ALIGN YOUR FINANCIAL FRAUD DETECTION STRATEGY WITH GARTNER'S CAPABILITY MODEL


Published: 26 July 2017 ID: G00325850

Analyst(s): Jonathan Care, Tricia Phillips

Summary

As digital fraud attacks become more sophisticated and identity theft becomes more complex, it's time to rethink fraud's functional detection and protection architecture. Security and risk management leaders must strive for a contextual, risk-based approach to address multiple use cases.

Overview

Key Challenges

Recommendations

Security and risk management leaders responsible for fraud prevention must:

Strategic Planning Assumption

By 2022, 60% of organizations will be at capability Level 5 or above in the Gartner Fraud Detection Capability Model, up from less than 30% today.

Introduction

Gartner defines financial fraud as a malicious activity performed by an individual or organization through deception, intended to result in financial gain at the expense of another individual or organization.

Once considered primarily a risk associated with transaction events, financial fraud now stretches across all channels of interaction, and at all stages of a customer account life cycle. A fraud attack can breach internal processes and customer points of interaction alike, and includes use cases such as new account fraud, account takeover, fraudulent purchases, deposit and check fraud, and disbursement or invoice fraud. Security and risk management leaders responsible for fraud prevention (fraud prevention leaders) report that mobile interfaces, call centers, payment systems and retail locations are all vulnerable to financial fraud attacks. The expansion and reach of fraud today creates financial losses so extensive that observers have a difficult time measuring its cost. 1

While this note focuses on digital fraud prevention techniques, it is important to note that financial fraud is a cross-channel activity. Fraudsters will have no compunction about moving between digital, telephonic and even traditional paper-based channels to reach their goals.

What is needed is an architectural approach to addressing the fraud prevention needs of various stakeholders and use cases. Identity corroboration processes should serve as a safeguard against identity theft, synthetic identity and account takeover, but they must not degrade the experience of the 98% of users who are not engaging in malicious activity (see Note 1). This note looks beyond a simple one-dimensional view aimed solely at online fraud, and presents a flexible and modular approach that uses various corresponding technologies and functions, enabling leaders to orchestrate appropriate solutions for complex threats.

Analysis

Fraud is part of a cycle of technological crime perpetuated by several categories of actors, including organized crime, terror groups, and solitary or loosely organized opportunists greedy for money. Cyberattacks are integral to organized criminal activity programs that steal data for intelligence-gathering purposes or to sell for profit. In vast black markets, technological vulnerabilities are commoditized and traded, then weaponized. As part of this progression, fraud efforts make use of data stolen in hacking intrusions to create fraudulent accounts, or to take over the accounts of legitimate individuals or businesses. Funds obtained through intrusion or fraud schemes enable and support additional criminal activities.

This cycle draws on proven methods, tactical innovations and new technologies to spread crime, with compromises of identity a consistent feature of fraud's endurance as a global problem. Statistics show that hacking, malware and account takeover were linked in a destructive chain in 2016: 3 billion credentials were reported by organizations as compromised; 60% of users reuse passwords across multiple sites; 90% of websites with login pages experienced bot attacks. 2

Financial fraud is a cross-channel activity. The more interaction points a business has to support transactions with customers, the more blind spots exist where a potential fraud incident could occur. Mobile business, call centers and online services are all vulnerable to the deceptions that fraudsters deploy using increasingly sophisticated attack techniques and tools. A fraudster will present a synthetic (fake) identity or a stolen identity in a call to a customer service agent, and change account credentials, allowing them to transfer funds using an untraceable "burner phone" at their leisure. In other words, such violations penetrate deep into other areas of the enterprise — to digital business initiatives, to brick-and-mortar retail locations, to the supply chain.

Fraud prevention must be cross-channel as well. Solutions focusing on single channels without cross-channel behavior analytics and anomaly detection provide an incomplete picture of the organization's fraud challenges and financial losses.

Several realities are now evident:

For example, consider a distributed denial of service (DDoS) attack against a web portal. As Gartner has seen, DDoS attacks on a login page will drive up calls to the contact center from legitimate users, creating a customer service crisis. The fraudsters now have an opportunity to exploit the contact center using social engineering techniques, exploiting contact center agents' intentions to reduce the angry queue and help customers. The employees make exceptions during calls to appease distressed customers; account information is inadvertently validated or changed. When the DDoS attack is over, the malicious actors now have more information and access to take over customer accounts online.

Several best practices allow security and risk management leaders to counter such intricate and expansive attacks.

Align Strategy With Gartner's Capability Model for Fraud Detection

The Gartner Fraud Detection Capability Model, shown in Figure 1, highlights seven key capabilities that Gartner recommends as best practices in financial fraud systems. Deployment of these capabilities provides a structured approach to fraud detection, and each capability layer provides detection capability and data to the layers above.

Figure 1. Gartner Fraud Detection Capability Model for Cross-Channel Fraud Prevention


Source: Gartner (July 2017)

Some functions are lower in sophistication and are more useful in providing security and risk management leaders with hindsight:

  1. Static data-based identification is composed of two primary functions — identification of new customers at enrollment, and the validation of returning customers. Static identification can be used if a step-up verification is required to increase trust assurance. These methods are commonly used to satisfy know-your-customer (KYC) requirements, and customers are accustomed to providing much of this data. Unfortunately, with the vast data breaches of personally identifiable information, the ability to produce "matching" information for an identity record is hardly proof of positive identity. Additionally, intrusive knowledge-based verification (KBV) challenges often frustrate legitimate users and lead to abandonment, while sophisticated fraudsters are capable of providing correct data. The driving force to improve and implement further layers of the capability model and reduce reliance on this category of tools is to increase the smoothness of the identity corroboration experience for legitimate customers, and to reduce the attack surface where fraudsters can easily operate. Vendors such as IDology, LexisNexis Risk Solutions and TrustID operate at this level.
  2. Rule-based risk assessment is a baseline capability for compliance, business policy enforcement and suspicious activity detection. It is the primary method of fraud prevention for many organizations, especially in developing regions. The level of sophistication for rule-based platforms varies widely, with some supporting highly complex and nuanced rules, automatic relevance testing, and aggressive rule management focused on retiring outdated rules. Nearly all rule-based systems are focused on negative use cases and historical activity (known bad behavior), which often results in high false-positive rates and an inability to detect emerging and unknown threats. Additionally, fraudsters often analyze and take inventory of the combinations of data attributes or attack methods that fail due to rules, and are skilled at making minor modifications of behavior to circumvent them. Few vendors offer a risk scoring system based solely on rules, due to the rapidly changing nature of fraud attacks. This capability is therefore delivered either through internal development or by legacy transaction analysis systems, although vendors such as ThreatMetrix expose "smart rules," which also make use of analytics features, to their customers.
  3. Endpoint profiling (EP) technologies assess a variety of devices capable of initiating interactions, including mobile phones and tablets, laptop and desktop computers, desktop phones, and emerging endpoints such as smart cars and virtual personal assistants. EP can spot devices that are in an unsafe, jailbroken state, that show inconsistencies or anomalies indicating spoofing behavior, or that are inconsistent with expected characteristics (such as previously profiled devices); it can look for matches or similarities to known fraudulent devices, and can sometimes score the risk of the device/endpoint. Yet these solutions are often blind to devices compromised by malware or advanced attacks, such as man-in-the-middle (MITM), man-in-the-browser (MITB) or remote access Trojan (RAT) attacks. While this technology is sufficient protection for many organizations and use cases, as with most security and fraud detection and prevention tools, an arms race between fraudsters and solution providers continues. Each side is continually one-upping the other with a new approach to either violating a device or detecting the violation. Large enterprises are targeted by the most sophisticated fraud attacks, and this continuous evolution of deception capability is a driver to migrate upward in the maturity model, enabling detection of advanced fraud attacks that compromise the endpoint and subvert user sessions that have been genuinely authenticated. Vendors in this space include Experian, IBM Trusteer, iovation, Kaspersky Lab, Kount and ThreatMetrix.
  4. Entity relationship analysis uses graph analysis to examine the metadata of an account or transaction, as well as the relationships between data points, to create a risk assessment of those data points. Information that can be analyzed for linkages and reputation includes email addresses, phone numbers, addresses and recipient account information. This type of activity can determine whether there are indicators of risk through associations or links to negative lists, high-velocity activity or morphing. This type of analysis is also effective in determining whether the ultimate beneficiary of a transaction is who the originator intended, and whether it is the subject of any regulatory cautions or sanctions that require further approval before the transaction is fulfilled. Typical recipient analyses make use of relationship graphing to identify the strength, frequency and quality of relationships, and thereby to uncover any hidden ultimate beneficiaries or other dishonest nodes in the graph. This becomes of significant value when a transaction crosses jurisdictional boundaries and has other elements that indicate it is of high risk. Vendors in this space include ID Analytics, LexisNexis Risk Solutions, TransUnion and Whitepages.
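As an added example of the linkage analysis described in the entity relationship item (illustrative code, not from the report or any vendor it names): accounts and their attributes form a bipartite graph, a breadth-first search finds accounts tied to a negative-listed recipient within a given number of hops, and a degree count surfaces high-velocity attribute reuse. The records, field names and negative list are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed sample records; every value here is made up for this example.
RECORDS = [
    {"id": "acct-A", "email": "a@example.net", "phone": "+1-555-0100", "recipient": "IBAN-111"},
    {"id": "acct-B", "email": "b@example.net", "phone": "+1-555-0100", "recipient": "IBAN-222"},
    {"id": "acct-C", "email": "c@example.net", "phone": "+1-555-0199", "recipient": "IBAN-222"},
    {"id": "acct-D", "email": "d@example.net", "phone": "+1-555-0177", "recipient": "IBAN-333"},
]
# Constructed negative list: a recipient account carrying a regulatory caution.
NEGATIVE_LIST = {"recipient:IBAN-111"}
LINK_FIELDS = ("email", "phone", "recipient")


def build_graph(records):
    """Bipartite graph: each account node links to the attribute nodes it uses."""
    graph = defaultdict(set)
    for rec in records:
        for field in LINK_FIELDS:
            attr = f"{field}:{rec[field]}"
            graph[rec["id"]].add(attr)
            graph[attr].add(rec["id"])
    return graph


def linked_accounts(graph, seeds, max_hops):
    """Accounts reachable from the seed nodes within max_hops, with hop count.

    Hop 1 is a direct use of the seed attribute; each further pair of hops
    passes through a shared attribute (phone, email, recipient) to another account.
    """
    dist = {seed: 0 for seed in seeds if seed in graph}
    queue = deque(dist)
    while queue:
        node = queue.popleft()
        if dist[node] >= max_hops:
            continue
        for nxt in graph[node]:
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return {n: d for n, d in dist.items() if n.startswith("acct-")}


def shared_attribute_velocity(graph, min_accounts):
    """Attributes reused by at least min_accounts distinct accounts (velocity)."""
    return {n: len(nbrs) for n, nbrs in graph.items()
            if not n.startswith("acct-") and len(nbrs) >= min_accounts}


if __name__ == "__main__":
    g = build_graph(RECORDS)
    print("linked within 3 hops:", linked_accounts(g, NEGATIVE_LIST, 3))
    print("linked within 5 hops:", linked_accounts(g, NEGATIVE_LIST, 5))
    print("reused attributes:", shared_attribute_velocity(g, 2))
```

Widening max_hops trades recall for noise: acct-C is only reached through acct-B's shared recipient, so a review queue should show the path, not just the account.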

Above this level, organizations are either brokering large numbers of financial transactions, or have a profile that indicates they are significantly at risk of loss from concerted fraud attacks. Cross-channel risk scoring, behavioral analysis and web session protection can provide key risk indicators that a transaction is being initiated by a fraudster rather than by a genuine customer.

  5. Behavior analytics that use several techniques — including supervised and unsupervised machine learning — provide security and risk management leaders with considerably more power to detect emerging threats than rule-based systems alone. Cross-channel behavior analytics assesses baseline behaviors against historical individual activity as well as peer groups, and should include all interaction channels. This method can detect subtle anomalies that are indicative of advanced fraud attacks, including changes or outliers in page navigation and sequence of actions, passive behavioral biometric analysis indicating automated interactions, changes in keystroke patterns, mouse movement, swipe pressure, and so on. Additionally, using cross-channel behavior analysis, it is possible to detect subtle changes across channels that wouldn't exceed a channel-specific risk threshold, but would in combination with other channels. For example, a login attempt from a new device with failed step-up authentication may not, on its own, seem excessively risky, but when followed by three failed attempts to provide an account number or date of birth via an interactive voice response (IVR) system, followed by a request for a password reset via a new mobile device a few minutes later, the indication that the account is at risk for takeover is much higher. Vendors offering solutions with this capability include BehavioSec, BioCatch, Featurespace, Guardian Analytics, IBM Trusteer and Pindrop (in the call center space).
  6. User interface protection (UIP): While the web application firewall protects against specific exploits, the UIP layer defends against specific business logic attacks that fraudsters use, including credential stuffing, impersonation using RATs, injection/modification of the Document Object Model (DOM), traffic interception and redirection, and session hijacking. UIP is commonly implemented as server-side scripts added to the website, and typically defends against advanced attack vectors such as Dridex, Kins, Zeus, Dyre and similar. Migration beyond this layer is typically driven by a need to defend against targeted fraud attacks by advanced fraudsters due to the high risk profile of the organization, either because of brand prominence or assets of value to an attacker. Vendors offering solutions in this category include Akamai, Cleafy, CodeSealer, Distil Networks, F5 (Websafe), RSA and Shape Security.
  7. Continuous risk assessment integrates results from all customer interaction channels, including web, mobile, call center, instant messaging, and other, less-considered channels, such as social media, email and even face-to-face. It also factors in the risk context for every available action within an account or transaction event. The fraud system therefore becomes key to governing the entire customer experience. It acts as a governance hub, determining whether additional step-up authentication is required, whether the identity corroboration loop must be run or even whether certain services should be suspended to keep transactions within risk tolerance. Risk indicators for most digital channels are well-understood; however, when looking at newer innovative channels (and for banking, new payment instruments and bearers), caution must be taken to ensure that the organizational reputation is not damaged by a misfiring fraud hub denying service, or that an overly permissive fraud hub does not expose the organization to risk outside of tolerance. This scoring must overcome data and organizational silos. Vendor solutions in this area include BAE Systems, Bottomline Technologies, Brighterion, Featurespace, Feedzai, FICO, IBM Trusteer and SAS.
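The cross-channel scenario in the behavior analytics item above, worked as added example code (not from the report or any vendor it names): each channel's score stays below the per-channel alert threshold a siloed system would use, while the combined score for the account over a trailing window does not. Event kinds, weights, thresholds and the sample events are all assumed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    """One customer interaction on one channel (constructed schema for this example)."""
    ts: datetime
    account: str
    channel: str          # "web", "ivr" or "mobile"
    kind: str             # what happened on that channel
    new_device: bool = False


# Assumed risk weights per (channel, event kind); values are invented for
# illustration, a real deployment would calibrate them from its own history.
RISK_WEIGHTS = {
    ("web", "step_up_failed"): 20,
    ("ivr", "verification_failed"): 10,
    ("mobile", "password_reset_requested"): 15,
}
NEW_DEVICE_BONUS = 10
CHANNEL_THRESHOLD = 50         # a channel-only system alerts at or above this
CROSS_CHANNEL_THRESHOLD = 50   # combined score across channels that triggers an alert
WINDOW = timedelta(minutes=30)


def event_score(event: Event) -> int:
    """Score one event; unknown (channel, kind) pairs contribute nothing."""
    score = RISK_WEIGHTS.get((event.channel, event.kind), 0)
    if event.new_device:
        score += NEW_DEVICE_BONUS
    return score


def channel_scores(events, account, now):
    """Sum risk per channel for one account over the trailing window ending at now."""
    scores = {}
    for event in events:
        if event.account != account or not (now - WINDOW <= event.ts <= now):
            continue
        scores[event.channel] = scores.get(event.channel, 0) + event_score(event)
    return scores


def channel_only_alerts(events, account, now):
    """Channels a siloed, per-channel system would flag."""
    return sorted(ch for ch, s in channel_scores(events, account, now).items()
                  if s >= CHANNEL_THRESHOLD)


def cross_channel_alert(events, account, now) -> bool:
    """Flag the account when the combined score across channels crosses the threshold."""
    return sum(channel_scores(events, account, now).values()) >= CROSS_CHANNEL_THRESHOLD


# Constructed sample: the takeover sequence from the text, one stale event that
# falls outside the window, and a benign account with a single IVR failure.
NOW = datetime(2017, 7, 26, 10, 30)
SAMPLE_EVENTS = [
    Event(datetime(2017, 7, 26, 8, 0), "acct-1234", "mobile", "password_reset_requested"),
    Event(datetime(2017, 7, 26, 10, 0), "acct-1234", "web", "step_up_failed", new_device=True),
    Event(datetime(2017, 7, 26, 10, 5), "acct-1234", "ivr", "verification_failed"),
    Event(datetime(2017, 7, 26, 10, 6), "acct-1234", "ivr", "verification_failed"),
    Event(datetime(2017, 7, 26, 10, 7), "acct-1234", "ivr", "verification_failed"),
    Event(datetime(2017, 7, 26, 10, 12), "acct-1234", "mobile", "password_reset_requested", new_device=True),
    Event(datetime(2017, 7, 26, 10, 10), "acct-5678", "ivr", "verification_failed"),
]

if __name__ == "__main__":
    for account in ("acct-1234", "acct-5678"):
        print(account, channel_scores(SAMPLE_EVENTS, account, NOW),
              "channel-only alerts:", channel_only_alerts(SAMPLE_EVENTS, account, NOW),
              "cross-channel alert:", cross_channel_alert(SAMPLE_EVENTS, account, NOW))
```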

Fraud prevention leaders must analyze fraud events to understand their role in the broader, more complex cycle of criminal activity, as shown in Figure 2.

Figure 2. The Cycle of Financial Fraud Attacks


Source: Gartner (July 2017)

Cyberattacks focus on the theft of valuable data, which is then used to perpetrate fraudulent purchases of goods and services. The proceeds of these are used to fund other criminal and insurgent activity, including acts of violence, the purchase and sale of illicit items and content, and so forth. The proceeds from these activities are, in turn, put through money-laundering processes to legitimize the funds and release them for general-purpose use. Such activity can be detected by anti-money laundering systems and by regulatory sanction. Some of these legitimized funds are then used to fund the research, development and weaponization of exploits that can be used in future cyberattacks.

Develop a Holistic Fraud Strategy That Encompasses Online and Offline Modes

Fraud attacks increasingly exploit blind spots and channel-based silos of fraud detection and prevention strategies. While emerging technologies represent new opportunities for fraud prevention leaders, and anti-fraud efforts can be fortified with an understanding of how these assets perform complementary functions across use cases (such as new account onboarding risk assessment, high-value transaction risk assessment and account change assessment), the investments will fall short of expectations if an organization is not employing a cross-channel view of its customer accounts. As Figure 2 illustrates, available resources offer varying levels of sophistication, and implementation of advanced solutions should match the maturity level of the attack methods employed against the organization.

Fraudsters will gravitate toward the easiest point of attack, and will make use of silo-based differences in fraud management strategy (for example, between the online portal and the call center) to exploit weaknesses in an organization's fraud detection posture.

Establish Dialogue Between Fraud Prevention Leaders and Others

Gartner notes that there is a frequent disconnect between fraud prevention leaders and other security and risk management leaders. Advanced fraud attacks can touch on the domains of information security, application security, underwriting and credit risk, identity and access management, accounting, and treasury. Fraud prevention leaders are encountering increasingly sophisticated attacks across a wide variety of channels and attack methods, which include bots targeting login on application pages, browser-based attacks, DDoS attacks in combination with other methods, social engineering, spear-phishing and malware attacks, and credential compromises. By pooling skills, expertise and technology budgets, a cutting-edge, cross-channel fraud prevention approach can be developed and implemented. Cybercriminals move freely between the stages of the financial crime attack cycle, and all security and risk management leaders must become just as fluid if they intend to compete.

Build an Application Stack That Is Extensible and Flexible, as No Single Vendor-Supplied Solution Will Fit All Fraud Prevention Needs

When designing the organization's approach to fraud detection and prevention, fraud prevention leaders must develop a focus on adaptive capabilities and strategies. The overarching strategy must focus on revenue protection.

Revenue protection is the primary goal of any fraud protection team. Revenue protection is supported by building trust with the customer, a streamlined and delightful customer experience, and high-fidelity identification and prevention of fraudulent activity. In order to facilitate these objectives, common capabilities and technologies at many levels of the capability maturity model should be employed for use cases that span account creation and underwriting activities, account access and identity and access management (IAM) activity, account maintenance, customer service activity, and transactional events. The use of common capabilities across the customer life cycle increases understanding of good behaviors and the ability to detect nuanced anomalies that indicate malicious activity.

Fraud prevention leaders and their counterparts in application and information security, underwriting, and IAM must articulate the benefits of a robust and adaptive fraud prevention platform. Such a solution should offer orchestration capabilities and functionality that go beyond loss prevention and into revenue generation. In deploying these solutions, enterprises should strive for less friction in the customer experience.

One of the biggest assists an organization can unwittingly provide a fraudster gang is to fail to align and engage across all channels — for example, treating the call center (or the written correspondence processing area) as an isolated silo, and failing to connect with other fraud systems. One challenge that can occur is where organizational dynamics are insufficiently flexible to allow the implementation of a common fraud strategy. Allowing gaps in fraud strategy provides the adversaries with footholds to exploit.

Case Study

A retirement fund used third-party financial advisors to act as sales agents. As small independent operators, some of these financial advisors had lax data security practices and exposed sensitive client data on their laptops.

This information was enough to allow two paths of attack:

Both attack paths resulted in an out-of-band exfiltration instruction — a skillfully crafted letter directing funds to be transferred to an unauthorized offshore account.

A holistic, cross-channel fraud detection and prevention platform would have identified the combination of high-risk activities and stopped the exfiltration of funds.

Evidence

1. "The Staggering Cost of Fraud," 2016 Global Fraud Study, Association of Certified Fraud Examiners (ACFE).

2. See "2017 Credential Spill Report," Shape Security, January 2017, and A. Gott, "Keep Your Friends Close and Your Passwords Closer," LastPass, 18 February 2016.

3. "Sanctions and AML Compared and Contrasted: 15 Things You Should Know," ICAEW (The Institute of Chartered Accountants in England and Wales).

Note 1. Renaming "Identity Proofing" to "Identity Corroboration"

In industry, there is a loosely defined term of "identity proofing." This covers validation and corroboration of identities through analysis of physical documents, searches of identity data brokers and activities designed to bring the risk of transactions with unknown parties within risk tolerance. As part of Gartner’s aim to bring clarity and definition to the IT industry, we felt that "identity corroboration" is a more appropriate term; "proofing" implies an absolute, and this process actually brings the risk of an identity assertion within organizational risk tolerance.

© 2017 Gartner, Inc. and/or its affiliates. All rights reserved.