January 10, 2019
We live in a post data-breach world. Identity information, payment credentials, account credentials and responses to security questions are widely available for purchase in bulk. Complete fraud exploits and zero-day attacks are also easily available on the black market for outright purchase or as a hosted/fully managed service. Worryingly, these fraud offerings come with online help and full technical support. At the same time online business is becoming increasingly competitive with tighter economics of operation and declining average revenue per user (ARPU).
There is mounting pressure on all sides. Customers demand security, privacy and a first-class user experience. Investors demand economic efficiency, growth and cost reduction. Regulators including the Federal Trade Commission (FTC) are increasing enforcement actions, including monetary sanctions for poor security and lax privacy practices. Meanwhile, fraudsters are also becoming better organized and increasingly aggressive.
How can businesses effectively protect the security of their customers in this post-breach world? What are the practical steps to implementing an effective fraud and security strategy? ThreatMetrix takes a holistic, layered approach to identifying cybercrime, leveraging the unique digital identities created as people transact online to effectively recognize an organization’s returning users with virtually no associated friction.
Understanding Online Fraud
The fraud climate is complex and ever changing and it is a full-time job just keeping up to date with the intricate technical mechanisms employed in contemporary exploits. Business managers need a framework to understanding fraud and the attack mechanisms used.
One helpful solution is to think in terms of attack vectors (the method of attack) and attack surfaces (the components on which the attack is launched). Attack vectors and attack surfaces can be arranged in endless unique combinations and permutations; each combination essentially defies a unique fraud attack. Fortunately, the resulting endless universe of possible fraud attacks can be simplified into a small number of common basic patterns.
The primary component is the attack vectors that are essentially the ammunition and weapons used to commit fraud. There are four basic classes of attack vectors:
- Stolen and Synthetic Identities: This includes identities and personal credentials that are used in many fraud attacks. This information is widely available on the dark web and can consist of stolen identities from data breaches, phishing exploits, etc.
- Device Malware: This includes Trojans, key loggers, ram scrapers, etc. Most commonly malware is a tool used distribute and implement attacks.
- Web Threats: This class includes bots, proxies, hidden VPNs, scripts, emulators, Man-in-the-middle (MitM) attacks, etc. that enable attackers to mask the device identity, location and web address of the attack source. These are the building blocks for web exploits and are widely available on the dark web both individually, or assembled as full exploits.
- Mobile Application Reverse Engineering: Tools and services for code profiling, reverse engineering and repackaging of mobile apps are widely available on the dark web. Reverse engineered mobile apps can be repackaged and distributed to unsuspecting users.
The next important component of the framework is attack surfaces. Attack surfaces are the transaction components that are vulnerable to third party interference:
- Device: The user’s device is a large attack surface which is vulnerable to multiple attack vectors. These include OS Malware, malicious apps, crime ware and malicious libraries.
- Transactions: This includes Trojans, key loggers, ram scrapers, etc. Most commonly malware is a tool used distribute and implement attacks.
- Transaction Context/Web Context: This attack surface is where device spoofing, IP spoofing, location spoofing and identity masking attacks are targeted. This includes the deployment of hidden VPNs, proxies, botnets and emulators.
- Mobile App: This attack surface is targeted by reverse engineering tools which can be used to change the behavior of the mobile app to bypass security checks, steal credentials or steal user secrets.
The next important component of the framework is attack surfaces. Attack surfaces are the transaction components that are vulnerable to third-party interference. For the online B2C channel the four attack surfaces are the device, the transaction, the transaction context and the mobile app.
The universe of all possible attacks can be catalogued into four basic fraud templates or fraud patterns. Understanding the four basic fraud patterns enables business managers to better comprehend the universe of all possible attacks and the steps required to mitigate them. The basic patterns are identity fraud, payment fraud, transaction fraud and mobile fraud.
- The online identity fraud pattern describes attacks which leverage stolen and synthetic identities which are spoofed using web mechanisms that mask the identity and location of the true source of the spoofed transactions. The masking mechanisms include hidden VPNs, proxies and botnets.
- The online payment fraud pattern is very similar to the identity fraud pattern except that stolen payment credentials are used in place of stolen or synthetic identities. Examples include Fullz, which is essentially a complete set of information: payment credentials and the full set of identity attributes belonging to the legitimate owner. Fraudsters can leverage a botnet to launch an attack using a zombie PC in the same geolocation as the primary residence or workplace of the legitimate owner of the payment credentials.
- The online transaction fraud pattern includes attacks that intercept and manipulate legitimate transactions such as MitB and MitM. Other examples of transaction fraud patterns includes remote access Trojans (RATs). Here, the attacker remotely controls an unsuspecting user’s PC to gain access to the user’s online accounts and launch fraudulent transactions using the identity, device ID and IP address of the legitimate owner.
- The mobile fraud pattern describes attacks that target the mobile application through reverse engineering of the actual source code or mechanisms to steal credentials and secrets using ram scrapers or SMS sniffers.
Fraud Mitigation Requirements
Analysis of the four basic fraud patterns enables enumerations of all the vulnerability classes that must be mitigated to provide complete online fraud protection. The major vulnerability classes include:
- Identity vulnerabilities: Includes fraudulent use of legitimate or synthetic user identities.
- Web vulnerabilities: Web mechanisms used by fraudsters to hide device identity, location and IP address of the attack source.
- Device vulnerabilities: Malware and crime ware used to make user devices behave in corrupt ways.
- Mobile vulnerabilities: Methods to modify or interfere with the behavior of an application.
Protecting the identities of users, employees and partners means ensuring that only legitimate users gain access to the business platform. Authentication is the process of ensuring that users are who they say they are, and are using a legitimate identity. The most obvious way to protect user identities is to implement strong authentication or multi-factor authentication. Not all methods of authentication are equal in terms of assurance level. Interestingly, with so much available stolen data, fraudsters are often more adept at passing basic step-up authentication questions than legitimate customers.
The ThreatMetrix Digital Identity Network
A Layered Approach to Authenticate Identities
The ThreatMetrix Digital Identity Network (The Network) has the capabilities to protect against each of these fraud patterns by analyzing the myriad connections between devices, locations and anonymized personal information. This enables fraud, security, risk, compliance and customer engagement departments to have a unified view and risk model of a user across all digital channels and lifecycle and engagement.
The Network harnesses global shared intelligence from millions of daily consumer interactions including logins, payments and new account applications. Using this information, ThreatMetrix stitches together a user’s true digital identity which routs out, among other things, stolen identities, location cloaking, devices infected with malware and corrupt mobile applications. Transactions are verified in real time against trusted patterns of behavior: high-risk anomalies are accurately identified for review while genuine users experience minimal friction.
This uniquely combines the four pillars of digital identity: device identity, threat intelligence, identity information and behavior analytics.
Integration and Orchestration
Made up of three components:
- A real-time interface to ThreatMetrix that returns device identifiers, anomaly indicators and risk scores. This includes an API server as well as SDKs for web, mobile and endpoint.
- An integrated database called ThreatMetrix Persona DB. This is an extensible, enterprise-accessible database.
- The ThreatMetrix Integration Hub, which integrates prepackaged/customized third-party services without adding friction. This is a REST-based API that provides a bridge to cloud and enterprise data sources and services.
Combines business rules, behavioral analysis and machine learning into an integrated framework to make real-time decisions. The ThreatMetrix policy engine allows businesses to incorporate their own tolerance for risk and operational metrics.
Enables continuous optimization of authentication and fraud decisions with visualization, data correlation and exception handling. This include search and link analysis, reporting for retrospective-based and proactive forensic data analysis and ThreatMetrix Case Management which provides customizable case routing and event correlation.
The ThreatMetrix Digital Identity Network in Operation
The purpose of the Digital Identity Network is to prevent online fraud in real time, by gathering and evaluating transaction data in accordance with policy settings. Let’s return to our four major online fraud patterns (identity, payment, transaction and mobile fraud) and look at potential solutions.
This is the largest fraud pattern and is used in account takeover and new account fraud.
Account Takeover Fraud
Recognizing returning customers is pivotal for business success. Account takeover can severely hinder business growth, customer trust and lifetime value. Knowing your customers and how and when they transact can help detect suspicious behavior or compromised devices. The challenge for businesses is how to recognize returning customers without adding friction. The Digital Identity Network contains multiple identity authentication/protection capabilities that can be used as a silent second factor of authentication or as step-up authentication. These are:
- SmartID This is an HTTP device fingerprint that is optimized for persistence across standard PC lifecycle events. It is calculated from hundreds of device attributes that are measured in real time. The SmartID is calculated in the cloud and is never exposed to the user or the device, making it immune to theft, spoofing or replay.
- ExactID This is an HTTP fingerprint that is optimized for identity assurance. ExactID is also calculated in the cloud and is immune to theft, spoofing or replay. When used together SmartID and ExactID enable the device to be used as a second strong factor of authentication that is transparent to the end used and immune from attack.
- CarrierID This is a third-party feature of the ThreatMetrix Integration Hub which enables real-time federation with the mobile network operators (MNOs) for SIM card-based authentication of a smartphone. Carrier ID offers the highest possible identity assurance which is NIST level 4. The identity credential is stored in the hardware of the SIM card which protects it from device-based software attacks. CarrierID can be activated from a policy call-out.
- SMS Passcode This is also a third-party service enabled via the Integration Hub and and supports a policy callout to external SMS aggregation services.
The ThreatMetrix Digital Identity Network also supports contextual authentication in order to identify possible fraudulent account takeover attacks. These capabilities include:
- True location identification services, including proxy piecing, VPN and TOR browser detection. Detection could then trigger step-up authentication or manual review depending on the policy settings.
- Velocity checks and location rules can also be implemented to identify identify a possible fraud attack.
- Behavior analytics can detect anomalous behavior that may indicate a fraudulent account takeover. A fraudster is unlikely to have knowledge of the behavior patterns associated with the legitimate account holder.
New Account Fraud
This is frequently referred to as account origination fraud and involves false identities that have not previously been seen by the target online business. The attacker attempts to open a new account using a stolen identity or synthetic identity. A legitimate and trusted customer base is essential to business growth; the infiltration of cybercriminals from fraudulent account registrations can result in huge fraud losses. ThreatMetrix can help prevent new account fraud in the following ways:
Identity verification/identity proofing
The Digital Identity Network includes multiple methods for identity verification:
- Analyze the identity of the device and run link analysis to see what persona identities have been associated with that device across the Network. The device identity and persona identity are indexed against global shared intelligence which is composed of anonymized attributes and their relationships and behaviors. Other transaction attributes, including IP address, geolocation, email address, age and device configuration are also indexed into the global shared intelligence.
- Related to this, ThreatMetrix can also verify that a new account request in not originating from a device that is currently associated with other personas already seen elsewhere in The Network. This is a powerful way to protect sites where users may fraudulently register multiple accounts, such as in online gaming.
- The Network can accurately detect account originations that appear to be automated via a botnet by looking for multiple accounts created from a single device, unusual packed fingerprints and comparing these against known botnet intelligence.
- The ThreatMetrix Integration Hub has a number of pre-packaged partner services that also support identity proofing:
- Identity verification services can be used to check personal identity details and analyze the attributes that have been historically associated with that identity such as name, address, IP address, location, email address, age etc.
- CarrierID enables business managers to obtain the SIM card-based identity of the user’s device. This is NIST level 4 identity assurance, which cannot be stolen, copied or spoofed by an attacker. CarrierID also factors in standard lifecycle events such as number change, device lost/stolen, service suspended and carrier porting. This is also one of the pre-integrated services of the ThreatMetrix Integration Hub.
- Step-up authentication using an SMS passcode.
Card not present (CNP) payment fraud is a subset of identity fraud, where the attacker uses payment credentials without the legitimate owner’s permission or knowledge. Many of the same ThreatMetrix capabilities that are effective against identity fraud can also be used for CNP payment fraud, these include:
- Device ID: ThreatMetrix supports a variety of device IDs as described earlier (ExactID, SmartID and CarrierID). ExactID and CarrierID are strong, persistent and impossible to steal, spoof or replay. Carrier ID is NIST level 4 identity assurance. ThreatMetrix device identity effectively binds a CNP transaction to a device as a silent second factor of authentication.
- Device reputation, behavior analytics and link analysis: Using device ID as a starting point, ThreatMetrix can leverage global shared intelligence to identify previous associations of the device with fraud or risky online behavior. This includes direct involvement in transactions that resulted in chargebacks and excessive velocities i.e. high volume payment credentials being launched from the same device.
- Botnet detection and script detection: Fraudsters frequently leverage botnets to perpetrate payment fraud. Botnets enable the fraudster to select a Zombie bot device that is located in the same geographical region as the legitimate card holder. ThreatMetrix can detect botnets even when they are low and slow and therefore appear to mimic legitimate user behavior, for example if a zombie device is used for just one fraudulent attack.
Transaction fraud refers to a family of attacks that hijack legitimate transactions or login sessions. These attacks can be particularly hard to detect because they often appear to be linked to the legitimate user, who may have been targeted by a remote access Trojan (RAT) or unwittingly downloaded remote access software. The fraudster then gains access to the user’s device and targets key high-value transactions, such as banking sessions. ThreatMetrix can help detect and stop this type of fraud using:
- Device ID: When used as a silent second factor of authentication device ID can effectively detect and prevent man-in-the-middle attacks because it detects any unusual connecting devices or other high risk anomalies such as location cloaking.
- Page fingerprinting: Page fingerprinting provides evidence-based detection of illegitimate HTTP / SSL requests which are commonly associated with man-in-the-middle and man-in-the-browser attacks.
- Client agent: The client agent can validate that transactions are being sent to the correct network destination as defined in the certificate belonging to the online destination.
- Malware scan: ThreatMetrix malware scan enables detection of Trojans and rootkits that can be leveraged for RATs.
- Device port scanning: ThreatMetrix can detect suspicious connections to remote management ports in real time.
This type of fraud includes mobile application attacks and mobile host attacks. ThreatMetrix Mobile is a lightweight software development kit (SDK) for Google Android and Apple iOS mobile devices which provides specific protection for the mobile channel. This includes:
- Location Services: Captures Wi-Fi, cellular and GPS details which are compared to IP address information to detect anomalous connections and the use of proxies and VPNs.
- Device ID: Distinguishes new and returning devices by looking at operating system information, system configuration information, hardware and software details and proprietary identifiers.
- Malware Detection: Known, trusted applications are identified in real time, along with any application containing malware or a poor associated reputation. These benefits also apply to the host iOS app.
- Anomaly and Device Spoofing Detection: Anomalous transactions from mobile devices compromised by malware can also be detected.
- Jailbreak and Root Detection: Serves as a potential indicator that the device may have been modified in order to commit fraud.
- Application Integrity Evaluation: Ensures the host application containing the ThreatMetrix Mobile SDK has not been tampered with or modified by malware or a malicious user.
ThreatMetrix Digital Identity Network offers businesses a single fraud and security solution consisting of several tightly integrated fraud prevention technologies which support robust user authentication without adding friction.
The Survival of Digital-First Businesses in a Post-Breach World
It’s clear to see that static identity verification no longer works in a post-breach world, as fraudsters continue to launch unrelenting attacks on digital commerce. Businesses must operate on the assumption that they have already been breached, and will soon be breached again. Cybercriminals have been fast to leverage the network effect and self-organize to exploit lax security and weak fraud prevention solutions. Businesses must fundamentally change the way they think about authenticating user identity, adopting a layered approach that can succeed where traditional methods in isolation are falling short.
However, this relies on a single view of a user’s digital identity across fraud, security, compliance and risk departments and for many businesses, lack of integration across legacy databases makes this extremely challenging. Businesses continue to rely on the lowest common denominator security measures when it comes to transaction security. Tokens, cookies and passwords are staples when it comes to customer recognition and authentication. Layered on top of this shaky foundation is machine learning, behavioral analytics and risk scoring. Businesses are lagging behind cybercriminals, encumbered by big data platforms, a lack of integrated solutions and the sheer volume and persistence of fraud attacks.
The other challenge for digital businesses is ensuring their fraud and security defenses protect against the full spectrum of attacks. Many companies are investing heavily in network security, ignoring the huge volume of attacks directly on user accounts, which are far from safe with basic authentication procedures. This is further challenged by the endless variety of connecting user devices (PCs, smartphones, tablets, IOS, windows, Android and Chrome).
ThreatMetrix Digital Identity Network offers businesses a single fraud and security solution consisting of several tightly integrated fraud prevention technologies which support robust user authentication without adding friction. The ThreatMetrix platform includes multiple forms of device identity, malware protection, web threat protection, reputation and behavioral analytics. The ThreatMetrix policy engine consists of high-performance analytics and machine learning. It can process multiple dimensions of threat associated with each transaction concurrently , with real-time access to historical data as well as external third-party data. Cybercriminals have many threat vectors at their disposal. Most common fraud attacks consist of several threat vectors and cannot be mitigated with disparate point solutions, making this multi-dimensional insight crucial.
In addition ThreatMetrix decision management enables policy rules to be tailored and weighted to reflect the specific risk appetite of the digital business. As the fraud climate changes and evolves, ThreatMetrix decision management supports smart rules, which enables machine learning so that policy settings can be continuously and autonomously adjusted, allowing businesses to stay ahead of changing threat and fraud patterns.
Ultimately, end users don’t differentiate between a network security failure or an account authentication failure. They simply care about the negative and far-reaching consequences of fraud. It is up to businesses to adopt robust fraud and security strategies that protect their end users, as well as secure their own revenue and growth. Users are increasingly demanding friction-free online experiences while expecting their transactions to be safe and secure. Businesses must ensure that the protection they put in place doesn’t end up creating a barrier to doing business.