"Both solutions are valid. They attempt to solve the problem from very different perspectives and in so doing, provide a layered approach and make it much more difficult for that fraudster to be able to penetrate that system," says Reed Taussig, CEO of ThreatMetrix, provider of fact-based fraud detection solutions.
According to the Federal Financial Institutions Examination Council's expected new guidance for online authentication, device identification is a necessity born from increasing overseas cyberattacks on U.S. accounts.
"Most online fraud comes from behind a hidden proxy," Taussig says. "So, the FFIEC is asking that you determine the true IP address, and determine whether or not a cookie has been copied."
Taussig says banks and credit unions will opt to invest in varying solutions, some that include log analysis, a behavioral-based approach.
"Behavioral-based solutions are really looking at the logs to see if the transaction fits in with the norm," he says. And when fact-based solutions are coupled with situation-based solutions, institutions have put in place their best lines of defense. Going forward, Taussig says financial institutions need to find practical solutions that require minimum resources. "Honestly, they don't have the expertise and the resources, typically speaking, to be able to meet these requirements, but the vendors in the marketplace do."
During this second part of a two-part interview, Taussig discusses:
- The connection between device identification and log analysis;
- Cloud-based solutions and behavioral analytics;
- The role of vendors and compliance with expected changes to FFIEC guidance.
Log Analysis and Device IdentificationTRACY KITTEN: We've talked about device identification and we've touched on authentication, but in this pending guidance that is expected to soon be released in an official way from the FFIEC, device identification is just one piece. Log analysis is another. How do the two fit together in the fight against ACH and wire fraud?
REED TAUSSIG: You have two solutions. One is fact-based, and device identification really is fact-based fraud. I am accessing this account, but the device that I am using has a language mismatch. I'm executing the transaction in English, but all of the fonts on my device are in Russian. I'm behind a hidden proxy, or I'm using some form of botnet, a man in the middle attack where I've compromised somebody else's computer. So what we are looking for are anomalies in a transaction, whether they are velocity rules, a single fraudster accessing multiple accounts at a bank, or many of the things I previously mentioned such as language mismatch. What we are looking at are factual based tall-tale signatures that would indicate that this is a fraudulent transaction.
On the other hand, behavioral-based solutions such as Actimize for example, are looking for situations that are unusual relative to the transaction itself. So as a small business, I typically process two hundred and fifty thousand dollars a month in payables, which might include payroll. It may include vendors that I am paying for as well, let's say half a dozen vendors. All of a sudden I'm located in California and all of a sudden I create a new vendor who is located in Florida, and I start transferring fifty-five thousand dollars a month to this new vendor. That is an unusual situation in that typically companies have a set number of suppliers that they work with within a given set of locations. And all of a sudden I have a new location with a new company with an unusual amount of money. In the behavioral-based solutions, we are very good at capturing those kinds of activities.
For device identification, what we are looking at are all of the activities that occur outside of the firewall. That is consumer-facing activities and it's for the most part based on fact-based fraud, whether those are velocity rules, language mismatches or hidden proxies. In behavioral-based solutions, which are looking at logs and at the activities, the actual transaction activities on a given individual to see if it fits within the norm, is it typical for this customer or this group of customers to operate in this way? When you combine those two elements together, you end up in a situation where some of the parts are greater than the whole. Meaning you have set up a layered defense strategy, which is something else that the FFIEC calls for, and that is putting layers of defense up in order to stop these kinds of activities. So both solutions are valid. They attempt to solve the problem from very different perspectives and in so doing, provide a layered approach and make it much more difficult for that fraudster to be able to penetrate that system.
KITTEN: Most banking institutions currently do analyze their transaction logs, but some industry pundits have suggested that they spend far too much time focusing on the wrong things in those logs. What is your perspective?
TAUSSIG: I don't really know if that is a fair criticism. The regional banks do not typically have the staff in place to be able to adequately address the problem. If you go to a Bank of America or Citigroup, they have 50 people in their fraud department who are well-versed in data analytics and have that kind of background looking for these kinds of anomalies; those guys do a pretty good job. You then go to a regional bank that has a bank manager, who doesn't really have any fraud training or analytics training, but is now responsible for reviewing transactions on an individual basis, and you can see how the amount of fraud can increase, and the fraudsters can slip through.
I think the answer to the problem is a greater reliance on the fraud vendors. There is a lot of expertise in the community, whether it's ThreatMetrix or other companies that provide fraud solutions, to be able to support these banks and help them with best practices in a very automated fashion. The nature of the software and the maturity of the software at this point in time is such that it can be implemented with minimum resources for stopping ACH fraud.
Advice to Institutions: 'Find Practical Solutions'KITTEN: Reed, given what you know about the expectations the FFIEC is likely to have for enhanced log analysis and device identification, what advice would you offer to financial institutions?
TAUSSIG: It's not just a regulatory problem. The FBI report, with respect to this Chinese gang, demonstrates that it is a real problem. It's not just an issue of where a group of bureaucrats in Washington is saying, "Well, we want you to protect yourself against "What if?" This is a "what is" rather than a "what if." My advice to them is to find practical solutions that can be implemented with minimal resources, because, honestly, they don't have the expertise and the resources, typically speaking, to be able to meet these requirements; the vendors in the marketplace do. It really should be a cooperative relationship between suppliers and the banks.
The second thing the banks should do is encourage their own customers, the merchants, to also incorporate and implement minimum security measures in their institutions. If they were to provide them with modest financial incentives, they would ensure that existing firewalls were in place and that malware software is installed across all of the devices they use to access bank accounts, whether it's within the merchant operating environment or home devices. They should encourage their customers to do it, because it is a shared problem. And where this starts typically speaking is not the fraudster breaking through the bank firewall to gain access to accounts, although that does happen from time to time. More often where it starts is with an unaware consumer being phished for credentials, or having some form of malware installed on their device, so that the fraudster can now use that device or use those credentials to access that consumer's bank account. There are multiple points of entry. I think that is a shared responsibility between the consumer, the merchant, and the bank itself to provide a security ring against these ACH fraudsters. I would suggest to them to go to the market place. There are a lot of viable solutions, at very reasonable price points, available in the market for them to take advantage of.
KITTEN: And what does all of this mean, from a fraud prevention and detection investment standpoint? When we talk about the FFIEC guidance and some of the challenges that the industry is already experiencing when it comes to ACH fraud, where do you see these investments going?
TAUSSIG: As a vendor in the marketplace, I think that there is a growth opportunity available to us here. I think there are two approaches to the problem though. ThreatMetrix has positioned itself in the market to offer easy-to-install solutions to stop all forms of fraud, not just ACH fraud, but new account origination and log-ins as well. Then there are very complex solutions offered by large vendors, platform vendors, in the market place that require a significant amount of investment both in hardware and software, as well as internal expertise to be able to fully utilize those solutions. Those solutions in many cases are extremely valid if you are looking at any of the major financial institutions where they are experiencing a lot of cross channel fraud and very sophisticated attacks. Those kinds of complex solutions, if you are in the position to be able to implement them, end up being a great alternative.
Part of it is, you don't have to do much to stop the fraudsters from coming to you. If you implement these kinds of security measures, the fraudsters look at is and they are going to say this is a hard target; I'm going to find an easy target. You don't have to "boil the ocean" in order to stop the fraud. All you have to do is put measures in place that will discourage them from hitting your particular bank. These kinds of solutions exist. They are readily available, and I would suggest that the banks take a hard look at them.
Online Authentication: An 'Evolving Market'KITTEN: What final thoughts would you like to leave our audience with where device identification, log analysis, and then online authentication generally are concerned?
TAUSSIG: It is an interesting and evolving market. The one thing that we didn't talk about today is the whole mobile aspect of online banking, which presents a whole new element of opportunity for the banks in terms of reducing cost and providing convenience to their customers. But it also opens up yet another channel for the fraudsters to participate in. In terms of looking at these kinds of solutions in the marketplace, the buyer really needs to consider the fact that there are multiple channels and multiple means by which that consumer is going to do business with you. They are going to walk in the front door, and all banks have security cameras and a stainless steel safe to protect those assets. They are also going to come online from fixed locations, as well as mobile locations using their smart-phones. What you would like to be able to do avoid is putting in a mobile solution and an Internet-based solution that are not well integrated. That is a big consideration and a growing consideration for all financial institutions as a whole, the new access through mobile and what threats that may bring with it.
Be sure to catch part 1 of this interview, during which Taussig explains why the FFIEC has pinpointed device identification as a weak point, and the role merchants play when it comes to device identification and the fight against ACH fraud.