November 13, 2018
Digital transactions continue to proliferate apace, whether customers are buying, selling or accessing services and content online Knowledge sharing across industries and channels could streamline the user experience as well as reduce fraud and operational cost.
As more and more consumers buy goods and access services and content through digital channels, gaining insight across different industries and channels can accelerate and personalize user experience and reduce fraud and operational cost. ThreatMetrix’s Digital Identity Network, built on the shared intelligence from over a billion transactions per month, can help correlate seemingly disconnected events and security incidents in real time. This provides organizations with anonymized intelligence across financial services, ecommerce, payments, social media, insurance and other diverse industries.
ThreatMetrix’s products allow organizations to differentiate between trusted users and potential threats by analyzing the relationship between devices, digital personas and contextual behavior over time to establish a true digital identity that is continuously evaluated in the context of every interaction.
ThreatMetrix believes not just in the power of big data, but more specifically in the power of big networks. Billions of data points and interactions from tens of thousands of websites combine to build an accurate view of an individual or device prior to the transaction of interest. Organizations can then link identities across devices and channels based on global patterns. ThreatMetrix conducts link analysis across devices, identities and locations in real-time, enabling organizations to link identities across devices and channels based on internal and external (global) linkages and patterns of behavior.
The challenge of tracking fraudulent behavior however, is that the legitimate user and the fraudster may be transacting at the same time. How can an organization protect a trusted user whilst preventing fraud? ThreatMetrix enables the creation of user-specific profiling, identifying anomalies between current and historical behavior to help differentiate between trusted and fraudulent users.
ThreatMetrix Behavior Analytics
Behavior Analytics tools provide an extremely powerful way of detecting and analyzing changes in user behavior. ThreatMetrix’s behavioral model is based on the user’s history derived from the Digital Identity Network and uses behavior and metadata for automated detection of user behavior patterns and anomalies. ThreatMetrix’s Behavior Analytics tool-set allows organizations to create custom variables, rules, models and policies to analyze patterns specific to their organization as well as their users. Rather than a static and linear behavior model, the ThreatMetrix policy engine can determine whether an event falls within a “good user” or “bad user” pattern, whilst still allowing for changes in trusted user behavior (for example if a trusted user legitimately increases the number of devices used). This helps organizations more accurately differentiate between true fraud and legitimate behavior change, reducing the step-up frequency without increasing overall risk.
ThreatMetrix uses behavior, age and location variables to examine the historical data related to a given transaction to run a deep behavioral assessment:
- Behavior variables:
Measures of metadata such as velocity, count distinct, sum and average. measures of metadata such as velocity, count distinct, sum and average.
Crucial insight into legitimate and fraudulent behavior can be derived from velocity and frequency, or how quickly and often something occurs over a particular period of time. These two attributes form an expected baseline that allows for historical comparisons. When a returning customer’s behavior fits the baseline, he or she can be accelerated into your website without additional verifications. This baseline can also be used to keep cybercriminals away when they match known fraudulent behaviors. ThreatMetrix tracks velocity and frequency on a global, per-site, per-event type, per-device, an per-identity basis.
ThreatMetrix believes not just in the power of big data, but more specifically in the power of big networks.
- Age Variables:
Measures of time such as the time since the first event, time since the last event, and average time between events.
A mismatch between behaviors often suggests potential fraud. Understanding a customer’s activity pattern around the frequency and timing of transactions can provide valuable insights to differentiate legitimate users from potential fraudsters or scripting attacks. Age variables can be used to create a time-based profile of the customers’ activity patterns to better evaluate the transactions by benchmarking time-based behavior.
- Location and Distance:
Measure of distance/location such as distance from closest location, average distance between events, and the standard deviation between this event and all other events.
Customers’ location and travel behaviors provide valuable insights that establish normal usage behaviors ThreatMetrix analyzes the customers’ trusted location, distance from the trusted location and also the distance between events.
In addition, ThreatMetrix’s Expression Variable allows attributes and variables that are available in a particular transaction to be combined into a mathematical expression. The main goal of this tool set is to allow risk analysts to create polices that help prevent fraud and reduce customer friction by analyzing behavior at a granular level. For example, the ability to analyze a payment transaction by looking at the average daily amount for a consumer for a specific period of time will deliver additional insight by combining pre-existing variables using mathematical operators. With Behavior Analytics, customers have the ability to architect complex decisioning polices to address their specific business needs with minimum friction to end-users.
The ThreatMetrix Advantage: Powerful Features Not Found in Traditional Fraud Systems
Utilizing sophisticated analytics, a customer can tune the system to produce strong anomaly detection rules that only fire when behavior is truly out of character:
- Access management rules based on device/IP velocity
- Users who regularly exhibit irregular behavior:
Utilizing proxy detection and adaptive analytics, a fraud team can reduce risk rating for users who regularly use a proxy/VPN versus users who are using one for the first time.
- Transaction monitoring models:
Statistical functions that can deal with a wide variety of usage patterns, not simply a high transactional amount.
- Statistical functions and time series analysis in real time:
Full arithmetic functions, sum, count, count distinct, average, maximum/ minimum, time between events, distance on map and many more functions allow true modeling of behavior to detect what counts.
While other behavioral models can suffer from false positives, through leveraging global shared intelligence and deep behavior analytics ThreatMetrix is in a unique position to provide a behavioral model with reduced false positives.