Fraud & Identity Management


Experian’s fraud prevention and identity management business helps clients combat the global fraud epidemic costing businesses hundreds of billions of dollars every year. Ori Eisen, founder of the 41st Parameter, a part of Experian, and Frank Abagnale Jr. talk to Bloomberg TV about the major new fraud threats emerging and how Experian can help protect organisations and their customers from becoming victims. Account takeover is a mainstream fraud issue, as virtually any web site leveraging username and password authentication can be affected. As we wrote about earlier, another cybersecurity concern served as a reminder that managing fraud and protecting customer identities is becoming more complex as we are fighting creative and motivated people, not predictable systems. Watch the interview here. Learn more about Experian fraud intelligence products and services from 41st Parameter.

Published: July 25, 2014 by Matt Tatham

A recent survey reveals that 30 percent of travelers have experienced identity theft while traveling or know someone who has.

Published: July 25, 2014 by Carrie Janot

Your password is weak, whether you use 40 random characters or your dog’s name. With so many large data breaches leading to hundreds of millions of compromised credentials and payment cards in the past two years, it’s no surprise that e-commerce account takeover attempts have grown dramatically in recent months – to a degree we have never seen before. Previously, account takeover was primarily a banking issue, not something merchants had to deal with. Account takeover fraud is an alarming trend that spans global airline loyalty programs, e-commerce transactions, social networking logins and virtually any web site leveraging username and password authentication. News of the latest cybersecurity concern should serve as yet another reminder that we live in a heightened state of risk where establishing online trust based solely on username and password or identity data is not sufficient. There are a number of factors contributing to the evolving fraud landscape, namely, that the Internet was not designed for security. This places pressure on organizations to continually adopt new approaches to managing fraud like this growing account takeover threat. In this case, multiple layered controls including device intelligence are essential. As merchants extend more services online and allow customers to store payment information or get more convenient checkout via logged-in vs. guest access, we’ll continue to see fraud migrating deeper into the e-commerce ecosystem. The account takeover problem will continue as consumers share usernames and passwords across dozens of online profiles and e-commerce logins, opening the door for attackers to access multiple accounts through a single compromised credential. Most of the account portals used by e-commerce merchants and loyalty programs were not built with the same level of security that their online transaction and fraud management systems have in place.

So it’s a bit of a new risk, but fraudsters are aggressively exploiting the security gaps around things like simple username/password authentication. What can consumers and organizations do to protect themselves? Our recommendation for consumers is that they have unique username and password combinations for every online profile. This protects against attackers compromising one site and leveraging the same credentials to access all of the victim’s accounts and online profiles across the web. For businesses, we recommend implementing technology solutions that increase visibility to and recognition of devices for every online interaction so the organization can differentiate attackers from legitimate consumers. Some businesses believe that their products, services and loyalty offerings do not require the same level of protection as online bank accounts, so they leave them exposed to cyber criminals via simple authentication controls. As we’ve seen, fraudsters will migrate to the path of least resistance and exploit the fact that most consumers re-use credentials out of convenience. In the digital age, where consumers are increasingly represented by their devices, the ability to know when there are authentication discrepancies between the data presented by the user and the device presenting those credentials is absolutely important to effectively controlling the threat. The authentication process will shift from a single view to a layered, risk-based authentication approach that will include comprehensive and real-time updates of consumer information. Conversations around the fact that the password is dead or dying have been circulating in the industry recently. What we don’t want is consumers getting tired of constantly changing passwords and giving up trying to protect themselves online. That is the worst-case scenario, and it is becoming more of a reality as the days pass.

Educated and aware consumers are still the best way to identify fraudulent attacks, and to keep identity data safe from hackers and devices free of malware. Increased adoption of biometrics, device intelligence and the sharing of authenticated and credentialed identities across industries will become commonplace to help combat account takeovers as they increase. Until then we need to find a password replacement.

Learn more about 41st Parameter: https://www.experian.com/decision-analytics/41st-parameter.html?INTCMP=DA_Blog_Post072414

Related: The World Cup of Fraud

Published: July 24, 2014 by Mike Gross

How mobile is transforming the banking industry and the fraud concerns with it: a Q&A with Mike Gross

Mike Gross is the director of risk strategy and professional services at 41st Parameter and has more than 10 years of experience in financial services fraud prevention and risk management. At 41st Parameter, Mike is responsible for identifying banking, ecommerce, and travel industry trends, highlighting emerging fraud threats, understanding client and partner risk management controls, and defining, implementing, and measuring the performance of new risk strategies for top global online brands. I sat down with Mike to discuss how the banking industry is changing to adapt to new mobile technology and the new forms of fraud that exist as a result.

Matt: Mobile is transforming the banking industry. What are current fraud trends that banks and financial service companies need to be prepared for?

Mike: Current fraud trends in mobile include increasingly sophisticated malware and attackers capitalizing on banks' providing new service offerings to consumers via mobile devices. As consumer adoption of smartphones and tablets continues to steam-roll PCs (nearly 50% of logins via native app at some of the largest US banks, according to 41st data), we're seeing more fraudsters taking advantage of services like mobile deposit capture and peer-to-peer payments options in native applications and mobile websites. The growth of mobile malware (especially within the Android OS) is also particularly concerning. While most malware is intended to capture user credentials, which can be used by attackers to log into accounts and cause victims financial damage, more recent sophisticated variants like Svpeng leverage standard features like SMS balance checks to complement typical phishing, keylogging, and ransomware capabilities.

[Figure: Mobile banking fraud trends from Experian Decision Analytics]

Matt: What do you see as the next trend in fraud within the banking industry as the shift to mobile increases?

Mike: We haven't seen much fraud originating from smartphones and tablets in comparison to PCs, but what we are seeing is the continued growth of mobile fraud. As services that directly target mobile users continue to expand we will see more attacks because many features were designed for convenience and not for security. Here are some fraud trends within mobile banking:

Mobile deposit capture has been a consumer hit from a service and convenience perspective, but it has also been a major concern at top banks because risk and security teams are often not closely aligned with marketing initiatives as they are being designed and developed. So risk mitigation teams are often left scrambling to fill security gaps in new app functionality rather than being closely consulted throughout the development of new mobile-specific offerings.

Mobile malware is seeing a meteoric rise, and the sophistication and number of new variants is also troubling. Malware is the most common attack method to steal consumer information, whether that is through a phishing site that redirects users or some other scheme. For example, a consumer opens the banking app but they are redirected to a phishing site that asks for account credentials as well as additional information like card number, PIN, SSN, etc. Another method is through keylogging to capture login details. Almost every variant of malware leverages one of these methods for data and credential theft.

Social engineering via emails, calls, links, etc. also continues to be a growing threat, as attackers are increasingly leveraging knowledge of relationships to make attempts more personal and legitimate-looking. The days of the Nigerian 419 and lottery scams with misspellings and no personalization are long gone. Today's attacks often leverage personal information for the fraudster and look incredibly legitimate. As such, they can trick consumers into providing a few missing pieces of data that can be used to open accounts, transact online, etc.

Matt: As discussed, the ability to provide mobile money transfers is a very popular feature for mobile banking. What are the fraud risks with this option?

Mike: Most mobile money transfer services (either through banks or other applications enabling P2P transfers and bill payments) traditionally required the service to be set up online where there was more control and security in place to identify attacks. But those services are increasingly being expanded via native application enhancements. In the past, consumers could send money via mobile phone, but they could only transfer funds to individuals who had been set up through the online channel as receivers / payees. Today, for added convenience, more functionality is being pushed to consumers and essentially allows account-to-account transfers with nothing more than a receiver's e-mail address. This absolutely adds risk, and banks have added layers of phone-based step-up authentication controls to ensure that mobile transfers are not fraudulent. Obviously, this is a fraud concern and will continue to grow as an attacker MO, along with consumer wire and other transfer types.

Matt: How much have cybersecurity policies changed in the past few years within the banking industry?

Mike: There has been intense industry regulatory pressure, which has even grown recently in light of several data breaches with large point-of-sale stores, online retailers and other providers. Compromised data is free-flowing in the criminal underground, and unfortunately, no amount of regulation can completely address that problem. So organizations are left to protect themselves from a wide array of attack types where fraudsters often have pristine identity data and can answer basic out-of-wallet questions or pass standard authentication controls. Obviously, pressure will continue around data security through PCI, encryption, EMV, and even tokenization for the retail and online community. But we're finally starting to see regulatory attention given to security in the mobile channel as well. That's been a major gap in previous guidance such as the FFIEC Online Guidance of 2005 and update in 2011. The most obvious and pivotal change, however, is that employing basic authentication methods to determine whether an individual really is who they say they are online is no longer acceptable. Regulators demand more and require that organizations deploy multiple strategies to prevent losses resulting from account compromises. This begins with basic know your customer (KYC) requirements, but often layers solutions like device intelligence, malware detection, behavior analytics, and anomaly detection on top of existing risk-based authentication solutions. Even that is not a guarantee that attackers won't be successful, however. There have been countless examples where several layers of security were in place but banks and retailers still failed to spot the attacks due to all of the noise around differentiating good customers from attempts by attackers. It will be increasingly important for organizations to not just have solutions deployed — but to have those solutions optimized and layered in a way that produces minimal friction for legitimate users and stops attackers at the door.

Matt: What can banks do to help protect themselves but also consumers who bank with them?

Mike: Banks should employ multiple layered security through a continuously refined set of controls that immediately identify fraudulent access attempts so they can protect their invaluable customer relationships. Device intelligence coupled with a powerful risk engine is one critical component of such a layered approach, and it needs to be in place across mobile and online channels. With the abundance of compromised data from recent breaches, relying solely on usernames / passwords, accurate identity information, and basic step-up authentication to protect accountholders at login is a recipe for disaster without visibility into attacks across the entire online estate. The list of alternative or complementary two-factor authentication approaches is long, and most enterprises are implementing multiple complementary controls and options to meet security needs and limit user inconvenience. This is often a delicate balancing act, but technologies like device intelligence and SMS-based tokens are seeing mass adoption. Biometrics, geo-location, and other native app technologies continue to show promise for mobile devices, but are often viewed as too intrusive unless the consumer is performing transactions that require a significant increase in security. These are also often opt-in only solutions, which could ultimately limit adoption. We also see more institutions rolling out technologies that are focused on quickly authenticating good users to make their user experience as convenient as possible. Covert device intelligence is a strong option for this use case as well, since it limits friction and can enable seamless consumer interaction across all channels, from desktops to smartphones and tablets to any device capable of an Internet connection.

To learn more please visit: https://www.experian.com/decision-analytics/41st-parameter.html

Published: July 22, 2014 by Matt Tatham

In our most recent webinar, I had the pleasure of moderating a panel session with four fraud experts from many diverse backgrounds. The consistent theme throughout was that cyber criminals have become quite proficient at stealing data or account credentials. Once a cyber criminal has valid account data, they have incredible access to a broad range of possibilities: how an account is used, a real-time view of deposit and withdrawal patterns, and what types of alerts and notification settings are in place. A determined fraudster may observe accounts for long periods to ensure they are able to make their move at the optimal time. One of the biggest issues is being able to tell “friend from foe”, particularly in light of the endless supply of perfect, disposable data. I posed this scenario to our panel and asked what organizations can do now to protect themselves:

SCENARIO – Telling friend from foe

Credit card companies encourage travellers to alert them in advance of unusual travel to avoid red flags or declines while out of town. This can be a double-edged sword. A fraudster with appropriate credentials can contact a credit card company a few weeks before a “trip” to alert them of planned travel. At the start of the “trip” the distraught fraudster can then contact the credit card company to report a stolen card and request a replacement be expedited to them at their “destination.” The result is a fraudster armed with a completely legitimate card they can use at their leisure and with little risk of detection.

There were three key take-aways the expert panel recommended:

Enhance your visibility. Without this important tactic, you won’t know what hit you. Fraudsters are armed with pristine identity data, so they will look and act more like your best customers.

Employ multiple security layers. You may be focused on ensuring that you know your customer, but does the transaction pattern fit normal behavior for the user? Malware could be embedded on the device. Are items such as language and other settings consistent with what you’d expect for your legitimate customers?

Protect profile setups / online enrolment and reward programs the way you protect transactions. While the financial risk to your business may be limited, the potential regulatory exposure and brand reputation hit can be significant. It takes years to build your reputation with your best customers – but only seconds to destroy it. Undermining their trust in online or mobile interactions with your business has an immediate and destructive impact on loyalty.

What do you think? Let us know.
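The panel's take-aways describe a layered check rather than a single password gate. The following is an added illustration (not Experian's or 41st Parameter's code) of how device recognition, settings consistency and transaction-pattern checks can be scored together for one login-plus-order event; the profile fields, weights, thresholds and sample events are all constructed assumptions.

```python
"""Layered risk check for a login-plus-order event against a customer profile.

Added illustration, not Experian / 41st Parameter code. The profile fields,
signals, weights and thresholds are assumptions chosen to show how device
recognition, settings consistency and transaction-pattern checks combine;
the sample profile and events are constructed.
"""
from dataclasses import dataclass


@dataclass
class CustomerProfile:
    customer_id: str
    known_devices: frozenset   # device ids seen on previous legitimate logins
    home_locale: str           # language/region setting seen on those devices
    home_country: str          # country the customer normally connects from
    typical_max_amount: float  # largest previous legitimate order value
    shipping_countries: frozenset


@dataclass
class Event:
    customer_id: str
    device_id: str
    device_locale: str
    ip_country: str
    anonymous_proxy: bool
    amount: float
    ship_country: str
    expedited: bool


# Hypothetical weights: each layer contributes independently, so an attacker
# holding perfect identity data still accumulates risk from device signals.
WEIGHTS = {
    "unknown_device": 30,
    "locale_mismatch": 15,
    "anonymous_proxy": 25,
    "country_mismatch": 10,
    "amount_outlier": 15,
    "new_ship_country": 15,
    "expedited_to_new_country": 10,
}

STEP_UP_AT = 25   # assumed threshold: challenge the user with a second factor
REVIEW_AT = 60    # assumed threshold: hold the order for manual review


def score_event(profile: CustomerProfile, ev: Event):
    """Return (decision, score, reasons); decision is allow, step_up or review."""
    assert ev.customer_id == profile.customer_id
    reasons = []

    # Layer 1: device recognition.
    if ev.device_id not in profile.known_devices:
        reasons.append("unknown_device")
    # Layer 2: are the device's settings and origin consistent with this customer?
    if ev.device_locale != profile.home_locale:
        reasons.append("locale_mismatch")
    if ev.anonymous_proxy:
        reasons.append("anonymous_proxy")
    if ev.ip_country != profile.home_country:
        reasons.append("country_mismatch")
    # Layer 3: does the transaction fit the customer's normal behaviour?
    if ev.amount > 2 * profile.typical_max_amount:
        reasons.append("amount_outlier")
    new_country = ev.ship_country not in profile.shipping_countries
    if new_country:
        reasons.append("new_ship_country")
    if new_country and ev.expedited:
        reasons.append("expedited_to_new_country")

    score = min(100, sum(WEIGHTS[r] for r in reasons))
    if score >= REVIEW_AT:
        decision = "review"
    elif score >= STEP_UP_AT:
        decision = "step_up"
    else:
        decision = "allow"
    return decision, score, reasons


# Constructed sample data.
PROFILE = CustomerProfile("c-1001", frozenset({"dev-A", "dev-B"}), "en-US",
                          "US", 120.0, frozenset({"US"}))

# A returning customer on a known device placing an in-pattern order.
RETURNING_CUSTOMER = Event("c-1001", "dev-A", "en-US", "US", False, 80.0, "US", False)
# Valid (stolen) credentials, but a never-seen device behind a proxy rushing a
# large order overseas: the layers below the password catch what it cannot.
RUSHED_OVERSEAS_ORDER = Event("c-1001", "dev-Z", "ru-RU", "NL", True, 900.0, "MY", True)
# Perfect identity data and an in-pattern order; only the device is new.
NEW_DEVICE_ONLY = Event("c-1001", "dev-C", "en-US", "US", False, 60.0, "US", False)


if __name__ == "__main__":
    for name, ev in [("returning", RETURNING_CUSTOMER),
                     ("rushed overseas", RUSHED_OVERSEAS_ORDER),
                     ("new device only", NEW_DEVICE_ONLY)]:
        print(name, score_event(PROFILE, ev))
```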

Published: July 14, 2014 by Maria Scalone

A recent study conducted by the Ponemon Institute found that a data breach is among the top three occurrences that affect brand reputation, along with poor customer service and an environmental incident.

Published: July 10, 2014 by Carrie Janot

Today I co-hosted a TweetChat with Experian on mobile fraud trends. To be honest, it was the first Twitter Chat I took part in. It was fun, informative and a great way to connect with folks in our industry – from our customer base, partners and more. The discussion was fast paced and the 140-character limit for tweets means I wasn’t able to elaborate on many of the points I made. Thus, I thought I would share my insight through a blog post.

What are the most common types of mobile fraud?

Malware. According to Forbes, 97 percent of mobile malware is on Android devices. That’s not to say that Apple isn’t seeing it, too. They are, but at a much reduced scale due to their validation processes. Forbes also states that Android malware rose from 238 threats in 2012 to 804 new threats in 2013 and continues to rise. Mobile malware has a couple of varieties that everyone should be aware of. They’re increasingly common and you’ve likely seen the first one making media headlines like rapid fire in recent months:

Ransomware: locks a user’s phone and fraudsters demand payment to unlock it.

Credential-stealing malware: attempts to capture the credentials of the victim as they access a service.

Premium dialing/texting malware: uses victim phones to increase traffic and charges to rogue accounts.

Mobile fraud, as a category, also needs to include the use of the mobile device by fraudsters as the attacking instrument. Fraudsters exploit the fact that organizations may not have applied the same security measures to their mobile access points that they have in their traditional online access. Big mistake. All organizations should make sure that they are not exposed to fraud originating from the mobile channel (either mobile app or mobile web based). Companies need to ensure they can identify the device regardless of platform.

Am I more at risk on my mobile device than I am on my computer?

As a consumer, industry data has illustrated that there is no significant difference between the risk of the PC and a mobile device. The PC is still a much more valuable target to fraudsters, considering its wide use. But as the mobile platform continues to grow, mobile exploits are also growing, forcing the industry to build in more robust strategies around mobile access. This includes the platform providers, app developers and businesses that want to increase their mobile offerings. The bigger point here is that the Apple platform has much less malware activity than the Android platform does today. Apple has stringent developer policies and scrutiny. For businesses, as a relative percentage of device activity, we are beginning to see that there is more fraud in the mobile channel than in the traditional channel. Bear in mind that mobile volumes today are still much smaller than the traditional PC. Mobile can also be a fraud staging area, where fraudsters can see balances and activity and then take over your account. But this is not a vulnerability with the consumer using their device; rather, it’s with the fraudsters using the mobile channel, since it’s a separate channel where the banks may not have effective cross-channel visibility.

How do I know if I have a legitimate app vs. a fake / fraudulent app?

There are a few simple steps to verify the legitimacy of apps – check for typos, grainy logos and images, and check user reviews on the app store. Moreover, this is an issue of where users are getting their apps. Make sure you are only downloading apps from the platforms’ authorized app environments. And keep in mind that the prevalence of malware on the Google Play platform is much higher than that on the AppStore.

What other risks do mobile devices pose to personal identity?

The phone doesn’t necessarily present greater risks than PCs, but people do tend to use them more frequently, and with less of a thought toward security. My advice: make a habit of locking your phone and don’t buy apps from sketchy platforms.

What are the methods that banks and retailers are choosing to secure mobile payments?

It’s a device access versus personal access issue. The need for businesses is to recognize devices regardless of payment type. In the NFC space, there’s also a question of liability: who is on the hook when happens? Is it the merchant? The card issuer? There are still some gray areas when it comes to mobile wallet (NFC) transactions being used for physical purchases. For NFC (in person) payments, the POS makers use industry standards – but they can still be vulnerable to attack based on malware distributed via POS terminals, as we have seen lately. For mobile bank payments, some banks use device recognition and device behavior, but all banks really should use it; it is the best way to detect rogue activity from the device. Most retail mobile payments are tied to a wallet, so wallet providers must also secure access to the wallet and ensure that it doesn’t become the weakest link.

Will passwords ever die? What other forms of identification might be used?

For businesses, passwords are already dead, since most have been stolen over the years. Businesses should be using device recognition; it’s one of the strongest tools to differentiate between good and bad users.

Any final tips on how people can protect themselves from mobile fraud?

Don’t buy apps from sketchy third-party platforms. Don’t click on links from untrusted parties, lock your device, make sure your device is backed up and don’t pay ransomware demands. If you have any other questions that weren’t answered in the #TweetChat, please leave a comment here or tweet to me at @DBritton41st.

Published: June 25, 2014 by David Britton

It’s no secret that e-commerce merchants, retailers, and financial institutions are prime targets for these digital ghosts as they look to quickly monetize their recent data heist. Unfortunately, many organizations are still scrambling to deploy proper defenses. So how do you defend against an unregulated, networked enemy intent on inciting chaos and filling their bank accounts? Following any data breach, it is essential that organizations gain complete visibility of their customers and transactions across channels. Once a breach has occurred, it is critical for organizations to perform a forensic review of the attack to identify and understand all of the potential points of vulnerability, what data was stolen and how that data was transmitted back to the attackers. What can be more concerning is that the initial scope may quickly expand into something much larger. This makes it essential that retailers and financial institutions rapidly gain complete visibility of their customer data and transactions across channels and keep drilling down until the root cause can be identified and protected against a repeat attack. Unfortunately, that type of consolidated view does not exist in most companies. Organizations need to ask themselves some serious questions. Do you really know who is logging into your customers’ accounts? Without realizing their data has been compromised, consumers can fall prey to personalized phishing attacks and “give away the keys” to their accounts. How can you be certain a VIP customer is really behind a high-dollar transaction being rushed to an overseas address? No one wants to decline legitimate orders from loyal customers; but with revenue, reputation and brand equity at stake, no one can afford to ignore the potential risk. What controls are in place to ensure that a fraudster in Malaysia isn’t using legitimate identity data and an anonymous proxy to submit credit card applications that are a perfect match to credit bureau data?
Or to alert when a long-standing offline banking relationship suddenly enrolls online? Once access is established, address and other data can be updated and sold to the highest bidder in underground forums. All of these questions can be addressed through the combination of complex device intelligence, a powerful risk engine and support from industry-leading experts in fraud and risk management. Even after a breach has occurred, the risk can be managed. First, consumers need to be informed about how to protect themselves from sophisticated use of their data. Second, arm your organization with a layered security strategy that includes device intelligence. This will prepare you for the onslaught of compromised card usage, fraudulent enrollments, phishing attacks and attempted account takeovers that follow in the wake of a data breach.

Published: June 13, 2014 by Maria Scalone

The World Cup of Fraud
By David Britton

The World Cup “kicks” off this week in Brazil and is a tremendous business opportunity for merchants around the world to sell merchandise, apps, tickets and even the caxirola, this year’s version of the vuvuzela. This opens the doors for cross-border business transactions, and as the doors open for more business, they also open for fraudsters to take advantage of cracks in the system or unsuspecting shoppers. Businesses should remember that the Internet was never designed with security in mind, and that it also affords great anonymity, regardless of the locale of the buyer. International ecommerce studies have shown that ecommerce cross-border fraud can be 7 times higher than fraud within your own country. The anonymity of the Internet allows fraudsters to extend their reach to do damage, and to do so with greater confidence than they might in their own country. Here are some fraud tips for businesses to consider with cross-border ecommerce:

- Marketing budgets are typically 15% of total costs and require time to plan; don’t let those efforts get hurt by your fraud system. The marketing team needs to work closely with the fraud team. Share those marketing goals with your fraud team so they are aware of marketing projects: are campaigns on mobile, is there a special sale, package, promotion, gift card, etc.? The fraud team needs to know what is out there.
- Know your target international market to help recognize fraud outliers.
- Know ahead of time what the measured attack rate is against your business.
- Have appropriate countermeasures and business rules in place when attacks surface. High-risk products require a different strategy than low-risk products.
- Have good data from within your business to understand the threat and to be ready to change course rapidly based on that data.

There is also a major shift occurring in the mobile environment, where users are rapidly adopting the practice of both perusing and shopping from their pocket-based devices. This shift includes fraud. There are more credit cards available on the underground than ever before. Estimates put the total number of compromised identities at over 1 billion records over the past 2 years, many of which include credit card information. Combine this information with the fact that the card issuers, for cost reasons, do not proactively re-issue new cards, and it is up to the merchants to be extra diligent when it comes to looking for fraud. Because the data breaches do not just divulge card data, but also the personal identity data elements of the victims, the fraudsters are able to create transactions that look very legitimate. Merchants must employ technologies that allow them to see beyond the data presented by the user, to the data about the device that is transmitting that data, in order to have real visibility into the transaction. The data may be completely legitimate; it just may not belong to the person using it. Conversely, this same insight and capability can allow merchants to safely expand into new geographic markets, by allowing legitimate international transactions, without disruption, and without requiring an army of personnel to do the investigative work. Companies like 41st Parameter, a part of Experian, have spent a decade perfecting the art of detecting the fraudster in the online anonymous environment. See how we can help bolster your business defenses, while allowing your business to grow safely into new regions, and take advantage of the millions of customers that might have a hankering for your products.

Published: June 12, 2014 by David Britton

Apple held its annual developers conference last week to showcase its new features within iOS8. One area that still needs clarification is Apple’s intent for mobile payments. Cherian Abraham, Experian Decision Analytics mobile payments analyst, shares what he thinks Apple might look to do in the mobile payment space going forward. In my first post, I touched upon Apple’s program for the third-party hardware attachment market as being significant and likely to be a key aspect of its payments approach. In this post I discuss these three things:

1. How Apple’s new security paves the way for mobile payments
2. Bluetooth being secured enough that payments are a use case
3. Why the iPhone 6 will not have NFC

Last week, 9to5mac reported that Apple has introduced a new specification for manufacturers in its MFi program (Made for iPad, iPhone and iPod) that allows them to create headphones that connect to iOS devices using a lightning connector instead of relying on the 3.5mm audio jack. Why is it important? Because as Apple looks to rid itself of any such remaining legacy vestiges, it’s also shedding any ambiguity around who is in control of the iOS hardware ecosystem and what it means to be a third-party accessory maker: once reliant on open standards supported by all devices, and now serving at Apple’s pleasure. It is a strategy that fits against the backdrop of an iOS ecosystem that is made up of software that is increasingly becoming more open, and hardware that is slowly being walled off, primarily in the name of security. The former is evident in how Apple has opened up third-party access to core authentication services like TouchID. What about the latter?

Apple’s new security blanket

Well, first let’s look at what Apple has publicly acknowledged about the MFi program.
Every iOS device will initiate communication with a third-party accessory by asking it to prove sufficient authorization by Apple: it must respond with an Apple-provided certificate, which iOS subsequently verifies. Further, the iOS device then issues a challenge, which the third-party accessory answers with a signed response. These two steps require that a third-party accessory must have:

• An Apple certificate
• Requisite cryptographic capabilities, preferably in hardware, to comply

That is precisely what Apple does by encapsulating all this in an Integrated Circuit that it controls, where the entire handshake is transparent to the accessory. With this, Apple’s role in the third-party accessory market becomes non-negotiable. You think you have a cool accessory that requires a trusted connection and intends to share data with an iOS device? Unless you inherit Apple’s controls you are relegated to speaking analog and conducting a limited set of user-driven operations (Start, Pause, Rewind: the standard Serial UART audio playback controls), usable only by headphones using the audio jack. Now, how about them apples? It’s important to note that these steps to validate whether an accessory is authorized to communicate with an iOS device can happen over the lightning connector, Bluetooth or WiFi. The advantage here is that this repels man-in-the-middle attacks, because a malicious interceptor will not have the Apple IC to pass authorization, and subsequently will not have the negotiated key that encrypts all subsequent communication. The whole key negotiation occurs over Bluetooth. It is important because this approach can solve man-in-the-middle attacks for Bluetooth in scenarios including payments. A cynical view of the MFi program would be to consider it a toll that Apple is eager to extract from the third-party accessory makers building accessories authorized to communicate with an iOS device.
A more pragmatic view would be to recognize Apple’s efforts as an ecosystem owner whose primary intent is to authenticate any and all devices within and in the periphery of the iOS ecosystem and to secure all inbound and outbound data transfers. With more iOS device types and a heterogeneous accessory market, Apple is entirely justified in its role as the ecosystem owner to be at the front of the curve, to ensure security is not an afterthought and instead to mandate that data in transit or at rest is fully secured at all end-points. In fact, interest in wearables, home automation, healthcare and telematics is completely rewiring the rules of what it means to be an accessory anymore. I believe this approach to security will be the mainstay of how Apple visualizes its role in enabling payments, regardless of channel. Anything it does to reduce payments friction will be counterbalanced by serious cryptographic measures that secure devices that have a need to communicate in payments: to authenticate, to encrypt and to subsequently transfer a payment token. With TouchID today it does so by verifying the fingerprint before authorizing the transmission of an authentication token from the Secure Enclave to an Apple server in the cloud. I don’t doubt that the authentication token being sent to the Apple server in the cloud is itself signed by the device’s unique ID, which is verified before the server completes the purchase with a card on file. Thus, crypto pervades everything the iPhone does, touches or trusts. So how do the MFi program, Bluetooth and iOS security fit within Apple’s plan to tackle retail payments? For that, let’s start with NFC. With NFC anointed as the only way forward by networks and other stakeholders, every other approach was regarded as being less secure, without much thought given to that classification by way of actual risk of fraud.
You could build the best payments “whatchamacallit” and throw everything and the kitchen sink at it, and still be branded ‘Card Not Present’ and inherit a higher cost. Understandably, merchants passed on it, as they couldn’t scale with the costs that it confronted. No self-respecting merchant could afford to scale unless they owned all of the risk (via decoupled debit, ACH or private label). All they could do was reject contactless and prevent themselves from being burdened by the network’s definition of a payments future. Thus the current NFC impasse was born. Now, with merchants rolling out EMV-compliant terminals, many of which have contactless built in, they are desperately looking to Apple for clarity. If Apple does NFC, then they have the entirety of a terminal refresh cycle (approximately 10 years) within which they hope that common sense may prevail (for example, debit as an acceptable payments choice via contactless) and correspondingly toggle the switch to begin accepting contactless payments. If Apple goes in a different direction, a merchant who has chosen an EMV-compliant terminal with or without contactless is locked out until the end of the current refresh cycle. But what if Apple went with Bluetooth? Two factors stand in the way: Bluetooth is not secure enough for payments today, and terminal makers need to comply. Yet, with EMVCo publishing draft standards around tokenization, one can argue that non-NFC modalities are now being given a fair share, where proximity is not the only guarantee for security and other options such as Bluetooth can begin to address the challenge creatively. Where is the opportunity among all this for Bluetooth? Let’s tackle the two things that limit its utility in payments today: range and device pairing. Range is as much a curse as it is a blessing for Bluetooth. If security via proximity was NFC’s raison d’être, then in contrast Bluetooth had to worry about man-in-the-middle attacks due to its range.
Though Bluetooth communication is invariably encrypted, the method by which two devices arrive at the encryption key is suboptimal. Since much of the early key negotiation between devices happens in the clear, brute forcing the shared secret that is key to encryption is a fairly easy and quick attack, and the range makes man-in-the-middle attacks easy to implement and harder to detect. The approach to device pairing also differs from Bluetooth to BLE. Needless to say, it is even less secure for BLE. Pairing in a payments context brings up further challenges, as it has to be silent, customer initiated and simple to execute. I am not going to pair my iPhone with a point-of-sale by punching in “000000” or another unique code each time I must pay. Can NFC be of use here? It can. In fact, Bluetooth pairing is the only use case where I believe that Apple may feel there is utility for NFC, so that an out-of-band key exchange can be possible (versus an in-band key exchange wholly over Bluetooth). This is far more secure than using Bluetooth alone and derives a much stronger encryption key. An out-of-band key exchange thus enables both devices to agree on a strong encryption key that can prevent malicious third parties from splicing themselves in the middle. BLE, however, does not allow for out-of-band key exchange and therefore is limited in its utility. This is another reason why, if you are a BLE accessory maker, Apple exempts you from participating in the MFi program. How can Apple secure Bluetooth and make it the standard of choice for a retail payment use case? The answer to that lies inside Apple’s specification for MFi participants, manifested in the form of the Integrated Circuit Apple provides to them so that these iOS accessories may authorize themselves to an iOS device and secure the communication that follows.
This IC, which encapsulates the initial setup including the certificate, mutual key negotiation and deriving the encryption key, can support Bluetooth. So if all that ails Bluetooth can be cured by including an IC, will point-of-sale manufacturers like Verifone and Ingenico line up to join Apple’s MFi program? The message is clear. You must curry favor with Apple if you want to be able to securely communicate with the iOS ecosystem. That is no tall barrier for terminal makers, who would willingly sacrifice far more to be able to speak to 800M iOS devices and prevent being made irrelevant in an ever-changing retail environment. So why not include a single IC and instantaneously be able to authorize to that broad ecosystem of devices, and be capable of trusted communication? And if they do, or when they do, how will merchants, networks and issuers react? Today a point of sale is where everything comes together (payments, loyalty, couponing) and it’s also where everything falls apart. Will this be considered Card Present? Even with all the serious crypto that would become the underpinnings of such a system, unfairly or not, the decision is entirely that of a few.

Networks and issuers

To answer how they may respond, we must ask how they may be impacted by what Apple builds. Is Apple really upending their role in the value chain? I believe Apple cares little about the funding source. Apple would instead defer to the merchants, who believe it should be debit, and the issuers, who believe the customer should choose, and secretly hope that it is credit. I don’t think that Apple would want to get between those two factions. It simply wants to build the most secure, easy way to bring retail payments to iOS devices, and allow all within the transaction flow to benefit. The rails do not change, but the end-points are now much more secured than they ever were, and they form a trusted bond and a far bigger pipe.
A customer who authenticates via TouchID, a phone that announces to the point of sale that it’s ready to talk, a smart circuit that negotiates the strongest encryption possible while being invisible to all, and a token that stands in for your payment credential that is understood by the point of sale. It is business as usual, and yet not.

Will the iPhone6 have NFC?

The presence of NFC in the iPhone6, if it’s announced, will not mean that NFC will be utilized in the same manner as it is today (for example, Isis). The radio will exist, but there will be no GlobalPlatform secure element. Today the role of the radio is instrumental (in both the secure element and HCE cases) in transmitting the PAN to the point of sale. When there are coupons that need to be presented and reconciled at the point of sale, things begin to get complex. Since the radio becomes the bottleneck, it requires longer than a quick tap for more data to be transmitted. Proximity is a good guarantee for device presence as well as the customer, but it’s a poor vehicle for information. So why wouldn’t one try to relegate it to the initial handshake to enable authentication of the device, and therefore the customer, with the point of sale? As I mentioned above, if Apple uses NFC, its role will be to facilitate an out-of-band key exchange to secure the subsequent Bluetooth communication so that an iOS device can trust the point of sale and securely transmit payment data. This data may include any and all tokenized payment credentials along with loyalty, couponing and everything else. By using NFC for out-of-band authentication in conjunction with the authentication IC (provided by Apple) in the point of sale, Apple can run circles around the limitations imposed by a pure NFC approach, exceeding it on usability, security, adaptability and merchant utility.
Yet, if NFC’s role is limited to the initial key negotiation, then the case can be made that NFC has very limited utility: it exists only to serve Apple’s security narrative, and utilizing NFC for the initial pairing strengthens the encryption and makes it harder to snoop. If it adds only incremental value, would Apple care to put it on the iPhone6, and split its utility among customers using the iPhone6 versus all others? With more than 400M iPhones out there that can support Bluetooth LE and iOS8, why ignore that advantage and create a self-induced dependency on a radio that has no subscribers today? So where do I fall within this debate? I believe the iPhone6 will not have NFC. Learn more about our Global Consulting Practice.
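The in-band versus out-of-band pairing argument above, as an added toy model (not Apple’s MFi protocol or any real Bluetooth pairing profile): the KDF, nonce sizes and confirm value are assumptions, but the model shows why a pairing whose only secret is a short PIN, with everything else crossing the air, lets a passive observer re-derive the link key, while a 128-bit secret exchanged over a proximity channel leaves nothing to search.

```python
"""Toy model of in-band (PIN) vs out-of-band (NFC) Bluetooth pairing.

Added example; the key derivation below is a constructed HMAC-based KDF,
not the real Bluetooth or MFi key agreement.
"""
import hashlib
import hmac
import math
import os


def link_key(secret: bytes, nonce_a: bytes, nonce_b: bytes) -> bytes:
    """Toy KDF: both sides derive the link key from the pairing secret and two public nonces."""
    return hmac.new(secret, b"link" + nonce_a + nonce_b, hashlib.sha256).digest()


def confirm_value(key: bytes) -> bytes:
    """Short value each side sends in the clear to prove it derived the same key."""
    return hmac.new(key, b"confirm", hashlib.sha256).digest()[:8]


def pair(secret: bytes):
    """Run the toy pairing; return (link key, everything an eavesdropper on the air saw)."""
    nonce_a, nonce_b = os.urandom(16), os.urandom(16)
    key = link_key(secret, nonce_a, nonce_b)
    observed = {"nonce_a": nonce_a, "nonce_b": nonce_b, "confirm": confirm_value(key)}
    return key, observed


def inband_pair(pin: str):
    """Legacy-style pairing: the only secret is a short numeric PIN typed on one side."""
    return pair(pin.encode())


def oob_pair():
    """OOB pairing: a random 128-bit secret crosses the proximity channel (NFC), never the air."""
    return pair(os.urandom(16))


def recover_pin_key(observed, pin_digits):
    """Passive observer against in-band pairing: re-derive the key for every possible PIN
    and use the public confirm value to tell which candidate is right."""
    for n in range(10 ** pin_digits):
        pin = str(n).zfill(pin_digits).encode()
        cand = link_key(pin, observed["nonce_a"], observed["nonce_b"])
        if hmac.compare_digest(confirm_value(cand), observed["confirm"]):
            return cand
    return None


def secret_entropy_bits(pin_digits=None, oob_bytes=None):
    """Work factor the observer faces: size of the PIN space vs the OOB secret space."""
    if pin_digits is not None:
        return pin_digits * math.log2(10)
    return 8 * oob_bytes


def interceptor_can_join(observed, guess_secret: bytes) -> bool:
    """A party splicing into the exchange must present a matching confirm value;
    without the OOB secret its guess does not pass."""
    cand = link_key(guess_secret, observed["nonce_a"], observed["nonce_b"])
    return hmac.compare_digest(confirm_value(cand), observed["confirm"])


if __name__ == "__main__":
    key, seen = inband_pair("0042")
    print("4-digit PIN key recovered from the air:", recover_pin_key(seen, 4) == key)
    print("6-digit PIN entropy: %.1f bits" % secret_entropy_bits(pin_digits=6))
    print("OOB secret entropy: %d bits" % secret_entropy_bits(oob_bytes=16))
    _, seen_oob = oob_pair()
    print("interceptor joins OOB session:", interceptor_can_join(seen_oob, b"\x00" * 16))
```

The 6-digit "000000" case in the post has the same structure; the function takes the digit count as a parameter so the demonstration runs in well under a second at 4 digits.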

Published: June 10, 2014 by Cherian Abraham

There are some definite misunderstandings about the lifecycle of fraud. The very first phase is infection, and regardless of HOW it happens, the victim’s machine has been compromised. You may have no knowledge of this fact and no control. All of that compromised data is off in the ether and has been sold. The next phase is to make sure that the next set of fraudsters can validate those compromised accounts and make sure they got their money’s worth. It’s only at the last phase, theft, that any money movement occurs. We call this out because there are a lot of organizations out there who have built their entire solution on this last phase. We would say you are about two weeks too late, as the crime actually began much earlier. So how can you protect your organization? Here are five take-aways to consider:

1. User / device trust. Do this user and device share a history? Has this user been seen on or been associated with this device historically? It may not be fraud, but it is something we watch for.
2. User / device compatibility. Does the user align with devices they’ve used in the past? What are the attributes of the device with respect to user preferences, profile and so on?
3. Device hostility. Look at its behavior across your ecosystem. How many identities has it been associating with? Is it associated with a number of personal attributes or focused on risky activities?
4. Malware. Does this device configuration suggest malware? Because we have information about the device itself, we can show that it’s been infected.
5. Device reputation. Has this device been associated with previous crimes? There are some organizations who have built their entire solution around device reputation. We believe this is interesting to include, but it’s more important to look at everything in context across your entire ecosystem rather than focus on just one area.

Want to learn more? Listen to this on-demand webinar “Where the WWW..wild things are – when good data is exploited for fraudulent gain”.
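The five take-aways above as an added, rule-based example (not 41st Parameter’s product logic): a scorer run over a constructed event history. The event fields, point values, indicator names and known-bad device list are all assumptions; what it shows is how each signal is computed from ecosystem-wide history rather than from the single transaction in front of you.

```python
"""Device-intelligence checks over a constructed login history.

Added example; the history, point values and indicator names are made up.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One login or checkout as the device-intelligence layer sees it."""
    user: str
    device: str                          # device fingerprint id (constructed values)
    os: str
    lang: str
    tz: str
    indicators: frozenset = frozenset()  # configuration anomalies flagged by the collector


# Constructed history of events already observed across the ecosystem.
HISTORY = [
    Event("alice", "dev-a1", "iOS", "en-US", "America/New_York"),
    Event("alice", "dev-a1", "iOS", "en-US", "America/New_York"),
    Event("alice", "dev-a2", "Windows", "en-US", "America/New_York"),
    Event("bob", "dev-b1", "Android", "en-GB", "Europe/London"),
    # one device cycling through four different identities
    Event("carol", "dev-x9", "Windows", "ru-RU", "Europe/Moscow"),
    Event("dave", "dev-x9", "Windows", "ru-RU", "Europe/Moscow"),
    Event("erin", "dev-x9", "Windows", "ru-RU", "Europe/Moscow"),
    Event("frank", "dev-x9", "Windows", "ru-RU", "Europe/Moscow"),
]
# Devices tied to confirmed fraud losses in the past (constructed list).
KNOWN_BAD_DEVICES = {"dev-f4"}
# Configuration findings that suggest an infected endpoint (hypothetical names).
MALWARE_INDICATORS = {"dom_injection", "ua_platform_mismatch", "debug_hooks"}


def build_profiles(history):
    """Index the history by user and by device."""
    by_user, by_device = defaultdict(list), defaultdict(list)
    for e in history:
        by_user[e.user].append(e)
        by_device[e.device].append(e)
    return by_user, by_device


def assess(event, history=HISTORY, hostility_threshold=3):
    """Score one new event on the five signals; returns {signal: (points, reason)}."""
    by_user, by_device = build_profiles(history)
    user_hist = by_user.get(event.user, [])
    dev_hist = by_device.get(event.device, [])
    signals = {}

    # 1. User/device trust: do this user and device share a history?
    shared = sum(1 for e in user_hist if e.device == event.device)
    signals["trust"] = (0 if shared else 2, f"user seen on this device {shared} time(s) before")

    # 2. User/device compatibility: does the device align with what the user normally uses?
    mismatches = 0
    for attr in ("os", "lang", "tz"):
        seen = {getattr(e, attr) for e in user_hist}
        if seen and getattr(event, attr) not in seen:
            mismatches += 1
    signals["compatibility"] = (mismatches, f"{mismatches} attribute(s) differ from the user's past devices")

    # 3. Device hostility: how many identities has this device been associating with?
    identities = {e.user for e in dev_hist} | {event.user}
    hostile = len(identities) >= hostility_threshold
    signals["hostility"] = (3 if hostile else 0, f"device linked to {len(identities)} identities")

    # 4. Malware: does the device configuration suggest infection?
    hits = sorted(event.indicators & MALWARE_INDICATORS)
    signals["malware"] = (3 if hits else 0, f"indicators present: {hits}")

    # 5. Device reputation: has this device been tied to previous crimes?
    bad = event.device in KNOWN_BAD_DEVICES
    signals["reputation"] = (4 if bad else 0, "device on known-fraud list" if bad else "no prior fraud recorded")
    return signals


def risk_score(event, **kwargs):
    """Total across all five signals, so no single signal (e.g. reputation) decides alone."""
    return sum(points for points, _ in assess(event, **kwargs).values())
```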

Published: June 10, 2014 by Maria Scalone

FICO, a leading predictive analytics and decision management software company, has partnered with 41st Parameter®, a part of Experian® and a leader in securing online relationships, to fight fraud on card-not-present (CNP) transactions, the top source of payment card fraud today, while letting more genuine transactions proceed in real time. FICO is integrating 41st Parameter’s TrustInsight™ with the FICO® Falcon® Platform, which protects 2.5 billion card accounts and is used by more than 9,000 financial institutions worldwide. Authenticating the device being used in a transaction provides yet another layer of detection to the Falcon Platform, which includes proprietary analytics based on more than 30 patents. 41st Parameter’s TrustInsight™ solution provides a real-time analysis of a transaction, crowd-sourced from a network of merchants, that produces a TrustScore™ indicating whether the transaction is likely to be genuine and should be approved. TrustInsight helps reduce the number of “false positives,” or good transactions that are declined or investigated by the card issuer. The TrustScore, integrated with the FICO Falcon Fraud Manager Platform, provides a link between data the merchant knows and data the issuer knows to enable issuers to utilize additional information that is not currently available in their fraud detection process, including the identification of a cardholder’s “trusted devices.” Read the entire release here.

Published: June 10, 2014 by Maria Scalone

During last week’s live webinar, David Britton, online fraud industry expert and vice president, industry solutions at 41st Parameter, said this: “At 41st Parameter, we begin our days somewhat differently. We believe that the internet was never built with security in mind. We also assume that all user data has been stolen. Every bit of consumer data has been compromised. Why? It puts us on a much more heightened state of awareness to help mitigate the type of environment we work in. We also believe that we are not just fighting against naturally evolving organisms. Rather, we are combating very sophisticated and powerfully motivated individuals who are highly creative.” During the 45-minute live webinar, Britton also provided five distinct actions that businesses can take to help protect their organizations, as well as real-world strategies for preventing and detecting fraud online AND maintaining a positive online experience for valued customers. Want to learn more? Link to the on-demand webinar here and stay tuned for next month’s panel, where we will focus on the surveillance and validation of data prior to theft. Viewers will be armed with tactics that they can leverage in their own organizations.

Published: June 9, 2014 by Matt Tatham
