT) might stay hidden on an infected machine, monitoring the browsing behavior of its target and stealing sensitive information. ThreatMetrix detects sudden use of remote access software when it hasn’t been seen on an account before, as well as blocking RATs in real time.