Vision 2014: Know Your Enemy - a financial institution’s best practices for preventing the latest...

© 2014 Experian Information Solutions, Inc. All rights reserved. Experian and the marks used herein are service marks or registered trademarks of Experian Information Solutions, Inc.

Other product and company names mentioned herein are the trademarks of their respective owners. No part of this copyrighted work may be reproduced, modified, or distributed in

any form or manner without the prior written permission of Experian. Experian Public.

Know your enemy – A financial institution’s best practices for preventing the latest fraud attacks

Taimur (Tam) Mohiuddin Chase

Matt Ehrlich Experian

Ori Eisen 41st Parameter – A part of Experian

#vision2014

2 © 2014 Experian Information Solutions, Inc. All rights reserved. Experian Public.

Picture today’s cyber criminal…


Objectives

Review: emerging trends in authentication for online channels

Discuss: current and evolving methods to combat

Understand: winning strategies, gaps and blind spots

Agenda

Perspective: one bank’s authentication approach

Identity-based online authentication: practices and challenges

Dissecting a recent cross-industry online attack

Fraud landscape: industrialization of fraud and fraud rings

Questions

Session objectives and agenda


Evolving authentication

strategies:

One bank’s approach


Authentication One bank’s approach

Historic focus Protect the transaction

Results: High % of

monetary protection

Recent focus Non-monetary fraud

monitoring

Results: Reduction in

attacks “in silo”

But… your fraud prevention

strategies cannot be

single-channel or non

real-time!


So, where do we go from here?

Combined expertise

Customized risk engines focused on cross-channel data

Real-time solutions

Risking at point of contact:

Online

Phone

ATM

Branch

Tear down the walls

Silos are weakest

links – exactly what

crooks are looking for

One size does not fit all

Arsenal of actions

available


Identity-based

authentication practices

in online channels


Baseline: Identity-based authentication and fraud prevention practices

Scoring and analytics

Knowledge-based

authentication

Linkage

and velocity Consortiums

Know your

customer matching

Capabilities:


Online-specific challenges

Anonymity

Identity theft / complete identity compromise

Malware

Volume of interactions

Cost-to-benefit ratio

Channel challenges

Challenges – no matter the channel

Customer friction (KBA use)

Breaches

Service response times

Privacy concerns

Social media

Customer reluctance to provide PII


Industry / vendor response

KBA evolution – more intelligence into the tool

► Fewer questions

► Client data for questions

Frictionless first step

► Today: score, KYC assessment, device

► Future: biometrics, device attributes, other

Identity and device

► Enhanced authentication through trust

► Consortium elevation

► New risk-based authentication paradigm

Responding to the challenges


Intersection of identity and device techniques

Identity Most risky

6%

Device Most risky

6%

<10% intersection

information is distinct

and complementary


Risky device To assist identity information

Dev

Device

risk IP location

True IP

location ID

ID

risk Address results SSN results

1 Top 1% Springfield, United States

George Town, Cayman Islands

A 90% Match to full name – residential address

Match to address only

2 Top ½% Fremont, United States

Islamic Republic of Iran

B 25% Match to full name – residential address

Match to name only

3 Top 1% Providence, United States

Lagos, Nigeria C 50% Match to full name – residential address

Match to full name and address – match performed using SSN

4 Top 1% Lowell, United States

Port Harcourt, Nigeria

D 75% Match to full name – residential address


5 Top ½% Manassas, United States

Panama City, Panama

E 25% No match to name – residential address



Risky identity To assist device information

ID ID risk

Address

results SSN results Dev

Dev

risk IP location

True IP

location

A Top ½%

No match to name – residential address

No match to name or address using SSN search

1 No risk* Atlanta, United States

Atlanta, United States

B Top ½%

Match to full name – residential address

Match to name only

2 No risk* Fontana, United States

Fontana, United States

C Top ½%


Match to name only

3 No risk* Riverside, United States

Riverside, United States

D Top ½%


No match to name or address using SSN search

4 No risk* Syracuse, United States

Syracuse, United States

E Top ½% No match to name – mixed use address

Match to name only

5 No risk* Scottsdale, United States

Scottsdale, United States

* The device doesn’t show high risk factors leading its risk assessment to be the same as most (>90%) other devices


Dissecting a recent

cross-industry attack


Baseline: Device-based fraud prevention practices

Link analysis Device intelligence

Rules engine

Investigator workbench


VICTIMS

IPs

THE

One issuer’s view A fraud ring attack

181 Apps

36 Days

Far East Ring

25 Devices

ATTACK THE 62 apps with MALAYSIAN IPs

119 apps with AOL IPs

device MANIPULATION some INVALID phone #s

PRIVATE e-mail domains

target PREMIER cards

+8 device TIME ZONE device VELOCITY

IP address VELOCITY

PASS credit checks

RING THE

http://conscioushumaninitiative.org/wp-content/uploads/2013/02/aol-logo.png


Mobile is powerful business enabler of:

Revenue growth

Fraud challenges

Dramatic shift in the distribution of devices

35% year-over-year growth in mobile commerce

25-50% share of banking logins – and growing

Fraud mostly perpetrated through non-mobile devices

Consumers treat mobile devices differently than PCs

Gaps where mobile-only functionality exists (mobile deposit)

Mobile malware and device emulation key risks to watch

Expect further shift as higher-risk mobile services rolled out

Mobile offerings often promote convenience NOT security

15%

-6%

35%

52%

27%

-10%

0%

10%

20%

30%

40%

50%

60%

On

lin

e

No

n-

mo

bil

e

Co

mb

ine

d

mo

bil

e

Sm

art

ph

on

e

Ta

ble

t

Change in distribution

of online commerce channels


The fraud landscape

Latest attacks and mitigation

techniques


The stakes are higher than ever

We are fighting creative

and motivated people, not predictable systems. Ori Eisen

Founder & Chief Innovation Officer, 41st Parameter


Assume that every account, profile, identity and card is compromised – FOREVER

Counterfeit card fraud the most pressing concern

► Transaction monitoring or perpetual reissues?

Non-payment data breaches cause irreparable damage

► Your “identity” cannot be reissued

► Expect aggressive, sustained phishing campaigns

You can’t fight what you can’t see

E-mails, usernames, and passwords most compromised

Attractive to attackers because commonly reused

Deterring social engineering attacks requires constant training

Breaches make everyone a target The new normal


The fraud lifecycle begins at online opening / enrollment

Relying solely on identity verification, compliance tools, or shared databases is not enough

► Data breaches also enable online enrollment fraud

► Synthetic identities typically target individuals with “thin file” or exceptional credit score

Fraud rings are experts at impersonation

JohnDoe13


Large issuer Same attack

VICTIMS THE

IPs IMPACT CROSS INDUSTRY

$13M ISSUER 1 $1M

ISS 2

$8M ISSUER 3

$? AIRLINE 1

$?

$?

$?

$?

$? E-COM 1

$? E-COM 2 2,995 Apps

9 Months

Far East Ring

2,500+ Frauds

ATTACK THE

X 10

http://conscioushumaninitiative.org/wp-content/uploads/2013/02/aol-logo.png


Account takeover the result of multiple failures

No shortage of takeover horror stories across industries

Account takeover a BIG problem with no easy answer

1. Gain broad visibility to all setups, logins, transactions, loyalty, etc.

2. Leverage all of the tools in your arsenal to target strategies

3. Time-to-detect is paramount to minimizing damage and protecting your brand

So how do you protect your organization?


Has the device been associated with previous crimes?

DEVICE REPUTATION

Is the device impersonating multiple users? Focused on risky activities?

DEVICE HOSTILITY

Important to Assess Device Risk from Several Angles

Important to assess device risk from several angles

Does the device configuration match this user’s preferences?

USER / DEVICE COMPATIBILITY

Does this device configuration suggest malware or attempts to deceive?

MALWARE

Do this user and device share a history?

USER / DEVICE TRUST


Questions


Wrap-up

One bank’s approach…where is yours?

Are you prepared for these types of online attacks?

► Cross-channel strategy… or still silos?

► Gaps, blind spots (mobile isn’t one of these right?)

Opportunities to optimize…without sacrificing customer experience


For additional information, please contact:

[email protected] | @ehrlichmatters

[email protected] | @orieisen

Hear the latest from Vision 2014

in the Daily Roundup:

www.experian.com/vision/blog

@ExperianVision | #vision2014

Follow us on Twitter


Visit the Experian Expert Bar to learn more about

the topics and products covered in this presentation.

Vision 2014: Know Your Enemy - a financial institution’s best practices for preventing the latest...

Economy & Finance

Transcript of Vision 2014: Know Your Enemy - a financial institution’s best practices for preventing the latest...