A year after the Twitter-AP event, new security vulnerabilities and breaches (Heartbleed, Target, to name a few) continue to be in the weekly headlines. Organizations affected by those events have taken some measures to prevent them from happening again, and the largest financial services companies are investing heavily in cyber security. JPMorgan Chase, the nation’s largest financial institution, recently announced they are investing in additional layers of security, to the tune of $250 million annually and 1,000 people dedicated to the effort. Other organizations with high-value data and assets should follow that trend, and make a real assessment of their current solutions to see if they really help them combat cyber attacks and fraud in an effective way.
Today, a good number of leading financial institutions worldwide still use anti-fraud solutions initially developed in the early 2000s. Those solutions were the first to penetrate the market, especially in the US, in the wake of the 2005 FFIEC guidance. They were built before Zeus, Point of Sale (POS) malware and mobile Trojans existed.
These first-generation solutions use old concepts and approaches to detect and mitigate fraud. One example is the use of the browser user-agent string to identify a customer's device. Originally a marketing signal, it has been used for the past 10 years to assess the risk of any given device. The problem with the user-agent string is that it is supplied by the client: it can be faked, and users can hide it. In my previous job, when doing forensic analysis after fraud was reported, we often found that the fraudster had been able to spoof their device to make it appear like the customer's device.
Newer solutions don't rely on old, easily bypassed signals like the user-agent string. So why are organizations slow to retire first-generation anti-fraud solutions? I see two key reasons:
- First-generation anti-fraud solutions are mostly repurposed infosec solutions, not initially built to combat online fraud. As a result, a dedicated technical team is often required to maintain these technologies. In addition, those teams may have developed their own tools to fully leverage those solutions and make them more effective for their organizations. Organizations have invested a lot of time and money in those tools over the last 10 years.
- These first-generation anti-fraud solutions are completely integrated within the online/mobile application layer, so any change required to benefit from the latest enhancements of those solutions translates into a tremendous amount of work and months of regression testing of the entire online application.
The providers of those solutions continue to make small enhancements, but those enhancements remain largely ineffective against current threats.
Before joining Easy Solutions, I was product manager for several digital finance products built in the early 2000s. We enhanced the product year over year, but reached a point where the solution had reached its end of life, as small changes started to require months of work. Most of the time, it's cheaper to rebuild or re-architect the solution entirely than to try to patch existing solutions.
Technology solutions, over time, become ineffective due to new exploits that were not anticipated. Investing more in security needs to be a real investment in adding new tools to combat fraud. It should not be just hiring more people to manage the current tools, which by their nature become more expensive to manage over time.
Organizations must augment their security with new anti-fraud solutions that are adaptable, so they can easily be updated to keep up with the innovation from the attackers. Ease of deployment and the ability to integrate with the existing anti-fraud systems are key to staying current.
Some examples of modern anti-fraud technologies, which are challenging to architect into legacy solutions, include:
- Multi-layered security: Risk should be assessed with more than a user-agent string that provides browser and IP address information. Multi-layered security combining safe browsing, transaction monitoring and authentication has already been proven to reduce false positives and increase fraud detection.
- Cross-channel intelligence: The ability to correlate data gathered from one channel with events happening on other channels (cross-channel fraud detection). Traditional anti-fraud solutions are mostly siloed systems that can only monitor and detect fraud via a single channel (e.g. credit card fraud detection).
- Non-financial transaction patterns: The ability to correlate non-financial transaction patterns with financial transaction patterns in fraud detection. These are vital early warning signals for early detection of fraud attempts.
- Application logic layer separation: An architecture that separates the application logic layer from the security logic layer, allowing organizations to focus on their core business.
Enhancements to old technologies will not be able to address these challenges. Be future ready; don't settle for decade-old anti-fraud technology.
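To make the first three points concrete, here is an added example (not Easy Solutions' code, nor any product's scoring logic) of a small risk scorer that layers three checks over a constructed event stream: a device layer that compares several client-supplied signals instead of only the user-agent string, a cross-channel layer that correlates non-financial events (a contact-details change, a new payee) with a later transfer, and a transaction-monitoring layer. The customer id, channel names, event kinds, signal names, weights and thresholds are all constructed for illustration; the legacy UA-only check is included only to show why it passes a session that the layered check flags.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

@dataclass
class Event:
    ts: datetime
    customer: str
    channel: str                      # constructed channel names: "web", "mobile", "callcenter"
    kind: str                         # "login", "contact_change", "new_payee", "transfer"
    amount: float = 0.0
    device: Dict[str, str] = field(default_factory=dict)   # signals observed this session

# Constructed device profile: several signals recorded on past good sessions, not just the UA.
KNOWN_DEVICES = {
    "cust-001": {"user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
                 "tz": "America/New_York", "lang": "en-US", "screen": "1920x1080"},
}

def legacy_ua_only_risk(customer: str, device: Dict[str, str]) -> int:
    """The first-generation check the post describes: device identity == UA string."""
    known = KNOWN_DEVICES.get(customer)
    return 0 if known and device.get("user_agent") == known["user_agent"] else 40

def device_risk(customer: str, device: Dict[str, str]) -> int:
    """Layer 1 (device): a matching UA earns nothing on its own; each secondary
    signal that disagrees with the stored profile adds risk, which is exactly the
    pattern a copied UA string leaves behind."""
    known = KNOWN_DEVICES.get(customer)
    if known is None:
        return 40                                     # never seen: treat as unknown device
    mismatches = [k for k in ("tz", "lang", "screen") if device.get(k) != known.get(k)]
    ua_differs = device.get("user_agent") != known["user_agent"]
    return 20 * len(mismatches) + (10 if ua_differs else 0)

def cross_channel_risk(history: List[Event], event: Event,
                       window: timedelta = timedelta(hours=24)) -> int:
    """Layer 2 (cross-channel): non-financial events on any channel within the
    window raise the risk of this financial transaction; more so when the setup
    happened on a different channel than the payout."""
    if event.kind != "transfer":
        return 0
    score = 0
    for past in history:
        if past.customer != event.customer or past.ts > event.ts or event.ts - past.ts > window:
            continue
        if past.kind in ("contact_change", "new_payee"):
            score += 25
            if past.channel != event.channel:
                score += 15
    return score

def transaction_risk(event: Event) -> int:
    """Layer 3 (transaction monitoring): constructed amount threshold."""
    return 20 if event.kind == "transfer" and event.amount >= 5000 else 0

def score(history: List[Event], event: Event) -> dict:
    """Combine the layers; thresholds are constructed."""
    parts = {"device": device_risk(event.customer, event.device),
             "cross_channel": cross_channel_risk(history, event),
             "transaction": transaction_risk(event)}
    total = sum(parts.values())
    parts["total"] = total
    parts["decision"] = "step_up_auth" if total >= 60 else "review" if total >= 30 else "allow"
    return parts

# Constructed sessions. The spoofed one copies the customer's UA string exactly but
# the secondary signals betray a different machine.
T0 = datetime(2014, 6, 1, 9, 0)
GOOD_DEVICE = dict(KNOWN_DEVICES["cust-001"])
SPOOFED_DEVICE = {"user_agent": GOOD_DEVICE["user_agent"],
                  "tz": "Europe/Berlin", "lang": "de-DE", "screen": "1366x768"}
SAMPLE_EVENTS = [
    Event(T0, "cust-001", "callcenter", "contact_change"),
    Event(T0 + timedelta(hours=2), "cust-001", "web", "new_payee", device=SPOOFED_DEVICE),
    Event(T0 + timedelta(hours=3), "cust-001", "web", "transfer", 7500.0, device=SPOOFED_DEVICE),
]
LEGIT_TRANSFER = Event(T0 + timedelta(days=3), "cust-001", "web", "transfer", 200.0, device=GOOD_DEVICE)

def demo() -> dict:
    """Score the suspicious transfer and a routine one; returns both results."""
    return {"suspicious": score(SAMPLE_EVENTS, SAMPLE_EVENTS[-1]),
            "routine": score(SAMPLE_EVENTS, LEGIT_TRANSFER)}

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running it, the legacy UA-only check scores the spoofed session as the customer's own device, while the layered scorer accumulates 60 from the device signals, 65 from the call-centre contact change and the new payee that preceded the transfer, and 20 from the amount, and asks for step-up authentication; the routine transfer three days later from the known device scores zero on every layer.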