
Detecting Fraud - Every Step of the Way

Data and Evidence Are Important to Properly Detecting, Preventing, and Investigating Both Security and Fraud Incidents

Comedian John Mulaney has some clever routines based on the TV program Law and Order. The other day, while watching one of those clips, I got to thinking about something. A detective wouldn’t be very good if he or she only looked at a small fraction of the evidence. In order to be highly effective, a detective needs to look at all of the evidence - or at least all of the evidence that is available to them.

Of course, this probably seems obvious to you. You might find yourself asking the question: What could this possibly have to do with security? I’ll elaborate.

Facts, data, and evidence are extremely important to properly detecting, preventing, and investigating both security incidents and fraud incidents. So, you can imagine my surprise at how little of the facts, data, and evidence many organizations examine when looking to improve their respective security postures and proactively reduce fraud losses.

While there are many illustrative examples we could turn to, let’s take a closer look at detecting and preventing fraud. In particular, let’s look at the stages of the user journey through an online site such as a banking or an e-commerce site. While not an exhaustive list, I’ve included some places along the user journey where fraud can be identified if studied and analyzed properly:

1. Account creation: The first step for legitimate users and fraudsters alike is often account creation. Fraud detection methods that don’t look at this step are overlooking a gold mine of data. But with so many online transactions in a given day, how can organizations separate legitimate account creation from fraudulent account creation? The trick is to understand intent. And how exactly can intent be understood? It’s complicated, though the methods that understand intent well look at a mix of user data, environmental data, and behavioral data over time and across different online applications.

2. Login: Looking at login is another great way to detect fraud. There is a lot of metadata around a login: how a user logs in, when they log in, how frequently they log in, how frequently their login fails, from where they log in, from what type of device they log in, etc. Looking at as many of these parameters as possible is important when looking to detect fraud. Or, more precisely, to detect when a user account may belong to a fraudster or when it may have been compromised and stolen. That being said, while looking at logins is important, it’s not the only important characteristic. Fraud detection methods that rely too heavily on logins don’t meet the needs of today’s customers and the complex journeys their users take on a regular basis.

3. Request for data: A user may request certain data as part of their journey through an online application. For example, on an e-commerce site, a user may request loyalty points information. On an online banking site, a user might request their balance. Or, on a credit card site, a user might request their credit limit. These are just a few examples, though there are many such information requests that could fit the profile of a given user and would be considered completely legitimate. From time to time, however, a given user account may request information that is outside of its behavioral profile or request information more frequently or in a different way than is typically seen. Not paying attention to those data points is a mistake when looking to detect fraud.

4. Add account: One way in which fraudsters profit is by hijacking a session or taking over a user’s online account, adding a financial account as a drop, and then transferring money to that financial account. There is no shortage of fraud solutions on the market that look at the final step - the money movement. But any fraud solution that doesn’t pick up on the illicit activity much earlier in the user journey isn’t going to be effective against modern attackers and isn’t going to be able to properly prevent fraud losses. All stages of the user journey, including adding an account for transfers, are worth keeping in mind when looking to detect fraud.

5. Environment: If the environment from which a user account accesses an online site keeps changing, or the inverse, where many user accounts access an online site from the same environment, it could be an indication that something is off. This data point is one of many that go into making a decision about the true nature of a given session or a given sequence of transactions. That being said, if we overlook the environment entirely, we’re leaving a valuable set of data points out of the equation. Not having that set of data points severely impedes our ability to detect fraud.
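As an added illustration (not code from this column or its author), here is a small Python scorer that combines signals from several of the stages above rather than from login alone: data-request rate (stage 3), adding an account followed shortly by a transfer (stage 4), and environment churn or sharing (stage 5). The event stream, account names, device ids, weights and thresholds are all constructed assumptions for the example.

```python
from collections import defaultdict

# Constructed sample event stream: (account, stage, device_id, minute).
# Names, device ids, weights and thresholds are illustrative assumptions.
EVENTS = [
    ("alice", "login", "dev-A", 0),
    ("alice", "request_data", "dev-A", 1),
    ("alice", "login", "dev-B", 30),        # environment changes mid-journey
    ("alice", "add_account", "dev-B", 31),  # new payee added ...
    ("alice", "transfer", "dev-B", 33),     # ... and funded minutes later
    ("bob", "account_create", "dev-Z", 5),  # three fresh accounts, one device
    ("carol", "account_create", "dev-Z", 6),
    ("dave", "account_create", "dev-Z", 7),
    ("erin", "login", "dev-E", 10),
    ("erin", "request_data", "dev-E", 11),
    ("erin", "request_data", "dev-E", 12),
    ("erin", "request_data", "dev-E", 13),
    ("erin", "request_data", "dev-E", 14),  # far above a normal request rate
]

SHARED_DEVICE_ACCOUNTS = 3   # stage 5: this many accounts from one environment
REQUEST_RATE_LIMIT = 3       # stage 3: data requests allowed per 10-minute window
ADD_THEN_TRANSFER_MIN = 60   # stage 4: add account followed by money movement

def score_accounts(events):
    """Return {account: (score, [reasons])} combining journey-stage signals."""
    by_account = defaultdict(list)
    accounts_per_device = defaultdict(set)
    for acct, stage, dev, t in events:
        by_account[acct].append((stage, dev, t))
        accounts_per_device[dev].add(acct)
    results = {}
    for acct, evs in by_account.items():
        score, reasons = 0, []
        devices = {dev for _, dev, _ in evs}
        if len(devices) > 1:  # one account, many environments
            score += 2; reasons.append("environment changes")
        if any(len(accounts_per_device[d]) >= SHARED_DEVICE_ACCOUNTS for d in devices):
            score += 3; reasons.append("environment shared by many accounts")
        req_times = [t for s, _, t in evs if s == "request_data"]
        if any(sum(1 for u in req_times if 0 <= u - t < 10) > REQUEST_RATE_LIMIT for t in req_times):
            score += 2; reasons.append("data request rate above profile")
        adds = [t for s, _, t in evs if s == "add_account"]
        moves = [t for s, _, t in evs if s == "transfer"]
        if any(0 <= m - a <= ADD_THEN_TRANSFER_MIN for a in adds for m in moves):
            score += 4; reasons.append("add account then transfer")
        results[acct] = (score, reasons)
    return results
```

In real deployments the thresholds would come from each user's behavioral baseline rather than fixed constants, and the score would feed a review queue rather than block on its own.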

Joshua Goldfarb (Twitter: @ananalytical) is currently Director of Product Management at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.