E-guide Web Fraud Protection Buyer’s Guide part 1 Your expert guide to web fraud protection

Source: cdn.ttgtmedia.com/searchSecurity/downloads/Web_Fraud... · 2016. 7. 28.

E-guide

Web Fraud Protection Buyer’s Guide – part 1 Your expert guide to web fraud protection

In this e-guide

Introduction to Web fraud detection systems

Four enterprise scenarios for Web fraud detection systems

Introduction to Web fraud detection systems

Ed Tittel

Expert Ed Tittel explores the purpose of Web fraud detection systems and services, which are designed to reduce the risks inherent in electronic payments and e-commerce.

Each U.S. consumer has, on average, at least one credit card and two bank cards that are used to make in-person and online purchases, pay bills and send money to others. Collectively, U.S. consumers make billions of noncash transactions every year, which are prime targets of cybercriminals looking to walk away with as much of that money as they can.

Although the rate of cybercrime and attempted fraud increases each year, the portion of e-commerce revenue lost to fraud by North American merchants is just under 1%, according to the 2014 CyberSource Online Fraud Report, and that number has remained fairly static since 2010. Experts point to the efficient management of Web fraud as the key reason. Even so, payment fraud is a great concern to consumers, and merchants and financial institutions take the hit for most of the money lost as a result of fraud, in the form of refunds and chargebacks.


What is Web fraud detection?

Organizations that accept payment cards over the Web -- also referred to as "card not present (CNP)" transactions -- or organizations that back those payments deploy Web fraud detection software or services to detect and help prevent fraud.

Web fraud detection systems typically focus on new account origination, account takeover and payment fraud. With account takeover and new account origination fraud detection, organizations attempt to root out unauthorized or fraudulent users posing as legitimate users. Payment fraud detection involves determining whether purchases are being or have been made with stolen payment cards. Some vendors also offer fraud intelligence services, authentication, malware detection (such as man-in-the-browser infections on computers and mobile devices) and secure clients, as well as managed services in which the vendor is primarily responsible for monitoring and taking action on instances of fraud.

Web fraud detection system vendors generally provide either an on-premises software product or platform, or cloud-based software as a service (SaaS), that scans financial transactions made via the Web or by using mobile devices.


How does a Web fraud detection system work?

Web fraud detection software (or a cloud-based service) runs background processes that scan transactions and score them based on the likelihood of fraud. Many different data points are considered to determine the score, such as user behavior, device ID, other device characteristics, geolocation, order links and so on. The data is then compared against "normal" attributes. If the transaction is deemed valid, it's allowed and processed. If the transaction falls outside of an accepted range, an alert is issued and the transaction may be automatically suspended or denied.

To detect fraud, vendors typically use a predictive behavioral scoring model, in which an account holder's behavior is the predominant criterion, or a rule-based system that uses pattern recognition. Some products or services use both types of scoring models.

Even with automated systems available, organizations still need to manually analyze certain transactions, such as those that an automated tool flags as fraudulent.


Who needs Web fraud detection services?

Organizations of all sizes (SMBs to enterprises) that deal with any volume of CNP transactions that is too burdensome or time-intensive to review manually should have some type of fraud detection in place. Types of customers include banking and financial services institutions, e-commerce merchants, human resources and payroll services, and social networking sites -- just to name a few. Plus, Web fraud detection services help organizations meet Payment Card Industry Data Security Standard requirements.

How is Web fraud detection sold?

SaaS offerings are the most straightforward approach to Web fraud detection. A customer simply signs up for a service and agrees to pay a monthly fee based on the number of anticipated transactions or a similar metric. The customer can scale the fraud detection service up or down as its needs change.

On-premises software requires an upfront cost for the software, and any hardware and infrastructure upgrades required to support the software. Companies that lack a full-time security support team (which are most often small to midsize) may need to pay the vendor for initial setup just to get the software up and running properly, and may need minimal staff training.


Managing and supporting Web fraud detection

Web fraud detection management and support varies depending on how it's implemented.

SaaS-based Web fraud detection is hosted by a service provider; customers access the service through a configuration interface to customize settings and perform typical administrative tasks.

On-premises Web fraud detection systems require more administrative effort for installation and maintenance of the server on which the software runs, the software itself, and the customer's network infrastructure.



Moving on

Web fraud detection systems and services can't detect every instance of fraud, but they greatly reduce a merchant's or financial institution's risk and provide a high level of protection to consumers.

The next article in this series on Web fraud detection looks at use cases of these products to pinpoint the types of organizations that benefit from their implementation.



Four enterprise scenarios for Web fraud detection systems

Ed Tittel

Expert Ed Tittel describes use cases for Web fraud detection systems and products and explains how they can increase account and transaction security.

While consumers use a mix of Web browser settings and protection software to help defend against malware and malicious attacks, they expect organizations to be much more vigilant and highly protective of their data. Essentially, consumers expect organizations to be bulletproof. The problem is that no company or government agency is immune from cyberattacks. In fact, they face a barrage of attacks almost continuously.

Organizations that allow users to create online accounts and/or those that engage in online financial transactions need Web fraud detection systems as part of a layered defense to detect fraud and help protect confidential assets. These organizations are at risk for bogus account origination, account takeover and payment fraud, to mention a few. And, because of the nature of the business in which they engage, most of these organizations are required to comply with one or more U.S. regulations and standards, such as the Gramm-Leach-Bliley Act and the Payment Card Industry Data Security Standard. Web fraud detection systems can go a long way toward helping organizations meet requirements and maintain compliance.

The following sections describe industries that are particularly susceptible to Web fraud and how Web fraud detection systems have reduced risk as well as chargebacks and other losses.

Use case #1: Banking and financial services

According to the Kroll 2013/2014 Global Fraud Report, about 75% of financial institutions have experienced fraud, second only to manufacturing, and 29% of the institutions have experienced information theft, loss or attack. The banking and financial services industry is often cited as one of the most victimized industries.

With millions of people and companies conducting online banking every day, many Web fraud detection (WFD) vendors zero in on the needs of the financial services industry. Web fraud detection systems use behavioral or rule-based analytics to monitor online activity and account holder behavior to detect and respond to suspicious activity. For example, a WFD tool would be able to detect an online banking customer adding a new payee to his or her account and then immediately making a payment to that payee. A WFD product may also monitor for phished credentials, malware infections and spoofed devices, as well as provide highly effective end-user device or browser protection by blocking threats at the source -- preventing them from affecting the transaction process.
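As an added illustration (written for this edit, not code from the e-guide or from any WFD vendor) of the scoring flow described under "How does a Web fraud detection system work?" and of the new-payee-then-immediate-payment pattern in this use case, here is a toy rule-based scorer; the rules, point values, thresholds, account profile and transactions are all constructed assumptions:

```python
from __future__ import annotations
from dataclasses import dataclass, field

REVIEW_AT, DENY_AT = 40, 70  # score thresholds (constructed; real systems tune these)
PAYEE_WINDOW = 600           # seconds: the "new payee, then immediate payment" rule

@dataclass
class Profile:               # the account holder's "normal" attributes (constructed)
    usual_country: str
    known_devices: set[str]
    payees: set[str] = field(default_factory=set)
    payee_added_at: dict[str, int] = field(default_factory=dict)  # payee -> epoch secs

@dataclass
class Txn:                   # one scanned event; kind is "add_payee" or "payment"
    kind: str
    payee: str
    country: str
    device_id: str
    ts: int                  # epoch seconds

def score(p: Profile, t: Txn) -> tuple[int, list[str]]:
    """Rule-based scoring: every rule that fires adds points and records a reason."""
    pts, why = 0, []
    if t.device_id not in p.known_devices: pts += 30; why.append("unknown device")
    if t.country != p.usual_country: pts += 25; why.append("geolocation outside profile")
    if t.kind == "payment":
        if t.payee not in p.payees: pts += 50; why.append("payment to unknown payee")
        elif t.ts - p.payee_added_at.get(t.payee, 0) < PAYEE_WINDOW:
            pts += 45; why.append("payment right after payee was added")
    return pts, why

def decide(pts: int) -> str:
    """Map a score to the guide's outcomes: allow, flag for manual review, or deny."""
    return "deny" if pts >= DENY_AT else "review" if pts >= REVIEW_AT else "allow"

def process(p: Profile, t: Txn) -> tuple[str, int, list[str]]:
    pts, why = score(p, t)
    verdict = decide(pts)
    if t.kind == "add_payee" and verdict != "deny":  # a denied add never becomes "normal"
        p.payees.add(t.payee); p.payee_added_at[t.payee] = t.ts
    return verdict, pts, why

def demo() -> list[str]:  # a constructed account walked through the guide's scenarios
    p = Profile("US", {"dev-A"})
    steps = [Txn("add_payee", "acme", "US", "dev-A", 1000),
             Txn("payment", "acme", "US", "dev-A", 1060),   # paid 60 s after adding
             Txn("payment", "mule", "RO", "dev-Z", 1100),   # new device, country, payee
             Txn("payment", "acme", "FR", "dev-B", 99999)]  # travelling customer
    return [process(p, t)[0] for t in steps]
```

The last transaction is a legitimate customer on a new phone abroad who lands in manual review rather than being served: the false positive that the retail use case below warns about, and the reason thresholds and rule weights need tuning against real traffic.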

Use case #2: Retailers and e-commerce

Although credit card photos and real-time checking account verification have helped reduce some types of fraud at in-store points of sale, online fraud remains a growing threat for the retail and e-commerce industry.

These organizations must protect transactions and confidential information while providing an optimal shopping experience in order to gain new customers and keep current customers satisfied. Industry players require Web fraud detection systems that provide insight into customer purchasing behavior and can detect fraud with high accuracy and minimal false positives.

Note: A false positive occurs when a customer tries to make a legitimate transaction that is blocked, perhaps because the transaction was made in a city, state or country other than where the person normally conducts business. False positives are a pain for the customer, and they cost retailers money in the form of additional customer support and/or lost sales.


Use case #3: Social networking

Social networking users are exposed to serious and widespread threats every day, from social engineers posing as legitimate users or companies, to account takeovers, to phishing and pharming attacks.

Note: Phishing and pharming attacks use legitimate-looking links that fool people into clicking them. Once clicked, a malicious file with malware may run and gather data from the user's computer, or the user is redirected to a fraudulent website in order to extract confidential data.


Any company that hosts a social networking site must be concerned with security to protect its visitors and its brand. Consider a financial institution that uses social media to engage with its customers or to market services and solicit applications for new accounts. If a malicious user spoofs the site, he or she can easily post a phony application that gathers personal information from unsuspecting users and then steal their identities or withdraw funds from their bank accounts. The victim company's reputation will be tarnished, at a minimum, and existing customers may lose trust and move to a different company.

Companies can use WFD to monitor social media and other websites for brand mentions, identify social media threats quickly and take appropriate action.

Use case #4: Government agencies

Many government entities conduct business with consumers and employees on the Web, such as administering student loans and mortgages, issuing Social Security cards, accepting tax payments and administering payroll direct deposits. Although agencies are required to use strong security measures, they are also prime targets for attackers and are extremely susceptible to account takeovers, access credential theft and fraudulent transactions.

A comprehensive Web fraud detection system protects user logins, performs device profiling and analyzes user identities and behavior to detect risky situations, such as attempted logins using stolen credentials, botnets employing a password-guessing algorithm, and replay attacks or session hijacks.

The benefits of Web fraud detection systems

In addition to the industries featured in this article, many more can benefit from Web fraud detection systems, such as payroll services, payment aggregators, healthcare providers, the insurance industry and more. Once the need for WFD is established, the next step is to select a product that best meets an organization's unique needs. Find out about the WFD purchase selection process in the next article in this series.

About the author

Ed Tittel is a 30-plus year IT veteran who's worked as a developer, networking consultant, technical trainer, writer and expert witness. Perhaps best known for creating the Exam Cram series, Ed has contributed to more than 100 books on many computing topics, including titles on information security, Windows OSes and HTML. Ed also blogs regularly for TechTarget (Windows Enterprise Desktop), Tom's IT Pro, GoCertify and PearsonITCertification.com.