vision 2014: know your enemy - a financial institution’s best practices for preventing the latest...
DESCRIPTION
This session will focus on the industrialization of fraud driven by well-organized, powerful fraud rings, which have emerged to capitalize on the opportunity and thrive in the anonymity of the online world. We will discuss emerging trends and best practices for combating a significant increase in new-account-opening fraud and account takeover attacks; mobile banking fraud schemes; and the increasing sophistication of malware.
TRANSCRIPT
© 2014 Experian Information Solutions, Inc. All rights reserved. Experian and the marks used herein are service marks or registered trademarks of Experian Information Solutions, Inc.
Other product and company names mentioned herein are the trademarks of their respective owners. No part of this copyrighted work may be reproduced, modified, or distributed in
any form or manner without the prior written permission of Experian. Experian Public.
Know your enemy – A financial institution’s best practices for preventing the latest fraud attacks
Taimur (Tam) Mohiuddin – Chase
Matt Ehrlich – Experian
Ori Eisen – 41st Parameter, a part of Experian
#vision2014
2 © 2014 Experian Information Solutions, Inc. All rights reserved. Experian Public.
Picture today’s cyber criminal…
Session objectives and agenda
Objectives
Review: emerging trends in authentication for online channels
Discuss: current and evolving methods to combat them
Understand: winning strategies, gaps and blind spots
Agenda
Perspective: one bank’s authentication approach
Identity-based online authentication: practices and challenges
Dissecting a recent cross-industry online attack
Fraud landscape: industrialization of fraud and fraud rings
Questions
Evolving authentication strategies: one bank’s approach
Authentication – one bank’s approach
Historic focus: protect the transaction. Results: high percentage of monetary protection.
Recent focus: non-monetary fraud monitoring. Results: reduction in attacks “in silo”.
But… your fraud prevention strategies cannot be single-channel or non-real-time!
So, where do we go from here?
Combined expertise
Customized risk engines focused on cross-channel data
Real-time solutions
Risking at point of contact: online, phone, ATM, branch
Tear down the walls – silos are the weakest links, exactly what crooks are looking for
One size does not fit all – an arsenal of actions is available
Identity-based authentication practices in online channels
Baseline: Identity-based authentication and fraud prevention practices
Capabilities:
Scoring and analytics
Knowledge-based authentication
Linkage and velocity
Consortiums
Know-your-customer matching
Channel challenges
Online-specific challenges
Anonymity
Identity theft / complete identity compromise
Malware
Volume of interactions
Cost-to-benefit ratio
Challenges – no matter the channel
Customer friction (KBA use)
Breaches
Service response times
Privacy concerns
Social media
Customer reluctance to provide PII
Responding to the challenges
Industry / vendor response
KBA evolution – more intelligence in the tool
► Fewer questions
► Client data for questions
Frictionless first step
► Today: score, KYC assessment, device
► Future: biometrics, device attributes, other
Identity and device
► Enhanced authentication through trust
► Consortium elevation
► New risk-based authentication paradigm
Intersection of identity and device techniques
Identity – most risky: 6%
Device – most risky: 6%
<10% intersection: the two kinds of information are distinct and complementary
Risky device – to assist identity information

Dev | Device risk | IP location | True IP location | ID | ID risk | Address results | SSN results
1 | Top 1% | Springfield, United States | George Town, Cayman Islands | A | 90% | Match to full name – residential address | Match to address only
2 | Top ½% | Fremont, United States | Islamic Republic of Iran | B | 25% | Match to full name – residential address | Match to name only
3 | Top 1% | Providence, United States | Lagos, Nigeria | C | 50% | Match to full name – residential address | Match to full name and address – match performed using SSN
4 | Top 1% | Lowell, United States | Port Harcourt, Nigeria | D | 75% | Match to full name – residential address | Match to full name and address – match performed using SSN
5 | Top ½% | Manassas, United States | Panama City, Panama | E | 25% | No match to name – residential address | Match to full name and address – match performed using SSN
Risky identity – to assist device information

ID | ID risk | Address results | SSN results | Dev | Dev risk | IP location | True IP location
A | Top ½% | No match to name – residential address | No match to name or address using SSN search | 1 | No risk* | Atlanta, United States | Atlanta, United States
B | Top ½% | Match to full name – residential address | Match to name only | 2 | No risk* | Fontana, United States | Fontana, United States
C | Top ½% | No match to name – residential address | Match to name only | 3 | No risk* | Riverside, United States | Riverside, United States
D | Top ½% | No match to name – residential address | No match to name or address using SSN search | 4 | No risk* | Syracuse, United States | Syracuse, United States
E | Top ½% | No match to name – mixed use address | Match to name only | 5 | No risk* | Scottsdale, United States | Scottsdale, United States

* The device does not show high-risk factors, so its risk assessment is the same as that of most (>90%) other devices.
Dissecting a recent cross-industry attack
Baseline: Device-based fraud prevention practices
Link analysis
Device intelligence
Rules engine
Investigator workbench
One issuer’s view – a fraud ring attack
The ring: Far East Ring – 181 apps, 36 days, 25 devices
The IPs: 62 apps with Malaysian IPs; 119 apps with AOL IPs
The attack: device manipulation; +8 device time zone; device velocity; IP address velocity; pass credit checks
The victims: some invalid phone numbers; private e-mail domains; target premier cards
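The velocity and location signals on this slide (many applications per device, IP geolocation that contradicts the stated address, a +8 device time zone, IP address velocity) can be checked with a small link-analysis pass. The code below is an added example, not code from the presentation or from 41st Parameter; the application records, field names, thresholds and documentation-range IP addresses are all constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class App:
    app_id: str
    device_id: str
    ip: str
    ip_country: str       # country geolocated from the connecting IP
    stated_country: str   # country of the address given on the application
    device_tz: int        # device UTC offset in hours, as reported by the browser
    stated_tz: int        # UTC offset expected for the stated address


# Constructed sample data (not real traffic): one device in a +8 time zone pushes
# six applications through two Malaysian IPs while claiming US addresses; one
# ordinary US customer applies once from a matching location.
APPS = [App(f"r{i}", "dev-ring", f"203.0.113.{i % 2}", "MY", "US", 8, -5) for i in range(6)]
APPS.append(App("n1", "dev-ok", "198.51.100.7", "US", "US", -5, -5))


def signals(app, apps_per_device, apps_per_ip, velocity=5):
    """Return the risk signals that fire for one application (thresholds are assumed)."""
    hits = []
    if app.ip_country != app.stated_country:
        hits.append("ip_location_mismatch")
    if abs(app.device_tz - app.stated_tz) >= 3:
        hits.append("device_time_zone")
    if apps_per_device[app.device_id] >= velocity:
        hits.append("device_velocity")
    if apps_per_ip[app.ip] >= 3:
        hits.append("ip_velocity")
    return hits


def link_analysis(apps, velocity=5):
    """Map app_id -> signals for every application with at least one hit."""
    apps_per_device = Counter(a.device_id for a in apps)
    apps_per_ip = Counter(a.ip for a in apps)
    flagged = {}
    for a in apps:
        hits = signals(a, apps_per_device, apps_per_ip, velocity)
        if hits:
            flagged[a.app_id] = hits
    return flagged


def ring_devices(apps, velocity=5):
    """Devices that link the flagged applications together, for investigator review."""
    flagged = link_analysis(apps, velocity)
    return sorted({a.device_id for a in apps if a.app_id in flagged})


if __name__ == "__main__":
    for app_id, hits in link_analysis(APPS).items():
        print(app_id, hits)
    print("ring devices:", ring_devices(APPS))
```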
Mobile is a powerful business enabler of:
Revenue growth
Fraud challenges
Dramatic shift in the distribution of devices
35% year-over-year growth in mobile commerce
25-50% share of banking logins – and growing
Fraud mostly perpetrated through non-mobile devices
Consumers treat mobile devices differently than PCs
Gaps where mobile-only functionality exists (mobile deposit)
Mobile malware and device emulation are key risks to watch
Expect a further shift as higher-risk mobile services are rolled out
Mobile offerings often promote convenience, NOT security
[Chart: Change in distribution of online commerce channels. Categories, in order: Online, Non-mobile, Combined mobile, Smartphone, Tablet. Bar labels, in order: 15%, -6%, 35%, 52%, 27%. Axis range -10% to 60%.]
The fraud landscape: latest attacks and mitigation techniques
The stakes are higher than ever
“We are fighting creative and motivated people, not predictable systems.” – Ori Eisen, Founder & Chief Innovation Officer, 41st Parameter
Breaches make everyone a target – the new normal
Assume that every account, profile, identity and card is compromised – FOREVER
Counterfeit card fraud is the most pressing concern
► Transaction monitoring or perpetual reissues?
Non-payment data breaches cause irreparable damage
► Your “identity” cannot be reissued
► Expect aggressive, sustained phishing campaigns
You can’t fight what you can’t see
E-mails, usernames and passwords are the most compromised data
Attractive to attackers because they are commonly reused
Deterring social engineering attacks requires constant training
The fraud lifecycle begins at online opening / enrollment
Relying solely on identity verification, compliance tools, or shared databases is not enough
► Data breaches also enable online enrollment fraud
► Synthetic identities typically target individuals with “thin file” or exceptional credit score
Fraud rings are experts at impersonation
Large issuer – same attack
The attack: Far East Ring – 2,995 apps, 9 months, 2,500+ frauds (x 10 the single-issuer view)
The impact, cross-industry:
Issuer 1 – $13M
Issuer 2 – $1M
Issuer 3 – $8M
Airline 1 – $?
Five further victims – $?
E-com 1 – $?
E-com 2 – $?
So how do you protect your organization?
Account takeover is the result of multiple failures
No shortage of takeover horror stories across industries
Account takeover is a BIG problem with no easy answer
1. Gain broad visibility into all setups, logins, transactions, loyalty, etc.
2. Leverage all of the tools in your arsenal to target strategies
3. Time-to-detect is paramount to minimizing damage and protecting your brand
Important to assess device risk from several angles
DEVICE REPUTATION: Has the device been associated with previous crimes?
DEVICE HOSTILITY: Is the device impersonating multiple users? Focused on risky activities?
USER / DEVICE COMPATIBILITY: Does the device configuration match this user’s preferences?
MALWARE: Does this device configuration suggest malware or attempts to deceive?
USER / DEVICE TRUST: Do this user and device share a history?
Questions
Wrap-up
One bank’s approach… where is yours?
Are you prepared for these types of online attacks?
► Cross-channel strategy… or still silos?
► Gaps, blind spots (mobile isn’t one of these, right?)
Opportunities to optimize… without sacrificing customer experience
For additional information, please contact:
[email protected] | @ehrlichmatters
[email protected] | @orieisen
Hear the latest from Vision 2014 in the Daily Roundup: www.experian.com/vision/blog
Follow us on Twitter: @ExperianVision | #vision2014
Visit the Experian Expert Bar to learn more about the topics and products covered in this presentation.