Product Group Tests
Emerging products: Online fraudSeptember 03, 2013
Account takeover, online fraud, multifactor authentication for consumers, and website fraud analysis and prevention…these all are the meat and potatoes of online fraud management. This month, we have a crop of products that fit that description nicely.
Account takeover, online fraud (where there is no physical card), multifactor authentication for consumers, and website fraud analysis and prevention...these all are the meat and potatoes of online fraud management. This month, we have a crop of products that fit that description nicely. These all are tools from established companies, so in that regard they are not exactly emerging. But, there are two important aspects that make them appropriate for our online fraud detection emerging products: first, they are new versions of existing products that have shown significant growth as they have developed and, second, the whole area of online fraud detection is in its infancy, so any solutions to the online fraud challenge is, almost by definition, emerging.
That said, let's begin by taking a look at where these products fit into the fraud management arena. Today's users do several types of things online. They buy things - e-commerce using credit cards, but without, of course, presenting a physical card to the merchant. And, they bank - and by using typical ID/password credentials they open themselves up to fraud and account takeover.
Perhaps the most dangerous compromise is account takeover. ATO, as it's called, allows the fraudster to gain access to a user's bank account as if they were the user. There are a number of ways that the bad guys can do this, but among the most common are client-side compromises. These range from sophisticated banking trojans to simple keystroke monitors. The fraudster gains access to the victim's computer - usually an unprotected or moderately protected home PC - and harvests banking credentials. Once they have the victim's creds it is a simple matter to access the account and clean it out. If the bad guy is lucky, the victim will have multiple accounts in banks, e-commerce sites, etc., and will be using the same credentials on all of them. That can mean a hefty payday for the fraudster.
The other side of that coin is the site itself. It really is not the bank's or e-commerce site's responsibility to keep the user's PC secure, but the organization itself is apt to lose money when one of these ATOs happens. If it is a bank, the user often believes that it is the bank's responsibility to keep the crooks out of the cookie jar. If the victim is not satisfied with the level of protection for their money, they jump ship and head for a competing bank. For the e-commerce vendor, the loss can be more direct: merchandise literally stolen right from the site. The victim, of course, never sees the merchandise, so, like the bank, the e-commerce site makes the victim's loss good to keep the customer. That's a double loss: the merchandise and the customer's credit card expense.
An extension for the e-commerce site is the card-not-present risk. There are many ways to harvest credit card information and use it to steal from online merchants. The trick is knowing when this is happening and stopping it before there is a loss. Sounds simple, of course, but it's not. Solutions to this problem and the others is a matter of extremely sophisticated fraud identification algorithms and lots of data. This may be one of the ultimate uses of Big Data analysis techniques. And that, among other things, is where the four products this month shine.
Our solutions, as is usual for our Emerging Products section, each address a piece of the puzzle. One of the major fraud enablers is simple ID/password pairs. In a client-side exploit, whether sophisticated or not, success depends on being able to harvest credentials. If there are no credentials to harvest, the fraudster is stopped in their tracks. That is one of the solutions to the online fraud problem that we address.
Another area is analytics related to websites. Since the websites are the real targets - remember that old saw about robbing banks because that's where the money is - being able to catch fraud attempts at the website is a big deal. Add to those two, account takeover protection and risk analysis and you've rounded out this month's offerings. So without further ado, let's get on with it and have a look at our first product.
All products in this group test
SC Magazine Articles
- PCI DSS version 3.2 release extends multifactor authentication requirement
- Over 7M Minecraft mobile credentials exposed after Lifeboat data breach
- New site on dark web offering one-stop ransom services
- Pwnedlist vulnerability exposed 866M accounts
- Turkish fascists claim responsibility for Qatar bank data breach
- DōTERRA breach exposes customer info; including SS, DOB, and addresses
- Federal court bucks trend, rules general liability insurance covers data breach
- The anatomy of a spearphishing scam, or how to steal $100M with a fake email
- Report: Ransomware feeds off poor endpoint security
- Pros examine Mossack Fonseca breach: WordPress plugin, Drupal likely suspects