1 Introduction
Fraud is a major cost to businesses worldwide. Cybersecurity Ventures estimates that cybercrime costs will reach $10.5 trillion by 2025. Banking, finance, payment services, and retail are some of the most frequent objectives of fraudsters, as expected. However, insurance, gaming, telecommunications, health care, cryptocurrency exchanges, travel and hospitality, and real estate are increasingly targeted as cybercriminals have realized that most online services trade in monetary equivalents. Moreover, after years in the sights of cybercriminals, banking and finance in general are better secured than other industries, so fraudsters attack any potentially lucrative target of opportunity. Fraud perpetrators also continually diversify their Tactics, Techniques, and Procedures (TTPs).
Three of the most prevalent types of fraud businesses experience today are:
Account Takeover Fraud (ATO) - Often occurs when fraudsters use breached passwords and credential stuffing attacks to execute unauthorized transactions. Additional means for account takeover fraud are malware attacks (man in the middle and man in the browser) as well as the use of Remote Access Tools via Tojan or social engineering scams.
Account Opening Fraud (AO) - New Account Fraud which often happens as a result of using stolen personal information to create a synthetic digital ID, can be more difficult to detect and has advantages for attackers. This type involves gathering bits of PII (Personally Identifiable Information) on legitimate persons to construct illegitimate accounts. Educational, financial, and medical records can be sources of PII used for assembling fake accounts, which are then often used to abuse promotions and instant loans and/or used as mule accounts to move money around.
Social Engineering Voice Scams – In this scam, also known as Authorized Push Payment fraud, fraudsters call up victims, pretending to be from a bank or other business, and ask them to perform fraudulent actions such as transferring funds immediately in response to a non-existent condition. Fraudsters may claim that the victim’s accounts have been compromised and they need to move their funds as soon as possible to protect their money.
One of the chief mitigation strategies against these types of fraud is risk-based multi-factor authentication (MFA). Strong authentication or MFA can eliminate a substantial portion of ATOs by increasing authentication assurance levels. Risk-based MFA often includes mechanisms to increase identity assurance, such as identity proofing, user behavioral analytics, and behavioral/passive biometrics.
Risk-based MFA is characterized by transaction-time evaluation of multiple factors, including information about users, their devices, and the environments from which requests emanate. There are cases where legitimate users are being scammed (social engineering voice scams, for instance) and can pass the tests involved in various forms of MFA. The presence and action of malware like Remote Access Trojans (RATs) may also taint the results of MFA risk analyses. Thus, it is important to be able to have deeper insights into the context of each transaction. Risk-based MFA solutions operate optimally when integrated with or informed by Fraud Reduction Intelligence Platforms (FRIPs). FRIPs provide to risk-based MFA and transaction processing systems the information needed to make more accurate decisions on whether or not transactions should execute. FRIP solutions generally provide up to six major functions:
- Identity proofing/vetting
- Credential intelligence
- Device intelligence
- User behavioral analysis
- Behavioral/passive biometrics
- Bot detection & management
To detect and mitigate ATO fraud vectors, FRIP solutions interoperate with transaction processing systems, evaluating the context of each transaction request against pre-determined policies (similarly to authentication decisions in risk-based authentication systems) and then outputting risk scores. In these use cases, customers of FRIP solutions usually must write a bit of code to have their transaction processing systems query the FRIP service providers’ APIs. For example, a FRIP customer will collect transaction context information and transmit that as part of the API call to the FRIP service. The FRIP solution analyzes the transaction request context, gathers additional intelligence relevant to the user and request in real-time, scores it in accordance with customer-determined policies, then returns the risk score and potentially additional insights to the calling customer. The customer’s transaction processing logic then executes, taking into consideration the risk score from the FRIP service.
FRIP solutions also help prevent AO fraud. Various components can work in concert to deter fraudsters from being able to use fraudulently obtained personal information to create accounts. Identity proofing is a collection of processes that aim to ensure that the person attempting to create a digital account is the person they are purporting to be. These processes may include physical verification of presence with photo ID, or more modern means of using mobile apps to electronically match physical documents with the device operator. Credential and device intelligence can be used as part of the identity vetting process to deter AO fraud. Moreover, the development of user behavioral biometric profiles that can be set as baselines and analyzed at subsequent registrations can be a useful technique for stopping AO attempts.
Integration between advanced FRIP solutions and line-of-business applications in finance, insurance, and retail industries is a required technique to mitigate the ever-increasing frequency of and sophistication of fraudsters.