WHITE PAPER Moving Beyond the FFIEC Guidelines

Transcription

1 WHITE PAPER Moving Beyond the FFIEC Guidelines How Device Reputation Offers Protection Against Future Security Threats

2 Table of Contents Introduction 1 The FFIEC Guidelines 2 Why Move Beyond Complex Device ID to Device Reputation? iovation s Device Reputation Service 4 Conclusion 8

3 Introduction With the continued growth of electronic banking and the greater sophistication of fraudsters, more effective security measures are required in order for financial institutions to reduce fraudulent activities and transactions. Criminal groups have expanded rapidly, becoming more specialized in financial fraud and much more successful in developing and deploying effective, complicated, and malicious methods to compromise authentication mechanisms and gain unauthorized access to customers online accounts. During the last several years, fraudsters have moved beyond account origination and are now also executing account takeover maneuvers, causing financial institutions and consumers to experience substantial losses. In the past few years alone, thousands of publicly reported data breach incidents have occurred, compromising over 460 million sensitive records; and creating hundreds of millions of dollars in losses resulting from online account takeovers and illicit funds transfers. The continued explosion of mobile connectivity and services only compounds the security challenges financial institutions face today. All of these factors are driving the necessity for the implementation of additional proactive security controls to better protect financial institutions and their customers. Berg Insight forecasts that the worldwide usage of mobile banking and related services will grow at a compound annual rate of 89% to reach 913 million users in

4 The FFIEC Guidelines In June of 2011, the Federal Financial Institutions Examination Council (FFIEC) issued a supplement to the Authentication in an Internet Banking Environment guidance (originally released in October 2005). The original guidance provided a risk management framework for financial institutions offering Internet-based products and services to their customers. The supplement reinforces the framework and updates supervisory expectations for customer authentication, layered security, and other controls in the increasingly hostile online environment. The FFIEC is concerned that customer authentication methods and controls have become less effective causing financial institutions and customers to face significant risks. These latest guidelines recommend minimum safeguards financial institutions should implement in order to protect themselves and their customers from hundreds of millions of dollars in potential losses caused by attack tools streamlined into downloadable kits and frighteningly sophisticated malware. The FFIEC s Supplement to Authentication in an Internet Banking Environment emphasizes the utilization of: Risk assessments Customer authentication for high-risk transactions Layered security programs Effectiveness of certain authentication techniques Customer awareness and education According to ComScore, in Q4 2010, 29.8 million Americans accessed financial service accounts (bank, credit card, or brokerage) via their mobile device, up 54 percent from The new FFIEC guidelines instruct banks and financial institutions to focus network defenses on layered security that involves fraud monitoring, dual customer authorization through different access devices, out-of-band verification, and technologies that limit the fraudulent transactional use of an account. The guidelines state that it is important to move from simple device identification to complex device identification, yet taking it one step further to device reputation, is what many leading financial institutions already have in place. This will ensure that financial institutions utilize the maximum protection possible against future security risks, and also prepare them for the FFIEC audits scheduled to begin in January Why Move Beyond Complex Device ID to Device Reputation? Most banks and financial institutions have already implemented simple device ID, which typically uses a cookie loaded onto a customer s PC confirming that it is the same PC originally enrolled by the customer, and that it matches the logon ID and password provided. However, this type of cookie can be copied and moved to a fraudster s PC, allowing the fraudster to impersonate a legitimate customer. 2

5 Complex device ID involves the creation of a digital fingerprint based on several characteristics of the device including hardware and software configuration, Internet protocol addresses, and geolocation. Unfortunately, complex device ID by itself only increases the strength of identification; it does little to increase the efficacy of an overall anti-fraud strategy. So while complex device ID provides a more secure line of defense over simple device ID and protects financial institutions against what the fraudsters dreamed up yesterday, notable personal security and identify theft expert, Robert Siciliano, suggests a smooth progression from complex device ID to device reputation to extend this protection for tomorrow s threats. Device reputation offers all of the security measures that complex device ID does, but it also strategically incorporates velocity, anomalies, proxy busting, webs of associations, and fraud and abuse histories. Device reputation moves from a micro to a macro view of transactions which takes into account how particular devices behave or have behaved beyond its activities with a financial institution, its usage by a current user or other users, and/or its relationship to other devices. Device reputation is the most comprehensive response and effective strategy available to address the FFIEC s call for fraud detection and monitoring systems that include consideration of customer history and behavior, that enable a timely and effective institution response. SIMPLE DEVICE ID COMPLEX DEVICE ID DEVICE REPUTATION Cookies / Tokens IP / Geolocation Device Fingerprint Browser Anomalies Behavior Patterns Evidence Shared Experience Hidden Associations Velocity Real IP / Proxy Piercing 3

6 iovation s Device Reputation Service In most device fingerprinting implementations, a newly purchased device has no connections and no history. One of the important and unique elements in iovation s device reputation service, ReputationManager 360, is its accommodation of the movement between devices and users. Gartner, Inc. positioned iovation in the Visionary Quadrant in the analyst firm s 2011 Magic Quadrant for Web Fraud Detection report, published April 19, With iovation s device reputation service, when a device (PC, Mac, laptop, tablet, mobile phone) tries to log in or complete a transaction with a financial institution, a real-time query is automatically sent to iovation related to the reputation of that device in order to assess the risk details and reach a decision whether to approve, deny and/or review the transaction. In fractions of a second, customized rules determine if a particular device has been seen before, which other devices it s related to, if any of iovation s other subscribers have seen those devices and/or had negative experiences with them; and if so, what kind of evidence has been placed against those devices. A check is also made to discover whether the specific device has any anomalous characteristics that merit suspicion, such as a browser language set in Chinese and a timezone of Panama. RM 360 FEATURES Dual-path Device ID Customer History and Behavior Script and Man-in-the- Middle (MITM) detection IP Reputation Policies and Practice Authentication RM 360 IMPLEMENTATION As part of our device reputation determination, iovation uses a 2-stage device identification strategy in order to uniquely identify devices, and correctly re-recognize devices we have seen before. This includes both token and tokenless based patterns for accurate identification, as well as control over tolerance for false positives/negatives. Commercial evidence regarding hundreds of millions of devices all over the world and from major global online brands provides factual information about past behavior. iovation velocity rules allow tracking of accounts per device, devices per account, and transactions per account, each evaluated against customizable thresholds. iovation checks IP addresses against white and block lists, flags proxies and sees through them to get the real IP. Business rules are a direct reflection of policy through selective application, thresholds and weights. iovation APIs support integration with third party services for customer authentication. 4

7 The reputation of a device is based on a living database of over a billion devices from every country in the world, providing a 360-degree view of a device s reputation. And since denying access or transactions to legitimate clients can damage customer relationships, iovation s device reputation service is managed with an eye toward near-zero false positives in device identification. iovation is the only service provider that can truly comment on device reputation around the world, across subscribers, with over 30 evidence risk types, and over 2,000 fraud professionals involved in updating the reputations of devices internationally every minute of every day. One large bank designed a log-in flow using iovation ReputationManager 360 plus authentication. Previously, legitimate customers who logged on to single accounts from multiple devices were repeatedly challenged, which could have led to unwanted churn in the bank s user base. Since device reputation enabled the bank to confidently and automatically map account-to-device relationships, repeated association between an account and a particular device was allowed to trump the authentication system s call for a challenge. The result was increased satisfaction through a system that exceeded expectations and vigorously protected customer security. DIAGRAM 1 Device Reputation Reduces Friction Device Reputation Yes No Yes No Authentication 5

8 The FFIEC guidelines suggest the implementation of value thresholds and consideration of the number of transactions allowed. Imagine a fraudster using scripted login attempts at a single financial institution on multiple accounts, but staying under the risk engine s alert threshold triggers for each individual account. This cumulative velocity would clearly exceed the norms; iovation s device velocity rules facilitate deeper visibility by allowing an institution to view activity across multiple institutions and multiple accounts originated from a single device. Another FFIEC suggestion is the use of IP reputation tools to block connection from known and suspected devices. Most institutions use third-party tools to identify anonymous proxies. However, iovation s device reputation service uses Real IP, which exposes the true IP of a device regardless of whether or not it is using an anonymous proxy. Utilizing data throughout the subscriber network provides a global view of that IP address, any evidence against it, or any devices in its web of associations. Through this mechanism, financial institutions can instantly leverage comments updated in real-time on high-risk ISPs and IP addresses. Device reputation components that financial institutions can implement in order to comply with and move beyond the FFIEC guidelines include real-time rules, forensics and reporting. These are a variety of valuable analytics and reports that work in conjunction with those real-time components to maximize protection and provide the most in-depth view of any device or web of devices. DIAGRAM 2 Device Reputation Solutions for FFIEC Compliance Real-time Rules Velocity Account Geolocation Account/Device Device/Device Forensics RM 360 Portal Evidence Placement Associations Matrixes Targeted Accounts Lookup Reporting Daily Account Takeover Suspicious Activity Daily Evidence Transaction History Strategically interwoven into security layers like authentication, iovation ReputationManager 360 helps maintain client satisfaction, minimize support calls, and ensure a competitive position in a challenging marketplace. iovation s Business Rules Editor allows financial institutions to see their rules at a glance, create new rules, adjust settings as new threats emerge and enable or disable rules at any time. 6

9 Banks can configure and weight business rules in categories including: Evidence Rules Trigger an alert when activity comes from an account or device already associated with fraud such as online scams or financial fraud. Geolocation Rules Trigger an alert when activity is coming from an unauthorized country or through a proxy. Velocity Rules Trigger alerts when thresholds for the number of accounts opened, or the number of devices accessing an account has been exceeded within a certain timeframe or when an account has been accessed by too many countries. Watch List Rules Trigger alerts on your pre-defined list of attributes. These lists can be set up as positive or negative lists, depending on what result or weight you assign to the rule. Lists could include accounts, devices, IP ranges, ISP lists and more. Age-Based Rules Trigger an alert based on the amount of experience that you have with a device or device-account pair. If activity comes from a device that has never previously been associated with an account in your system, you may want to offer additional authentication questions prior to giving account access. Anomaly Rules While individual device characteristics may not be indicators of risk, certain characteristics are worth monitoring, or several in combination with each other may indicate attempts by the user to evade detection. Risk Profile Rules Profile risk rules look at the specific combination of characteristics for the device accessing a site and then assesses the risk by examining all other devices in iovation s system that look similar. These profiles are based on devices that have accessed your financial site, as well as devices seen at any of iovation s global client sites. Banks can manage their business rule sets without requiring IT support or changes to the web integration. The Business Rules Editor is a standard component of iovation s ReputationManager 360 fraud prevention service. The truly forward-thinking have already moved on (from complex device ID) and are successfully leveraging the benefits of device reputation and shared device intelligence. Robert Siciliano / Personal security and identity theft expert 7

10 Conclusion With fraudsters becoming more innovative every day, it s no longer sufficient to protect against yesterday s threats. Since virtually every authentication technique can be compromised, financial institutions should not rely solely on any single control for authorizing transactions, but should instead utilize a system of layered security. Whether users are accessing a website through a PC or any type of mobile device connected to the Internet via a wireless network, iovation quickly identifies the device and generates critical device reputation intelligence. This allows financial institutions to instantly determine the risk of a transaction and provides an extra layer of protection without disrupting the customer s experience. By implementing iovation s device reputation service at the start of the fraud detection process, financial institutions can easily meet the FFIEC s compliance requirements and move beyond the latest guidelines to address future security threats. Please contact us to learn more about exceeding FFIEC guidelines by ing info@iovation.com or calling (503) ABOUT IOVATION iovation protects online businesses and their end users against fraud and abuse, and identifies trustworthy customers through a combination of advanced device identification, shared device reputation, device-based authentication and real-time risk evaluation. More than 3,000 fraud managers representing global retail, financial services, insurance, social network, gaming and other companies leverage iovation s database of more than 2 billion Internet devices and the relationships between them to determine the level of risk associated with online transactions. The company s device reputation database is the world s largest, used to protect 12 million transactions and stop an average of 200,000 fraudulent activities every day. The world s foremost fraud experts share intelligence, cybercrime tips and online fraud prevention techniques in iovation s Fraud Force Community, an exclusive virtual crime-fighting network. For more information, visit GLOBAL HEADQUARTERS iovation Inc 111 SW 5th Avenue, Suite 3200 Portland, OR USA PH +1 (503) FX +1 (503) info@iovation.com UNITED KINGDOM PH +44 (0) uk@iovation.com 8