September 25, 2018
September 20, 2018
We live in a post data-breach world. Identity information, payment credentials, account credentials and responses to security questions are widely available for purchase in bulk. Complete fraud exploits and zero-day attacks are also easily available on the black market for outright purchase or as a hosted/fully managed service. Worryingly, these fraud offerings come with online help and full technical support. At the same time online business is becoming increasingly competitive with tighter economics of operation and declining average revenue per user (ARPU).
There is mounting pressure on all sides. Customers demand security, privacy and a first-class user experience. Investors demand economic efficiency, growth and cost reduction. Regulators including the Federal Trade Commission (FTC) are increasing enforcement actions, including monetary sanctions for poor security and lax privacy practices. Meanwhile, fraudsters are also becoming better organized and increasingly aggressive.
How can businesses effectively protect the security of their customers in this post-breach world? What are the practical steps to implementing an effective fraud and security strategy? ThreatMetrix takes a holistic, layered approach to identifying cybercrime, leveraging the unique digital identities created as people transact online to effectively recognize an organization’s returning users with virtually no associated friction.
The fraud climate is complex and ever changing and it is a full-time job just keeping up to date with the intricate technical mechanisms employed in contemporary exploits. Business managers need a framework to understanding fraud and the attack mechanisms used.
One helpful solution is to think in terms of attack vectors (the method of attack) and attack surfaces (the components on which the attack is launched). Attack vectors and attack surfaces can be arranged in endless unique combinations and permutations; each combination essentially defies a unique fraud attack. Fortunately, the resulting endless universe of possible fraud attacks can be simplified into a small number of common basic patterns.
The primary component is the attack vectors that are essentially the ammunition and weapons used to commit fraud. There are four basic classes of attack vectors:
The next important component of the framework is attack surfaces. Attack surfaces are the transaction components that are vulnerable to third party interference:
The next important component of the framework is attack surfaces. Attack surfaces are the transaction components that are vulnerable to third-party interference. For the online B2C channel the four attack surfaces are the device, the transaction, the transaction context and the mobile app.
The universe of all possible attacks can be catalogued into four basic fraud templates or fraud patterns. Understanding the four basic fraud patterns enables business managers to better comprehend the universe of all possible attacks and the steps required to mitigate them. The basic patterns are identity fraud, payment fraud, transaction fraud and mobile fraud.
Analysis of the four basic fraud patterns enables enumerations of all the vulnerability classes that must be mitigated to provide complete online fraud protection. The major vulnerability classes include:
Protecting the identities of users, employees and partners means ensuring that only legitimate users gain access to the business platform. Authentication is the process of ensuring that users are who they say they are, and are using a legitimate identity. The most obvious way to protect user identities is to implement strong authentication or multi-factor authentication. Not all methods of authentication are equal in terms of assurance level. Interestingly, with so much available stolen data, fraudsters are often more adept at passing basic step-up authentication questions than legitimate customers.
The ThreatMetrix Digital Identity Network (The Network) has the capabilities to protect against each of these fraud patterns by analyzing the myriad connections between devices, locations and anonymized personal information. This enables fraud, security, risk, compliance and customer engagement departments to have a unified view and risk model of a user across all digital channels and lifecycle and engagement.
The Network harnesses global shared intelligence from millions of daily consumer interactions including logins, payments and new account applications. Using this information, ThreatMetrix stitches together a user’s true digital identity which routs out, among other things, stolen identities, location cloaking, devices infected with malware and corrupt mobile applications. Transactions are verified in real time against trusted patterns of behavior: high-risk anomalies are accurately identified for review while genuine users experience minimal friction.
This uniquely combines the four pillars of digital identity: device identity, threat intelligence, identity information and behavior analytics.
Integration and Orchestration
Made up of three components:
Combines business rules, behavioral analysis and machine learning into an integrated framework to make real-time decisions. The ThreatMetrix policy engine allows businesses to incorporate their own tolerance for risk and operational metrics.
Enables continuous optimization of authentication and fraud decisions with visualization, data correlation and exception handling. This include search and link analysis, reporting for retrospective-based and proactive forensic data analysis and ThreatMetrix Case Management which provides customizable case routing and event correlation.
The purpose of the Digital Identity Network is to prevent online fraud in real time, by gathering and evaluating transaction data in accordance with policy settings. Let’s return to our four major online fraud patterns (identity, payment, transaction and mobile fraud) and look at potential solutions.
This is the largest fraud pattern and is used in account takeover and new account fraud.
Recognizing returning customers is pivotal for business success. Account takeover can severely hinder business growth, customer trust and lifetime value. Knowing your customers and how and when they transact can help detect suspicious behavior or compromised devices. The challenge for businesses is how to recognize returning customers without adding friction. The Digital Identity Network contains multiple identity authentication/protection capabilities that can be used as a silent second factor of authentication or as step-up authentication. These are:
The ThreatMetrix Digital Identity Network also supports contextual authentication in order to identify possible fraudulent account takeover attacks. These capabilities include:
New Account Fraud
This is frequently referred to as account origination fraud and involves false identities that have not previously been seen by the target online business. The attacker attempts to open a new account using a stolen identity or synthetic identity. A legitimate and trusted customer base is essential to business growth; the infiltration of cybercriminals from fraudulent account registrations can result in huge fraud losses. ThreatMetrix can help prevent new account fraud in the following ways:
Identity verification/identity proofing
The Digital Identity Network includes multiple methods for identity verification:
Card not present (CNP) payment fraud is a subset of identity fraud, where the attacker uses payment credentials without the legitimate owner’s permission or knowledge. Many of the same ThreatMetrix capabilities that are effective against identity fraud can also be used for CNP payment fraud, these include:
Transaction fraud refers to a family of attacks that hijack legitimate transactions or login sessions. These attacks can be particularly hard to detect because they often appear to be linked to the legitimate user, who may have been targeted by a remote access Trojan (RAT) or unwittingly downloaded remote access software. The fraudster then gains access to the user’s device and targets key high-value transactions, such as banking sessions. ThreatMetrix can help detect and stop this type of fraud using:
This type of fraud includes mobile application attacks and mobile host attacks. ThreatMetrix Mobile is a lightweight software development kit (SDK) for Google Android and Apple iOS mobile devices which provides specific protection for the mobile channel. This includes:
ThreatMetrix Digital Identity Network offers businesses a single fraud and security solution consisting of several tightly integrated fraud prevention technologies which support robust user authentication without adding friction.
It’s clear to see that static identity verification no longer works in a post-breach world, as fraudsters continue to launch unrelenting attacks on digital commerce. Businesses must operate on the assumption that they have already been breached, and will soon be breached again. Cybercriminals have been fast to leverage the network effect and self-organize to exploit lax security and weak fraud prevention solutions. Businesses must fundamentally change the way they think about authenticating user identity, adopting a layered approach that can succeed where traditional methods in isolation are falling short.
However, this relies on a single view of a user’s digital identity across fraud, security, compliance and risk departments and for many businesses, lack of integration across legacy databases makes this extremely challenging. Businesses continue to rely on the lowest common denominator security measures when it comes to transaction security. Tokens, cookies and passwords are staples when it comes to customer recognition and authentication. Layered on top of this shaky foundation is machine learning, behavioral analytics and risk scoring. Businesses are lagging behind cybercriminals, encumbered by big data platforms, a lack of integrated solutions and the sheer volume and persistence of fraud attacks.
The other challenge for digital businesses is ensuring their fraud and security defenses protect against the full spectrum of attacks. Many companies are investing heavily in network security, ignoring the huge volume of attacks directly on user accounts, which are far from safe with basic authentication procedures. This is further challenged by the endless variety of connecting user devices (PCs, smartphones, tablets, IOS, windows, Android and Chrome).
ThreatMetrix Digital Identity Network offers businesses a single fraud and security solution consisting of several tightly integrated fraud prevention technologies which support robust user authentication without adding friction. The ThreatMetrix platform includes multiple forms of device identity, malware protection, web threat protection, reputation and behavioral analytics. The ThreatMetrix policy engine consists of high-performance analytics and machine learning. It can process multiple dimensions of threat associated with each transaction concurrently , with real-time access to historical data as well as external third-party data. Cybercriminals have many threat vectors at their disposal. Most common fraud attacks consist of several threat vectors and cannot be mitigated with disparate point solutions, making this multi-dimensional insight crucial.
In addition ThreatMetrix decision management enables policy rules to be tailored and weighted to reflect the specific risk appetite of the digital business. As the fraud climate changes and evolves, ThreatMetrix decision management supports smart rules, which enables machine learning so that policy settings can be continuously and autonomously adjusted, allowing businesses to stay ahead of changing threat and fraud patterns.
Ultimately, end users don’t differentiate between a network security failure or an account authentication failure. They simply care about the negative and far-reaching consequences of fraud. It is up to businesses to adopt robust fraud and security strategies that protect their end users, as well as secure their own revenue and growth. Users are increasingly demanding friction-free online experiences while expecting their transactions to be safe and secure. Businesses must ensure that the protection they put in place doesn’t end up creating a barrier to doing business.