All posts by David Britton
Earlier this week, Javelin Strategy & Research announced its inaugural edition of the 2017 Identity Proofing Platform Awards. We were honored to see CrossCore as the leader – taking the award for the best overall identity proofing platform. According to the report, “Experian’s identity proofing platform is a strong performer in every category of Javelin’s FIT model. It is functional. It is innovative. And, most important, it is tailored toward the advisory’s expectations. The comprehensive nature of CrossCore makes it the market-leading solution for identity proofing.” It’s harder than ever to confidently identify your customers in today’s digital economy. You have lots of vendor solutions to choose from in the identity proofing space. And, now Javelin has made it much easier for you to select the partner that is right for your needs. Javelin’s newly minted Identity Proofing Platform Scorecard assesses current capabilities in the market to help you make that decision. And they have done a lot of the heavy lifting, looking across 23 vendors and scoring them based on three categories of their FIT model – functional, innovative, and tailored. Protecting customers is a priority for you – and for us. Here at Experian, we have a range of capabilities to help businesses manage identity proofing, and our CrossCore platform brings them all together. We launched CrossCore last year, with the goal of making the industry’s fraud and identity solutions work better for everyone. CrossCore delivers a future-proof way to modify strategies quickly, catch fraud faster, improve compliance and enhance the customer experience. We’re proud of the work we’ve done so far, integrating our products as well as adding more than 10 partners to the program. We’re pleased to see so many of our partners included in Javelin’s report. We’re working closely with our clients to pull in more partner capabilities, and further enhance our own platform to create a layered approach that supports a risk-based, adaptable strategy. As highlighted in the Javelin report, a reliance on traditional identity verification approaches are no longer sufficient or appropriate for digital channels. With CrossCore, our clients can choose the capabilities they want, when they want them, to dial in the right confidence level for each and every transaction. This is because CrossCore supports a layered approach to managing risk, allowing companies to connect multiple disparate services through a common access point. We are committed to making it easier for you to protect consumers against fraud. CrossCore is helping us all do just that.
Profile of an online fraudster I recently read a study about the profile of a cybercriminal. While I appreciate the study itself, one thing it lacks perspective on is an understanding of how identity data is being used to perpetrate fraud in the online channel. One may jump to conclusions about what is a good indicator for catching fraudsters. These very broad-brush observations may result in an overwhelming number of false positives without digging in deeper. Purchase value A single approach for understanding the correlation between purchase value and fraud does not work to best protect all businesses. Back in 2005, we saw that orders under $5 were great indicators of subsequent large-ticket fraud. For merchants that sell large-ticket items, such as electronics, those same rules may not be effective. To simply believe that the low dollar amount is the extent of the crime and not just a precursor to the real, bigger crime indicates a lack of understanding of how fraudsters work to manipulate a system. For some merchants, where fraudsters know they can go to do card testing against their business, low-dollar-amount rules may apply. However, for other businesses a different set of rules must be put into place. Time of day We have been tracking fraud time of day as a rule since 2004, but the critical point is a clear definition of which time of day. For the merchant, 3 a.m. is very different than 3 a.m. for a fraudster who is in Asia or Eastern Europe, where 3 a.m. merchant time is actually the middle of the online fraudster’s day. FraudNet is designed to identify the time from the user’s device and runs its rules from the user’s time. We find that every individual business will have a very specific threat profile. Businesses need to build their individual fraud strategy around their overall attack rate taking into account the strength of the defense and the ability to be flexible to accommodate the nuances for individual consumers. A general approach to fraud mitigation inevitably results in a system that begins to chase broad averages, which leads to excessive false positives and mediocre detection. That’s what drives us to do the job better. The proof of every fraud solution should lie in its ability to catch the most fraud without negatively impacting good customers.
Companies are facing incredible difficulties identifying fraud risks at the point of origination. Setting up accurate fraud detection processes has become more and more challenging as mobile and online channels have become widely used by consumers. At the same time, fraudsters’ techniques are becoming increasingly sophisticated. To compensate, organizations have had the choice of either: a) Implementing very tough identity-proofing standards — risking turning away legitimate customers. b) Lessening their criteria and opening themselves to increased risk. Any business that functions in a web connected environment that has a need to recognize new or returning consumers must look beyond the simple credentials that have been provided by the user such as usernames, passwords, email addresses, phone numbers, handles, secret questions or secret answers. To increase assurance businesses need to start need to start looking at authenticating users through their devices that are being used to present those credentials. The underground is awash in legitimate but stolen credentials and should be treated with a great deal of skepticism by the businesses attempting to authenticate their customers. There will always be a pendulum swaying in the echoes of this kind of news – with businesses locking down access with more stringent policies and in doing so they begin to undo all the work that has been done to create a frictionless consumer experience. The industry may now begin to realize the ultimate dream of the consumer: completely effortless access. Rather than requiring consumers to type in credentials that may have been compromised why not leverage the various technologies that exist to simply recognize the consumer when they access the site in question? Digital consumers interact with businesses via their digital proxies – their devices – which must come in digital contact with the web servers in order to gain access. The industry should require the machines to do heavy lifting (rather than consumers) when it comes to “recognizing” them when they return. The right technology offers a more robust, privacy-compliant and transparent way for businesses to recognize their digital consumers. As we’ve discussed previously the authentication process will shift from a single view to a layered, risk-based authentication approach that will include comprehensive and real-time updates of consumer information. This is done through technology that has been tested over the years and protects millions of customer accounts today with incredible results in terms of both fraud detection and frictionless consumer experience. The time has come to embrace the realities and the possibilities of the new digital environment in which we operate. Learn more about how your business can authenticate consumers confidently.
Today I co-hosted a TweetChat with Experian on mobile fraud trends. To be honest, it was the first Twitter Chat I took part in. It was fun, informative and a great way to connect with folks in our industry – from our customer base, partners and more. The discussion was fast paced and the 140-character limit for tweets means I wasn’t able to elaborate on many of the points I made. Thus, thought I would share my insight through a blog post. What are the most common types of mobile fraud? Malware. According to Forbes, 97 percent of mobile malware is on Android devices. That’s not to say that Apple isn’t seeing it, too. They are, but at a much reduced scale due to their validation processes. Forbes also states that android malware rose from 238 threats in 2012 to 804 new threats in 2013 and continues to rise. Mobile malware has a couple of varieties that everyone should be aware of. They’re increasingly common and you’ve likely seen the first one making media headlines like rapid fire in recent months: Ransomware: locks a user’s phone and fraudsters demand payment to unlock it. Credential stealing malware: attempts to capture the credentials of the victim as they access a service. Premium dialing/texting malware that uses victim phones to increase traffic and charges to rogue accounts. Mobile fraud, as a category, also needs to include the use of the mobile device by fraudsters as the attacking instrument. Fraudsters exploit the fact that organizations may not have applied the same security measures to their mobile access points that they have in their traditional online access. Big mistake. All organizations should make sure that they are not exposed to fraud originating from the mobile channel (either mobile app or mobile web based.) Companies need to ensure they can identify the device regardless of platform. Am I more at risk on my mobile device than I am on my computer? As a consumer, industry data has illustrated that there is no significant difference between the risk of the PC and a mobile device. The PC is still a much more valuable target to fraudsters, considering its wide use. But as the mobile platform continues to grow, mobile exploits are also growing, forcing the industry to build in more robust strategies around mobile access. This includes the platform providers, app developers and businesses that want to increase their mobile offerings. The bigger point here is that the Apple platform has much less malware activity than the Android platform does today. Apple has stringent developer policies and scrutiny. For businesses, as a relative percentage of device activity, we are beginning to see that there is more fraud in the mobile channel than in the traditional channel. Bear in mind that mobile volumes today are still much smaller than the traditional PC. Mobile can also be a fraud staging area, where fraudsters can see balances and activity and then takeover your account… But this is not a vulnerability with the consumer using their device, rather it’s with the fraudsters using the mobile channel since it’s a separate channel where the banks may not have effective cross-channel visibility. How do I know if you have a legitimate app vs a fake / fraudulent app? There are a few simple steps to verify the legitimacy of apps – check for typos, grainy logos and images and check user reviews on the app store. Moreover, this is an issue of where users are getting their apps. Make sure you are only downloading apps from the platforms’ authorized app environments. And keep in mind that the prevalence of malware on the Google Play platform is much higher than that on the AppStore. What other risks do mobile devices pose to personal identity? The phone doesn’t necessarily present greater risks than PCs, but people do tend to use them more frequently, and with less of a thought toward security. My advice: make a habit of locking your phone and don’t buy apps from sketchy platforms. What are the methods that banks and retailers are choosing to secure mobile payments? It’s a device access versus personal access issue. Need for business is to recognize devices regardless of payment type. In the NFC space, there’s also a question of liability… who is on the hook when happens? Is it the merchant? The card issuer? There are still some gray areas when it comes to mobile wallet (NFC) transactions being used for physical purchases. For NFC (in person) payments, the POS makers use industry standards – but they can still be vulnerable to attack based on malware distributed via POS terminals, as we have seen lately. For mobile bank payments – some banks use device recognition and device behavior– but all banks really should use it – best way to detect rogue activity from the device. Most retail mobile payments are tied to a wallet – so wallet providers must also secure access to the wallet ensure that it doesn’t become the weakest link. Will passwords ever die? What other forms of identification might be used? For businesses, passwords are already dead, since most have been stolen over the years. Businesses should be using device recognition – it’s one of the strongest tools to differentiate between good and bad users. Any final tips on how people can protect themselves from mobile fraud? Don’t buy apps from sketchy third party platforms. Don’t click on links from untrusted parties, lock your device, make sure your device is backed up and don’t pay ransomware demands. If you have any other questions that weren’t answered in the #TweetChat, please leave a comment here or tweet to me at @DBritton41st.
The World Cup of Fraud By David Britton The World Cup “kicks” off this week in Brazil and is a tremendous business opportunity for merchants around the world to sell merchandise, apps, tickets and even the caxirola - this year’s version of the Vuvuzela. This opens the doors for cross-border business transactions and as the doors open for more business, they also open for fraudsters to take advantage of cracks in the system or unsuspecting shoppers. Businesses should remember that the Internet was never designed with security in mind, and that it also affords great anonymity, regardless of the locale of the buyer. International ecommerce studies have shown that ecommerce cross-border fraud can be 7 times higher than fraud within your own country. The anonymity of the Internet allows fraudsters to extend their reach to do damage – and to do so with greater confidence than they might in their own country. Here are some fraud tips for businesses to consider with cross-border ecommerce: Marketing budgets are typically 15% of total costs and require time to plan – don’t let those efforts get hurt by your fraud system. The marketing team needs to work closely with the fraud team. Share those marketing goals with your fraud team so they are aware of marketing projects. Are campaigns on mobile, is there a special sale, package, promotions, gift card, etc. The fraud team needs to know what is out there. Know your target international market to help recognize fraud outliers. Know ahead of time what the measured attack rate is against your business. Have appropriate countermeasures and business rules in place when attacks surface. High risk products require a different strategy than low risk products. Have good data from within your business to understand the threat and to be ready to change course rapidly based on that data. There is also a major shift occurring in the mobile environment where users are rapidly adopting the practice of both perusing and shopping from their pocket-based devices. This shift includes fraud. More credit cards available on the underground than ever before. Estimates put the total number of compromised identities at over 1 billion records over the past 2 years, many of which include credit card information. Combine this information with the fact that the card issuers, for cost reasons do not proactively re-issue new cards – it is up to the merchants to be extra diligent when it comes to looking for fraud. Because the data breaches do not just divulge card data, but also the personal identity data elements of the victims, the fraudsters are able to create transactions that look very legitimate. Merchants must employ technologies that allow them to see beyond the data presented by the user, to the data about the device that is transmitting that data, in order to have real visibility into the transaction. The data may be completely legitimate; it just may not belong to the person using it. Conversely, this same insight and capability can allow merchants to safely expand into new geographic markets, by allowing legitimate international transactions, without disruption, and without requiring an army of personnel to do the investigative work. Companies like 41st Parameter, a part of Experian, have spent a decade perfecting the art of how to detect the fraudster in the online anonymous environment. See how we can help bolster your business defenses, while allowing your business to grow safely into new regions – and take advantage of the millions of customers that might have a hankering for your products. After Heartbleed: are you vulnerable?
Each year, more than $1 billion is stolen from accounts at small and mid-sized banks across the U.S. and Europe. Unless the nature of the threat is recognized and addressed, this amount will only continue to grow. This week, we released of our latest webinar, Fraud Moving Downstream: Navigating Through the Rough Waters Ahead. Julie Conroy, research director at Aite Group and I team together to address this growing risk for regional and mid-sized banks, providing an overview of the current threat landscape and explain how the existing conditions are creating the perfect storm for fraudsters. Key topics discussed in this webinar include: How Regional Banks are Enhancing Online Offerings: Regional banks are responding to customer demand for more offerings, especially mobile banking options, which exposes them to new threats. The Rise in Sophisticated Fraud Attacks: Fraud rings and other new attack types (malware, man-in-the-middle, man-in-the-browser, etc.) are occurring at a higher rate than ever and pose serious threats to regional banks that lack strong, multi-layered defenses. Regional Banks’ Lack of Resources: Second and third tier banks have less manpower and less sophisticated solutions in place, which makes reviewing transactions and identifying repeat and cross-channel attacks incredibly difficult. You can access the on-demand webinar here. Also be sure to check out our infographic that illustrates this growing threat of fraud for small and mid-size banks, found here.
Learn More Image
