Event Recording

Fraud Reduction Intelligence Platforms - an Overview

So as, as you can imagine, fraud is everywhere and it's, you know, just getting more and more sophisticated. So, you know, a lot of these talks, people will collect statistics and I, I actually think they're really interesting. They're, they're fun to look at and sometimes mind numbing or mind expanding, but I'm not gonna read all these to you, but you know, these are just from the FBI, the US FBI from last year, and these are the events that were reported, you know, 300,000 plus phishing reports. Think about how many phishing reports could have been made that weren't. I mean, the numbers are just huge, you know, so 2300 people a day bothered to file some kind of a report about, you know, attempts at cyber crime. You know, of course COVID was, or is an ongoing humanitarian disaster, but it's also been an opportunity for fraudsters.
And, you know, I think some of these headlines and I put links behind each one of these. So if you wanna get the slides later and follow up on, on what's actually meant, and the story behind it, please do, you know, some of the biggest fraud has been against governments. You know, governments who have been trying to help out citizens help out small businesses through the pandemic, you know, provide payments of one kind or another, and fraudsters immediately realized this was an opportunity for them to make mega bucks, you know, and in, in this case, you know, not even really sure how much fraud was perpetrated yet, it's still an ongoing investigation, but the amounts are just totally unbelievable.
So, you know, who is a target like on the business side or, you know, so of course you would think finance obviously, cuz that's where the money is, but you know, it's all over the place. Of course it's government agencies, you know, social media, you know, mobile network operators, you think in many, many countries around the world, you can use your phone to pay bills. So the phone is kind of a vector that can be used to transfer money. You know, before the pandemic, we were hearing a lot about fraud in the hospitality industry, airlines, you know, trying to attack frequent flyer accounts or any, any kind of rewards program that could be, you know, turned into money, was a potential victim, hotels, gaming, gambling, insurance, healthcare providers, all kinds, you know, there have been some notable data breaches that have resulted in the exposure of more than a billion users at a time.
And lots of individual data breaches have totaled, you know, over a hundred million records each and Cybersecurity Ventures predicted about a year or so ago that by 2025 globally, we may be looking at 10.5 trillion in cyber crime, which is just hard to imagine. You know, when you look at the individual side of fraud, I think many times people would perceive that it could be the older generations that are most likely to be hit. And that's true. There are, there's lots of fraud across all age groups, but a recent report shows that you know, about 20% of people on the younger side are experiencing fraud. The numbers are increasing and that the most interesting thing on this statistic, and again, that's a link, is almost 40% say, you know, that's not our problem. That's the company's problem that we're doing business with. So that to me says, you know, we have to continue to do our best on the provider side to, you know, increase awareness of fraud and, and do what we can to prevent it technically.
So let's talk about the two biggest kinds of fraud. The biggest, you know, the headers that we'll use here are ATO and AO. So account takeover fraud, the goal is to at least temporarily get control of somebody else's existing account and you know, what would you want to do with that? If you were a fraudster, well, anything you can to get the value out of it, to drain it, anything that can be converted into money. And you know, again, almost any kind of industry is targeted. This differs from account opening fraud where the goal is to create fake accounts based on real people's information. And this can be used for of course, financial fraud, but even bigger than just, you know, one or two hits against a person's credit card, the, you know, account opening fraud can be used to take out lines of credit, you know, get mortgages or, you know, huge dollar or Euro value, fraudulent transactions, including things like creating mule accounts, you know, for, you know, the bad guys who have already moved a lot of money and they want to get that into a place where then they can get access to it.
They will recruit people to be, you know, money mules and move that into different accounts. So it's less likely to be tracked the money laundering thing.
So let's look at some of the methods that are used for account takeovers. First up phishing, smishing, vishing, all the different issues out there. We're all familiar with phishing, have been for years, you know, smishing is getting a text, an SMS. I get those, I'm sure you do too. Vishing, the voice calls. I mean, I don't know how many, I get at least two a day on my landline about, you know, somebody's charged, you know, call and give us your credential information so that we can reverse this. You know, this is just rampant out there and they must work because the bad guys keep trying it, you know, they can also do things like do drive-by downloads. They at least temporarily get malware onto a legitimate site. So that visitors that might accidentally pick up malware, the malware could be things like keyloggers or rootkits.
Again, designed to just capture username, password combinations, fake websites that are set up for phishing, you know, to redirect somebody to a place again, where they can harvest credentials, spyware that can steal cookies, you know, and try to do replay attacks. There are compromised credentials, all those data breaches I was just mentioning, compromised credentials in various places on the dark web that can be used in credential stuffing attacks. We've been hearing about those for a while. That's where, you know, a fraudster will go out and try a username password combination that that has been exposed. But since, you know, people have, you know, the last session we talked about each person has probably at least 90. I, I feel like it's gotta be more than 90 digital accounts per person at this point. You know? So is it not realistic for everybody to be creating their own unique passwords for each one?
So a credential stuffing attack is taking that one that, you know, that's been compromised and just blasting it out against a whole bunch of other sites and see what you get. And that works unfortunately. And then again, good old brute force password guessing, you know, we saw the, the stats about how easy it is to crack certain length and low complexity passwords. This is still a problem. And unfortunately, password guessing still works. On the account opening side, how do they do this? Well, there's a whole lot of different places where this information can come from. You know, personal information can come from government records, your school records, employment records, healthcare records, insurance, you know, at least in the US until probably, I don't know, 10 or 15 years ago, it was pretty common to use a person's social security number on their healthcare records, insurance records, fortunately, that was stopped.
But you know, the idea of any unique identifier that could be tied and, and used kind of as the, you know, the key to pull all the other information about a person, then you can get, you know, names, email address, physical information, you know, physical address information. Think about all the data fields that you're asked to enter. If you want to let's say, go get a new credit card or open a new bank account. All that information, you know, could potentially be used by fraudsters to create an account in, in one of our names, if they're not checking to make sure that it's not the right person behind this request.
So I know this isn't really designed to be read out loud here. I've got a few slides like this. I thought I would just list everything that, that I'm aware of, different kinds of techniques, themes and variations on just the phishing, smishing and vishing because there's, there's a lot of variety. I mean, it's kind of amazing how many different tactics the fraudsters will take to try to get credential information. You know, over the last couple of years, I've been writing reports, Leadership Compass, our comparative reports on what we call fraud reduction intelligence platforms, you know, comparing the different services that are out there and I'm getting ready to update that. And one of the reasons I've tried to present all this information this week is this is gonna be a lot of, you know, the use cases that I'm looking at when looking at the different fraud reduction intel platform vendors, are they able to help their customers, you know, fend off attacks of, of these different kinds, you know, but these, they run the gamut here from shopping scams, you know, fake utility bills, you know, the fake tech support scams, event ticket scams, you know, there's, there's like I said, quite a bit of variety here, but I just wanted to kind of leave this as a resource for you to be aware of, of what's going on out there.
And some other kinds of fraud, you know, looking at let's see card issuers, because obviously there's still tons of credit card fraud. There are things like PSD2 and 3SD, 3DS2, fortunately, that kind of rhyme, you know, standards around authentication in the, the financial industry. But there are still, excuse me, problems that arise with, you know, card-not-present transactions, which, you know, many, most of them are, especially throughout the pandemic. Everybody was ordering things online. Of course you had to use that little three or four digit pin code on the back of your card to order. And then the others are kind of physical, you know, there's card not received. Let's say you've had a card that's been compromised, your credit card company's gonna send you another one. It gets intercepted in the mail. Similar to cards can be stolen in bulk, you know, during transport.
And there are still skimmers, you know, in different places where you can stick a card in and it copies magnetic stripe information, if they're not using chip and PIN. Cryptocurrency, you know, cryptocurrency has kind of been, well, it's been in the news for years, but it's kind of been in a downturn, you know, over the last few weeks, but still there have been things like fake ICOs, fake coin offerings, fake wallet aggregators, fake exchanges, and you know, even interesting one here, malware that specifically looks for the format of a cryptocurrency address because let's say somebody's stored that in a spreadsheet and you wanna just copy and paste that into, you know, your exchange when you wanna log into that. So yeah, there's malware that looks for a crypto address in the, in the clipboard.
It's more lists about, let's say you're a website operator. Maybe you, maybe you're working, you know, for a retail company or a media company, there are lots of types of fraud that can be perpetrated against those companies, too. Everything from, you know, inventory hoarding bots, bots are kind of a big theme here. So inventory hoarding bots, API checking bots, competitive price checking bots, you know, but you can't just do bot detection and hope, you know, turn off access to all bots cuz a lot of business gets done on the web through bots. So there are some good bots, there's some gray bots and there are bad bots, but you can see as, as a business owner, as a website operator, there's a lot of different kinds of fraud that you have to try to prevent on your side as well.
So how do we do that? So just again, take it from the top, the best things that we've been talking about this here for the last couple hours and this track, multifactor authentication, you know, we do highly recommend it. It's a good thing for preventing account takeover fraud. You know, unphishable passwords, or, passwords are phishable, but having an unphishable authentication method definitely has its advantages. And then we were also talking about risk based authentication, the ability to, you know, check up on the context of a request, see if it really matches what's gone before and maybe not have to ask a user for an explicit authentication event every time they wanna log in or conduct a transaction. For account opening, we've also talked a bit about identity proofing in here. Again, that's making sure that when an individual tries to open a new account, it really pertains to the individual, to who's purporting to be that person and then doing the ongoing, know your customer as well. You know, this is something that's required in banking. We're starting to see it more in other industries too, where there's an interest in identity proofing and some KYC.
So as part of those fraud reduction intelligence platforms, I was mentioning, I think that I call out six major capabilities, the identity proofing, credential intelligence, device intelligence, user behavioral analysis, behavioral biometrics, and then the bot detection and management. And I'll quickly walk through these. We've had a couple of good descriptions of identity proofing already. Some of it has been more on the manual side. I kinda wanted to highlight, you know, throughout, well, even before the pandemic, there were remote onboarding apps that would do things like, okay, you wanna apply for a high assurance credential. Maybe you wanna open a bank account, you download this remote identity verification app. You know, it can take a selfie, it can do liveness detection to make sure you're not just holding up a picture of the person you're trying to spoof. It can scan the documents, you know, maybe using NFC or OCR and then issue a credential. Of course, this is the happy path flow. This is assuming it's the right person getting the right account. This is what, how that would work. And because of the pandemic, this turned out to be a way that companies would onboard new employees too. You know, you might not wanna send a new employee into the office to have HR do all the, the sorts of verification that they used to do. These apps can also be used in an enterprise or workforce situation as well.
Credential intelligence. Just try to sum this up. As you know, there, if, if an identity provider knows that a, an identity has been used fraudulently, then it's wonderful if they could pass that information on to other downstream relying parties so that they are not tripped up by a fraudster who they know this credential has been recently used in, in an attempted fraud. So therefore, you know, send that signal to the next relying party downstream so that they can make a decision about, well, what do they wanna do about that? Would they like to force an explicit multifactor authentication event? This is why credential intelligence is important. Device intelligence. It's about, you know, the information you can glean from a device. We've talked about this a bit already, but there's things around device health, IP reputation services that can feed into fraud reduction intel platforms and give, you know, a good indicator as to whether or not this is a device that should be trusted. User behavioral analysis.
This is looking at, a lot of it's about, you know, frequency and time of logins, failed login attempts, and then transaction specific information is what is in the current request context? Is this like something that the user's done before, or is it totally different? Is this a new payee? You know, and is it an amount that's so great that this should raise a red flag? Well, if so, send a signal so that the relying party would say, wait a minute, we wanna make sure that this is really the right person, making the request here. Behavioral biometrics. This is, you know, how you hold, interact with your device. There's lots of different factors here that can be evaluated and, and believe it or not, this can create a pretty unique identifier in itself. Something that's pretty unobtrusive as well. So behavioral biometrics I think is currently an area of innovation in fraud reduction technologies and more and more companies are getting into using it. Bot detection.
This is combining behavioral biometrics, IP and device reputation, signature methods, like the old antivirus signatures and then CAPTCHAs or other kinds of puzzles. Nobody likes CAPTCHAs though, but yeah, you've gotta do bot detection. So then you can decide what you want to do. If you figure out if it is a bot, is it a good bot, a gray bot? That's where the bot management piece comes in. And we're bumping up against time. So I'll just wrap it up and say, you know, this is a growth area. Obviously there are, the threats continue to increase, but fortunately there are quite a few vendors out there covering all those different six areas. Many of them put it all together and, and they even cooperate in, in many cases, it's kind of a big ecosystem of, you know, information. In many cases, they do share it with one, one another so that they can mutually help each other and their customers and their consumers. And I think that's a good thing. And with that, I'll close.
