The Composition of a Fraud Team or Function is Often Overlooked in Threat Intelligence Market
Threat intelligence has quickly become a must-have for fraud teams. But similar to the market for threat intelligence vendors that cover the deep & dark web—which I discussed in my previous column—the market for those that support fraud use cases is laden with misconceptions. And in order to make threat intelligence more accessible and effective for more fraud teams, it’s important for vendors and practitioners alike to recognize and debunk these misconceptions, some of which include:
Fraud is simple
Fraud is often oversimplified when referenced in the threat intelligence market. Many vendors claim that their intelligence, data sources, and tools are universally suitable for all fraud teams when in reality, they’re only suitable for a select few use cases or common types of fraud. One reason for this disconnect is that most standard definitions of fraud, though correct, are extremely simple, usually referring to it as the use of deception for personal or financial gain.
Less simple, however, is that regardless of how we define fraud, it encompasses countless deceptive schemes that target and impact different types of victims for different reasons in different ways. Banks and health insurance providers, for example, both deal with fraud, but the types of fraud they deal with, how it impacts them, and how their fraud teams might use threat intelligence to help manage it are, in most cases, quite different. Payment card fraud is typically what banks most often face, while for health insurance providers it’s usually health insurance fraud.
Further complicating matters is the fact that the same type of fraud can affect different organizations in different ways. Aside from being familiar to banks, payment card fraud is also common among retailers—but that doesn’t mean fraud teams in these two industries have identical approaches for managing it. Indeed, the extent to which banks and retailers address, and are liable for, fraudulent transactions can vary heavily depending on each organization’s anti-fraud controls, which controls the fraudster circumvented and how, and whether the transaction occurred in-store or online, among other factors.
Fraud prevention = fraud detection
The composition of a fraud team or function is also often overlooked in the threat intelligence market. Most moderately sophisticated teams comprise fraud prevention and fraud detection components, often among others. And because each component’s responsibilities reflect the different stages of the fraud lifecycle, their use cases for threat intelligence tend to differ. To illustrate these differences, let’s consider how the various components of a bank’s fraud team might manage payment card fraud:
Fraud prevention, as its name implies, focuses on implementing and strengthening controls to help prevent fraud. And with respect to payment card fraud, these controls typically include authentication measures, such as requiring cardholders to provide a signature and government-issued ID for in-store purchases and a valid billing address and CVV code for online purchases. Restrictions for larger transactions or those that occur in certain regions are another common prevention control, as are certain tools that use algorithms to automatically detect and block risky transactions before they are finalized and losses incurred.
Threat intelligence can help optimize payment card fraud prevention by providing visibility into the illicit online communities where fraudsters congregate and discuss their schemes. By shedding light on how fraudsters are seeking to circumvent certain authentication measures, for example, this visibility can allow fraud teams to better understand how to adjust these measures to help prevent fraudulent transactions.
Fraud detection, when it comes to payment card fraud, is about identifying and escalating fraudulent transactions. Rapid detection is crucial because it helps prevent fraudulent transactions of the same type from recurring. Fraud detection regularly works with fraud prevention to help ensure authentication measures and fraud controls account for emerging fraud tactics and high-risk indicators.
In order to detect payment card fraud more effectively and efficiently, fraud teams can use threat intelligence gleaned from the illicit marketplaces where fraudsters buy and sell stolen payment card data. Since these card shops typically sort card data by Bank Identification Number (BIN), threat intelligence can help fraud teams monitor various shops for their bank’s BIN(s). Card numbers associated with BINs advertised in card shops can then be categorized as high-risk, enabling fraud teams to quickly flag suspicious transactions from these cards as fraudulent.
Fighting fraud with threat intelligence is all about alerting
There is one caveat to the fraud detection example above that highlights another common, and particularly problematic, misconception. That example demonstrates how alerting fraud teams when their bank’s BIN surfaces in a card shop can help them quickly detect fraud, but it’s crucial to recognize that fighting fraud with threat intelligence requires much more than just alerting.
Alerts, in and of themselves, are not intelligence and can even be counterproductive when not supplemented with intelligence. Card shops, for example, are ranked by tiers that generally reflect the timeliness and freshness of the card data advertised and reputability of the vendor selling it. Lower-tier shops are more likely to advertise older card numbers that have already been abused, recycled, and in many cases, cancelled by their issuing banks.
If a fraud team receives an alert that their bank’s BIN surfaced in a card shop, that alert is only actionable if it is also supported by intelligence on the card shop’s tier and the vendor’s reputability and past activities, among other details. Otherwise, the fraud team could easily waste time evaluating previously cancelled card numbers from an old breach that were simply repackaged by a less-reputable vendor seeking a quick profit, for example.
Above all else, keep in mind that since there is no one-size-fits-all type of fraud, there is no one-size-fits-all way to fight fraud—including with threat intelligence. And while the diverse and complex nature of fraud will likely always lend itself to a number of misconceptions in a number of different contexts, it’s imperative that as security practitioners, we acknowledge how these misconceptions hinder the fight against fraud and do what we can to dispel them accordingly.