Fight Fraud with Device ID Traditional Cookies are Too Easy to Bypass
Strong authentication should be part of every financial institution's layered security approach, and that means implementing proven measures to enhance device identification.

"Most online fraud comes from behind a hidden proxy ... so the FFIEC is asking that you determine the true IP address, and determine whether or not a cookie has been copied," says Reed Taussig, CEO of ThreatMetrix, provider of fact-based fraud detection solutions.

But Taussig says banks and credit unions will opt to invest in varying solutions, some that include log analysis, a situation-based analysis.

"Behavioral-based solutions are really looking at the logs to see if the transaction fits in with the norm," he says. And when fact-based solutions, such as device identification, are coupled with situation-based solutions, such as log analysis, institutions have put in place their best lines of defense.

The FFIEC's draft of expected new guidance specifically mentions device identification - a necessity born from increasing overseas cyberattacks on U.S. accounts, he says.

"When you combine device identification and log analysis, you have a layered defense strategy," Taussig says. "What we are looking at on the device level are factual-based, tell-tale signatures that would tell us if fraud has occurred. The other is behavioral-based, and there you are looking for situations that are unusual, relative to the transactions itself."

During this first part of a two-part interview [transcript below], Reed discusses:

  • Device identification and log analysis;
  • Cloud-based solutions and behavioral analytics;
  • Relying on vendors for effective solutions.

Be sure to catch part one of this interview, during which Taussig explains why the FFIEC has pinpointed device identification as a weak point, and the role merchants play, when it comes to device identification and the fight against ACH fraud.

Taussig has more than 30 years of experience in the computer hardware and software fields. Prior to ThreatMetrix, Taussig was president and CEO of Vormetric Inc., a leader in data privacy and protection. Under his leadership, Vormetric established itself as a leading provider of encryption solutions. Taussig also served as president and CEO of Callidus Software, a leading provider of compensation management application systems. As founding CEO and the fifth employee, Taussig helped lead the company to earn more than $70 million in revenue and amass a staff of more than 350 employees. Prior to Callidus, Taussig served as president and CEO of inquiry.com, a pioneer in the B2B Internet space, and as senior vice president of operations for Gupta Technologies, a leader for PC client server software development tools and databases. Taussig holds a bachelor's degree in economics from the University of Arizona.

The Flaws of Cookie-Based Device ID

TRACY KITTEN: New guidance regarding online transaction authentication is soon expected to be released by the FFIEC, highlighting financial institution's needs to improve device identification. Today we get some insight into the guidance from Reed Taussig, president and CEO of fraud prevention provider, ThreatMetrix.

Reed, much has been said about the updates the FFIEC is expected to soon issue to its 2005 online authentication guidance. One update relates to the topic of device identification. Can you give us a little background about current device identification measures and why the FFIEC has pinpointed device identification as a weak point?

REED TAUSSIG: Historically, device identification has relied on cookies, browser-base cookies and Adobe Flash. And the difficulty with that, pointed out by the FFIEC, is that these cookies can be copied by fraudsters and put on a different device, and as a result of that creates fraudulent devices that in the bank's view are previously authenticated. So I create an account. I log into my financial institutions, Wells Fargo, Bank of America, or whatever financial institution it might be. That bank downloads a cookie on to my browser and every time I log back into that account, you might see this while doing your own online banking applications, you often will see a screen which says, "Please wait a moment. Your security is important to us and we want to authenticate your device," or some language along those lines. Historically that's been based on a flash cookie and a browser-base cookie.

What the fraudsters figured out is that once you have an authenticated device like that, if they can compromise a consumer's device, whether that's a device at an office or your home, they can then copy that cookie and put it on to their own device, and now they can use your credentials and your logins because they phished your device and your identity. I can log onto the bank as if I were you and the device is authenticated. The FFIEC recognized that as a result of the increase in the number of ACH fraud incidents and has advised its banking community that they need to upgrade to a more sophisticated and stronger form of device identification.

KITTEN: Now according to this December draft of the guidance, which has been widely circulated throughout the industry, so called simple device identification should be enhanced to include one-time cookies that offer a more complex digital fingerprint of a PC that looks at characteristics like PC configuration, internet protocol address, and geolocation. How would you distinguish this more sophisticated device identification from the identification many institutions rely on today?

TAUSSIG: The issues with the solutions that they are presently incorporating have a number of drawbacks. The first one that I mentioned is that they are subject to cookie copying, therefore creating multiple authenticated devices when in fact they really are not. The second issue is that the traditional means of device identification is incapable of determining what the true IP address of that user is. So what happens is as a fraudster I managed to compromise your device and your credentials. I now access your financial account, but I'm going to do so probably from behind a hidden proxy. It's well known that as much as 70 percent of the online fraud that occurs in the United States originates outside of our borders. Locations include Romania and China. These fraudsters tend to use hidden proxies so they will demonstrate to the bank that they are originating this application in Chicago, but actually they are in Romania or Beijing, some location like that.

What the FFIEC is asking for is two things. First of, it's to be able to truly determine what the true IP address of that consumer is. The second issue is a means to determine whether or not a cookie has actually been copied. In other words, is this an authenticated device that was stolen from some third party? However, if the cookie has been deleted or stolen, you need another factor. Think of it as two-factor authentication on the cookie itself to be able to authenticate the fact that this device is legitimate.

Roles Banks and Customers Play in Verifying Their Own Devices

KITTEN: Now when it comes to device identification, I would like to have you help us understand the role that banks play in helping to verify their own devices, and then the role that the merchants or the commercial customers play in authenticating or identifying their devices. Where do the merchants fall into some of this FFIEC guidance when it comes to device identification and its use to curve ACH fraud?

TAUSSIG: This is a really interesting question and I think a very complex question as you start digging into it. As you probably know, there are a couple of lawsuits right now in the courts that were resulted ACH fraud against businesses where the banks are claiming that in fact it was the business and the merchant that was compromised, and therefore they are not liable for the losses. The merchants, predictably so, are claiming that the banks in fact are the custodian of their funds and just as they have large steel safes to stop physical bank robbery, they should have logical measures, computer measures and security measures in place, to stop a virtual or internet robbery of the funds.

What this really comes down to is bank robbery, whether it's done electronically or whether you walk in the front door and demand cash at the counter. In a recent FBI report, they demonstrated the complexity of this. The fraudsters are targeting smaller banks and regional banks relative to ACH fraud, because these banks are typically less prepared. They have fewer resources and expertise to protect themselves against online fraud. But you have to recognize that the smaller banks, regional banks, are probably doing business with smaller companies who are just as poorly protected. IBM will end up doing its banking business with Citibank. You have two very sophisticated companies, Citibank and IBM, who have a lot of protective measures in their networks to stop internet fraud and ACH fraud, but now you end up with a situation where you have tailored machine shops, a 15 percent machine shop located here in California, that is making unique aircraft parts that may be a fifteen million dollar business. As a result of that, what they are looking for is banking relationships that understand small business, and that ends up being a regional bank.

You take it a step further in terms of where the points of access are. Many small business people end up accessing their accounts and accessing their business transactions from their home computer as well. You see it on television commercials, a typical small business man at his own office processing payroll or making payments to his vendors. You really have three points or more of access for these fraudsters. You have the person's home computer, which is probably not well protected. You have that company's office computer and the small business for the moment, which is not particularly well protected. Then you have your regional bank's processing system, which is probably better protected, but not as well protected as a major leading bank such as C Group or Bank of America. From the fraudster's viewpoint, they can access the network from any one of those three locations.

My personal view is that all parties are responsible for the protection of their own assets, and I think the FFIEC guidelines also point to this direction. I don't think that the banks themselves can say, "Your computer was compromised and as a result of that, you lost five hundred thousand dollars on an ACH fraud transaction." I don't think that they can absolve themselves of that responsibility. In fact they are custodians of your funds, and in so doing have pledged to you that they are going to protect those funds; otherwise you would put them under your mattress. But on the other hand, I think that the businesses themselves, as well as consumers, need to step up to the fact that online internet fraud is a fact of life. It's the new Cold War, cyber terrorism if you will. Every point in the chain needs to be fully protected relative to insuring that you are not phished, that fraudsters can't put malware on your device and be able to take advantage of that.

Need for Stronger Authentication

KITTEN: Now you've noted this recent incident in China, where we've seen some ACH transactions hitting these smaller institutions as well as these smaller businesses, and I'm wondering what does this trend tell us about the need for stronger authentication? Do you think that on some level consumers, merchants and commercial customers have just been experiencing so many breaches? They've seen so many online transactions compromised, but in some ways they are just suffering from breach fatigue.

TAUSSIG: If you start losing significant amounts of money on a monthly basis to internet fraud, the breach fatigue is probably highly energized by the fact that it's causing significant losses. Look at a small business for example and the recent attacks in China on those regional banks. They probably dealt predominately with small to medium size businesses. A loss of a hundred thousand dollars or two hundred thousand dollars from your bank account is a significant impact to your operating capital. I absolutely believe it gets their attention. I think the problem that they have is trying to find a cross effective solution that can be implemented given the technical resources that they employ. If you look at a lot of credit unions or small and regional banks, many of these institutions outsource the majority of their backroom banking operations to third party providers. They have very limited internal IT organizations and that is probably true of the merchant or company itself. The company I just spoke of, the local machine tool manufacturer, has a lot of capability and expertise with respect to creating machine tools or aircraft parts. But the company probably doesn't have any expertise when it comes to setting up anti-fraud measures using complex software products. We think the solution is to turn to cloud software as a service where companies can provide immediate solutions with minimum IT resources required; on the part of the customer to install those solutions at a very reasonable cost and be able to provide a very effective solution towards first and foremost meeting the FFIEC guidelines, but also in terms of providing their customers with a secure operating environment in order to stop this kind of ongoing activity.

KITTEN: Again, we've just heard from Reed Taussig, CEO of ThreatMetrix. Be sure to catch Part 2 of this interview part two during which Taussig explains how solutions that focus on device identification, coupled with those that focus on log analysis, can offer banks a more holistic view and transactional awareness.




Around the Network