Sep 29

#FraudLifecycle: turning the tables on cyber criminals


Fraud is not a point-in-time problem, and a data breach should not be treated as an isolated attack that breaks through network defenses and absconds with credentials. The breach is only the first stage of a longer lifecycle: it begins with a vulnerability, advances through several stages of validation and surveillance of the stolen accounts, and culminates in a fraudulent transaction or monetary theft.

Cyber criminals are sophisticated and have a growing arsenal of weapons at their disposal to infect individual and corporate systems and capture account information: phishing, SMiShing and vishing attacks, malware, and the like are all attempts to defeat security controls and reach protected information. Criminal tactics have even evolved to include physical-world approaches such as infiltrating call centers through social engineering aimed at unsuspecting representatives. These and similar efforts are all part of a constant quest to identify and exploit weaknesses in order to stage and commit financial crimes.

Some companies claim that malware detection is the silver bullet for preventing fraud. It is not. Malware is only one of the ways a fraudster obtains credentials. Given the seemingly endless supply of pristine identity and account data in the criminal underground, detecting that a user’s system has been compromised is akin to closing the barn door after the horse has bolted. Malware on a device is an indicator that an account may be compromised, but it does nothing to identify the subsequent use of the stolen credentials by the criminals, and those credentials may just as well have been phished or bought from a breach dump as stolen by malware.

Compromised data is first validated by the seller, as one of their “value adds” to the criminal underground, and typically again by the buyer. Validation usually means logging into the account to confirm that the credentials work as expected, and validated credentials command a much higher price. Once the credentials and the account have been validated, the criminals can turn their attention to surveillance.

Remember, by the time anyone realizes that credential information has been exposed, the criminal rings have already captured what they need, such as usernames, passwords, challenge responses and even token or session IDs, and have added it to their underground data repositories. With traditional online authentication controls, it is nearly impossible to detect the initial fraudulent login that uses ill-gotten credentials. That is why it is critical to design an online authentication control scheme from the assumption that all account credentials have already been compromised: a correct password proves only that the caller holds the credential, not that the caller is the customer.
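To make that design principle concrete, here is an added example (not code from 41st Parameter or from this article) of a login decision that treats a correct password as a precondition rather than as proof of identity. Each login that has already passed the password check is scored against what the account’s previous good logins looked like. It assumes a device-recognition layer that yields an opaque device identifier, and the profile fields, weights and thresholds shown are illustrative assumptions, not values from the article. A new device in the customer’s usual locale gets read-only access (it can look, but cannot change settings, add payees or move money), while a new device presenting a foreign language and timezone is challenged before it sees anything.

```python
from dataclasses import dataclass

# Constructed example profile: what "normal" looks like for one account, learned
# from earlier good logins. Field names are assumptions for this example.
@dataclass(frozen=True)
class AccountProfile:
    account: str
    known_devices: frozenset   # device identifiers seen on previous good logins
    usual_countries: frozenset
    language: str              # browser/OS language normally presented
    timezone: str

@dataclass(frozen=True)
class LoginAttempt:
    account: str
    device_id: str    # opaque output of whatever device-recognition layer is in use
    country: str
    language: str
    timezone: str
    password_ok: bool

# Weights and thresholds are illustrative assumptions, not values from the article.
WEIGHTS = {
    "unrecognised_device": 40,
    "unusual_country": 25,
    "language_mismatch": 20,
    "timezone_mismatch": 15,
}
CHALLENGE_AT = 60   # require out-of-band verification before any access
RESTRICT_AT = 30    # allow read-only access; block settings, payee and transfer actions

def score_login(profile: AccountProfile, attempt: LoginAttempt):
    """Return (score, reasons) for a login that already passed the password check.
    The password is a precondition here, not evidence that the person behind the
    device is the account owner."""
    if not attempt.password_ok:
        raise ValueError("score_login is only for logins that passed the password check")
    reasons = []
    if attempt.device_id not in profile.known_devices:
        reasons.append("unrecognised_device")
    if attempt.country not in profile.usual_countries:
        reasons.append("unusual_country")
    if attempt.language != profile.language:
        reasons.append("language_mismatch")
    if attempt.timezone != profile.timezone:
        reasons.append("timezone_mismatch")
    return sum(WEIGHTS[r] for r in reasons), reasons

def decide(profile: AccountProfile, attempt: LoginAttempt) -> dict:
    """Map the risk score onto a tiered outcome instead of a plain allow/deny."""
    score, reasons = score_login(profile, attempt)
    if score >= CHALLENGE_AT:
        outcome = "challenge"
    elif score >= RESTRICT_AT:
        outcome = "allow_read_only"
    else:
        outcome = "allow"
    return {"account": attempt.account, "score": score, "reasons": reasons, "outcome": outcome}

# Constructed sample data (hypothetical account and devices).
PROFILE = AccountProfile("acct-1001", frozenset({"dev-A", "dev-B"}), frozenset({"US"}),
                         "en-US", "America/New_York")
OWNER = LoginAttempt("acct-1001", "dev-A", "US", "en-US", "America/New_York", True)
OWNER_TRAVELLING = LoginAttempt("acct-1001", "dev-A", "GB", "en-US", "America/New_York", True)
NEW_PHONE = LoginAttempt("acct-1001", "dev-C", "US", "en-US", "America/New_York", True)
STOLEN_CREDS = LoginAttempt("acct-1001", "dev-Z", "US", "ru-RU", "Europe/Moscow", True)

if __name__ == "__main__":
    for attempt in (OWNER, OWNER_TRAVELLING, NEW_PHONE, STOLEN_CREDS):
        print(decide(PROFILE, attempt))
```

The read-only tier is the point: the customer who just bought a new phone is not locked out, but an attacker on an unrecognised device cannot use the session to disable alerts or set up a payee, which is exactly the staging activity the rest of this series describes.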

Sep 25

#FraudLifecycle Series: Managing the Integrated Omnichannel Experience


Our #fraudlifecycle series of blog posts intends to inform our audience on trends, challenges and strategies of addressing fraud. Make sure to follow the #fraudlifecycle conversation here and on Twitter at @41stParameter

Our latest webinar explored the problems that businesses face in balancing fraud prevention with the frictionless customer experience in today’s omnichannel environment. Today, we’re taking a hard look at managing that all-important integrated omnichannel experience.

According to a 2013 Experian Marketing Services study, 36 percent of organizations interact with their customers in five or more channels. Matthew Ehrlich, director of product management with Experian Decision Analytics, predicts that number will hit 45 percent as we move into the fourth quarter of 2014, given the growth of mobile and tablet usage. “We have some strong forces working against today’s businesses. Retailers strive for a well-balanced and consistent customer friendly experience across all of the channels they offer sales through,” he explained before turning it over to Michelle Brisby, senior fraud manager with Sephora Direct, to request her insight on what makes Sephora a leader in the customer omnichannel experience.

First, Brisby noted that the Sephora mobile app has more than 4 million downloads. “In addition, we offer store-to-web purchase. If it’s not on our shelf you can purchase it at the store and then ship it to your location. In the past we’ve also offered a concierge-type service where you can purchase online and then the order would be fulfilled and someone would show up at your door to deliver the goods. And then lastly we also have the call center where you can receive a beauty consultation, then place an order by phone. Plus, we have different channels that are geared towards client support,” she explained.

Managing various channels is no easy task, particularly web versus mobile. One challenge is separating traffic that arrives from various websites, whether it’s a reseller, a referral or an ad. Brisby noted that before the mobile explosion fraud managers only had to concern themselves with two channels, phone and web. With mobile thrown into the mix, they scrambled to separate the additional channels, since different devices require different screening, software and rules.

Many companies don’t have in-house resources or experts in mobile. David Britton, an expert on mobile and its associated risks, said “In new channel environments marketing realizes that to stay relevant they have to have a slick and convenient way for customers to interact. So they very quickly put forth great ideas of new products and services that can be deployed in the mobile space and it’s common to outsource that development. Where the breakdown occurs is risk. In many cases, what we find is that all of the strategies built up by businesses over the last decade to combat the online channel and all of the philosophies and strategies that have been put in place are not making their way into that third party development process.”

Cherian Abraham, a senior business consultant with Experian Decision Analytics, says that balancing your approach to satisfying risk mitigation requirements is a challenge for the channel that’s at arm’s length for consumers: mobile. “With the ultimate customer experience on the front end, that’s a challenge regardless of what you know, whether you are a retail brand or a bank. Omnichannel discussions are almost always distilled down to mobile. When you have the limitations that are channel imposed, coupled with the element of fraud, fraudsters are going to leverage it as much as they can.”

Another factor in managing a smooth customer experience across channels is authentication: there is a fine line between protecting customers with the appropriate level of security and turning them away with authentication friction. We’ll review what the experts had to say about authentication in our next #fraudlifecycle post. At the end of the day, balance is key, but striking it is a challenge for most organizations, whether retailer or financial institution.

Sep 05

#FraudLifecycle Series: Q&A with Michelle Brisby, Senior Fraud Manager of Sephora Direct


We’re launching a series of #fraudlifecycle blog posts to help inform people on the trends, challenges and strategies associated with addressing fraud. Make sure to follow the #fraudlifecycle conversation on Twitter!

During a recent webinar on balancing customer experience and fraud prevention, we had the opportunity to hear from an expert panel including Michelle Brisby, the senior fraud manager of Sephora Direct. Here’s a Q&A with Michelle:

Fraud Lifecycle: Have recent compromises of personally identifiable information (i.e. name, full address, phone number, social security number, etc.) caused any shifts in your fraud prevention tactics and are you seeing any reluctance on the part of customers to provide this type of information?

Michelle Brisby: In the wrong hands, what is considered good personally identifiable information for our business can be the theft of an identity. This reality requires a shift in fraud prevention tactics. There are things that we do today that are different from what we did in the past. For example, there is new, less obvious data that can be used behind the scenes to validate a client.

As for our customers, I don’t believe it has stopped them from shopping; it just has made them more aware. Customers are watching their credit cards and bank statements more closely and then disputing suspect transactions much faster. They understand that PII is essential to online commerce because it actually links back to the source: the bank. Banks have email addresses, phone numbers, and billing and shipping addresses on file. So not only are we validating the information as the merchant, but we’re also getting additional validation from the banks and other third party sources.

FLC: Sephora is known for a very elegant and integrated omni-channel experience for its customers. What makes Sephora a leader in this space and what are the challenges of managing the different channels?

MB: Thank you. As a fraud manager, you used to have two sources: your call center and the web. Now you have mobile thrown in to the equation. At a certain point, you’ve got everything – the stores, online, the call center, apps – all flowing through one source: your dedicated website. You need to find a way to separate these channels since different devices require a different set of slot screening and rules, as well as software. There is now a need to separate the channels so that from a fraud manager or fraud analyst perspective you can identify your traffic and determine next steps.

FLC: What are some of the challenges in establishing a mobile presence?

MB: For me the biggest challenge is timing. All of the new software and the preventative measures require involvement from IT in terms of development time. You just can’t add new software without knowing the impact to your website and the requirements for implementation. All of these require the fraud manager to work on coordinating dates, times, testing, and mapping. Then there is also the knowledge piece of it. There is so much information out there in the space that you need to make sure that it’s right for your brand and your business.

FLC: What is the right amount of authentication in fraud prevention?

MB: The right amount of fraud prevention depends on your business: are you shipping goods? A digital merchant? A subscription-type merchant?

Being that I am a shipped goods merchant, I actually have a little more time than a digital merchant, meaning I can hold that order and do the right type of verification to validate the customer before the package is shipped. If an error is made, I can recall that package—whereas in the digital and subscription space it works a little different.

You also need to know your data, because tuning your fraud tool directly correlates with knowing how you should tune in and what orders need to come into queue to reduce that false positive rate. I would generally look to use the reporting that’s offered through fraud tools and have someone dig through those reports on a daily basis to determine if my rules are firing correctly. Am I seeing the right number of orders? Are my false positives too high? Those are the questions that you have to ask yourself when you’re looking to implement a good client-customer experience.

FLC: Thanks very much for your time Michelle.

MB: Thank you, it’s been a pleasure.

Listen to the complete webinar here and stay tuned for more #fraudlifecycle posts.

Aug 28

#FraudLifecycle Series: Balancing Fraud Prevention – Managing Cyber Risks without Sacrificing the Customer Experience


We are launching a #fraudlifecycle series of blog posts to inform our audience on trends, challenges and strategies of addressing fraud. Make sure to follow the #fraudlifecycle conversation online!

Our latest webinar explored the problems that businesses face in balancing fraud prevention in today’s omnichannel environment. The panel of experts—including Michelle Brisby, senior fraud manager with Sephora Direct, Cherian Abraham, a senior business consultant with Experian Decision Analytics and Dave Britton, vice president of industry solutions with 41st Parameter, a part of Experian—provided insights on the challenges they face in managing cyber risk without sacrificing customer experience.

In this post, we will examine the key problems created by the unprecedented amount of personal customer information now exposed to fraudsters. Here’s a look at what our panelists had to say on the subject:



Q1: Do you need to consider every transaction as potentially compromised?

The short answer is yes. David Britton pointed out, “It’s one thing to understand that usernames and passwords may be compromised, but equally important to understand that other data—email addresses, phone numbers and all of the other elements that make up personally identifiable information—can be used by the fraudsters to build up very good profiles in terms of impersonating legitimate users.”

Q2: Has this caused any shift in fraud prevention tactics?

Cherian Abraham is an advocate for a layered approach. “Use [of] a layered approach is a smarter approach in terms of decoupling from just using usernames and passwords, but also looking at a variety of other inspirations before…authorizing the customer to do certain things,” he explains.

Michelle Brisby pointed to “other data points that you can use behind the scenes.  So I do strongly feel that with these breaches it has changed the way we look at things.  However, there are more data points available for us to actually validate a client.”

Q3: Is there reluctance on the part of the customer to provide personal information?

Michelle Brisby noted, “I don’t believe it’s stopped consumers from shopping.  I just think it’s made them more aware.  They’re now watching their credit cards and their bank statements more closely and then disputing those transactions much faster.”

Q4: Is it still standard practice to collect this personal information?

“It is essential to continue to collect that information and the reason being that information actually links back to the source: the bank,” Brisby explained. “Banks have phone numbers, billing, shipping addresses [on file], so not only are you validating it, you’re also getting an additional validation from the banks and other third party sources.  So it’s still important to collect the data, but you also need to take it one step further.”

Click here to listen to the complete webinar. Stay tuned for more #fraudlifecycle posts.

Aug 06

Inside the mind of today’s cyber criminal


Online crooks are getting more sophisticated by the second. Nowadays, fraudsters have the ability to conduct “clean fraud,” obtaining legitimate identities of users from the black market or data breaches to compromise a victim’s card account. Malware, too, is becoming more sophisticated both in the mobile and non-mobile space. But how can organizations fight such high-level tactics in such a broad, complex space? John Sarreal, Senior Director of Product Management at 41st Parameter, an online fraud prevention player, sat down with PYMNTS after the recent release of the white paper “Surveillance, Staging, and the Fraud Lifecycle” to reveal the inner workings of a cyber criminal’s mind, what should be done before and after data is snatched, and which aspects of account takeover are the most overlooked and dangerous.

Interview excerpts

Take us through the mind of a cyber-criminal. What are the most sophisticated tactics used today to capture account information from corporate systems?

JS: The amount of clean fraud that we see with our customers is unprecedented. By focusing on obtaining legitimate credentials and identities, fraudsters are more easily able to bypass traditional controls. This means that fraud tools need to adapt and gather additional attributes to augment their fraud screening. Although the techniques they’re using now to obtain these credentials are increasingly sophisticated, the MOs are still rooted in basic phishing and social engineering attacks.

Fraudsters will use identity information obtained from the black market or data breaches to conduct very convincing phishing attacks to reveal everything that is needed to compromise a victim’s card account. There’s also increasing sophistication in the use of malware to steal sensitive credentials in both the mobile and non-mobile arena. In Android, for example, Google recently patched a vulnerability that allows sophisticated malware to impersonate digital certificate signing authorities. This vulnerability allowed the malware to install itself on a mobile device without any user notification or intervention – obviously, a very dangerous attack.

Link to the podcast and transcript here.

Aug 01

Surveillance, staging and the fraud lifecycle


Imagine the following scenario: an attacker acquires consumers’ login credentials through a data breach. They use these credentials to test account access and then observe account activity, peering into private financial records to understand the ebbs and flows of normal cash movement and to pick the optimal time to strike for the most financial gain.

Surveillance and fraud staging are the seemingly benign and often-transparent account activities that fraudsters undertake after an account has been compromised but before that compromise has been detected or money is moved. Activities include viewing balances, changing settings to more effectively cover tracks, and setting up account linkages to stage eventual fraudulent transfers.

The unfortunate thing is that the actual theft is often only the final event in a series of fraudulent surveillance and staging activities that were not detected in time. Yet it is this activity before the theft, an outsider quietly reading and reconfiguring a customer’s account, that can severely undermine consumer trust and devastate a brand’s reputation.
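As an added illustration (not code from the white paper or from 41st Parameter), here is a detector that scans an account event log for the staging pattern described above: an unrecognised device viewing balances, disabling alerts and linking an external account over a few days. The event schema, the per-account list of trusted devices, the action weights and the alert threshold are assumptions constructed for the example. The point of the weights is that the alert fires on the account-linkage step, while the money is still in the account, rather than on the transfer.

```python
from datetime import datetime, timedelta

# Constructed account event log: (account, ISO timestamp, device, action).
# Action names and device identifiers are assumptions, not a real product's schema.
EVENTS = [
    ("acct-1001", "2014-07-01T09:12:00", "dev-A", "login"),
    ("acct-1001", "2014-07-01T09:12:30", "dev-A", "view_balance"),
    ("acct-1001", "2014-07-02T02:40:00", "dev-Z", "login"),
    ("acct-1001", "2014-07-02T02:41:00", "dev-Z", "view_balance"),
    ("acct-1001", "2014-07-02T02:44:00", "dev-Z", "disable_alerts"),
    ("acct-1001", "2014-07-03T03:05:00", "dev-Z", "link_external_account"),
    ("acct-1001", "2014-07-04T03:30:00", "dev-Z", "transfer"),
    ("acct-2002", "2014-07-02T10:00:00", "dev-B", "login"),
    ("acct-2002", "2014-07-02T10:01:00", "dev-B", "disable_alerts"),
    ("acct-2002", "2014-07-02T10:03:00", "dev-B", "transfer"),
]

# Devices already trusted for each account (assumption: learned from earlier good sessions).
TRUSTED = {"acct-1001": {"dev-A"}, "acct-2002": {"dev-B"}}

# How much each action helps a fraudster stage a theft; illustrative values.
STAGING_WEIGHT = {
    "view_balance": 1,
    "change_contact": 2,
    "change_password": 2,
    "disable_alerts": 3,
    "link_external_account": 3,
    "transfer": 4,
}
ALERT_AT = 5
WINDOW = timedelta(hours=72)   # staging is patient; look across days, not one session

def detect_staging(events, trusted, alert_at=ALERT_AT, window=WINDOW):
    """Scan events in time order and raise one alert per (account, device) once an
    unrecognised device has accumulated enough staging activity inside the window."""
    state = {}   # (account, device) -> running score, actions seen, first-seen time
    alerts = []
    for account, ts, device, action in sorted(events, key=lambda e: e[1]):
        if device in trusted.get(account, set()):
            continue   # the customer's own device; its settings changes are not staging
        t = datetime.fromisoformat(ts)
        key = (account, device)
        s = state.get(key)
        if s is None or t - s["first_seen"] > window:
            s = state[key] = {"first_seen": t, "score": 0, "actions": [], "alerted": False}
        s["score"] += STAGING_WEIGHT.get(action, 0)
        s["actions"].append(action)
        if s["score"] >= alert_at and not s["alerted"]:
            s["alerted"] = True
            alerts.append({
                "account": account,
                "device": device,
                "score": s["score"],
                "actions": list(s["actions"]),
                "flagged_at": ts,
                # True means the alert is early enough to stop the theft
                "before_money_moved": "transfer" not in s["actions"],
            })
    return alerts

if __name__ == "__main__":
    for alert in detect_staging(EVENTS, TRUSTED):
        print(alert)
```

On the constructed log, acct-1001 is flagged at the link_external_account event on 3 July, a day before the transfer; acct-2002 disabling alerts and transferring from its own trusted device produces no alert, which is the friend-from-foe distinction the series keeps returning to.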

Read more about surveillance, staging and the fraud lifecycle in this complimentary whitepaper.

Jul 24

Another Breach, Another Instance of Weak Passwords Resulting in Account Takeover


Your password is weak whether it is 40 random characters or your dog’s name: once a breach or a phishing page has handed it to an attacker, its strength no longer matters. With so many large data breaches leading to hundreds of millions of compromised credentials and payment cards in the past two years, it’s no surprise that e-commerce account takeover attempts have grown dramatically in recent months, to a degree we have never seen before. Previously, account takeover was primarily a banking issue, not something merchants had to deal with.

Account takeover is an alarming trend that spans global airline loyalty programs, e-commerce transactions, social networking logins and virtually any website that relies on username and password authentication. News of the latest breach should serve as yet another reminder that we live in a heightened state of risk, where establishing online trust based solely on a username and password or on identity data is not sufficient. A number of factors contribute to the evolving fraud landscape, not least that the Internet was not designed for security. This places pressure on organizations to continually adopt new approaches to managing fraud, such as this growing account takeover threat. Here, multiple layered controls, including device intelligence, are essential.

As merchants extend more services online and allow customers to store payment information or get more convenient checkout via logged in vs. guest access, we’ll continue to see fraud migrating deeper into the e-commerce ecosystem. The account takeover problem will continue as consumers share usernames and passwords across dozens of online profiles and e-commerce logins, opening the door for attackers to access multiple accounts through a single compromised credential. Most of the account portals used by e-commerce merchants and loyalty programs were not built with the same level of security that their online transaction and fraud management systems have in place. So it’s a bit of a new risk, but fraudsters are aggressively exploiting the security gaps around things like simple username/password authentication.

What can consumers and organizations do to protect themselves?

Our recommendation for consumers is to use a unique username and password combination for every online profile. This protects against attackers compromising one site and using the same credentials to access all of the victim’s accounts and online profiles across the web. For businesses, we recommend implementing technology that increases visibility to and recognition of devices for every online interaction, so the organization can differentiate attackers from legitimate consumers. Some businesses believe that their products, services and loyalty offerings do not require the same level of protection as online bank accounts, so they leave them exposed to cyber criminals behind simple authentication controls. As we’ve seen, fraudsters migrate to the path of least resistance and exploit the fact that most consumers reuse credentials out of convenience.

In the digital age, where consumers are increasingly represented by their devices, the ability to spot authentication discrepancies between the data presented by the user and the device presenting those credentials is essential to controlling the threat. The authentication process will shift from a single view to a layered, risk-based approach that includes comprehensive, real-time updates of consumer information.
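The credential reuse described above has a recognisable shape in an authentication log: one device walking a list of breached username/password pairs across many accounts, failing on most because the victim used a different password there and succeeding on the few who reused it. Here is an added example (not code from 41st Parameter) of detecting that shape over constructed log lines. The log format, the device identifier, the window and the thresholds are assumptions for the example. It first flags a device that presents many distinct usernames with mostly failures inside a short window, then lists the accounts where that device succeeded, since those are the reused credentials that need forced re-authentication and a password reset rather than a routine login.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log (not from any real system); the format is an assumption.
# dev=f1a2 replays a credential list; dev=77ab is alice on her own device; dev=c0de is
# one user mistyping a password twice, which must not be flagged as stuffing.
LOG = """\
2014-07-20T11:00:01 ip=203.0.113.7 dev=f1a2 user=alice result=fail
2014-07-20T11:00:03 ip=203.0.113.7 dev=f1a2 user=bob result=ok
2014-07-20T11:00:04 ip=203.0.113.7 dev=f1a2 user=carol result=fail
2014-07-20T11:00:06 ip=203.0.113.7 dev=f1a2 user=dana result=ok
2014-07-20T11:00:07 ip=203.0.113.7 dev=f1a2 user=erin result=fail
2014-07-20T11:00:09 ip=203.0.113.7 dev=f1a2 user=frank result=fail
2014-07-20T11:00:10 ip=203.0.113.7 dev=f1a2 user=grace result=fail
2014-07-20T11:00:12 ip=203.0.113.7 dev=f1a2 user=heidi result=fail
2014-07-20T11:05:00 ip=198.51.100.4 dev=77ab user=alice result=ok
2014-07-20T11:07:00 ip=198.51.100.9 dev=c0de user=ivan result=fail
2014-07-20T11:07:20 ip=198.51.100.9 dev=c0de user=ivan result=fail
2014-07-20T11:07:45 ip=198.51.100.9 dev=c0de user=ivan result=ok
"""

LINE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) dev=(?P<dev>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            yield rec

def find_stuffing(records, window=timedelta(minutes=10), min_users=5, min_fail_rate=0.5):
    """Per device, slide a time window over its attempts; a device that presents many
    distinct usernames with mostly failures inside the window is replaying a breached
    credential list. Returns {device: summary of the widest window that tripped}."""
    by_dev = defaultdict(list)
    for r in records:
        by_dev[r["dev"]].append(r)
    flagged = {}
    for dev, recs in by_dev.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            win = recs[start:end + 1]
            users = {r["user"] for r in win}
            fails = sum(r["result"] == "fail" for r in win)
            if len(users) >= min_users and fails / len(win) >= min_fail_rate:
                flagged[dev] = {"distinct_users": len(users), "attempts": len(win), "failures": fails}
    return flagged

def compromised_accounts(records, flagged):
    """Successful logins from a flagged device are reused credentials: those accounts need
    forced re-authentication, not just the attacker's session closed."""
    return sorted({r["user"] for r in records if r["dev"] in flagged and r["result"] == "ok"})

if __name__ == "__main__":
    recs = list(parse(LOG))
    flagged = find_stuffing(recs)
    print(flagged)
    print(compromised_accounts(recs, flagged))
```

Keying on the device rather than the IP is deliberate: the attacker can rotate source addresses cheaply, but the device presenting the credentials is what the article argues should be recognised, and it is also what ties the eight attempts together. The ratio test keeps the single user fumbling their own password (dev=c0de) out of the result.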

Conversations around the fact that the password is dead or dying have been circulating in the industry recently. What we don’t want is consumers getting tired of constantly changing passwords and giving up trying to protect themselves online. That is the worst case scenario that is becoming more of a reality as the days pass. Educated and aware consumers are still the best way to identify fraudulent attacks, and to keep identity data safe from hackers and devices free of malware.

Increased adoption of biometrics, device intelligence and the sharing of authenticated and credentialed identities across industries will become commonplace to help combat account takeovers as they increase. Until then, we need to find a replacement for the password as the sole gatekeeper.

Learn more about 41st Parameter fraud detection and prevention solutions here.

Jul 14

The Fraudster Underground – Revealing secrets of highly industrialized criminal organizations


In our most recent webinar, I had the pleasure of moderating a panel session with four fraud experts from diverse backgrounds. The consistent theme throughout was that cyber criminals have become quite proficient at stealing data and account credentials. Once a cyber criminal has valid account data, they have access to a broad range of possibilities: how an account is used, a real-time view of deposit and withdrawal patterns, and what types of alerts and notification settings are in place. A determined fraudster may observe an account for a long period to make their move at the optimal time.

One of the biggest issues is being able to tell “friend from foe”, particularly in light of the endless supply of perfect, disposable data. I posed this scenario to our panel and asked what organizations can do now to protect themselves:

SCENARIO – Telling friend from foe

Credit card companies encourage travellers to alert them in advance of unusual travel to avoid red flags or declines while out of town. This can be a double-edged sword. A fraudster with appropriate credentials can contact a credit card company a few weeks before a “trip” to alert them of planned travel. At the start of the “trip” the distraught fraudster can then contact the credit card company to report a stolen card and request a replacement be expedited to them at their “destination.” The result is a fraudster armed with a completely legitimate card they can use at their leisure and with little risk of detection.

There were three key take-aways the expert panel recommended:

  1. Enhance your visibility. Without it, you won’t know what hit you. Fraudsters are armed with pristine identity data, so they will look and act more like your best customers.
  2. Employ multiple security layers. You may be focused on ensuring that you know your customer, but does the transaction pattern fit normal behavior for the user? Malware could be embedded on the device. Are items such as language and other settings consistent with what you’d expect for your legitimate customers?
  3. Protect profile setups, online enrolment and reward programs the way you protect transactions. While the financial risk to your business may be limited, the potential regulatory exposure and brand reputation hit can be significant. It takes years to build your reputation with your best customers, but only seconds to destroy it. Undermining their trust in online or mobile interactions with your business has an immediate and destructive impact on loyalty.

What do you think? Let us know.

Jun 25

Mobile Fraud Trends #CreditChat – there’s always a first time for everything


David Britton
Online Fraud Industry Expert

Today I co-hosted a TweetChat with Experian on mobile fraud trends. To be honest, it was the first Twitter Chat I took part in. It was fun, informative and a great way to connect with folks in our industry – from our customer base, partners and more.

The discussion was fast paced, and the 140-character limit for tweets meant I wasn’t able to elaborate on many of the points I made, so I thought I would share my insight through a blog post.

What are the most common types of mobile fraud?  

Malware. According to Forbes, 97 percent of mobile malware is on Android devices. That’s not to say that Apple isn’t seeing it too; it is, but at a much reduced scale due to its app validation processes. Forbes also states that Android malware rose from 238 threats in 2012 to 804 new threats in 2013 and continues to rise.

Mobile malware has a couple of varieties that everyone should be aware of. They’re increasingly common and you’ve likely seen the first one making media headlines like rapid fire in recent months:

  1. Ransomware: locks a user’s phone and fraudsters demand payment to unlock it.
  2. Credential stealing malware: attempts to capture the credentials of the victim as they access a service.
  3. Premium dialing/texting malware that uses victim phones to increase traffic and charges to rogue accounts.

Mobile fraud, as a category, also needs to include the use of the mobile device by fraudsters as the attacking instrument. Fraudsters exploit the fact that organizations may not have applied the same security measures to their mobile access points that they have in their traditional online access. Big mistake. All organizations should make sure that they are not exposed to fraud originating from the mobile channel (either mobile app or mobile web based.) Companies need to ensure they can identify the device regardless of platform.

Am I more at risk on my mobile device than I am on my computer? 

As a consumer, industry data shows no significant difference between the risk on a PC and on a mobile device. The PC is still a much more valuable target to fraudsters, considering its wide use. But as the mobile platform continues to grow, mobile exploits are also growing, forcing the industry to build more robust strategies around mobile access. This includes the platform providers, app developers and businesses that want to increase their mobile offerings.

The bigger point here is that the Apple platform has much less malware activity than the Android platform does today. Apple has stringent developer policies and scrutiny.

For businesses, as a relative percentage of device activity, we are beginning to see more fraud in the mobile channel than in the traditional channel. Bear in mind that mobile volumes today are still much smaller than the traditional PC. Mobile can also be a fraud staging area, where fraudsters can see balances and activity and then take over your account. But this is not a vulnerability in the consumer using their device; rather it’s the fraudsters using the mobile channel, because it is a separate channel in which the banks may not have effective cross-channel visibility.

How do I know if I have a legitimate app vs. a fake or fraudulent app?

There are a few simple steps to verify the legitimacy of an app: check for typos and grainy logos and images, and check user reviews on the app store. More importantly, it matters where users get their apps. Make sure you are only downloading apps from the platforms’ authorized app stores. And keep in mind that the prevalence of malware on Google Play is much higher than on the App Store.

What other risks do mobile devices pose to personal identity?

The phone doesn’t necessarily present greater risks than PCs, but people do tend to use them more frequently, and with less of a thought toward security. My advice: make a habit of locking your phone and don’t buy apps from sketchy platforms.

What are the methods that banks and retailers are choosing to secure mobile payments?

It’s a device access versus personal access issue. Businesses need to recognize the device regardless of payment type. In the NFC space there’s also a question of liability: who is on the hook when fraud happens? Is it the merchant? The card issuer? There are still some gray areas when mobile wallet (NFC) transactions are used for physical purchases.

For NFC (in person) payments, the POS makers use industry standards – but they can still be vulnerable to attack based on malware distributed via POS terminals, as we have seen lately.

For mobile bank payments, some banks use device recognition and device behavior, but all banks really should, because it is the best way to detect rogue activity from the device.

Most retail mobile payments are tied to a wallet, so wallet providers must also secure access to the wallet to ensure that it doesn’t become the weakest link.

Will passwords ever die? What other forms of identification might be used?  

For businesses, passwords are already dead, since most have been stolen over the years. Businesses should be using device recognition – it’s one of the strongest tools to differentiate between good and bad users.

Any final tips on how people can protect themselves from mobile fraud? 

Don’t buy apps from sketchy third party platforms. Don’t click on links from untrusted parties, lock your device, make sure your device is backed up and don’t pay ransomware demands.

If you have any other questions that weren’t answered in the #TweetChat, please leave a comment here or tweet to me at @DBritton41st.

Jun 24

Secrets that The Fraudster Underground don’t want you to know – live webinar panel

Pose your questions to our panel and we’ll make sure they are included in our live discussion.

Secrets revealed during live panel webinar

Tuesday July 1 2014 – 10:30 AM – 11:30 AM PDT

“The Fraudster Underground – revealing secrets of highly industrialized criminal organizations”

Once a cyber criminal has valid account data, they have access to a broad range of possibilities: how an account is used, a real-time view of deposit and withdrawal patterns, and what types of alerts and notification settings are in place. A determined fraudster may observe an account for a long period to make their move at the optimal time.

Don’t miss this “Tales from the Fraudside” live webinar, where our expert panel from MasterCard, HackSurfer and 41st Parameter will reveal more secrets of these despicable cyber criminals. With these experts from a variety of industries, attendees will walk away with a better understanding of this critical piece of the lifecycle of fraud and what can be done about it.
