When choosing an approach to fraud detection, many organizations struggle to identify the most effective path to take. According to Gartner’s Predicts 2020: Identity and Access Management [1] (Gartner subscription required), “a broad spectrum of capabilities is required to create an effective payment fraud prevention strategy for digital B2C channels, including malware and bot detection, device identification, behavioral analytics and transaction monitoring.”

In addition, Gartner noted that “The services of one, or likely more, fraud detection vendors may have been implemented piecemeal in the past and the ‘fraud project’ considered closed. Thus, the resulting fraud detection and prevention capabilities have remained siloed and static, while the attackers evolve.” The main takeaway, in my opinion, is that the fraud program must be well-funded so that it can mature and evolve as threats evolve. In addition, we need to figure out how to pull together multiple fraud signals, which often come from multiple vendors in the space, and turn them into actionable insights.

I would argue that both challenges require constant attention, but the latter is the more challenging one. You need a continuous fraud program, rather than a one-off fraud project, because threats change over time, so your fraud solutions must evolve to respond effectively. Because some older controls go out of date quickly, it can be hard to set and justify a sustainable budget. Meanwhile, when fraudsters build new tools, they study the existing controls and how to circumvent them, creating new classes of automated malware attacks, bots, and device spoofing that replay information and imitate a device.

Let’s Review: Five Different Approaches to Fraud Detection

The question becomes, what is the most effective approach to managing a fraud program and detecting threats? Will fraud teams continue to layer solution on top of solution? Here are five common approaches and some of their benefits and shortcomings.

1. Malware detection

Method: JavaScript honeypots that “lure” trojan malware into attacking the protection layer, or on-device “virus-like” detection solutions.

Benefits: Catch malware before it attacks the financial website, or identify that a device is infected with malware.

Shortcomings: Limited to automated attacks. The solution must be tailored to the specific modes of operation of the trojan malware; there are many trojan families and endless variants. This is an arms race: whenever the trojan’s capabilities evolve, the solution must be redesigned to catch up. Another shortcoming is that data collection is not continuous. For approaches that detect the presence of a trojan on a device, the tool alerts on infected devices that could potentially lead to fraud, not on actual fraud attacks. An effective solution therefore requires an operational procedure to contact users with infected devices and have them install additional software or clean their computer.

Cannot Detect: Account opening fraud, manual account takeover fraud, redirection attacks, deep social engineering scams (also known as Authorized Push Payment fraud), and bot and Remote Access Tool (RAT) attacks, unless they are related to a familiar trojan variant.

2. Bot detection

Method: Detect automated attacks.

Benefits: Detect bot activity attempting to use stolen credentials for brute force and to access accounts.

Shortcomings: Unable to detect human fraudster activity or additional types of malware without additional tools. As with malware detection tools, bot variants require constant updates to detection capabilities to ensure the latest patterns are detected, since bots try to simulate user activity. Data collection is not continuous.

Cannot Detect: Account opening fraud, manual account takeover fraud, deep social engineering voice scams, and RAT attacks.

3. Device intelligence

Method: Device activity monitoring, calculating the velocity and location of device usage, jailbreak and root detection, and device reputation (a repository of devices used in fraudulent incidents). A more advanced version of IP and browser intelligence solutions.

Benefits: Monitor user activity and devices. Profile genuine user devices and known fraudster devices.

Shortcomings: The device is not the user. If someone, or an automated attack, is able to steal device identification information (or IP or browser fingerprints), which can be compromised via malware, the authenticity of this form of verification is in question. If a device is stolen, then it’s not the user either. Data collection is not continuous and is typically done upon user activity or a transaction. Device reputation is very powerful in cases where a fraudster’s device is tagged, but it doesn’t cover cases where fraudsters change their device characteristics. In addition, blacklists and whitelists need to be continually maintained.

Cannot Detect: Deep social engineering voice scams and automated attacks (Man in the Browser/Man in the Middle, bot and RAT attacks). No capability to detect account opening fraud use cases for unknown devices.

4. Activity (or transaction) monitoring

Method: Monitor user account activity, such as account updates, payments, new payees, and the location of activity, to detect anomalies.

Benefits: Ability to profile user behavior and detect anomalies that might be considered risky.

Shortcomings: Legitimate users who perform anomalous activity are often blocked due to a change in their behavior pattern, so false positives are extremely painful to both users and financial institutions. In addition, fraudsters have learned to circumvent behavioral tracking by using small-value transfers, social engineering the user, and more.

Cannot Detect: Deep social engineering voice scams and automated attacks (Man in the Browser/Man in the Middle, bot and RAT attacks). Account opening fraud use cases.
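As an added illustration (not BioCatch’s or any vendor’s code) of how the device-location signal from approach 3 and the activity-monitoring signals from approach 4 can be combined into a per-user baseline, with a middle “step-up” band to soften the false-positive problem described above; the history, users, weights and thresholds are all constructed for the example:

```python
from collections import defaultdict
from statistics import median

# Constructed history of past transactions: (user, country, payee, amount). Not real data.
HISTORY = [
    ("alice", "US", "landlord", 1200.0),
    ("alice", "US", "utility", 90.0),
    ("alice", "US", "landlord", 1200.0),
    ("alice", "US", "utility", 95.0),
    ("bob", "DE", "rent", 800.0),
    ("bob", "DE", "rent", 800.0),
]

def build_profiles(history):
    """Per-user baseline: countries and payees seen before, plus the amounts previously sent."""
    profiles = defaultdict(lambda: {"countries": set(), "payees": set(), "amounts": []})
    for user, country, payee, amount in history:
        profiles[user]["countries"].add(country)
        profiles[user]["payees"].add(payee)
        profiles[user]["amounts"].append(amount)
    return profiles

def score_event(profiles, user, country, payee, amount):
    """Score one new payment against the user's baseline; returns (score, reasons)."""
    profile = profiles.get(user)
    if profile is None:  # account opening: no history, so nothing to compare against
        return 0, ["no baseline for unknown user"]
    score, reasons = 0, []
    if country not in profile["countries"]:  # location / velocity signal (approach 3)
        score += 30; reasons.append(f"first activity from {country}")
    if payee not in profile["payees"]:  # new payee signal (approach 4)
        score += 30; reasons.append(f"new payee {payee}")
    typical = median(profile["amounts"])
    if amount > 3 * typical:  # amount far above what this user normally sends
        score += 40; reasons.append(f"{amount} is over 3x the median {typical}")
    return score, reasons

def decide(score):
    """Three bands: the 'step-up' band (e.g. re-authenticate) avoids hard-blocking a legitimate user whose habits changed."""
    return "block" if score >= 70 else "step-up" if score >= 40 else "allow"

if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    # alice: new country, new payee, large amount -> block; bob travelling with a new payee -> step-up only
    for event in [("alice", "RO", "new_acct", 5000.0), ("bob", "FR", "hotel", 150.0)]:
        score, reasons = score_event(profiles, *event)
        print(event, score, decide(score), reasons)
```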

5. Basic behavioral biometrics – genuine user profiling

Method: Collect user interaction data, such as mouse clicks, swipes on mobile devices, and keystrokes.

Benefits: Monitor user interaction activity to profile genuine users and learn about genuine behavior and anomalies.

Shortcomings: Basic behavioral biometrics solutions do not profile fraudsters and instead look only for very basic patterns. If the user is being scammed via social engineering, anomalies are hard to detect by looking only at basic patterns. The same goes for account opening.

Cannot Detect: Social engineering scams and account opening fraud (when the user is unknown).
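An added example (constructed here, not BioCatch’s technology) of the “basic” genuine-user profiling described in approach 5: a keystroke-rhythm baseline built from enrolment sessions, against which a new session is compared with a z-score. The timings and the threshold are invented; a genuine user coached by a scammer would type with the same rhythm and be classified as consistent, which is exactly the gap noted above.

```python
from statistics import mean, pstdev

# Constructed keystroke samples for one user: each session is a list of (dwell_ms, flight_ms) pairs.
# Dwell = how long a key is held; flight = gap between releasing one key and pressing the next. Not real data.
ENROLL_SESSIONS = [
    [(95, 140), (100, 150), (90, 135), (105, 160), (98, 145)],
    [(92, 138), (101, 152), (97, 142), (99, 149), (94, 141)],
    [(96, 144), (103, 155), (91, 137), (100, 147), (95, 143)],
]

def build_profile(sessions):
    """Genuine-user baseline: mean and population std-dev of dwell and flight times over all enrolment sessions."""
    dwells = [d for s in sessions for d, _ in s]
    flights = [f for s in sessions for _, f in s]
    return {"dwell": (mean(dwells), pstdev(dwells)),
            "flight": (mean(flights), pstdev(flights))}

def session_distance(profile, session):
    """Mean absolute z-score of a session's dwell and flight times against the profile."""
    zs = []
    for dwell, flight in session:
        for key, value in (("dwell", dwell), ("flight", flight)):
            mu, sigma = profile[key]
            zs.append(abs(value - mu) / sigma if sigma else 0.0)
    return mean(zs)

def classify(profile, session, threshold=2.5):
    """'anomalous' when the typing rhythm deviates from the genuine baseline by more than the threshold."""
    return "anomalous" if session_distance(profile, session) > threshold else "consistent"

if __name__ == "__main__":
    profile = build_profile(ENROLL_SESSIONS)
    genuine = [(97, 146), (99, 150), (94, 140)]      # same person typing as usual
    scripted = [(40, 300), (45, 320), (38, 290)]     # flat, unnaturally fast presses with long gaps
    print("genuine:", classify(profile, genuine), round(session_distance(profile, genuine), 2))
    print("scripted:", classify(profile, scripted), round(session_distance(profile, scripted), 2))
```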

Is a Genuine User or a Fraudster Performing the Activity?

Layering all the mentioned forms of detection one on top of the other provides a good solution, but there are still gaps. Some use cases, like account opening fraud and social engineering phone scams as well as Remote Access Tool attacks, are harder to detect. Rather than creating a solution for each class of attack, what we really want to achieve is an answer to a single question – is this a genuine user or a fraudster (human or automated) performing the activity? Instead of layering solutions, a more holistic approach would be to profile both genuine user activity and patterns as well as malicious actor patterns.

Behavioral Insights: Advanced Behavioral Biometrics 

BioCatch advanced behavioral biometrics leverages user-device interaction data, such as mouse clicks, swipes on mobile devices, and keystrokes, and analyzes it using machine learning techniques. The technology profiles both genuine and fraudulent activity as well as cognitive insights to distinguish between genuine users and non-genuine users (automated or human) across multiple use cases and threat vectors. BioCatch is able to achieve advanced behavioral insights by learning about user intent, and then detecting the most subtle signals that indicate complex fraud scenarios. BioCatch can detect sophisticated attacks, such as social engineering scams and Remote Access Tool (RAT) attacks, as well as bots, trojan attacks, and various types of human attacks that use compromised credentials and PII.

The data that is collected and analyzed cannot be spoofed, copied, or replayed.

With the combination of a machine learning risk engine and a rule engine, BioCatch can quickly adapt to detect both known and unknown threats and respond to targeted attacks in real time by leveraging the power of human device interactions. BioCatch provides actionable insight to secure and enhance the user experience. 

Contact us to request a demo.

[1] Gartner, “Predicts 2020: Identity and Access Management,” Felix Gaehtgens et al., 9 December 2019
