THE PERIODIC TABLE OF DIGITAL IDENTITY ASSESSMENT

Transcription

1 THE PERIODIC TABLE OF DIGITAL IDENTITY ASSESSMENT

2 DEVICE DIGITAL AND THREAT INTELLIGENCE DECISION PLATFORM DECISION MANAGEMENT LOCATION REAL-TIME ANALYTICS IDENTITY THREAT INTEGRATION & ORCHESTRATION SOLUTIONS INDUSTRIES

3 Introduction Online businesses continue to struggle with evaluating the validity of digital interactions. Internet anonymity and sophisticated cybercrime tools enable fraudsters to pretend to be legitimate prospects and returning customers. With the evolving fraud and threat environment, online businesses need a better way to understand and evaluate the validity of their customers and prospects across all touch points and channels. The ability to analyze and evaluate a customer s true digital identity and assess the validity of on online interaction requires a platform that unite several capabilities or elements that span the various aspects of the customer lifecycle, use cases and channels. The ThreatMetrix Digital Identity Network is the largest and richest global repository of online digital identity and interaction data; data from over 1 billion digital transactions per month across our expansive global customer base feeds a 40 terabyte (and growing) digital identity data repository. Using intelligence from the Network, businesses can prevent fraud in real time, validate new and returning customers with no associated friction and proactively detect evolving threats. The key to leveraging the Digital Identity Network intelligence is ThreatMetrix real-time analytics and decision systems. The ThreatMetrix decision platform combines data from online interactions with associated historical data to return a real-time, accurate risk assessment. This purpose-built platform is unique in its ability to dynamically associate identities and past interactions across the ThreatMetrix global customer base. A real-time data analytics and decision platform of this magnitude must be designed for speed, flexibility, accuracy and persistency. ThreatMetrix constructed a unique Periodic Table of Digital Identities to provide a reference to digital businesses looking to deploy an identity and transaction risk assessment solution that aligns with their strategic business imperatives. The table organizes the critical components of an effective Digital Identity Assessment platform in an intuitive manner and presents some of the essential elements that should be considered within each component. This white paper presents the design of our Periodic Table of Digital Identities and illustrates how the ThreatMetrix platform is aligned with this architecture. PAGE 3

4 ThreatMetrix Periodic Table of Digital Identities The Core Structure The ThreatMetrix Digital Decision Platform is a market-leading fraud and security solution that provides a holistic approach to authentication, fraud prevention and threat detection. The Periodic Table of Digital Identities offers a unique way to explain the individual elements of the solution, and their dynamic interaction. Digital Identities the Primary Principle of the ThreatMetrix Solution The key challenge for digital businesses is how to differentiate fraudsters from genuine users when the online environment provides the perfect cloak of anonymity to test stolen identities, spoofed credentials or other techniques to mask true identity. The onus is squarely on businesses to know who they are transacting with, and to protect loyal users from fraudulent threats. Yet this is becoming harder than ever in a post-breach world where fraudsters can create pitch perfect attacks. The ThreatMetrix solution solves this challenge with the concept of digital identities. ThreatMetrix stitches together a user s unique digital identity by combining information relating to devices, identity information, user location and threat intelligence. This creates a profile that fraudsters can t fake, made up of dynamic, shared intelligence that gets better over time. Transactions are verified in real time against trusted patterns of behavior: high-risk anomalies are accurately identified for review while genuine users experience minimal friction. PAGE 4

5 Bringing Digital Identities to Life Using the ThreatMetrix Digital Decision Platform The ThreatMetrix Digital Decision Platform has two distinct components: 1. Digital and Threat Intelligence ThreatMetrix is unique in its ability to dynamically combine the four key pillars that define digital identity across all device platforms. These can be summarized as: The Device Series: Device identification, device health and application integrity. The Location Series: Detection of location cloaking or spoofing, (proxies, VPNs and the TOR browser). The Identity Series: Incorporating anonymized, non-regulated personal information such as user name, address and more. Defining a pattern of trusted user behavior by combining identity and transactional metadata with device identifiers, connection and location characteristics. The Threat Series: Harnessing point-in-time detection of malware, Remote Access Trojans (RATs), automated bot attacks, session hijacking and phished accounts, then combining with global threat information such as known fraudsters and botnet participation. 2. Decision Platform This enables businesses to use the ThreatMetrix platform for realtime digital decisions via the following key functions: Integration and Orchestration: Uniting the ThreatMetrix solution with back-end services and prepackaged / customized third party services. Real-time analytics: Leveraging business rules, behavior analytics and machine learning capabilities to identify complex fraud patterns with high accuracy. Decision management: Enabling continuous optimization of authentication and fraud decisions with visualization, data correlation and exception handling. PAGE 5

6 ThreatMetrix Periodic Table of Digital Identities The Individual Elements DEVICE DIGITAL AND THREAT INTELLIGENCE LOCATION IDENTITY DECISION PLATFORM REAL-TIME ANALYTICS DECISION MANAGEMENT Within these two components, and each of their core functions, lie the individual elements that make up the overall solution. These are the nuts and bolts of the platform which allow individual businesses to tailor the solution to their specific requirements; using a combination of individual elements to create a bespoke solution. THREAT INTEGRATION & ORCHESTRATION The Saas-based platform secures businesses without the need to add or deploy additional servers or infrastructure. Unlike solutions that require deep levels of integrations, the ThreatMetrix platform can be used across virtually any webbased application, harnessing the power of global shared intelligence with near-instant, real-time insight. This approach secures businesses and end users against account takeover, payment fraud and fraudulent account registrations resulting from malware and data breaches. SOLUTIONS INDUSTRIES PAGE 6

7 DEVICE ThreatMetrix Periodic Table of Digital Identities Using the Individual Elements to Create Bespoke, Market-Leading Solutions DIGITAL AND THREAT INTELLIGENCE ThreatMetrix customer span a diverse set of industries from financial services, e-commerce and media to healthcare, enterprise and government. By leveraging different combinations of the individual elements of the Periodic Table, ThreatMetrix solves for: LOCATION Payment Fraud detecting the use of stolen or fraudulent payment credentials IDENTITY in real time. Identity Verification ensuring that connecting users are who they say they are. This detects fraudsters attempting to open new accounts with stolen or spoofed identities that might otherwise go undetected using static identity assessment alone. Digital Authentication effectively recognizing new and returning users; providing a slick and streamlined login experience. Step-up authentication procedures are only used for high-risk transactions, reducing friction for trusted users and operational costs for businesses. Account Security protecting trusted user accounts from fraudulent account takeover, whether from stolen credentials, malware, advanced phishing scams, remote access Trojans (RATs) or THREAT automated botnet attacks. Compliance Assurance providing businesses with identity and location certainty, for example ensuring that businesses are not transacting with individuals or networks from countries that are subject to penalty. INTEGRATION & ORCHESTRATION Workforce Authentication protect business platforms from fraudulent takeover, as well as allowing a workforce to login remotely, whether on desktop or mobile. DECISION PLATFORM REAL-TIME ANALYTICS Threat Intelligence combining threat detection with global threat intelligence of known fraudsters and botnet participation to help proactively detect complex attack vectors. Identity Analytics using behavioral analytics to inform smarter machine learning models to better predict future fraud. Mobile App Security protecting the integrity of host mobile applications, as well as protecting the surrounding mobile platform from device spoofing and malware attacks. DECISION MANAGEMENT SOLUTIONS INDUSTRIES PAGE 7

8 ThreatMetrix Periodic Table of Digital Identities A Glossary of the Individual Elements The Device Series Persistent and statistical web and mobile device identification. (D) Tag Based ID: ThreatMetrix ExactID is a persistent global identifier which relies on a variety of markers (ex., browser cookies, Adobe Flash cookies, HTML 5 local storage), to give 100% accuracy identifying a device. (Ds) Statistical ID: ThreatMetrix SmartID identifies returning users that wipe cookies, use private browsing and change other parameters to bypass device fingerprinting. This improves returning user detection and reduces false positives. (Sdk) Mobile SDK: ThreatMetrix Mobile is a lightweight software development kit (SDK) for Google Android and Apple ios mobile devices, providing complete fraud protection for the mobile channel. (Ig) Device Integrity: ThreatMetrix Mobile SDK distinguishes new and returning devices by looking at operating system information, system configuration information, hardware and software details and proprietary identifiers. ThreatMetrix Desktop SDK examines how a device interacts with a page to automatically determine the presence of bots, scripted and other automated attacks. Its unique combination of web fingerprinting and device identification technologies reduces risk exposure from fraud while securing customer data. (Ap) Application Integrity: Ensures the host application containing the ThreatMetrix Mobile SDK has not been tampered with or modified by malware or a malicious user. Known, trusted applications are seamlessly identified in real time, along with any application containing malware or a poor associated reputation. (Dsd) Desktop SDK: A software development kit (SDK) for Apple OS X and Microsoft Windows endpoint / desktop applications providing holistic fraud protection. (Cl) Client: A lightweight client validates and protects sessions with your business and assists in finding and eliminating any security issues. PAGE 8

9 The Location Series Fraudsters often attempt to hide behind location and identity cloaking services such as hidden proxies, VPNs and the TOR browser. ThreatMetrix accurately detects the use of these technologies and, in the case of proxies and VPNs, allows businesses to see the true IP address, geo-location and other attributes of each transaction. (Ti) True IP: The ThreatMetrix solution allows businesses to see the true IP address of the connecting user, providing a number indicating how close the true_ip is to the proxy_ip in terms of IP address. (Dn) DNS IP: ThreatMetrix profiling tags can detect a unique domain name. A recursive call through various intermediate DNS Servers will reveal the IP address of the ISP s DNS Server. This exposes any anomalies between the client's IP address and its relationship with the DNS Server, including both geo-location and the associated ISP Organization. (Lo) Location Services: ThreatMetrix Mobile captures Wi-Fi, cellular and GPS details which are compared to IP address information to detect anomalous connections and the use of proxies and VPNs. ThreatMetrix Web analyzes geographical attributes such as IP address, VPNs and the TOR network. (Lsp) Location Spoofing: Detects cybercriminals using proxies, IP spoofing, GPS tampering etc. to mask their true location. (Pr) Proxy Piercing: Examines TCP / IP packet header information to expose both the Proxy IP address and True IP address. (Vp) VPN Detection: Detects the use of VPNs, allowing businesses to see the true location of the connecting user. PAGE 9

10 The Identity Series ThreatMetrix bridges the gap between physical identities and online user identities. Digital identities created in the Network are unique and impossible to fake, leveraging the almost infinite connections that a user creates as they transact online. This ensures that legitimate users are recognized and experience minimal friction, while fraudsters using stolen or spoofed identities are accurately detected before the transaction is processed. (Cr) User Credentials: ThreatMetrix incorporates anonymized, non-regulated personal information such as user name, address, telephone number with key intelligence relating to devices, locations and online behavior from the Digital Identity Network to build a unique digital identity for each user. (Tt) Trust Tags: ThreatMetrix Trust Tags are digital labels that can be applied to various combinations of entities within a user s persona to indicate their trustworthiness. Trust can be associated dynamically with any combination of online attributes such as devices, addresses, card numbers etc. Trusted users are therefore quickly recognized and experience less friction. (La) Links and associations: Using Person ID, businesses benefit from a real-time linkage of a current transaction to related transactions through a matrix of attributes associated with the user, device and connection. (Bb) Behavioral Biometrics: Evaluate user and device interactions in the current session to historical user and device interactions and known bad behaviors. (Pid) Persona ID: Captures connected entities such as addresses, transactions, accounts, devices, IP addresses, geo-location, proxies, and physical addresses relating to a user. PAGE 10

11 The Threat Series ThreatMetrix provides point-in-time detection of complex fraud attack vectors across desktop and mobile. This is combined with global threat information such as known fraudsters and botnet participation to give organizations a holistic view of emerging threats. (Bd) BOT Detection: ThreatMetrix uses context-based information to perform behavioral analysis of users during periods of normal operation and compares such data to that gathered during a botnet attack. This differentiates between a human and a bot in real time. It can also detect low-and-slow attacks that are designed to bypass traditional rate control measures such as WAFs and mimic legitimate user behavior patterns. (Rd) RAT Detection: This capability detects changes in behavior that are indicative of fraudulent session hijacking. (Cr) Credential Testing: ThreatMetrix can detect individuals testing stolen credentials to automated botnet attacks performing mass credential testing sessions. ThreatMetrix compares each transaction to digital identity information held in the Network to detect anomalies relating to devices, addresses, behavior and more. (Jbr) Jailbreak / Root: Detection of jailbreak and root serves as a potential indicator that the device may have been modified in order to commit fraud. (Ma) Malware Detections: ThreatMetrix Mobile detects any application containing malware or a poor associated reputation. Conversely, known, trusted applications are seamlessly identified in real time. These benefits also apply to the host ios app. ThreatMetrix Web uses honeypot technology to set traps to detect unauthorized webpage modifications in the browser. This tricks the malware into believing the user is about to navigate to a high value website. (Pf) Page Fingerprinting: Detects Man-in-the-Middle (MitM) and Man-in-the-Browser (MitB) attacks, as well as targeted Trojans. (Ist) Insider Threat: Monitor and control user accounts to minimize the risk of insider threats. (Ar) App Reputation: Information relating to the trustworthiness of applications running on a user s mobile device to detect the presence of malicious or potentially unwanted apps. (Is) ID Spoofing: Transactions are compared against the trusted digital identity of the real user to identify anomalies that might indicate fraud. For example, a fraudster may use a spoofed device, a hidden location or an unusual pattern of behavior, such as an unusually high payment. (Dsp) Device Spoofing: Detects device tampering and attempts to masquerade as a different device, for example using virtual machines. (Cw) Cookie Wiping: Detects devices that are repeatedly wiping cookies and could therefore be fraudulent. (Mas) Mobile App Security: Ensures the host application containing the ThreatMetrix Mobile SDK has not been tampered with or modified by malware or a malicious user. Identifies unofficial or illicitly modified customer applications. PAGE 11

12 Integration and Orchestration ThreatMetrix solves the challenges of operationalizing digital identity assessments with the ThreatMetrix Integration Hub that unites the ThreatMetrix Digital Identity Network with back-end services and prepackaged / customized third party services such as identity verification and two-factor authentication, streamlining fraud and security orchestration. (Api) Real-time APIs: A real-time interface to ThreatMetrix that returns device identifiers, anomaly indicators and risk scores. This includes an API server as well as SDKs for web, mobile and endpoint. (Ip) Integration Platform: A REST based open API that extends the capabilities of ThreatMetrix core platform to include third party services. (Stu) Step-up Authentication: ThreatMetrix two-factor authentication is an identity-based solution that invokes a challenge response only when attributes or behavior deviate away from the trusted digital identity. A one-time passcode is generated and sent to the user s mobile to authenticate their identity. (Idv) Identity Verification: ThreatMetrix bridges the gap between online identities and physical identities by combining static identity data with dynamic, real-time intelligence from the Network. This gives a more accurate risk score for every user. (Ca) Carrier ID: Validates IP geolocation and phone carrier ID based on ownership and irrefutable evidence of communication with the SIM card. (Tf) Threat Feed: Make comparisons against collective threat intelligence. Additional insight from industry data about known malware and spyware can provide a security risk profile of each user s device. (Av) Address Verification: Address verification attributes, (e.g. length of residence at a particular address), and history of address can help filter out bots attacking with machine generated information. (Pdb) Persona DB: An extensible, enterprise-accessible database that allows an organization to privately and securely store and retrieve identifying attributes, characteristics, and behaviors associated with their users and customers. PAGE 12

13 Real-time Analytics ThreatMetrix combines business rules, behavioral analysis and machine learning into an integrated framework to make real-time decisions, providing business agility and dynamic adaption to changing fraud and user trends. (Pe) Policy Engine: The ThreatMetrix open policy engine allows businesses to incorporate and adjust their own tolerance for risk and operational metrics. (Pc) Policy Callout: This enables policies to call other policies via a special "Call Policy" rule. (Ro) Rules Optimization: Enables customers to tune their policies and access pertinent information for future risk assessments. (Ped) Policy Editor: An online portal that customers can use to create and modify their policies. (Th) Transaction History: Digital identities can be continuously evaluated in the context of each and every transaction, correlating seemingly disconnected security incidents in real time. (Ad) Anomaly Detection: ThreatMetrix uncovers anomalous behavior in real time through the association of related activity and connected entities such as addresses, transactions, accounts, devices, IP addresses, geo-location, proxies, and physical addresses using Persona ID. (Sr) Smart Rules: Uses behavioral analytics to accurately detect and analyze changes in user behavior. This approach identifies complex fraud patterns with high accuracy based on dynamic user behavior modeling. (Ag) Age Variables: Measures of time such as the time since the first event, time since the last event, and average time between events. (V) Velocity Variables: Measures of metadata such as velocity and frequency, or how quickly and often something occurs over a particular period of time. (Dv) Distance Variables: Measure of distance/location such as distance from closest location, average distance between events, and the standard deviation between this event and all other events. (Sl) Smart Learning: A cognitive system that gives customers an effective, predictive model based on past behavior and transaction data. This clear-box approach to machine learning combines global intelligence from the ThreatMetrix Digital Identity Network with customer truth data to produce a more accurate model. (Az) Anonymized Intelligence: Within the Network, individual pieces of information are hashed, so that they can never be tied back to a real identity. It s all about the connection and linkages between related personas, but not actually about their real identity information.

14 Decision Management ThreatMetrix enables continuous optimization of authentication and fraud decisions with visualization, data correlation and exception handling. (Sl) Search / Link Analysis: Examines beyond device and identity elements presented and looks for connections and associated entities. (Rv) Reporting & Visualization: Reporting for retrospective-based and proactive forensic data analysis. (Mr) Manual Reviews: Case management highlights only those transactions that genuinely require follow up or manual review, reducing operational costs associated with high manual reviews. (Wf) Workflow Management: Queue based technology that assists in the collection of relevant information about the investigation and then supports the escalation procedure. By creating a case, an analyst can monitor and track an event as well as associate other attributes to it. (Ws) Workspace: An area for investigating events and entities to enable detailed examination for further analysis. (Fr) Forensics: A graphical interface for examining and investigating data trends to allow the user to take action on, or move specific events directly from the screen. (Cm) Case Management: Identifies transactions that require additional review, providing a smarter, more integrated way to handle increasingly complex caseloads. This workflow process is highly customizable to suit the varying needs of different use cases and system configurations. PAGE 14

15 ThreatMetrix, The Digital Identity Company, is the market-leading cloud solution for authenticating digital personas and transactions on the Internet. Verifying billions of annual transactions supporting tens of thousands of websites and thousands of customers globally through the ThreatMetrix Digital Identity Network, ThreatMetrix secures businesses and end users against account takeover, payment fraud and fraudulent account registrations resulting from malware and data breaches. The ThreatMetrix Digital Identity Network provides the intelligence that fuels the ThreatMetrix solutions. The Network harnesses global shared intelligence from millions of daily consumer interactions including logins, payments and new account applications. Using this information, ThreatMetrix stitches together a user s true digital identity by analyzing the myriad connections between devices, locations and anonymized personal information. Transactions are verified in real time against trusted patterns of behavior: high-risk anomalies are accurately identified for review while genuine users experience minimal friction. Key benefits include an improved customer experience, reduced friction, revenue gain, and lower fraud and operational costs. The ThreatMetrix solution is deployed across a variety of industries, including financial services, e-commerce, payments and lending, media, government, and insurance. For more information, or a demonstration of how the ThreatMetrix solution can work for your business, contact sales@threatmetrix.com. PAGE 15