Content

Emerging products: Online fraud

Account takeover, online fraud (where there is no physical card), multifactor authentication for consumers, and website fraud analysis and prevention...these all are the meat and potatoes of online fraud management. This month, we have a crop of products that fit that description nicely. These all are tools from established companies, so in that regard they are not exactly emerging. But, there are two important aspects that make them appropriate for our online fraud detection emerging products: first, they are new versions of existing products that have shown significant growth as they have developed and, second, the whole area of online fraud detection is in its infancy, so any solutions to the online fraud challenge is, almost by definition, emerging.

That said, let's begin by taking a look at where these products fit into the fraud management arena. Today's users do several types of things online. They buy things - e-commerce using credit cards, but without, of course, presenting a physical card to the merchant. And, they bank - and by using typical ID/password credentials they open themselves up to fraud and account takeover. 

Perhaps the most dangerous compromise is account takeover. ATO, as it's called, allows the fraudster to gain access to a user's bank account as if they were the user. There are a number of ways that the bad guys can do this, but among the most common are client-side compromises. These range from sophisticated banking trojans to simple keystroke monitors. The fraudster gains access to the victim's computer - usually an unprotected or moderately protected home PC - and harvests banking credentials. Once they have the victim's creds it is a simple matter to access the account and clean it out. If the bad guy is lucky, the victim will have multiple accounts in banks, e-commerce sites, etc., and will be using the same credentials on all of them. That can mean a hefty payday for the fraudster.

The other side of that coin is the site itself. It really is not the bank's or e-commerce site's responsibility to keep the user's PC secure, but the organization itself is apt to lose money when one of these ATOs happens. If it is a bank, the user often believes that it is the bank's responsibility to keep the crooks out of the cookie jar. If the victim is not satisfied with the level of protection for their money, they jump ship and head for a competing bank. For the e-commerce vendor, the loss can be more direct: merchandise literally stolen right from the site. The victim, of course, never sees the merchandise, so, like the bank, the e-commerce site makes the victim's loss good to keep the customer. That's a double loss: the merchandise and the customer's credit card expense.

An extension for the e-commerce site is the card-not-present risk. There are many ways to harvest credit card information and use it to steal from online merchants. The trick is knowing when this is happening and stopping it before there is a loss. Sounds simple, of course, but it's not. Solutions to this problem and the others is a matter of extremely sophisticated fraud identification algorithms and lots of data. This may be one of the ultimate uses of Big Data analysis techniques. And that, among other things, is where the four products this month shine.

Our solutions, as is usual for our Emerging Products section, each address a piece of the puzzle. One of the major fraud enablers is simple ID/password pairs. In a client-side exploit, whether sophisticated or not, success depends on being able to harvest credentials. If there are no credentials to harvest, the fraudster is stopped in their tracks. That is one of the solutions to the online fraud problem that we address.

Another area is analytics related to websites. Since the websites are the real targets - remember that old saw about robbing banks because that's where the money is - being able to catch fraud attempts at the website is a big deal. Add to those two, account takeover protection and risk analysis and you've rounded out this month's offerings. So without further ado, let's get on with it and have a look at our first product.


Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.