Tackling Fraud
About this ebook
The threat landscape is developing at such a rate that traditional IT security controls can no longer protect us. Legacy IT security mechanisms rely on rules and signatures for known threats coming from the outside. But today the threats are coming from inside. The risks come from malicious employees, stealthy malware and remote access Trojans. Innocent employees are not safe from this scourge either: they are being fired and their reputations ruined because they are deemed to be collaborating with the attackers. Of course it is not them; it is the embedded Trojans that take over their accounts, mimic their work and execute fraudulent transactions, and the losses are staggering. Furthermore, payment and fund-transfer fraud is escalating because we can never be certain who is driving the transaction. We see increasing examples of friendly fraud, CEO fraud and insider fraud, even account takeovers, that deprive businesses and their customers of their legitimate funds because we cannot be sure who is making the transfer.
But it doesn't have to be that way. Behavioural biometric analysis, empowered by machine learning, can profile employee and customer activity and flag anomalies in user behaviour. As a result, strange actions that fail to match a profile will almost instantly trigger an alert, preventing fraudulent or malicious activity and, more importantly, protecting the innocent from being blamed for the actions of another, fraudulent actor.
Book preview
Tackling Fraud - Alasdair Gilchrist
Chapter 1 – Establishing Identity
Defining Identity
Uniqueness
Entropy: a measure of uniqueness
Unbundling Characteristics
Verifying Vs. Revealing
The Promise of Unbundling
Privacy: Type I Unbundling
Anonymity: Type II Unbundling
Enabling Technology
Chapter 2 - Identity as a Commodity
Direct Marketing
Cookies
Third Party Cookies
Private Browsing
Device Fingerprinting
Chapter 3 - Digital Identity and the Internet Economy
How does digital identity management work?
Why did the Old Processes Fail?
The Regulatory Response
What Is Strong Authentication?
When Are Stronger Controls Necessary?
Responding to the Challenges of Authentication
Risk Management Procedures
Authentication—One Part of Risk Assessment
Chapter 4 - Digital Identity Techniques
The Post-Breach Era
Major Breaches and their Effects
The Effects of Phishing
Strong Authentication Paradox
Building Trust
Identities for Sale
Account Take Over
Identity Theft
The need for Digital Identity
Behavioural Analysis
Chapter 5 - Behaviour as an authentication factor
Introducing Behavioural Biometrics
Anatomical-Physiological Biometric Characteristics
Behavioural Biometric Factors
Human Behavioural Patterns
Components of Behavioural Biometrics
Smart Sensors
Machine Learning / Deep Learning
Combining Traditional and Biometric Factors
Building a Digital Identity
Behavioural Biometrics techniques
Chapter 6 - The Threat and Vulnerability Landscape
Headline Fraud Events
Banking Fraud
What is Bank Fraud
Types of Bank Fraud
Insider Fraud
Dormant Account Take Over
Common Types of Insider Fraud
The Scale of Insider Fraud
Fraud Detection and Mitigation
The 4-Eye Principle
The 6 Stages of Fraud
Banking Malware
Carbanak
How Carbanak Was Launched
Silence Trojan
Ordinaff
What Could Have Been Done to Foil This Attack?
TrickBot Banking Trojan
The Ongoing TrickBot Attack
Network Breaches
Retail Threats and Vulnerabilities
Drive-By and Side-Channel Exploits
Point of Sale Attacks
Technology Sector
Business & Enterprise Threats
CEO Fraud
Chapter 7 - Mitigating Risk and Avoiding Threats
Keystroke Dynamics
Advantages of Keystroke Dynamics
Disadvantages of Keystroke Dynamics
Mouse Dynamics
Mobile Touch screen Biometrics
Chapter 8 - Digital Identity and Machine Learning
How Digital Identities Can Help Businesses:
Insurance
Lending
Media
Payments
Travel
Behavioural Biometrics – IoT and AI
Chapter 9 - Taking a Risk Based Analysis Approach
Dealing with Variance
Coping with Risky Behaviour
The Power of Inference
Creating a Network Effect
How active sessions can be hijacked
The Point of Determination
MiTB and MiTMo Attack Vectors
Chapter 10 - Behavioural Analysis and Security
Behavioural Analytics versus Cohort Analytics
Identifying Anomalies with Behavioural Analytics
Practical Aspects of Security
Three Tips for Implementing Security Behavioural Analytics
Chapter 11 - Machine Learning and Fraud Detection
Predictive Analysis
Optimized fraud risk algorithm
Pattern Recognition
Optimized fraud risk algorithm
Multi-Dimensional Algorithms
Chapter 12 - PSD2 and Continuous Authentication
Data Privacy
The Payment Landscape
The role of the PSP
Online Payment Risk
The Territorial Scope of PSD2
Customer Security Awareness
The Online Payment System
How Online Payments Work
How does an online transaction work?
Online Transactions and Secure Customer Authentication
Balancing PSPs, Merchants, and Customers
Behavioural Biometrics
Behavioural Biometrics and Privacy Law
Behaviour Biometric Techniques
Keystroke Dynamics
Mouse Biometrics
Multi-Modal Biometrics
Scientific View of Behavioural Biometrics
Integration of Behavioural Biometrics for PSPs
Typical deployment Architecture
Frictionless and Secure
Behavioural Biometrics – User Friendly Security
Use Cases
Continuous Authentication
Risk-Based Authentication
Insider Threat Detection
Fraud Detection and Prevention
Accuracy/Performance
Privacy
Outlook
Chapter 13 – Digital Identity Management
What are the policy challenges?
eIDAS
What Are the Benefits of eIDAS?
Who is eIDAS for?
Assurance Levels
eIDAS Regulations for the Trusted Services Provider
Summary
Chapter 13 - User + Entity Behaviour Analysis
Bringing it all together with UEBA
Putting it all together – A Use-Case
Summary
Chapter 1 – Establishing Identity
For digital businesses, whether they are banks, other enterprises or retailers, identifying consumers accurately is their best defence against fraud, as it follows the principle of "know your customer". Therefore, the stakes are high. Yet poor, disjointed identity assessment and authentication leads to a poor, disjointed digital experience for the consumer. Shifting the responsibility onto the consumer to authenticate themselves leads inexorably to inconsistent decisions and, ultimately, to lost customers and profits.
Defining Identity
Today there is no generic system deployed pervasively in online systems for identification purposes. It is still not feasible to identify a person, or for that matter an entity, with certainty via a set of generic identity characteristics. Instead there is an abundance of diverse techniques, deployed according to the risk appetite of the organisation.
This is partly because, although an identity is simply a collection of verifiable characteristics, and although it is unique to that individual or entity, those characteristics can be verified with many different levels of confidence. The characteristics used can be either inherent or assigned by another party, and so not all characteristics carry the same importance or weight. For example, the colour of a person's hair, their height, build and other physical characteristics are all part of a person's identity, but on their own they are insufficient to identify an individual. However, if we know a person's gender, their date of birth and perhaps their postcode (ZIP code), then that combination may well be sufficient to identify a subject.
In real-world transactions, say in a retail store, an individual inherently carries some of the characteristics that form the identity of the person originating the transaction. Generally, physical traits are visible during a transaction: for example, when someone purchases a book from a book store, the book dealer may remember the buyer's race, gender, hair colour, height or build.
In cyberspace, however, we do not have the luxury of being presented with a set of inherent identity characteristics, and this is perhaps the major difference between real space and cyberspace: there is no secondary information at hand. This is because digital transactions are just the communication of a stream of binary bits, which carry no separate information relevant to identity. In a real-world transaction there is a multitude of inseparable secondary information available to both parties to authenticate one another when interacting. For example, a customer will be confident that they are dealing with a reputable dealer because of its high-street presence and shop frontage. This does not apply in an online transaction. Thus, for authentication purposes, additional information needs to be transmitted to enable identification and authentication, such as the store identifying itself via a trusted digital certificate.
Uniqueness
An important principle of determining an online identity is that no two identities should be the same. However, that requires each identity to map to a unique set of characteristics. The issue is that two people may share some of the same characteristics, such as gender, age, height, race, hair and eye colour, but that does not mean they have the same identity. After all, not even identical twins have the same identity, even though they share all physical characteristics including their DNA. Therefore, when two identities have sets of characteristics that are the same, there will be a need to search for new information that adds details distinguishing the identities from each other, such as a name, address or social security number. Identity is therefore a multi-faceted concept, and it does not apply only to humans: it also relates to things such as animals, companies, machines, devices and sensors, as in the Internet of Things.
To address this, there is a mathematical quantity that lets us measure how close a characteristic comes to uniquely revealing somebody's online identity. That quantity is called entropy, and it is usually measured in bits.
Entropy: a measure of uniqueness
Intuitively, you can think of entropy as a generalization of the number of different possibilities for a random variable: if there are two possibilities, there is 1 bit of entropy; if there are four possibilities, there are 2 bits of entropy, and so on. Each additional bit of entropy doubles the number of possibilities.
Because there are around 7.5 billion humans on the planet, the identity of a random, unknown person contains just under 33 bits of entropy (two to the power of 33 is about 8 billion). When we learn a new fact about a person, that fact reduces the entropy of their identity by a certain amount. There is a formula for how much, where Pr(X=x) is the probability that the characteristic X takes the observed value x:
ΔS = - log2 Pr(X=x)
Moreover, identity also evolves over time, as more information is gathered and more characteristics become evident every day. An analogy is with identical twins: they share the same DNA and so are considered identical, yet they are not, because they develop differently both within the womb and as they grow as children, picking up a knock here and a scar there. Consequently, by the time they reach adulthood there will be many diverse characteristics useful in their identification, such as a visible scar, a broken nose, dental records, x-rays and of course their fingerprints. With online systems such as ecommerce, a customer's identity will likewise be embellished every time they visit the online store, as both their browsing habits and their preferences are recorded and added to their ever-growing profile. When they make a purchase, this too embellishes their profile, as does the payment and delivery method they choose, and all this information can be amalgamated into an identity classifier set pertaining to that individual.
The distinction between characteristics, classifiers and identity is not standard and often depends on the nature of the transactions. For example, take the earlier entropy formula:
ΔS = - log2 Pr(X=x)
and apply it to some different characteristics to demonstrate the point.
Starsign: ΔS = - log2 Pr(STARSIGN=Capricorn) = - log2 (1/12) = 3.58 bits of information
Birthday: ΔS = - log2 Pr(DOB=2nd of January) = -log2 (1/365) = 8.51 bits of information
Note that if you combine several facts, you might not learn anything new; for instance, knowing someone's starsign reveals nothing new if their birthday is already known.
What happens when facts are combined depends on whether the facts are independent. For instance, if you know someone's birthday and gender, you have 8.51 + 1 = 9.51 bits of information about their identity, because the probability distributions of birthday and gender are independent. The same is not true for birthday and starsign: if we know someone's birthday, then we already know their starsign, and being told their starsign does not increase our knowledge. Hence the goal is to calculate the change in the conditional entropy of the person's identity, taking all the observed variables into account, which means deriving the probability of each new fact conditional on all the facts we already know.
Hence we have:
ΔS = -log2 Pr(Gender=Female | DOB=2nd of January) = -log2 (1/2) = 1 bit, and
ΔS = -log2 Pr(Starsign=Capricorn | DOB=2nd of January) = -log2 (1) = 0 bits.
In between cases are also possible: if I knew that someone was born in December, and then I learn that they are a Capricorn, I still gain some new bits of information, but not as much as I would have if I hadn't known their month of birth:
ΔS = -log2 Pr(Starsign=Capricorn | month of birth=December) = -log2 (10/31) = 1.63 bits.
In the examples above, each starsign and birthday was assumed to be equally probable. The calculation can also be applied to facts with non-uniform likelihoods. For instance, the likelihood that an unknown person's ZIP code is 90210 (Beverly Hills, California) is different from the likelihood that their ZIP code is 40209 (part of Louisville, Kentucky). As of 2017, there were 22,330 people living in the 90210 area, only 350 in 40209, and around 7.625 billion on the planet.
Knowing my ZIP code is 90210: ΔS = - log2 (22,330/7,625,000,000) = 18.21 bits
Knowing my ZIP code is 40209: ΔS = - log2 (350/7,625,000,000) = 23.81 bits
As of 2017, identifying someone from the entire population of the planet required:
ΔS = -log2 (1/7,625,000,000) = 32.6 bits of information.
Conservatively, we can round that up to 33 bits.
So, for instance, if we know someone's birthday and we know their ZIP code is 40209, we have 8.51 + 23.81 = 32.32 bits; that is almost, but perhaps not quite, enough to know who they are: there might be a couple of people who share those characteristics. Adding their gender, another 1 bit, gives 33.32 bits, and we can probably say exactly who the person is.
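To make the arithmetic above concrete, here is an added Python example (not from the book) that estimates ΔS = -log2 Pr(X=x | known) by counting candidates in a constructed universe of equally likely (birthday, gender) pairs. Star signs are derived from the date rather than assumed uniform, so Capricorn's prior comes out at 29/365 rather than the 1/12 used above; the birthday, gender and conditional star-sign figures match the page, and the total is the same whichever order the facts are learned in, which is exactly what conditioning on the facts already known buys you.

```python
"""Entropy bookkeeping for identity facts (added example, not the book's own code).

Each fact is a predicate over a constructed universe of equally likely
(birthday, gender) pairs. The bits a fact reveals, given what is already
known, follow the page's formula  dS = -log2 Pr(X = x | known facts).
"""
import math
from datetime import date, timedelta

WORLD_POPULATION = 7_500_000_000   # the page's "around 7.5 billion" figure
GENDERS = ("F", "M")
# Constructed universe: one non-leap year, every (date, gender) equally likely.
UNIVERSE = [(date(2001, 1, 1) + timedelta(days=i), g)
            for i in range(365) for g in GENDERS]

# Western zodiac start dates as (month, day); Capricorn also covers 1-19 January.
ZODIAC_STARTS = [
    ((1, 20), "Aquarius"), ((2, 19), "Pisces"), ((3, 21), "Aries"),
    ((4, 20), "Taurus"), ((5, 21), "Gemini"), ((6, 21), "Cancer"),
    ((7, 23), "Leo"), ((8, 23), "Virgo"), ((9, 23), "Libra"),
    ((10, 23), "Scorpio"), ((11, 22), "Sagittarius"), ((12, 22), "Capricorn"),
]

def starsign(d):
    """Zodiac sign derived from the date (so signs are not exactly 1/12 each)."""
    sign = "Capricorn"
    for start, name in ZODIAC_STARTS:
        if (d.month, d.day) >= start:
            sign = name
    return sign

# Facts are predicates over one universe element (birthday, gender).
def born_on(month, day):
    return lambda u: (u[0].month, u[0].day) == (month, day)

def born_in_month(month):
    return lambda u: u[0].month == month

def has_gender(g):
    return lambda u: u[1] == g

def has_starsign(name):
    return lambda u: starsign(u[0]) == name

def information_gain(fact, known=()):
    """Bits revealed by `fact` given `known`: -log2 of the fraction of the
    still-possible candidates that also satisfy `fact`."""
    candidates = [u for u in UNIVERSE if all(k(u) for k in known)]
    matching = [u for u in candidates if fact(u)]
    if not matching:
        raise ValueError("fact contradicts what is already known")
    return -math.log2(len(matching) / len(candidates))

def total_information(facts):
    """Sum the gains fact by fact, conditioning each on the facts before it,
    so dependent facts (birthday, then starsign) are not counted twice."""
    return sum(information_gain(f, facts[:i]) for i, f in enumerate(facts))

def bits_to_identify(population=WORLD_POPULATION):
    """Entropy of an unknown member of the population: log2(N)."""
    return math.log2(population)

def expected_candidates(facts, population=WORLD_POPULATION):
    """How many people in the population are expected to share all the facts."""
    return population / 2 ** total_information(facts)

if __name__ == "__main__":
    known = [born_on(1, 2), has_gender("F")]
    print(f"birthday + gender: {total_information(known):.2f} bits "
          f"of the {bits_to_identify():.2f} needed to single someone out")
    print(f"starsign on top adds {information_gain(has_starsign('Capricorn'), known):.2f} bits")
    print(f"people expected to share birthday + gender: {expected_candidates(known):,.0f}")
```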
Nonetheless, in virtually all cases it is a single unique characteristic that serves as the main representation, or identifier, of an identity. This is as much to do with database schemas as anything else, but having one unique characteristic, even if it has to be constructed and issued, such as a member ID, makes fast, efficient and unique identification much easier. For example, each person's social security number is unique and can be used to identify an individual. However, the level of identity required matters: although a social security number may be a unique identifier, it may not be a suitable identity characteristic in all cases. A Social Security Number may be mandatory for government or health-care business, but it is too much information for most other ecommerce or business purposes. Hence it is the requirements of the transaction that determine how much of one's identity is required. Some transactions do not need to uniquely identify the purchaser, such as in a bar or restaurant, where all that is required is some proof that you are of legal age to purchase alcohol. Other transactions do depend on the unique identification of the individual, which requires knowledge of an identifier, such as an ecommerce store, where orders and billing must be assigned to a unique customer account and identity. Finally, some situations, as we have seen, require full knowledge of a person's identity, such as tax, health care or any other communication with the government.
In real-world transactions we deal with large sets of characteristics, as it is difficult for the parties to selectively withhold or reveal portions of their identity: most forms of identification contain more information than is needed for any one transaction. For example, a driver's licence may carry the identity characteristics of a name, address and date of birth, but it may also carry a picture that confirms the individual's physical characteristics, providing greater confidence that the holder is who they claim to be and not just someone in possession of the licence. Unfortunately, many of these secondary characteristics of identity are not typically available in online transactions. Hence, in contrast to real-world scenarios, efficient online transactions need to handle only portions of identity: subsets of characteristics that can be disassociated and verified on their own by a third party. This unbundling of a person's identity characteristics raises several issues, for it is no longer as easy or straightforward to verify a person's real-world identity once the secondary characteristics are lost. Yet it can still fulfil the requirement of uniqueness in an online environment, and it also enables several other intriguing possibilities.
Unbundling Characteristics
The unbundling of certain characteristics from a complete identity set is necessary in order to separate and process individual characteristics or single traits of identity. Unbundling makes it possible to exchange identity information at a level that is sufficient, mutually acceptable and easily verified. Unbundling specific characteristics also provides for efficient authentication via the least revealing means, such as a combination of the weakest traits, i.e. username and password. Furthermore, it creates the framework for anonymous transactions, as it is then possible merely to verify the chosen identity information without ever revealing the person's name, address or any personally identifiable information (PII), as when verifying against an anonymous email address. The really important point, however, is that it enables online users to control the relationship, and the strength of the link, between their real-world and online identities.
What this means is that, in cyberspace, the ability of users to unbundle their identity characteristics at the granularity they are comfortable with lets them separate their actual identity from their interactions, content and transactions. Hence the famous internet meme, "On the internet, no-one knows you're a dog!" As we will see later, this supposed internet anonymity is largely a fallacy.
Of course, when an individual restricts the identity traits they are willing to reveal to a website, they seriously weaken the link between their online and real-world identities. For example, for most non-commercial websites a simple