Replacing MFA with Biometrics Simply Amounts to Swapping Out One Vulnerable Authentication Mechanism for Another

The federal Office of Personnel Management (OPM) recently disclosed that the personal information compromised in last month’s data breach included 1.1 million fingerprints. That should give sober pause to anyone considering biometrics for authenticating into secure systems such as online and mobile banking services.

The appeal of biometrics is compelling. They’re harder to guess than passwords, they’re unique to each user, they’re easy to use, and they cannot be lost or forgotten. However, the biometric options are limited (fingerprint, retina scan, face recognition, voice print, heartbeat), they depend on users having the needed technology (such as fingerprint scanners on smartphones), and they can’t protect against romance scams or unauthorized activity by friends and family, where the legitimate user is the one performing the authentication.

As financial institutions debate adopting biometrics as a replacement for simple, multi-factor, or knowledge-based authentication, this latest breach highlights very clearly that, despite its benefits, biometrics alone are insufficient.

For biometrics to work for account authentication, the user’s fingerprint (or retina or face) must be digitized and stored somewhere, either as an image or, in better-designed systems, as a template derived from it. Each subsequent access compares the freshly captured sample against that stored reference to validate that the user is indeed who he says he is. Once a fingerprint is digitized and added to a database, it simply becomes part of one’s PII along with a phone number, mother’s maiden name, and zip code, with one crucial difference: a fingerprint can never be modified. Perhaps the article in National Journal put it best: “unlike a Social Security number, address, or password, fingerprints cannot be changed—once they are hacked, they’re hacked for good.”

According to Goode Intelligence, over 1 billion people worldwide will be using biometrics to access financial accounts by 2017, and it will be the predominant authentication mechanism by 2020. If all of these financial institutions are thinking that all they have to do is replace MFA with biometrics and their accounts will be protected, we encourage them to rethink their strategy. We believe that the OPM data breach offers sufficient reason to believe that replacing MFA with biometrics simply amounts to swapping out one vulnerable authentication mechanism for another.

Behavior, on the other hand, is as unique as a fingerprint, but it is not a single static value that must be stored and can therefore be stolen in one breach; it is a continuously updated history of what the account holder actually does. While criminals probably have richer, more in-depth dossiers on FIs’ clients, the FIs have much richer data than fraudsters will ever have on each account holder’s banking behavior.

FIs can model each client’s unique behavioral patterns and then compare new activity – in online banking, mobile banking, debit card use, and various types of payments – to detect anomalies that indicate possible account compromise or fraudulent transactions. And it’s invisible to the account holder so it doesn’t involve any changes to the user experience.
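A minimal version of the approach described above, as an added example that is not FraudMAP’s code or anything from the original post: a per-account baseline is built from past sessions (devices, login hours, countries, payees, payment amounts) and a new session is scored against it. The session fields, the weights, the 5% hour-of-day rule and the release/step-up/review thresholds are assumptions chosen for illustration, and the history is constructed sample data.

```python
"""Per-account behavioral baseline and anomaly scoring (added example).

Builds a profile of one account holder from past online banking sessions and
scores a new session against it. Field names, weights and thresholds are
assumptions chosen for illustration; HISTORY is constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Optional


@dataclass
class Session:
    hour: int                    # local hour of login, 0-23
    device_id: str               # hashed browser/device fingerprint
    country: str
    payee: Optional[str] = None  # None when the session made no payment
    amount: float = 0.0


@dataclass
class Profile:
    devices: Counter = field(default_factory=Counter)
    hours: Counter = field(default_factory=Counter)
    countries: Counter = field(default_factory=Counter)
    payees: set = field(default_factory=set)
    amounts: list = field(default_factory=list)

    @classmethod
    def from_history(cls, history):
        """Aggregate the account holder's past sessions into a baseline."""
        p = cls()
        for s in history:
            p.devices[s.device_id] += 1
            p.hours[s.hour] += 1
            p.countries[s.country] += 1
            if s.payee is not None:
                p.payees.add(s.payee)
                p.amounts.append(s.amount)
        return p


def score_session(profile, s):
    """Return (risk_score, reasons); each reason is one deviation from the baseline."""
    score, reasons = 0, []
    total = sum(profile.devices.values())
    if profile.devices[s.device_id] == 0:
        score += 30
        reasons.append("device never seen on this account")
    if profile.countries[s.country] == 0:
        score += 25
        reasons.append(f"first login from {s.country}")
    # The hour is unusual when fewer than 5% of past logins fell within +/-1 hour of it.
    nearby = sum(profile.hours[(s.hour + d) % 24] for d in (-1, 0, 1))
    if total and nearby / total < 0.05:
        score += 15
        reasons.append(f"unusual login hour {s.hour:02d}:00")
    if s.payee is not None:
        if s.payee not in profile.payees:
            score += 20
            reasons.append(f"new payee {s.payee}")
        if len(profile.amounts) >= 5:  # need some history before judging amounts
            mu, sd = mean(profile.amounts), pstdev(profile.amounts)
            if s.amount > mu + 3 * max(sd, 1.0):
                score += 25
                reasons.append(f"amount {s.amount:.2f} far above typical {mu:.2f}")
    return score, reasons


def decide(score):
    """Map a risk score to an action. A known device behaving as usual scores 0
    and is released without any step-up challenge; thresholds are assumptions."""
    if score < 20:
        return "release"
    if score < 50:
        return "step_up"
    return "review"


# Constructed history: one account holder, one device, US, mornings and evenings.
HISTORY = [
    Session(hour=h, device_id="dev-a1", country="US", payee=p, amount=a)
    for h, p, a in [
        (8, None, 0.0), (9, "electric-co", 120.0), (19, "electric-co", 118.5),
        (20, None, 0.0), (8, "landlord", 1400.0), (21, "landlord", 1400.0),
        (9, None, 0.0), (19, "electric-co", 122.0), (20, "landlord", 1400.0),
        (8, None, 0.0),
    ]
]


def evaluate(session, history=HISTORY):
    """Score one new session against the baseline; returns (score, action, reasons)."""
    profile = Profile.from_history(history)
    score, reasons = score_session(profile, session)
    return score, decide(score), reasons


if __name__ == "__main__":
    usual = Session(hour=9, device_id="dev-a1", country="US", payee="electric-co", amount=119.0)
    takeover = Session(hour=3, device_id="dev-zz", country="RO", payee="mule-acct", amount=4900.0)
    for s in (usual, takeover):
        print(evaluate(s))
```

The point the scoring makes concrete is that none of the signals requires a new secret from the account holder: the usual session from the usual device scores zero and is released silently, while a session from an unseen device, in an unseen country, at an unseen hour, paying a new payee an unusual amount accumulates every deviation and lands in review.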

Blending biometrics with behavior will provide a much higher level of confidence that individuals accessing accounts are indeed who they say they are, lowering fraud risk while also improving the user experience and decreasing friction.


Fraud Factor – Latest News on Banking Fraud – August 2015

We regularly hear from financial institutions how much they appreciate information we share about the latest banking fraud activities. Towards that end, this post pulls together recent news stories across the spectrum of banking fraud developments.

We also distribute this as a monthly Fraud Factor email. If you’d like to be added to the distribution list, please go to our Contact Us page.

Company Suffers $46M Cyberheist
Networking firm Ubiquiti Networks Inc. acknowledged that cyber thieves stole $46.7 million using a scam in which crooks spoof emails from executives at the victimized firm in order to initiate unauthorized international wire transfers (see our Fraud Informer on this scam). This scheme is a sophisticated and increasingly common one targeting businesses that work with foreign suppliers and businesses that regularly make wire transfer payments.

Threats Span Phone Hacks, Fingerprints, Google Compromise, and more

Nearly 1 Billion Phones Can Be Hacked With 1 Text
Think twice before giving away your cell phone number—especially if you happen to own a phone that runs Google’s Android operating system. The number is the only thing a hacker needs to compromise the handset. A mobile security researcher has uncovered a flaw that leaves as many as 95% of Android devices—that’s 950 million gadgets—exposed to attack via a single text message.

How Much Damage Can be Done With a Million Fingerprints?
The OPM data breach included 1.1 million fingerprints. Security professionals are particularly troubled because of the permanent nature of fingerprints and the uncertainty about just how the hackers intend to use them. Unlike a Social Security number, address, or password, fingerprints cannot be changed—once they are hacked, they’re hacked for good. This lies at the core of concerns about using biometrics for financial authentication.

Malvertising Attack Hits Yahoo! Ad Network
A large malvertising attack hit the Yahoo! advertising network over the course of a week before it was discovered and shut down. With the site drawing roughly 6.9 billion visits a month, a large share of its readers could have been exposed, making this one of the largest malvertising attacks ever detected. Victims were infected with ransomware and possibly banking Trojans.

Alert: ATM Skimming Up in U.S.
A new security alert from ATM manufacturer NCR Corp. warns that ATM skimming attacks in the U.S. are on an upswing. The trend likely is being fueled by the migration away from magnetic-stripe technology toward EMV chip technology. ATMs will increasingly be targeted, experts predict, because the vast majority of ATMs in the U.S. won’t even begin their migrations toward EMV for another two to three years.

ZeusVM Malware Leak May Cause Botnet Surge
The Internet could see a new wave of botnets based on the ZeusVM banking Trojan after the tools needed to build and customize the malware program were published online for free. ZeusVM, also known as KINS, hijacks the browser process in order to modify or steal information from websites opened by victims on their computers. It’s primarily used to steal online banking credentials.

New Phishing Campaign Targets Google Credentials
Criminals have again leveraged users’ trust in Google with a newly discovered campaign designed to steal credentials that grant access to the multitude of Google’s online services, including email. The campaign is similar to the one discovered in March 2014, and if it’s the same group, then their work is evolving and they’re taking additional steps to elude detection.

Fraudsters Show Their Flexibility, Sophistication

Banks Brace for Fraud Migration
Big banks are bulking up their IT security budgets as they brace for fraud to migrate to the online and mobile channels in the wake of the U.S. implementation of EMV chip technology for payments, says Julie Conroy, research director at Aite Group. Banks anticipate that faster ACH payments could also create new risks of fraud.

Russian Cyber Underground Goes From Strength to Strength
The Russian cybercrime underground has evolved to a new level of sophistication and professionalism, with enhanced features such as automation to accelerate sales, as well as translation and anti-spam proof services.

Criminals’ Continued Assault on PII Increases Pressure to Drop MFA and KBA

Data Breach At a Zoo Near You
Anyone who’s visited one of at least two dozen zoos over the last several months may want to check their credit and debit card statements. A third party operator of concessions and retail services at zoos from Hawaii to Florida acknowledged that attackers commandeered point-of-sale systems for nearly three months, from March to June. The compromised information may contain everything from card numbers and names to the three-digit CVV security codes that appear on the back of most payment cards.

United Airlines Hacked Again—by China?
The Chinese hacking team behind the strike on the US government’s Office of Personnel Management is believed to be responsible for a fresh hack of United Airlines. The US Department of Defense has claimed that China is developing a vast database of information about US citizens, which would be used to craft crippling attack strategies.

62 Percent of Android Infections Steal Sensitive Info
In its Q2 2015 Android Malware and Vulnerability Report, 360 Security found that on nearly two of every three infected Android devices (62 percent), the malware steals sensitive personal information. The report also found that only 1.4 percent of devices were infected by malware, which makes the first finding easy to dismiss. But consider that 334 million Android devices were shipped: 1.4 percent of those is roughly 4.7 million infected devices, and 62 percent of those equates to about 2.9 million Android owners whose personal information has been compromised.

Breached PII: Why KBA Has to Go
A wide variety of personally identifiable information (PII) is readily available to fraudsters as a result of data breaches. With so much stolen PII available, it’s time for banking institutions to enhance the technologies and techniques they use to authenticate customers’ identities. Knowledge-based authentication, based on questions derived from PII, is no longer reliable.


New Fraud Challenges Introduced by Same Day ACH

We all recognize that Same Day ACH promises improved payments services for account holders. But FIs have a lot to figure out between now and when it goes live in September 2016, including how to mitigate increased fraud risk.

While we have some ideas for the types of schemes fraudsters may launch (below), perhaps the biggest risk is they have repeatedly demonstrated their creativity and innovation in how to take advantage of any disruption or change. If you want to be truly ready for Same Day ACH, it’s time to step up your fraud prevention game.

What’s Different?

If the improved service level has the effect that NACHA (and the industry) wants, there will be increased use of the ACH payments system for same day payroll, P2P, bill pay, and other payment offerings. So, more files will need to be processed in a shorter period of time.

Also, the funds will be harder to retrieve if a fraudulent transaction does slip through. Just as wire transfers have been popular with fraudsters because of the speed with which they can access the funds and move them out of reach, Same Day ACHs will now provide criminals with this same benefit.

How Will Criminals Attack?

Here are some of the fraud schemes that FIs need to consider as they update processes and consider new technologies. Fraudsters could:

  • Submit a large volume of payments just before the cut-off time, forcing FIs to rush through their review process and resulting in some payments slipping through undetected
  • Submit payments that are just under the FI’s review threshold so they’re less likely to get noticed, especially in light of higher payment volumes
  • Target other channels or payment types, on the theory that FIs are overly focused on ACH leading up to settlement times, lowering their guard elsewhere
  • Use social engineering techniques against account holders, resulting in payments that look legit because they’re coming from the actual account holder, but with less time to uncover the underlying scheme
  • Add recipients to payroll files or change account information for existing recipients within a payroll file, which are hard enough to detect today and will be even harder to detect under severe time constraints
  • Compromise third-party senders and submit fraudulent payments into which ODFIs have no visibility and that could get overlooked among the high volume of payments needing to be reviewed in the short review window

New Strategies for Mitigating Fraud Risk

Simply increasing the size of the team charged with reviewing ACH files is not an affordable, scalable, nor sustainable option. The cost of hiring additional staff would be prohibitive, especially at a time when many FIs are trying to downsize their fraud operations team, and pulling people from other functions for a few hours a day would leave those other areas understaffed and exposed.

And tightening up security rules crafted to identify suspicious ACH payments will likely just result in poor customer service and higher false positive rates. On top of the higher volume, this will produce more alerts, with less time to investigate them.

The best strategy is to add technology to automate as much of the review process as possible. A real-time behavioral analytics solution like FraudMAP can use behavioral models to triage incoming files into low-risk payments that can be released automatically (the majority of payments) and the relatively few high-risk payments that require manual review.
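To make the triage concrete, here is an added example (not FraudMAP’s code or anything from the original article) that applies three checks drawn from the schemes listed under “How Will Criminals Attack?” above and splits a batch into entries to release automatically and entries to review: amounts structured just under the review threshold, payroll recipients added or re-routed since the originator’s previous payroll file, and a volume surge in the last minutes before cut-off. The $10,000 review threshold, the 5% structuring band, the 15-minute surge window, the 3x surge factor, the field names and both sample files are assumptions constructed for illustration; the routing numbers are placeholders.

```python
"""Automated review of a Same Day ACH batch before the cut-off (added example).

Three checks from the schemes above, then triage into auto-release or manual
review. Thresholds, surge parameters, field names and the sample files are
assumptions constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

REVIEW_THRESHOLD = 10_000.00   # assumed per-entry amount that triggers manual review
STRUCTURING_BAND = 0.05        # flag amounts within 5% below that threshold
SURGE_WINDOW = timedelta(minutes=15)
SURGE_FACTOR = 3.0             # surge = more than 3x the originator's usual late volume


@dataclass(frozen=True)
class Entry:
    entry_id: str
    name: str          # recipient (employee or vendor) name
    routing: str
    account: str
    amount: float
    submitted: datetime
    kind: str          # "payroll" or "vendor"


def is_structured(e):
    """Just under the threshold: large enough to be worth it, small enough to skip review."""
    return REVIEW_THRESHOLD * (1 - STRUCTURING_BAND) <= e.amount < REVIEW_THRESHOLD


def payroll_changes(previous, current):
    """Diff payroll entries against the originator's previous payroll file.
    Returns {entry_id: reason} for recipients that are new or whose account moved."""
    prior = {e.name: (e.routing, e.account) for e in previous if e.kind == "payroll"}
    flagged = {}
    for e in current:
        if e.kind != "payroll":
            continue
        if e.name not in prior:
            flagged[e.entry_id] = "recipient not in previous payroll file"
        elif prior[e.name] != (e.routing, e.account):
            flagged[e.entry_id] = "recipient account changed since previous payroll file"
    return flagged


def cutoff_surge(entries, cutoff, baseline_per_window):
    """Return (is_surge, late_entries). A surge is more than SURGE_FACTOR times the
    originator's usual number of entries in the last SURGE_WINDOW before cut-off."""
    late = [e for e in entries if cutoff - SURGE_WINDOW <= e.submitted <= cutoff]
    return len(late) > SURGE_FACTOR * baseline_per_window, late


def triage(previous, current, cutoff, baseline_per_window):
    """Split a batch into entries to release automatically and entries needing
    review, with the reasons attached to each reviewed entry."""
    reasons = {e.entry_id: [] for e in current}
    for e in current:
        if is_structured(e):
            reasons[e.entry_id].append("amount just under review threshold")
    for eid, why in payroll_changes(previous, current).items():
        reasons[eid].append(why)
    surge, late = cutoff_surge(current, cutoff, baseline_per_window)
    if surge:
        for e in late:
            reasons[e.entry_id].append("part of pre-cutoff volume surge")
    release = [eid for eid, r in reasons.items() if not r]
    review = {eid: r for eid, r in reasons.items() if r}
    return release, review


# Constructed sample: last week's payroll file and today's batch for one originator.
CUTOFF = datetime(2016, 9, 23, 14, 45)


def _t(h, m):
    return datetime(2016, 9, 23, h, m)


PREVIOUS_PAYROLL = [
    Entry("P1", "Alice Ng", "123456789", "111111", 2_100.00, datetime(2016, 9, 16, 13, 0), "payroll"),
    Entry("P2", "Bob Ray", "123456789", "222222", 1_950.00, datetime(2016, 9, 16, 13, 0), "payroll"),
    Entry("P3", "Carol Diaz", "123456789", "333333", 2_300.00, datetime(2016, 9, 16, 13, 0), "payroll"),
]
CURRENT_BATCH = [
    Entry("E1", "Alice Ng", "123456789", "111111", 2_100.00, _t(14, 10), "payroll"),
    Entry("E2", "Bob Ray", "123456789", "999999", 1_950.00, _t(14, 20), "payroll"),    # account changed
    Entry("E3", "Carol Diaz", "123456789", "333333", 2_300.00, _t(14, 35), "payroll"),
    Entry("E4", "Dave Moss", "123456789", "444444", 2_000.00, _t(14, 38), "payroll"),  # not on last file
    Entry("E5", "Acme Supply", "987654321", "555555", 9_750.00, _t(14, 40), "vendor"),  # just under threshold
    Entry("E6", "Metro Power", "987654321", "666666", 2_400.00, _t(14, 42), "vendor"),
]

if __name__ == "__main__":
    release, review = triage(PREVIOUS_PAYROLL, CURRENT_BATCH, CUTOFF, baseline_per_window=2)
    print("auto-release:", release)
    for eid, why in review.items():
        print("review", eid, "->", "; ".join(why))
```

With these inputs, three of the six entries are released without anyone looking at them and the analyst sees only the changed payroll account, the new payroll recipient and the $9,750 vendor payment, each with the reason attached. Note that the payroll diff needs the originator’s previous file, which is exactly the history a third-party sender’s ODFI may not have; that gap is why the schemes list calls out third-party senders separately.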

Furthermore, FraudMAP’s rich activity history will make it easier and faster for analysts to investigate high-risk payments and decide which ones to release.

Our most important recommendation is to start now, because you know the fraudsters have already started planning their new attacks. Rethink your payments offerings and policies, evaluate technology solutions for automatically reviewing payments, and budget now to be sure you’re ready to go come September 2016, which is just around the corner.


This article also appeared, with slight modifications, in Banking Exchange.


Be Sure to Calculate the Full ROI on Improved Fraud Prevention as you Plan your 2016 Budget

As you enter the 2016 budgeting season, you may be considering asking for improved fraud prevention. Many of the financial institutions we talk with are doing just this, especially in light of the increased risk from the vast amount of data in fraudsters’ hands, the repeatedly demonstrated ability of fraudsters to defeat authentication, and the impending availability of Same Day ACH, which will further increase fraud risk.

However, many of the FIs we talk with also make the same mistake when building their case for investing in improving their ability to mitigate fraud risk – they limit their estimated return to expected decreases in fraud losses. This is important, but it significantly undervalues what improved fraud prevention will deliver to your institution.

As you plan your budget for 2016, we encourage you to consider the strategic, business benefits of mitigating fraud risk, including:

  • Adding online and mobile products and improving service levels, which can improve competitiveness as well as generate added revenue
  • Winning new customers by offering faster payment processing, higher limits, and advanced payment services such as online bill pay and P2P.
  • Improving operational efficiency by automatically releasing low-risk wire and ACH payments, minimizing false positives, speeding investigations, and eliminating the need to write and maintain rules
  • Building client loyalty by taking responsibility for securing their assets and proactively alerting them to suspicious account activity
  • Reducing the full cost of fraud that includes the nominal loss plus legal costs, time spent on investigations, damaged reputation, and customer churn
  • Enhancing compliance with FFIEC Guidance that explicitly calls for using behavior to detect anomalies in banking activity.

These strategic business benefits are described in detail in our “Building a Business Case” document (PDF, 239kb). In addition to quantifiable examples of the business benefits realized by other financial institutions in each of the categories above, it provides specific topics to discuss internally to estimate the return you will see, given your institution’s unique size, organization, staffing, services, and clients.

If you’re committed to improving fraud prevention and would like an estimate of how much to budget for, please request a FraudMAP cost estimate.


Fraud Factor – Latest News on Banking Fraud

Why Consumers Don’t View Banks As ‘Trusted Partners’
Every FI wants its customers to view it as a trusted partner. But it appears that goal is far from being met. According to a new study, only one quarter (27 percent) of U.S. consumers view their financial institutions as a “trusted partner.” Our customers, however, report that one of the best ways to build trust is to proactively contact account holders about the suspicious activity that FraudMAP detects, even if it turns out not to be fraudulent. Clients appreciate the FIs taking responsibility for the security of their accounts.

Wide-ranging Threats Span Mobile, Phishing, Social Engineering and Social Media

Financial Services Attacked 300 Percent More Frequently Than Other Industries
A new Websense research study reveals that: 1) the finance sector dwarfs the volume of attacks against other industries by a 3:1 ratio; 2) hackers are spending huge amounts on reconnaissance and lures; 3) credential stealing and data theft are criminals’ primary objectives; and 4) fraudsters switch-up campaigns frequently to outfox FIs’ security measures.

Critical Flaws in Apple, Samsung Devices
A zero-day bug in iOS and OS X allows the theft of both Keychain (Apple’s password management system) and app passwords. In addition, a serious vulnerability in a third-party keyboard app that is pre-installed on more than 600 million Samsung mobile devices allows attackers to remotely access resources like GPS, camera and microphone, secretly install malicious apps, eavesdrop on incoming and outgoing messages and voice calls, and access pictures and text messages.

Phishing Campaigns Harder to Mitigate
The emergence of new top-level domains, such as .xyz, has fuelled an uptick in spoofed websites being used to wage targeted phishing attacks. While the new .bank domain has a privileged position with a very stringent vetting process, others, such as .cn, do not, and almost anyone, criminals included, can use them to register new domain names.

Call Center Fraud Targets Processors
The massive number of retail point-of-sale breaches over the last two years has fueled an uptick in call center fraud that targets payments processors. Using stolen card details obtained in retail breaches, fraudsters call payments processors before the transactions are flagged as suspicious by the issuing institutions and convince the call-center staff that the transactions are legitimate.

The Rise Of Social Media Botnets
Cyber criminals use social media botnets to disseminate malicious links, collect intelligence on high profile targets, and spread influence. As opposed to traditional botnets, each social bot represents an automated social account rather than an infected computer. Bot herders leverage botnets to distribute phishing and malware links across social media. The lucrative part of the attack involves selling the phished information or the myriad ways malware is leveraged to extort money, be it data theft, ransomware, blackmail, or banking Trojans.

Federal Employees Top Data Breach News

U.S. Officials Report Massive Breach of Federal Personnel Data
Initially reported to affect 4 million federal employees, the breach is now understood to include all federal employees and retirees, as well as one million former federal employees. The personal information that was stolen includes Social Security numbers, addresses, birth dates, job and pay histories, health insurance, ages, gender, race, and more.

Where Has All the Stolen Data Gone?
In her latest blog post, Avivah Litan from Gartner explains the “dark web” and theorizes about who is buying the data and to what end. She explains that hidden dark web data markets are very different from the black markets where stolen credit card data is sold. In the dark web data markets, only 4-5% of the information is exposed to initial site visitors. The rest is buried farther down in what’s known as the Deep Web, and access to it requires that potential buyers pass an intense background check and credentialing process. The buyers mine these vast troves of data to determine how to infiltrate their desired targets in unexpected ways and with unexpected motives.

Team GhostShell Hacking Group is Back
A group of hackers known as Team GhostShell claims to have hacked a multitude of organizations, including financial institutions, government agencies, political groups, law enforcement entities, and universities. They are dumping the data via Twitter, including emails, user names, addresses, telephone numbers, dates of birth, and other personally identifiable information.

Beware of Rogue Banking Apps, Malvertising, and the Malware Stepping in for Gameover

Cybersecurity Article Highlights Risk of Rogue Banking Apps
In a sample of 350,000 mobile banking applications analyzed by RiskIQ, 40,000 apps, or about one out of every nine, contained adware or malware. These neo bank robbers have been brazen in carrying out some of their scams. One bank began receiving calls from disgruntled customers about its Windows mobile banking application not working properly. The study’s author explains, “The help desk kept filing tickets for the calls until it found out the bank didn’t have a Windows mobile app. It was an app in the Windows mobile store for their bank that people were downloading and using, and all it was doing was capturing the user information and sending it to Russia.”

Massive Malvertising Campaign Hits Users with Angler Exploit Kit
This attack is focused on users browsing several well-trafficked sites in Europe and the US. The attack leads users to the Angler exploit kit, which infects them with the Bunitu Trojan, turning the infected system into a zombie computer whose network connection is then used for subsequent malicious activity.

Dyre’s Rise to Top Financial Malware Threat
Researchers are crediting Dyre malware with filling the void left by the Gameover ZeuS takedown last summer. The malware uses several different types of Man-In-the-Browser (MITB) attacks against the victim’s web browser to steal credentials. It targets all three major browsers (Internet Explorer, Firefox, and Chrome), and has been configured to target customers at more than 1,000 banks and other firms.

Webinar Recommends Device Binding to Mitigate Mobile Risk and Improve Client Experience

Last week’s webinar, titled “How Mobile is Reshaping Banking and Fraud,” reviewed the tremendous growth in mobile adoption, the fraud risks this introduces, and recommendations for embracing mobile to improve your clients’ experience. The webinar featured our own Chris Silveira, manager of fraud intelligence, who provided a holistic view of the impact that mobile is having on consumers and financial institutions.

Huge Growth in Mobile Usage Attracting Criminals

Did you know that 1 in 4 account holders consider themselves “mobile first”? This means that their primary channel for banking is mobile. Or that 33% of e-commerce orders are from a mobile phone? Mobile logins to financial accounts are skyrocketing and are estimated to be double online logins by next year.

In addition, Chris reported that mobile banking users are 47% more profitable for FIs than offline users. So, all of this growth in mobile adoption should be great news for banks and credit unions. But many only see risk, and understandably so.

Criminals are targeting mobile to gather personal data and credentials, conduct reconnaissance, defeat controls, and initiate fraudulent transactions. Chris also described some of the vulnerabilities of mobile phones, such as how criminals can access sensors that do not require user permission the way the microphone and camera do. Did you know that the gyroscope used to orient content as the phone is turned sideways can be used to monitor and identify voices?

Use Mobile to Improve Clients’ Experience

All of which led to perhaps the most interesting and insightful content. Instead of just coping with increased mobile usage and trying to defend against the myriad schemes that incorporate mobile, FIs have the opportunity to truly embrace mobile, use it as part of their security strategy, and improve clients’ experiences, ultimately creating competitive advantage.

Chris described the concept of device binding, which is using behavior, device characteristics, and information about the account holder to bind a device to the legitimate account holder. By doing so, FIs can not only mitigate mobile fraud risk, they can actually step DOWN authentication in some cases, decreasing friction and improving the user experience.

For example, through device binding, FIs could streamline ATM security, authorize retail payments, and skip re-authenticating someone calling customer service.

To hear the full story, you can watch the recorded webinar (duration: 58 minutes).


The Squeeze is on Financial Institutions

Financial institutions are always under some form of pressure. Now there’s a new squeeze being put on, as depicted in our new infographic.

FIs are caught between two powerful forces. On one side the pressure is coming from criminals who have access to vast amounts of personal information and credentials, to the point where bankers can no longer trust that clients are who they say they are (see Can You Trust Your Customers Really Are Who They Say They Are?). Fraudsters are using detailed dossiers on victims and on FIs’ employees to launch relentless attacks, constantly changing their strategies and schemes as new security measures are put in place.

On the other side, the pressure is coming from account holders that want new banking capabilities and improved service levels. These might include faster payment processing, P2P and bill pay capabilities, higher limits, or expanded mobile banking options such as remote deposit capture. The challenge for FIs is that all of these elevate risk.

The combination of decreasing trust and competitive pressure to add products is placing unprecedented pressure on financial institutions to improve fraud prevention capabilities.

Download our infographic to learn more. And please contact us to learn how behavioral analytics can relieve the pressure.

Can You Trust Your Customers Really Are Who They Say They Are?

We live in unprecedented times. Criminals now know more about the identity of a bank’s customers than the bank.

Due to vast amounts of data available to criminals and their clever ability to masquerade as and manipulate their victims, FIs find it increasingly difficult to trust that their clients truly are who they say they are.

Trust Damaged by Access to Personal Data

Nearly a billion identities have been exposed since the beginning of 2013. Around the world, 1,355 records are stolen every minute. And criminals are using their detailed knowledge of account holder and bank employee identities to commit fraud.

We all see the news about new strains of malware, data breaches, credential compromises and new fraud tactics one at a time. But they are additive. When taken together, including what people willingly share on social networks and additional data gathered through social engineering, criminals have an unprecedented amount of data about account holders and employees.

Trust is further eroded by victims being tricked or manipulated into doing something that benefits the fraudster. Recent examples include criminals using a compromised business email account to submit fake vendor invoices that fool AP staff into paying them, and compromising a CFO’s email account and using it to ask the controller to send a wire to the fraudster’s account.

As a result of this loss of trust, many financial institutions hold back on capabilities because of concerns over trust and security, scaling back the speed and depth of products and services they offer, how big of an audience is allowed to use certain capabilities, and the overall service levels being offered.

Institutions’ Unique Advantage Over Criminals – Behavior

This isn’t an authentication problem, or a device problem, or a manual review problem. These measures have been defeated and simply doing more of the same won’t prevent fraud nor solve the trust issue. Financial institutions need a different approach to validating that users are who they say they are and their actions are not being driven by criminal manipulation.

While criminals may have identity information as a weapon, FIs have something much more powerful: a rich history of each account holder’s interactions with the institution. Account holder behavior is an FI’s greatest asset in the fight to prevent fraud.

By using behavioral analytics to detect suspicious activity, FIs will once again know when a user is legitimate (and engaged in legitimate activity) and not an imposter. FIs will regain control over trust because, while fraudsters can worm their way past any authentication control, they cannot readily mimic the accumulated behavior of the legitimate user.

Unprecedented times call for new solutions. A recent Aite Group study found that 79% of the financial institutions interviewed have one or more behavioral analytics solutions already in place, with another 10% in the pilot phase. FIs using behavioral analytics can prevent banking fraud and mitigate the risks associated with expanded services, turning this data-induced identity crisis into improved competitiveness and customer loyalty.

Beyond the Patch – Heartbleed Drives New Security Requirements

In the last 18 months we have seen some of the largest data breaches ever, and now the Heartbleed bug further erodes the small amount of remaining trust we might have had that sensitive information and access to critical systems is protected. Given the scope of the hardware and software impacted by the Heartbleed bug and the time it will take to address it, companies and consumers are exposed more than ever to criminal attacks, even after patches are in place, new keys are issued and passwords are reset.

The impact of Heartbleed, the massive number of identities exposed in 2013 through data breaches – 552M – and the ongoing attacks on our sensitive information and systems will be long term and far reaching, ultimately requiring a rethinking of the fundamentals we use to protect ourselves and our customers.

The flaw and the successful exploitation of it call into question the effectiveness of the controls and tools enterprises use to detect attacks on consumer accounts and corporate networks. At the heart of the issue:

  1. The bug exposes information used to validate users – usernames, passwords, session tokens, personal information, payment information, health and medical information – by letting an unauthenticated attacker read server memory.
  2. The same memory can contain the server’s TLS private key, allowing criminals to decrypt captured traffic or impersonate the server and so gain access to networks and systems.
  3. It is unknown how much information has already been exposed, and how long internal systems will take to patch.

Given these, criminals can successfully access consumer applications and corporate networks and go undetected by most common authentication, network and security controls. With access to credentials, authentication-related information and network traffic, criminals will look just like legitimate users – no malware used, no other attacks on networks or servers needed.

Companies can no longer have confidence that users (consumers, employees, vendors, partners) are who they say they are.

The immediate focus has naturally been on stopping the bleeding through patches, new keys and password changes. While the majority of websites have been fixed, enterprises face the daunting task of identifying all of the software and equipment exposed and implementing patches. In the meantime, they are exposed.

Enterprises, therefore, need to think “beyond the patch” and also implement a more comprehensive, effective and resilient change to their approach to securing access to applications and systems. In the wake of this flaw, malware detection, network monitoring, sandboxing, and authentication all fail to detect the unauthorized access. Companies cannot rely on looking for known patterns of bad actors – they won’t find any. Rather, they need to start with the perceived good actor and look for anomalies in their behavior as a signal of unauthorized access.

Bad actors hide behind legitimate credentials – but behavior never lies.

Companies at the forefront of security have already adopted user based behavioral analytics to strengthen consumer and corporate security. The Heartbleed bug means this approach is a new fundamental security requirement for all.


Were forgotten passwords really forgotten? Or were they never known in the first place?

While fraudsters continually develop new schemes, they also persist in using older techniques that have proven to be effective. Our latest Fraud Informer, Fake Forgetfulness Flags Fraud, describes how criminals are defeating authentication by using a feature that is available on every online banking system: the Forgotten Password reset.

Our fraud intelligence group has witnessed ongoing attacks against hundreds of retail clients plus a smaller number of commercial accounts at over 50 banks and credit unions. The pattern is very similar across all of them, and surprisingly, the attacks don’t include transactions.

This scheme is a good reminder of two important factors in detecting fraud attacks: 1) fraudsters can defeat authentication, and 2) you can’t detect fraud by only monitoring transactions. Make no mistake, this is fraud. And to detect it and prevent resulting offline fraudulent transactions you have to be monitoring the behavior taking place during online banking sessions.
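The session-level monitoring this scheme calls for, as an added example that is not the Fraud Informer’s or FraudMAP’s code: the script below reads constructed online banking session events and flags any device fingerprint (or source address) that completes the Forgotten Password flow on several distinct accounts within a short window, and separately lists the accounts whose reset was never followed by a transfer, which is precisely the activity that transaction-only monitoring never sees. The event format, the 24-hour window, the three-account threshold and the event log itself are assumptions constructed for illustration.

```python
"""Detecting password-reset abuse from session events, not transactions (added example).

Flags devices or IPs that reset passwords on several distinct accounts within a
short window, and lists reset accounts that never moved money afterwards. The
record format, window, threshold and the sample log are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MIN_ACCOUNTS = 3            # distinct accounts reset by one device before it is flagged
WINDOW = timedelta(hours=24)

# Constructed sample log: one legitimate user, one legitimate reset, and one device
# that resets three accounts in a day while rotating its source address.
EVENTS = """
# timestamp account device ip event
2015-08-03T09:02:00 acct-1001 fp-legit-1 203.0.113.7 login
2015-08-03T09:03:00 acct-1001 fp-legit-1 203.0.113.7 transfer
2015-08-03T10:15:00 acct-2001 fp-bad-9 198.51.100.20 password_reset
2015-08-03T10:16:00 acct-2001 fp-bad-9 198.51.100.20 login
2015-08-03T10:17:00 acct-2001 fp-bad-9 198.51.100.20 view_balance
2015-08-03T11:40:00 acct-2002 fp-bad-9 198.51.100.20 password_reset
2015-08-03T11:41:00 acct-2002 fp-bad-9 198.51.100.20 login
2015-08-03T13:05:00 acct-2003 fp-bad-9 198.51.100.21 password_reset
2015-08-03T13:06:00 acct-2003 fp-bad-9 198.51.100.21 login
2015-08-03T13:07:00 acct-2003 fp-bad-9 198.51.100.21 view_balance
2015-08-04T08:30:00 acct-3001 fp-legit-2 192.0.2.44 password_reset
2015-08-04T08:32:00 acct-3001 fp-legit-2 192.0.2.44 login
2015-08-04T08:35:00 acct-3001 fp-legit-2 192.0.2.44 transfer
"""


def parse_events(lines):
    """Parse whitespace-separated 'timestamp account device ip event' records,
    skipping blanks and comments, and return them in time order."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, account, device, ip, event = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "device": device, "ip": ip, "event": event})
    return sorted(events, key=lambda e: e["ts"])


def reset_clusters(events, key="device"):
    """Return {key_value: sorted accounts} for every device (or ip, via key="ip")
    that reset passwords on at least MIN_ACCOUNTS distinct accounts within WINDOW."""
    resets = defaultdict(list)  # key value -> [(timestamp, account)]
    for e in events:
        if e["event"] == "password_reset":
            resets[e[key]].append((e["ts"], e["account"]))
    flagged = {}
    for k, items in resets.items():
        items.sort()
        for i, (start, _) in enumerate(items):  # sliding window anchored on each reset
            accounts = {a for ts, a in items[i:] if ts - start <= WINDOW}
            if len(accounts) >= MIN_ACCOUNTS:
                flagged[k] = sorted(accounts)
                break
    return flagged


def resets_without_transactions(events):
    """Accounts whose password reset was never followed by a transfer: the
    'no transactions' pattern that transaction-only monitoring misses."""
    reset_at = {}
    moved_money = set()
    for e in events:  # events are time-ordered
        if e["event"] == "password_reset":
            reset_at.setdefault(e["account"], e["ts"])
        elif e["event"] == "transfer" and e["account"] in reset_at:
            moved_money.add(e["account"])
    return sorted(a for a in reset_at if a not in moved_money)


if __name__ == "__main__":
    evs = parse_events(EVENTS.splitlines())
    print("by device:", reset_clusters(evs))
    print("by ip:    ", reset_clusters(evs, key="ip"))
    print("reset, no transfer:", resets_without_transactions(evs))
```

Two things the output shows. Grouping by device fingerprint catches the attacker even though each account individually looks like a single forgotten password, while grouping by IP finds nothing because the attacker changed address after two accounts; pick the key that the attacker cannot rotate cheaply. And the three flagged accounts never produced a transfer, so a monitor that only looks at transactions would have nothing to alert on.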

Read on in the full Fraud Factor.

About Guardian Analytics

Guardian Analytics is the technology leader in the prevention of online account fraud, providing real-time risk management solutions that protect online channels. The company supports the end-to-end online risk management process with rich analytics and behavior-based modeling. We offer an analytics-based software solution that addresses the entire risk management lifecycle.