Six Ways to Expand Your Fraud Program

While attackers and fraudsters are continually adapting and evolving, there are some measures that businesses can take to improve their fraud programs.

Many businesses, particularly those in the financial sector and those that transact heavily online (ecommerce), already have a fraud program. In some cases, that fraud program may be quite mature, while in other cases, it might still be maturing. Regardless of the maturity of a fraud program, there are always steps that can be taken to improve its efficiency and effectiveness.

While there are many different metrics by which a fraud program can be measured, the amount/percentage of fraud detected and mitigated and the potential fraud loss avoided are two of the primary measures. With attackers and fraudsters continually adapting and evolving, what are some measures that businesses can take to improve their fraud programs?

While certainly not an exhaustive and complete list, here are my thoughts on six suggestions for improving an existing fraud program, regardless of its maturity:

1. Augment your intelligence: As attackers and fraudsters adapt and evolve, their tactics and techniques do as well. While individual businesses may be able to stay current on a portion of these changes, it is nearly impossible to achieve the breadth needed to effectively counter the rapidly changing threat landscape. By pooling resources and looking to providers that specialize in staying current, fraud teams can amplify their reach, visibility, and breadth. Even better than merely augmenting the team’s intelligence is finding ways to weave that intelligence into the day-to-day operations of the fraud team in a seamless and automated fashion.

2. Supplement your telemetry data: Perhaps the fraud team looks at individual transactions or series of transactions. Or, perhaps the team looks for known patterns of activity in log data. Or, perhaps there is a set of rules, signatures, and thresholds running over one or more data sets that are ready to fire when there is a match. Whatever data you are looking at, it can likely be supplemented. If you aren’t already looking at the end-user journey through your application and the end-user’s behavior within that journey, you might want to take a look. That telemetry data can be extremely valuable and can provide unique insight and important context around various activities, requests, and transactions. That insight and context combine to help support better decision making. In other words, they directly lead to better and more reliable fraud detection.

3. Improve your decision making: More often than not, the decision about whether or not a certain behavior is fraudulent isn’t binary. Rather, the likelihood that something is fraudulent is a probability based upon a number of different factors. Like any probability-based decision, its quality and accuracy depend on a number of different factors, including the quality and accuracy of the input data, as well as the breadth and coverage of the data. As such, improving, augmenting, and supplementing the data you use to calculate what activities may be fraudulent will help you more accurately detect and mitigate fraud. You will detect more true positives, while at the same time reducing the number of false positives and false negatives. All of that spells good news for the fraud program.

4. Analyze sessions: As you’ve likely already gathered, it is not enough to examine individual transactions or individual activities within the application. Rather, a more holistic approach around understanding what is going on in the session as a whole is required. Simply put, real customers don’t live within thresholds all the time, nor do they live within a well-defined set of rules. Only through analyzing sessions and all of the relevant context they provide can fraud teams move away from a steady diet of false positives and improve their performance.

5. Remove automation: Many people think of automation solely in terms of attacks, often in large volumes, by bots. What people sometimes forget, however, is that there is also the aspect of Account Takeover (ATO). In other words, besides attacking applications to take them offline, drive bottom-line costs up, and perform credential stuffing attacks, bots are also used to take over accounts. Bots are not just a security problem. They are, essentially, the front line of fraud. As such, removing automation not only has benefits for the security team, it has tremendous benefits for the fraud team as well. Mitigating bots and automation is well worth the fraud team’s time, and it is well worth doing in partnership with the security team.

6. Unify security and fraud: As our understanding of risk management as a profession matures, the unification of the security and fraud teams only makes sense. In addition to the bot use case, there are many other use cases where security and fraud teams can, should, and need to work together in order to effectively mitigate risk. The two functions have many synergies - security knowledge can often strengthen the fraud program and vice versa. Unifying these two teams into one powerful risk mitigation force is one way in which organizations can significantly improve both their security and fraud programs.
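An added illustration of points 3 and 4 (not part of the original column): a flat per-transaction rule set beside a session-level probability built from several signals. The event names, weights, threshold and both sessions are constructed for this example; a real program would fit weights to its own labelled data.

```python
import math
from statistics import pstdev

AMOUNT_THRESHOLD = 5000  # constructed per-transaction rule: flag transfers above this

# Constructed logistic weights (assumption, not taken from any product or data set).
WEIGHTS = {"new_device": 1.4, "credential_change": 1.6, "new_payee": 1.2,
           "machine_like_timing": 1.8, "no_browsing": 0.9}
BIAS = -4.0

def session_features(events):
    """Reduce an ordered list of session events to binary signals."""
    kinds = [e["kind"] for e in events]
    gaps = [b["t"] - a["t"] for a, b in zip(events, events[1:])]
    cut = kinds.index("transfer") if "transfer" in kinds else len(kinds)
    before = kinds[:cut]  # what the user did before moving money
    return {
        "new_device": any(e.get("new_device") for e in events),
        "credential_change": "password_change" in before,
        "new_payee": "add_payee" in before,
        # Near-constant gaps between requests suggest scripted, not human, input.
        "machine_like_timing": len(gaps) >= 3 and pstdev(gaps) < 0.2,
        "no_browsing": not {"view_balance", "view_history"} & set(before),
    }

def session_score(events):
    """Probability-style fraud score for the whole session (0..1)."""
    z = BIAS + sum(WEIGHTS[k] for k, hit in session_features(events).items() if hit)
    return 1 / (1 + math.exp(-z))

def threshold_rule(events):
    """Per-transaction view: looks only at the transfer amount."""
    return any(e["kind"] == "transfer" and e["amount"] > AMOUNT_THRESHOLD
               for e in events)

# Constructed sessions: a real customer making a large payment, and a takeover
# that stays under the amount threshold.
CUSTOMER = [{"t": 0.0, "kind": "login"}, {"t": 7.4, "kind": "view_balance"},
            {"t": 31.0, "kind": "view_history"},
            {"t": 58.2, "kind": "transfer", "amount": 8000}]
TAKEOVER = [{"t": 0.0, "kind": "login", "new_device": True},
            {"t": 1.0, "kind": "password_change"}, {"t": 2.0, "kind": "add_payee"},
            {"t": 3.0, "kind": "transfer", "amount": 900}]

if __name__ == "__main__":
    for name, s in (("customer", CUSTOMER), ("takeover", TAKEOVER)):
        print(name, "rule:", threshold_rule(s), "score:", round(session_score(s), 3))
```

The threshold rule flags the genuine customer and passes the takeover, while the session score ranks them the other way round.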

Perhaps you have been working in the fraud space for years and have a mature fraud program. Or, perhaps you are just getting started and are building and maturing a nascent fraud program. In either case, there are steps you can take to broaden your view, improve your decision making, and strengthen the state of your fraud program.

Joshua Goldfarb (Twitter: @ananalytical) is currently a Fraud Solutions Architect - EMEA and APCJ at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.