
Often Made Mistakes I See In Fraud Prevention Programs

By ISBuzz Team, June 17, 2014

Over the last decade, I have spent the majority of my time focused on strategic planning for fraud prevention and fraud program enhancements. During this time, I have met and spoken with countless financial and law enforcement professionals who are facing the challenges of ever-changing fraud environments. Due to the nature of fraud, my programs had to be ever-changing as well. I have taken the time to identify the most frequently recurring themes I have seen throughout my travels and want to share them with you.

1. Reactive Programs

Arguably the most common and troubling mistake is that the majority of the anti-fraud programs I have reviewed over the course of ten years are entirely reactive. This means they follow fraud trends and respond to threats as they see them in their environment. The problem with this approach is obvious: you must see fraud to detect fraud. I have found that it is much more valuable to identify and measure risk both within your environment and outside of it. By measuring risk you identify your exposure, and by understanding your exposure you can identify both your strengths and your weaknesses as a program.

When you identify the most likely place for fraud to occur, you can focus your efforts on closing those gaps within your security layers and proactively prevent exploitation of those weaknesses. Your program shouldn’t stop there. When fraud is confined we tend to believe it is controlled; I would suggest that this is not always the case. Controlling fraud is a perception of your effectiveness at mitigating it, not controlling it. One factor that is always hard to quantify is how much fraud you have redirected or avoided by having strong controls vs. how much of a target you are for fraud. When the attacks stop or slow down, you need to understand why. Are your tools that much more effective? Did the bad guys move on to weaker, easier targets, or have you lost the ability to see fraud because it has moved into a blind spot? As a program manager, you should constantly be testing your environment and exploring new and innovative ways to mitigate fraud as it relates to emerging and unknown threats.

Additionally, you can learn a lot by recognizing what is happening in the cybercrime world: find what is gaining popularity in the underground forums, and then put together a strategy to risk-assess and combat those threats to ensure you are at least somewhat capable of mitigating them. When you see another institution in the news in connection with a breach or a large fraud event, do you ask yourself “could that happen to us?” If so, consider that part of the problem. If your program is not already prepared for such an event, then take some time to learn from others, but consider why you had not prepared for that kind of event already. Why did it take something newsworthy to identify a potential problem? Why couldn’t your team anticipate that exploitation or exposure? More often than not, institutions are more focused on stopping what they know is happening, and less focused on what could happen. Unfortunately, this approach works in favor of the criminal.

2. Fraud Losses

The second most common mistake I see is the focus on fraud losses: the numbers game. I believe this is a result of how we are told to view fraud by the fraud solutions we are sold. As most of us know, many fraud solutions focus on monetary values when measuring risk, which in some cases is a valid perspective. However, doing so means the solution will disregard risk associated with low monetary values, leaving an open exposure that goes unchecked. Most institutions are only looking at the riskiest transactions, which limits their view and increases risk exposure instead of reducing it. This is what we have come to call “death by a thousand paper cuts”. These tools only measure risk as it relates to individual events, and then try to compound risk by putting more than one condition on the event. Whenever you rely on triggering events based on specific criteria, you have also determined the work-around strategy for the criminal. It then becomes only a matter of time before they explore your changes and find out what it takes to bypass them.

Additionally, when only monetary values are reviewed, many low-value transactions can occur in a very short amount of time, effectively draining accounts without any notification to the institution. When this happens often enough, institutions find themselves having to manage or create additional controls to measure the velocity of events and accumulated amounts over time, while continuing to set limits on what is and is not assessed by placing requirements to trigger the assessment. This is due to the poor performance of the tools and the sheer volume of transactions that fall into those ranges.
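The gap described above, as an added illustration that is not part of the original article: a per-transaction monetary threshold next to a per-account sliding-window check on event count and accumulated amount. The limits, account IDs and transactions are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical limits, chosen only for this illustration.
PER_TXN_LIMIT = 500.00          # single-event rule: flag any debit at or above this
WINDOW = timedelta(minutes=30)  # look-back period for the per-account check
WINDOW_TOTAL_LIMIT = 500.00     # accumulated debits allowed per account per window
WINDOW_COUNT_LIMIT = 5          # number of debits allowed per account per window

# Constructed sample data: (timestamp, account, debit amount).
SAMPLE = [
    ("2014-06-17 09:00", "A-100", 95.00),
    ("2014-06-17 09:02", "B-200", 40.00),
    ("2014-06-17 09:05", "A-100", 95.00),
    ("2014-06-17 09:10", "A-100", 95.00),
    ("2014-06-17 09:15", "A-100", 95.00),
    ("2014-06-17 09:20", "A-100", 95.00),
    ("2014-06-17 09:25", "A-100", 95.00),
    ("2014-06-17 09:30", "C-300", 900.00),
    ("2014-06-17 11:00", "B-200", 60.00),
]

def single_event_alerts(txns):
    """Monetary-value rule: each transaction is judged on its own amount."""
    return [t for t in txns if t[2] >= PER_TXN_LIMIT]

def velocity_alerts(txns):
    """Per-account sliding window over count and accumulated amount.

    Returns {account: (time of first alert, debits in window, window total)}.
    """
    recent = defaultdict(deque)   # account -> (time, amount) pairs inside WINDOW
    alerts = {}
    for ts, acct, amt in sorted(txns):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        q = recent[acct]
        q.append((when, amt))
        while when - q[0][0] > WINDOW:   # expire debits older than the window
            q.popleft()
        total = sum(a for _, a in q)
        over = total >= WINDOW_TOTAL_LIMIT or len(q) > WINDOW_COUNT_LIMIT
        if over and acct not in alerts:
            alerts[acct] = (ts, len(q), round(total, 2))
    return alerts

if __name__ == "__main__":
    print("single-event rule:", single_event_alerts(SAMPLE))
    print("velocity rule:   ", velocity_alerts(SAMPLE))
```

On the sample data, the six 95.00 debits on account A-100 never reach the single-event limit, yet they accumulate to 570.00 in 25 minutes, which only the windowed check reports.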

3. Poor Analysis

Another common recurring theme with fraud programs is the amount of analysis performed. When fraud tools miss a fraud event, an analysis is performed to determine why it was missed, and some sort of corrective action is put in place to make adjustments and prevent it from happening again. This is an effective process and should be done for every event. However, this process should be extended to all events captured; this will give you the ability to identify what stopped the fraud and what is working. Why is this so important? Because this is exactly what the criminal is doing to identify gaps within your controls. They perform root cause analysis whenever they fail to steal from you. They do this so they can come back and exploit the very solution that you have tuned to stop them previously.

4. Improper Classifications of Fraud

Have you experienced fraud without a monetary loss? Most likely you have, but more importantly, do you categorize it as such? Account exploration is a leading indicator of fraud: it is used to “normalize” account activity and to accumulate account-specific information such as name, address, phone number, e-mail, etc. Often when a criminal purchases account-related user names and passwords, they also purchase a short file with this information in it. This information is gathered via reconnaissance through online and other channels, to be used in online and phone verifications, or to minimize the chances of failing out-of-wallet questions and challenges on future log-ins or risk-assessed activity. If we are not measuring the occurrence of this type of activity, we are not properly identifying exposures in our programs. It is important to realize that fraud is not synonymous with loss, and your program strength and exposure ratings should reflect that.

By Bryan Jardine, Project Manager, Easy Solutions

Easy Solutions delivers Total Fraud Protection® to over 100 clients, with over 32 million end users. The company’s products protect against Phishing, Pharming, malware, Man-in-the-Middle and Man-in-the-Browser attacks, and deliver multifactor authentication and transaction anomaly detection. For more information, visit http://www.easysol.net, or follow us on Twitter @goeasysol.


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
