Posted by Mark Brousseau
By 2014, 15 percent of enterprises will adopt layered fraud prevention techniques for their internal systems to compensate for weaknesses inherent in using only authentication methods, according to Gartner, Inc.
Gartner analysts say no single layer of fraud prevention or authentication is enough to keep determined fraudsters out of enterprise systems. Multiple layers must be employed to defend against today's attacks and those that have yet to appear.
"Malware-based attacks against bank customers and company employees are levying severe reputational and financial damage on their victims. They are fast becoming a prevalent tool for attacking customer and corporate accounts, and stealing sensitive information or funds," said Avivah Litan, vice president and distinguished analyst at Gartner. "Fighting these and future types of attacks requires a layered fraud prevention approach."
Litan explained that while the layered approach to fraud prevention tries to keep the attackers from getting inside in the first place, it also assumes that they will make it in, and that multiple fraud prevention layers are needed to stop the damage once they do. She said that no authentication measure on its own, especially when communicating through a browser, is sufficient to counter today's threats.
Gartner breaks down fraud prevention into five layers:
Layer 1
Layer 1 is endpoint-centric, and it involves technologies deployed in the context of users and the endpoints they use. Layer 1 technologies include secure browsing applications or hardware, as well as transaction-signing devices. Transaction-signing devices can be dedicated tokens, telephones, PCs and more. Out-of-band or dedicated hardware-based transaction verification affords stronger security and a higher level of assurance than in-band processes do. The technologies in this layer can typically be deployed faster than those in subsequent layers and go a long way toward defeating malware-based attacks.
Layer 2
Layer 2 is navigation-centric; it monitors and analyzes session navigation behavior and compares it with navigation patterns that are expected on that site, or uses rules that identify abnormal and suspect navigation patterns. It's useful for spotting individual suspect transactions as well as fraud rings. This layer can also generally be deployed faster than those in Layers 3, 4 and 5, and it can be effective in identifying and defeating malware-based attacks.
Layer 3
Layer 3 is user- and account-centric for a specific channel, such as online sales; it monitors and analyzes user or account behavior and associated transactions and identifies anomalous behavior, using rules or statistical models. It may also use continuously updated profiles of users and accounts, as well as peer groups for comparing transactions and identifying the suspect ones.
Layer 4
Layer 4 is user- and account-centric across multiple channels and products. As with Layer 3, it looks for suspect user or account behavior, but it also offers the benefit of looking across channels and products and correlating alerts and activities for each user, account or entity.
Layer 5
Layer 5 is entity link analysis. It enables the analysis of relationships among internal and/or external entities and their attributes (for example, users, accounts, account attributes, machines and machine attributes) to detect organized or collusive criminal activities or misuse.
Litan said that, depending on the size and complexity of the end-user institution, implementing the systems that support a layered fraud management framework can take at least three to five years, especially when it comes to the upper layers — Layers 3, 4 and 5. These efforts are continuous, because fraud prevention rules and models require ongoing maintenance, tuning and care.
"Organizations don't have years to wait to introduce fraud prevention while malware-based attacks proliferate. We recommend starting with the first layer of this fraud prevention framework, as well as the second layer, resources permitting, since these can be deployed relatively quickly," says Litan. "Enterprises that start by deploying lower levels of the layered stack can help to stave off immediate threats, with the assurance that these layers are part of an overall strategy that relies on basic fraud prevention principles, such as user and account profiling that have generally stood the test of time."
What do you think?
Tuesday, May 24, 2011
Monday, March 14, 2011
BAI attendees look for new approach to fighting fraud
Posted by Mark Brousseau
Combating fraud -- and more efficiently and precisely identifying suspect transactions -- was the hot topic at last week's BAI Payments Connect conference in Phoenix, said US Dataworks (www.usdataworks.com) Product Manager Leilani Doyle (ldoyle@usdataworks.com).
"Here is the issue: financial institutions have fraud systems that send alerts each time a suspect transaction is identified," Doyle explained. "Seventy-five percent of these suspects prove to be false positives. Financial institutions need a better way to prune out the false positives with a higher percentage of accurately identified fraud."
"By using an enterprise fraud hub -- which consolidates payments and related data from various channels -- banks can reduce the number of false-suspect alerts they receive by more than 50 percent, without the risk of letting a higher number of fraudulent transactions slip through," Doyle said. "One bank did a presentation at the BAI conference explaining how breaking down payments silos would allow banks to more easily 'connect the dots' to identify systematic fraud. If payments silos do not share information, the ability to identify organized fraud is far more difficult -- if not impossible."
Another bank did a presentation at BAI Payments Connect on how it has used modeling to monitor a higher number of transactions while reducing the staff required for this function by over 30 percent.
Beyond fraud, another theme of the event was how banks can regain a competitive advantage in the payments space. Doyle noted that Federal Reserve Bank executive Richard Oliver gave an insightful presentation on how banks have lost their edge in transaction processing to non-bank competitors. Banks have been too slow to react to changing market demands, and this dawdling could eventually cause them to lose further ground to nimble competitors with more compelling products, she said.
The good news: Oliver said businesses still have tremendous trust in banks -- something that should not be discounted. But banks will likely have to partner with other entities to bridge their product gaps.
What do you think?
Thursday, February 4, 2010
Don't Turn Cybersecurity into a Bureaucracy
Posted by Mark Brousseau
New legislation being discussed in Washington runs the risk of turning cybersecurity into a bureaucracy. Wayne Crews, vice president for policy at the Competitive Enterprise Institute, thinks a better solution is to enhance private sector practices. He explains:
The House of Representatives is considering HR 4061, the Cybersecurity Enhancement Act. A solid Cybersecurity Enhancement Act might read “Title I: Stop losing federal laptops.” That’s too flip, but consider that there are cybersecurity risks to cybersecurity legislation.
Vulnerabilities in the government’s information security policies and the need to “bring government into the 21st century” have long been noted. But given the constant temptation by politicians in both parties to meddle with cybersecurity policy by steering research and development in unnatural directions, any poor decisions made at this juncture could undermine both public and private information security.
Politicians, especially in frontier industries like information technology, often take the easy path of seeking massive sums to establish taxpayer funded research grants for politically favored cybersecurity initiatives, set up redundant cybersecurity agencies, programs, and subsidies. This is precisely what the Cybersecurity Enhancement Act will do, potentially steering cybersecurity research away from its natural, safer, course.
Vastly expanding federal grants, fleets of scholarships and government-induced Ph.D.s in computer security is not the same as actually bolstering security, nor is there any reason the private sector cannot fund the training of its own such personnel or provide application-specific training as needed. Moreover, many serious security problems are not matters of new training but simply of embracing security “best practices” that already exist.
The Cybersecurity Enhancement Act amounts to pork, and the private sector can and should fund the training of America’s security experts. Online security is an immensely valuable industry today, and there is no shortage of private research incentive and potential profit.
Taxpayer-funded scholarships have already been extended to universities in countless respects, and incentives already abound for students to pursue technology careers. These new programs can easily grow beyond the proposed, already-generous bounds.
It’s beyond doubt that online security problems exist. Yet the tendency of cybersecurity today to be seen as an increasingly government-spearheaded function is worrisome. The taxpayer-funding approach can benefit some sectors and companies at the expense of competition and of computer security itself. Federal spending and intervention may encourage market distortion by skewing private investment decisions, or promoting one set of technologies or class of providers at the expense of others.
We need better digital equivalents of barbed wire and door locks, which private companies are constantly competing to improve. While government law enforcement agencies have a necessary role to play in investigating and punishing intrusions on private networks and infrastructure, government must coexist with, rather than crowd out, private sector security technologies. Otherwise we become less secure, not more.
A substantial government role invariably grows into an irresistible magnet for lobbyists and the creation of bloated “research centers” and could all too easily become the locus for establishing sub-optimal government authority over our most vulnerable frontier technologies and sciences.
The solution? Enhancing private sector cybersecurity practices.
Both suppliers and customers in the high-tech sector increasingly demand better security from all players. Improving private incentives for information sharing is at least as important as greater government coordination and investment to ensure security and critical infrastructure protection. That job will entail liberalizing critical infrastructure assets—like telecommunications and electricity networks—and relaxing antitrust constraints so firms can coordinate information security strategies and enhance reliability of critical infrastructure through the kind of “partial mergers” that are anathema to today’s antitrust enforcers.
The future will deliver authentication technologies far more capable than those of today. Like everything else in the market, security technologies—from biometric identifiers to firewalls to network monitoring to encrypted databases—benefit from competition. Private cybersecurity initiatives will also gradually move us toward thriving liability and insurance markets, to help address the lack of authentication and inability to exclude bad actors that are at the root of today’s vulnerabilities.
Security is an industry unto itself, let’s not turn it into bureaucracy.
What do you think?
Monday, April 20, 2009
Increased Fraud During Economic Crisis
Posted by Mark Brousseau
Intense financial pressure during the economic crisis has led to an increase of fraud, according to a survey of fraud experts conducted by the Association of Certified Fraud Examiners (ACFE). The survey also found that layoffs are leaving holes in organizations' internal control systems.
More than half (55.4 percent) of respondents said that the level of fraud has slightly or significantly increased in the previous 12 months compared to the level of fraud they investigated or observed in years prior. Additionally, about half (49.1 percent) of respondents cited increased financial pressure as the biggest factor contributing to the increase in fraud, compared to increased opportunity (27.1 percent) and increased rationalization (23.7 percent).
“The message to Corporate America is simple: Desperate people do desperate things,” said ACFE President James D. Ratley, CFE. “Loyal employees have bills to pay and families to feed. In a good economy, they would never think of committing fraud against their employers. But especially now, organizations must be vigilant during these turbulent times by ensuring proper fraud prevention procedures are in place.”
The study also found that:
... Employees pose the greatest fraud threat in the current economy. When asked which, if any, of several categories of fraud increased during the previous 12 months, the largest number of survey respondents (48 percent) indicated that embezzlement was on the rise.
... Layoffs are affecting organizations’ internal control systems. Nearly 60 percent of CFEs who work as in-house fraud examiners reported that their companies had experienced layoffs during the past year. Among those who had experienced layoffs, almost 35 percent said their company had eliminated some controls, while 44.2 percent said the layoffs had no effect on controls and only 3.2 percent said their company had increased controls.
... Fraud levels are expected to continue rising. Almost 90 percent of respondents said they expect fraud to continue to increase during the next 12 months. Additionally, the fraud most expected to increase is embezzlement.
What do you think? Post your comments below.
Economy Causing Fraud Concerns
Posted by Mark Brousseau
Two-thirds of consumers around the world believe that the current economic crisis has impacted their personal risk for ID theft or fraud, according to research conducted by Unisys.
The current global findings of the Unisys Security Index also show that fears about bank card fraud and identity theft have increased. These areas remain the top overall consumer concerns globally, where they have ranked since Unisys began the comprehensive biannual study in 2007, and the increase in ID theft fears reverses a small downward trend. In addition, the survey saw a 10 point increase in Internet security fears worldwide, which included near equal rises in concerns about online banking and shopping as well as computer viruses and spam.
“Our research is a wake up call to every organization that serves consumers since perception is reality, and security fears are clearly growing worldwide,” said Tim Kelleher, vice president and general manager, Managed Security Services, Unisys. “Not only do the vast majority of people believe that the current global financial crisis directly increases their personal risk of being an ID theft or fraud victim, but general concerns about online transactions, computer viruses, and meeting financial obligations all saw significant increases among consumers worldwide. While the economic environment is difficult, it is more imperative than ever that businesses and governments assuage these fears by investing in unified solutions that address all their security vulnerabilities.”
“We continue to see unique nuances around the world, which can provide insight for businesses and governments when developing security solutions and communicating to customers,” Kelleher said. “Enterprises need to take a more unified approach to security and consider both common worldwide threats and trends, and how these relate locally depending on market conditions.”
What do you think? Post your comments below.
Wednesday, March 25, 2009
Fraud Hits Financial Services Hardest
Posted by Mark Brousseau
Banks and financial services companies were the industry most commonly victimized by fraud (15 percent), according to the 2008 Report to the Nation on Occupational Fraud and Abuse prepared by the Association of Certified Fraud Examiners. Banks and financial services companies are followed by government (12 percent) and healthcare (8 percent). The median loss for banks was $250,000 per case, according to the report.
What do you think? Post your comments below.