
According to statistics compiled by the Privacy Clearinghouse, the media have reported the compromise of an astonishing 260 million computer records containing personal information in the US alone since January 2005. A painful consequence of this failure is that, in 2008, as many as 7.5% of US adults lost money to financial fraud [1]. Increasingly, these crimes are being perpetrated on-line. Understandably, this experience is having a chilling effect on consumers' willingness to conduct business on-line, and is hampering the realization of the Web's full potential as a channel for e-commerce, e-government, e-health and e-banking. According to the same Gartner survey, 66% of users believe that extra security features are an important factor in their decision about banking online. And a Forrester Research survey has demonstrated that, when consumers' security concerns are adequately addressed, they are more than twice as likely to participate in on-line banking and on-line bill payment [2]. If only consumers' fears could be overcome, the Web's full potential could be unlocked.
The Web continues to revolutionize our approach to business: reducing operating costs, speeding delivery, enabling new services and smashing through the limitations inherent in traditional delivery models. It has matured to the point where the Cyberspace Policy Review, conducted by agencies of the US Federal Government and announced by President Obama in June 2009, highlighted the critical role played by private sector information resources in the economies of the US and other countries. But, unfortunately, the benefits of the Web are also available to criminals, and the world of organized crime has been quick to exploit it for criminal gain.
While many people still lose money to traditional fraud scenarios, such as the massive Ponzi scheme perpetrated by Bernard Madoff, increasingly sophisticated on-line scenarios continue to emerge. An example of this is shown below. The basic premise of this attack is to subvert the intended communication between the end user and the financial institution, and the sophistication of the methods used to achieve this is evolving at an astonishing rate.
Criminals are using very persuasive and often personalized tactics to entice users to take specific actions that give the attacker the ability to misdirect or take over a user's session, or their entire machine!
An Arms Race in the Making
While there are many safeguards deployed inside financial institutions, criminals are increasingly turning to sophisticated social engineering tactics to steal identities. Examples such as spear phishing (targeting specific users) and malware such as man-in-the-browser (MITB) are increasingly common. This is leading to higher losses than ever before, not only for individuals but also for businesses: a recent FBI study (October 2009) highlighted that potential losses from attempted MITB and other attacks could have exceeded $100 million. The Anti-Phishing Working Group's most recent report noted that there were more than 49,000 unique phishing sites in June 2009 alone, a figure that pales in comparison to the number of new malware threats in the "wild" today.
Identifying fraud is much more complex than simply identifying transaction anomalies (such as a failure to authenticate properly). Often these can be explained as a mistake or a departure from routine on the part of the genuine user. Real attempts at fraud are more likely to show themselves as a pattern of events that unfolds over an extended period of time, across a group of users, and even across more than one delivery channel. If the events leading up to an actual financial loss can be detected, then authentication and risk mitigation policies can be stepped up to prevent the fraud from taking place.
What's a bank to do?
Financial institutions need to understand the complexity of today's attacks and the value of the tools they have available. Along with the explosion in identity theft there has been an extraordinary amount of innovation driven into products to help detect, defend, and adapt to online fraud.
At a basic level of web security, organizations can now move beyond simple SSL (the padlock in the browser) to the next generation, called Extended Validation (EV) certificates. In combination with the latest browsers, this new method of identifying a site as safe for end users can be a highly effective first step toward improving security.
Organizations should also look beyond approaches that can only examine transactions after the fact, or that are deployed on a per-application basis. Modern fraud detection solutions offer organizations the ability to detect and defend against fraud in real time across applications and channels, a critical capability given how fast criminals move. Because of new attacks such as MITB, it is critical that a fraud detection solution be able to easily capture and analyze all of the data, not just selected points in a web site. This empowers organizations to look back in time and understand the behavior behind a newly discovered fraud incident.
Although there are multiple approaches to comprehensive monitoring, the ideal approach is one that does not require any changes in an application. Given the rapid pace of malware and attack evolution, fraud detection solutions must be able to rapidly adapt with the business, enabling new services, while detecting new forms of fraud, all without changing the applications.
Finally, organizations should look at deploying a range of authentication capabilities for both initial authentication and transaction verification. A one-size-fits-all approach simply doesn't work universally, and financial institutions need the flexibility to address a range of needs and user types. These can range from simple and transparent mechanisms, such as device authentication or IP geolocation, to more secure methods, such as out-of-band one-time passwords (OTP) via SMS, OTP tokens or digital certificates. Having this flexibility gives organizations options for lower-risk initial authentication as well as the ability to authenticate more strongly for riskier transactions. Deployed in concert with fraud detection, strong authentication can significantly increase the overall security of the online world.
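The two ideas above, scoring a pattern of events across sessions, channels and users rather than single anomalies, and stepping authentication up from transparent checks to OTP according to that risk, can be sketched in code. This is an added illustration, not code from the original article or from any vendor product; the event schema, weights, thresholds and sample events are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Event:                 # constructed schema: one normalized event from any channel
    ts: int                  # seconds since epoch
    user: str
    channel: str             # "web", "mobile", "phone"
    device: str              # device fingerprint id
    kind: str                # "login_fail", "login_ok", "new_device", "geo_change", "transfer"
    amount: float = 0.0

WINDOW = 24 * 3600                                        # look-back window (assumed)
WEIGHTS = {"login_fail": 1, "new_device": 2, "geo_change": 2}   # assumed weights

def risk_score(history, event):
    """Score an event against the last 24h of activity across channels, devices and users."""
    recent = [e for e in history if e.ts >= event.ts - WINDOW]
    mine = [e for e in recent if e.user == event.user] + [event]
    score = sum(WEIGHTS.get(e.kind, 0) for e in mine)
    if len({e.channel for e in mine}) > 1:                # same identity active on several channels
        score += 2
    # one device fingerprint driving several accounts is a fraud-ring signal across users
    if len({e.user for e in recent if e.device == event.device} | {event.user}) > 1:
        score += 4
    if event.kind == "transfer" and event.amount >= 5000: # assumed high-value threshold
        score += 3
    return score

def required_auth(score):
    """Map the risk score to the step-up level: transparent checks, OTP, or hold for review."""
    if score < 4:
        return "transparent"   # device fingerprint / IP geolocation only
    if score < 9:
        return "otp"           # out-of-band OTP, token or certificate
    return "block"

def run(events):
    """Replay events in time order; returns (user, kind, score, auth) for each event."""
    history, out = [], []
    for e in sorted(events, key=lambda e: e.ts):
        s = risk_score(history, e)
        out.append((e.user, e.kind, s, required_auth(s)))
        history.append(e)
    return out

SAMPLE = [  # constructed: a benign user, then a takeover pattern spanning two channels and a shared device
    Event(1000, "alice", "web", "d1", "login_ok"),
    Event(1100, "alice", "web", "d1", "transfer", 200.0),
    Event(2000, "bob", "web", "d9", "login_fail"),
    Event(2050, "bob", "web", "d9", "login_fail"),
    Event(2100, "bob", "mobile", "d9", "new_device"),
    Event(2200, "bob", "mobile", "d9", "geo_change"),
    Event(2300, "carol", "web", "d9", "login_ok"),
    Event(2400, "bob", "mobile", "d9", "transfer", 9000.0),
]
```

Replaying `SAMPLE` with `run` leaves alice on transparent authentication, steps bob up to OTP once the cross-channel device and geolocation changes accumulate, challenges carol because her login arrives from a device already tied to bob, and holds bob's high-value transfer for review; none of these single events would have tripped a per-transaction anomaly check on its own.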
Detect, defend, & adapt
Online fraud is constantly evolving, often spanning multiple sessions and channels. Financial organizations must take a proactive, layered approach to protecting online users, whether individuals or businesses. This can be achieved by deploying modern fraud detection solutions that do not impact end applications, and by enabling strong authentication that can be applied, based on risk, at the transaction level when needed. Given the speed at which identity theft is evolving, it is critical that fraud detection and authentication solutions provide the ability to adapt and evolve. From the ability to forensically examine newly discovered patterns to the deployment of new types of authentication, an effective solution set will give organizations this flexibility without unnecessary cost or delay. Organizations need to start now: online criminals are organized and actively looking for ways to steal identities. What will you do?
References:
[1] Gartner – 2008 Data Breach and Financial Crimes Scare Consumers Away
[2] Forrester – Three Ways Online Security Affects North Americans' Financial Behavior, Feb 2009