1 Introduction
Fraud has emerged as one of the biggest, and still growing, threats in cybersecurity. It is costly and a drain on the global economy. Cybersecurity Ventures estimates that cybercrime costs will reach $10.5 trillion by 2025. The vast majority of successful cyberattacks, as well as various forms of online fraud, can be attributed to compromised digital identities. A lack of security, particularly around identity and authentication assurance, is a direct contributor to these problems.
Account TakeOver (ATO) incidents are the improperly authenticated and unauthorized use of digital credentials. ATO fraud is often perpetrated by malicious bots in credential stuffing attacks, which utilize username/password combinations discovered in breached password dumps posted or sold on dark web forums. This is why conventional IT security wisdom was to tell users not to re-use passwords between sites. However, applying that conventional wisdom is insufficient due to the sheer number of passwords that users have to maintain. Deploying Multi-Factor Authentication (MFA) and risk-adaptive authentication techniques is the primary means of protecting against ATO attacks.
What kinds of credentials are targeted for ATO? As expected, from a consumer perspective, banks and other financial institutions are indeed highly sought-after accounts. But almost every type of consumer account is at risk, meaning companies in almost all industries are being attacked by fraudsters. Any digital account that can be used for receiving/transferring funds, shopping, managing loyalty rewards, requesting or paying for services, etc., is a potential ATO victim.
From the Business-to-Enterprise (B2E) view, privileged accounts are the most valuable. Capturing an admin account allows attackers to more easily search for and exfiltrate sensitive information, such as trade secrets and other intellectual property, customer records, and Personally Identifiable Information (PII). In many ransomware cases, user accounts have been hijacked to deliver ransomware payloads as well. Successful takeovers of enterprise accounts therefore lead to theft of key information, open the door to massive fines for loss of PII, and cause lost productivity and damage from ransomware detonation.
In most cases, the finance industry leads others in terms of implementation of fraud reduction technologies. However, extrapolating from the UK Finance 2021 report, even within this industry fraudsters have a 33% success rate. To thwart the rising threat of fraud, the European Union has adopted the Revised Payment Services Directive (PSD2). PSD2 mandates Strong Customer Authentication (SCA), which is defined as two of these three factors: something you know, something you have, or something you are. This applies to consumer and customer interactions across the finance ecosystem. PSD2 also requires ongoing analysis of risk factors to reduce the need for explicit SCA events, which add friction to the consumer experience.
EMVCo, a global consortium composed of payment networks, service providers, card issuers, and technical associates, developed the 3-D Secure 2.x specification to improve security in the payments process. 3DS2, similar to PSD2, requires strong authentication of payment instrument users. 3DS2 allows the collection and evaluation of extensive device information and behavioral biometrics as a means to increase authentication assurance at transaction time.
New Account Fraud (NAF), sometimes called synthetic fraud or Account Opening (AO) fraud, is another significant type of malicious activity designed to abuse digital identities for illegal activities. Synthetic fraud involves the unauthorized creation of digital accounts, often for the purpose of moving stolen funds (money laundering). Fraudsters build accounts using PII items such as names, email addresses, physical addresses, phone numbers, driver’s license numbers, social security numbers, etc. The PII used to build fake accounts can be found in social media, government records, employment records, health care records, school records, and other sources. Fraudsters may also recruit people to serve as money mules via offers of fake jobs on social media, employment sites, community forums, and other less policed digital domains.
Synthetic fraud can be deterred through improving identity assurance. In-person and remote ID document verification (the latter via secure mobile apps) are primary methods for ensuring that accounts are issued to the proper individuals. Physical and behavioral biometric authentication can also be used to bolster identity assurance. Authentication solutions commonly provide apps and SDKs that leverage fingerprint and facial recognition capabilities on smartphones as well as the ability to analyze and profile user-and-device behavior. Users physically interact with their devices in ways that can be quantified to build consistent profiles. Behavioral biometrics include examination of keystrokes, mouse movements, swipe analysis, touchscreen pressure, onboard gyroscopes and accelerometers, as well as location information such as geo-location, IP address, WiFi SSIDs, or mobile network information. Individual behaviors are baselined, and those baselines can then be compared with the same attribute parameters at the time of each authentication or transaction request. If the behavioral biometric samples do not deviate too significantly from the user template at the time of the request, the request may proceed without additional user input. Moreover, if user profiles can be ported between devices, then behavioral biometrics can increase identity assurance when users upgrade devices, thereby helping to prevent synthetic identity fraud.
Behavioral biometrics are often instrumental in detecting bot activity. Bots are automated programs that interact with web properties. Some are good and are necessary for the functioning of ecommerce ecosystems. Many are malicious or somewhere in between, and keeping the wrong kinds of bots out of consumer-facing sites is a top priority. Since bot activity is scripted, it usually looks different from real human website interaction. Thus, output from behavioral biometrics can inform bot detection routines. However, bot creators and operators are always improving their bots with the intention of bypassing detection tools, so Fraud Reduction Intelligence Platform (FRIP) vendors must constantly innovate to stay ahead of the fraudsters.
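The two preceding paragraphs describe a baseline-and-compare loop (enrol a user template, measure deviation at request time, step up only when the sample strays) and the observation that scripted input looks different from human input. The following is an added illustration written for this section, not code from any FRIP vendor or from this report. It assumes a single feature family, keystroke timing: the client reports inter-keystroke intervals and key hold times in milliseconds; enrolment sessions are pooled into a per-user template of mean and standard deviation per feature; a request-time sample is scored by its mean absolute z-score against that template; and a separate jitter check flags near-constant timing as automation. All timing values, thresholds and the function names are constructed for illustration.

```python
"""Behavioral-biometrics baseline, deviation scoring and bot heuristic.

Added example, not from the report. Keystroke timing is the only feature
family modelled; every threshold and sample below is constructed.
"""
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Sample = Dict[str, List[float]]            # {"interval": [...], "hold": [...]} in ms
Template = Dict[str, Tuple[float, float]]  # feature -> (mean, std) from enrolment

# Constructed enrolment sessions for one user (three successful logins).
ENROLMENT: List[Sample] = [
    {"interval": [120, 150, 130, 160, 140], "hold": [80, 90, 85, 95, 88]},
    {"interval": [130, 145, 125, 165, 150], "hold": [82, 92, 88, 90, 86]},
    {"interval": [115, 155, 135, 150, 145], "hold": [78, 95, 84, 92, 90]},
]
# Constructed request-time samples: the same user, a different person, a script.
GENUINE: Sample = {"interval": [125, 148, 138, 158, 142], "hold": [84, 91, 86, 93, 89]}
IMPOSTOR: Sample = {"interval": [210, 240, 225, 260, 230], "hold": [110, 120, 115, 125, 118]}
SCRIPTED: Sample = {"interval": [140, 140, 141, 140, 140], "hold": [88, 88, 88, 88, 88]}


def build_template(sessions: List[Sample]) -> Template:
    """Pool all enrolment observations per feature and store (mean, std)."""
    template: Template = {}
    for feature in sessions[0]:
        pooled = [v for s in sessions for v in s[feature]]
        # Floor the std so a perfectly uniform enrolment cannot divide by zero.
        template[feature] = (mean(pooled), max(pstdev(pooled), 1e-9))
    return template


def deviation(template: Template, sample: Sample) -> float:
    """Mean absolute z-score of the sample against the template (lower = closer)."""
    per_feature = []
    for feature, (mu, sd) in template.items():
        per_feature.append(mean(abs(v - mu) / sd for v in sample[feature]))
    return mean(per_feature)


def looks_scripted(intervals: List[float], max_cv: float = 0.02) -> bool:
    """Coefficient of variation of the intervals; scripted replays have almost no jitter."""
    return pstdev(intervals) / mean(intervals) < max_cv


def decide(template: Template, sample: Sample, threshold: float = 1.5) -> str:
    """Risk decision: 'allow' silently, 'step_up' to explicit MFA, or 'bot_suspected'."""
    if looks_scripted(sample["interval"]):
        return "bot_suspected"  # hand off to bot mitigation rather than just MFA
    return "allow" if deviation(template, sample) < threshold else "step_up"


if __name__ == "__main__":
    tpl = build_template(ENROLMENT)
    for name, sample in (("genuine", GENUINE), ("impostor", IMPOSTOR), ("scripted", SCRIPTED)):
        print(f"{name:9s} deviation={deviation(tpl, sample):5.2f} -> {decide(tpl, sample)}")
```

The scripted sample is the instructive case: its timings sit almost exactly on the user template (deviation well under 0.1), so template matching alone would let it through; it is the absence of human jitter that exposes it. That is why the report treats bot detection as a separate consumer of behavioral-biometric output rather than a by-product of user matching. A production system would use many more feature families, larger enrolment sets and tuned thresholds; the structure of the decision is what this shows.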
Device information and behavioral biometrics are also used in the B2E context. Remote ID document verification has proven to be an effective way to onboard employees and contractors during the pandemic and will likely continue to be used after it. Device intelligence and behavioral biometrics can both be used to inform risk-adaptive authentication systems, increasing productivity while reducing the need for obtrusive authentication events, as well as decreasing costs by utilizing ubiquitous smartphones rather than necessitating the purchase of separate hardware authenticators.