August 14, 2018
Existing Web and Mobile Security Solutions are Failing to Stop Organized Cybercriminals
Forrester Vice President and Principal Analyst, Andras Cser, discusses the importance of bringing together fraud management, IT security and line of business owners to address fraud reduction and customer friction. Learn how businesses can leverage cloud services to implement risk-based authentication through data sharing.
Cybercriminals are gaining access to bank accounts and making fraudulent transactions. Traditional security systems that rely on credentials are susceptible to compromise when fraudsters use stolen credentials. In an effort to stop cybercriminals, fraud prevention teams often step up existing security solutions. While this improves fraud detection rates, it also increases friction and false positives. This makes shared intelligence a crucial tool to fight organized criminal networks.
The more you’re able to understand the behavior and the data, and the more you’re able to share this with other “phishermen,” the more you’re able to catch as many poor phish as possible.
One of the problems that we’ve seen moving forward is that data breaches and cyber fraud do not go away. We’ve seen that the Target, Home Depot, Sony and Anthem data breaches are just the beginning. Protecting customer data is very important, and organizations must be able to defend against its misuse, abuse or fraudulent use.
The Retail Shift to Online and Other Card-Not-Present Channels means a Major Change in Fraud Management
As organizations build out their own in-house developed fraud management systems, those systems become unsustainable. This is going to be a pretty difficult area for organizations, where fraud losses must be considered as a cost of doing business. Additionally, profit is reduced when good customers are turned away by overzealous methods that try to catch fraud but stop too many transactions. Any commerce environment or bank that causes customer frustration slows customer acquisition down. Spending money on employees for manual case reviews and investigations searching for potentially fraudulent activity becomes prohibitively expensive with too many investigators.
When it comes to web fraud management authentication, two-factor authentication, device application fingerprinting and transactional monitoring are great tools, but they can be very difficult to maintain and cost a lot of money. You’re practically married to your developers and forced to pay their salaries indefinitely. All this for a fraud management solution that does not detect the latest threats and fraudster methods.
Unfortunately, these resourceful cyber crooks are always two steps ahead of fraud management and anti-money laundering practices. IT security teams are increasingly realizing that they cannot solve the problem of fraud management if they’re just looking at transactions. They must understand the online context of the transaction, whether it is a desktop or a mobile device, which may be readily available at the IT security level, and finally compliance. Sharing data streams is a very delicate balance, and this is based on something that we hear from almost everybody in the fraud management space.
In the past, fraud management efficiency was based upon how much money we could stop from losing; now it is about applying better security controls to inhibit fraud and make it easier for our true customers to interact with us online. This idea of engaging with customers has always been the key tenet. Efficiency has always been objective number one: eliminating false positives. So basically, while you’re trying to catch a certain level of fraud, you’re trying to reduce the number of manual investigations that intercept known good customers.
The Cybercrime Industrial Complex
These cybercrime organizations have created business models that can best be described as the cybercrime industrial complex, with vendors providing any number of tools and services, including distribution of personal information and stolen credit card data that the vendor guarantees!
They all start with a multitude of technologies and techniques, from the use of malware, social engineering and phishing to finding vulnerabilities for data breaches that are straight out of the headlines, as indicated by JP Morgan Chase, Home Depot and the IRS, to name a few. As reported by the Identity Theft Resource Center, almost 720 breaches last year, containing more than 2 million records, were quickly sold on the underground. Some personal information is very private (i.e. data stolen from healthcare providers like Anthem and Phoenix Services). Email and password combinations that were stolen from Adobe, AOL, eBay and Google are bound to piece together the identities of many. Forms of multi-channel fraud have taken a bit of a back seat lately, but with the focus on these data breaches and with a growth rate that’s more than doubling every year, it won’t be long before they make their comeback.
Now that variants are detected in hundreds of thousands of transactions per day, that’s a targeted way to collect personal data, and an even more creative one when customers are tricked, as they log on to a bank account or accounts, into transferring money to “mule” accounts in response to phishing emails and other messages. The attacks are all about tricking people into divulging credentials through spam email campaigns or targeted phishing of high-value individuals, luring the users to counterfeit websites with the intention of stealing their data.
ThreatMetrix, the leading provider of context-based security and fraud prevention solutions, shares how understanding users’ digital identities across a global data network can identify trusted users from cybercriminals in real-time.