WHITE PAPER Moving Beyond the FFIEC Guidelines


How Device Reputation Offers Protection Against Future Security Threats

Table of Contents
- Introduction
- The FFIEC Guidelines
- Why Move Beyond Complex Device ID to Device Reputation?
- iovation's Device Reputation Service
- Conclusion

Introduction

With the continued growth of electronic banking and the greater sophistication of fraudsters, more effective security measures are required for financial institutions to reduce fraudulent activity and transactions. Criminal groups have expanded rapidly, becoming more specialized in financial fraud and far more successful at developing and deploying effective, complex, and malicious methods to compromise authentication mechanisms and gain unauthorized access to customers' online accounts. Over the last several years, fraudsters have moved beyond account origination and are now also executing account takeovers, causing financial institutions and consumers substantial losses. In the past few years alone, thousands of publicly reported data breach incidents have occurred, compromising over 460 million sensitive records and creating hundreds of millions of dollars in losses from online account takeovers and illicit funds transfers. The continued explosion of mobile connectivity and services only compounds the security challenges financial institutions face today. All of these factors drive the need for additional proactive security controls to better protect financial institutions and their customers.

Sidebar: Berg Insight forecasts that worldwide usage of mobile banking and related services will grow at a compound annual rate of 89% to reach 913 million users in 2014.

The FFIEC Guidelines

In June 2011, the Federal Financial Institutions Examination Council (FFIEC) issued a supplement to its Authentication in an Internet Banking Environment guidance (originally released in October 2005). The original guidance provided a risk management framework for financial institutions offering Internet-based products and services to their customers. The supplement reinforces that framework and updates supervisory expectations for customer authentication, layered security, and other controls in an increasingly hostile online environment. The FFIEC is concerned that customer authentication methods and controls have become less effective, leaving financial institutions and customers facing significant risks. The latest guidelines recommend minimum safeguards that financial institutions should implement to protect themselves and their customers from hundreds of millions of dollars in potential losses caused by attack tools streamlined into downloadable kits and highly sophisticated malware. The FFIEC's Supplement to Authentication in an Internet Banking Environment emphasizes:
- Risk assessments
- Customer authentication for high-risk transactions
- Layered security programs
- Effectiveness of certain authentication techniques
- Customer awareness and education

Sidebar: According to ComScore, in Q4 2010, 29.8 million Americans accessed financial service accounts (bank, credit card, or brokerage) via their mobile device, up 54 percent from 2009.

The new FFIEC guidelines instruct banks and financial institutions to focus network defenses on layered security that involves fraud monitoring, dual customer authorization through different access devices, out-of-band verification, and technologies that limit the fraudulent transactional use of an account. The guidelines state that it is important to move from simple device identification to complex device identification; taking it one step further, to device reputation, is what many leading financial institutions already have in place. This ensures that financial institutions use the maximum protection available against future security risks, and also prepares them for the FFIEC audits scheduled to begin in January 2012.

Why Move Beyond Complex Device ID to Device Reputation?

Most banks and financial institutions have already implemented simple device ID, which typically uses a cookie loaded onto a customer's PC to confirm that it is the same PC originally enrolled by the customer and that it matches the logon ID and password provided. However, this type of cookie can be copied and moved to a fraudster's PC, allowing the fraudster to impersonate a legitimate customer.

Complex device ID involves the creation of a digital fingerprint based on several characteristics of the device, including hardware and software configuration, Internet Protocol addresses, and geolocation. Unfortunately, complex device ID by itself only increases the strength of identification; it does little to increase the efficacy of an overall anti-fraud strategy. So while complex device ID provides a more secure line of defense than simple device ID and protects financial institutions against what fraudsters dreamed up yesterday, noted personal security and identity theft expert Robert Siciliano suggests a smooth progression from complex device ID to device reputation to extend this protection to tomorrow's threats. Device reputation offers all of the security measures that complex device ID does, but it also strategically incorporates velocity, anomalies, proxy busting, webs of associations, and fraud and abuse histories. Device reputation moves from a micro to a macro view of transactions, taking into account how a particular device behaves or has behaved beyond its activity with one financial institution, its usage by the current user or other users, and its relationship to other devices. Device reputation is the most comprehensive and effective strategy available to address the FFIEC's call for fraud detection and monitoring systems that consider customer history and behavior and that enable a timely and effective institutional response.

Figure: Simple Device ID, Complex Device ID, Device Reputation. Capabilities compared across the three tiers: Cookies / Tokens; IP / Geolocation; Device Fingerprint; Browser Anomalies; Behavior Patterns; Evidence; Shared Experience; Hidden Associations; Velocity; Real IP / Proxy Piercing.

iovation's Device Reputation Service

In most device fingerprinting implementations, a newly purchased device has no connections and no history. One of the important and unique elements of iovation's device reputation service, ReputationManager 360, is its accommodation of the movement between devices and users.

Sidebar: Gartner, Inc. positioned iovation in the Visionary Quadrant of the analyst firm's 2011 Magic Quadrant for Web Fraud Detection report, published April 19, 2011.

With iovation's device reputation service, when a device (PC, Mac, laptop, tablet, mobile phone) tries to log in or complete a transaction with a financial institution, a real-time query about the reputation of that device is automatically sent to iovation in order to assess the risk details and decide whether to approve, deny, or review the transaction. In fractions of a second, customized rules determine whether a particular device has been seen before, which other devices it is related to, whether any of iovation's other subscribers have seen those devices or had negative experiences with them, and if so, what kind of evidence has been placed against those devices. A check is also made to discover whether the specific device has any anomalous characteristics that merit suspicion, such as a browser language set to Chinese combined with a timezone of Panama.

RM 360 Features and Implementation
- Dual-path Device ID: As part of our device reputation determination, iovation uses a two-stage device identification strategy to uniquely identify devices and correctly re-recognize devices we have seen before. This includes both token-based and tokenless patterns for accurate identification, as well as control over tolerance for false positives and false negatives.
- Customer History and Behavior: Commercial evidence regarding hundreds of millions of devices all over the world, contributed by major global online brands, provides factual information about past behavior.
- Script and Man-in-the-Middle (MITM) detection: iovation velocity rules allow tracking of accounts per device, devices per account, and transactions per account, each evaluated against customizable thresholds.
- IP Reputation: iovation checks IP addresses against white and block lists, flags proxies, and sees through them to obtain the real IP.
- Policies and Practice: Business rules are a direct reflection of policy through selective application, thresholds, and weights.
- Authentication: iovation APIs support integration with third-party services for customer authentication.

The reputation of a device is based on a living database of over a billion devices from every country in the world, providing a 360-degree view of a device's reputation. And since denying access or transactions to legitimate clients can damage customer relationships, iovation's device reputation service is managed with an eye toward near-zero false positives in device identification. iovation is the only service provider that can truly comment on device reputation around the world, across subscribers, with over 30 evidence risk types and over 2,000 fraud professionals updating the reputations of devices internationally every minute of every day. One large bank designed a log-in flow using iovation ReputationManager 360 plus authentication. Previously, legitimate customers who logged on to a single account from multiple devices were repeatedly challenged, which could have led to unwanted churn in the bank's user base. Since device reputation enabled the bank to confidently and automatically map account-to-device relationships, a repeated association between an account and a particular device was allowed to override the authentication system's call for a challenge. The result was increased satisfaction through a system that exceeded expectations and vigorously protected customer security.

Diagram 1: Device Reputation Reduces Friction. Flow: the device reputation check (yes/no) is evaluated first, and only then is the authentication challenge (yes/no) applied.

The FFIEC guidelines suggest the implementation of value thresholds and consideration of the number of transactions allowed. Imagine a fraudster using scripted login attempts at a single financial institution on multiple accounts, while staying under the risk engine's alert threshold for each individual account. The cumulative velocity would clearly exceed the norms; iovation's device velocity rules provide deeper visibility by allowing an institution to view activity across multiple institutions and multiple accounts originating from a single device. Another FFIEC suggestion is the use of IP reputation tools to block connections from known and suspected devices. Most institutions use third-party tools to identify anonymous proxies. iovation's device reputation service, however, uses Real IP, which exposes the true IP of a device regardless of whether it is using an anonymous proxy. Using data from throughout the subscriber network provides a global view of that IP address, any evidence against it, and any devices in its web of associations. Through this mechanism, financial institutions can instantly leverage comments, updated in real time, on high-risk ISPs and IP addresses. Device reputation components that financial institutions can implement in order to comply with and move beyond the FFIEC guidelines include real-time rules, forensics, and reporting. These include a variety of valuable analytics and reports that work in conjunction with the real-time components to maximize protection and provide the most in-depth view of any device or web of devices.

Diagram 2: Device Reputation Solutions for FFIEC Compliance
- Real-time Rules: Velocity; Account Geolocation; Account/Device; Device/Device
- Forensics: RM 360 Portal; Evidence Placement; Associations Matrixes; Targeted Accounts Lookup
- Reporting: Daily Account Takeover; Suspicious Activity; Daily Evidence; Transaction History

Strategically interwoven into security layers such as authentication, iovation ReputationManager 360 helps maintain client satisfaction, minimize support calls, and ensure a competitive position in a challenging marketplace. iovation's Business Rules Editor allows financial institutions to see their rules at a glance, create new rules, adjust settings as new threats emerge, and enable or disable rules at any time.

Banks can configure and weight business rules in categories including:
- Evidence Rules: Trigger an alert when activity comes from an account or device already associated with fraud, such as online scams or financial fraud.
- Geolocation Rules: Trigger an alert when activity comes from an unauthorized country or through a proxy.
- Velocity Rules: Trigger alerts when the threshold for the number of accounts opened, or the number of devices accessing an account, has been exceeded within a certain timeframe, or when an account has been accessed from too many countries.
- Watch List Rules: Trigger alerts on your pre-defined list of attributes. These lists can be set up as positive or negative lists, depending on the result or weight you assign to the rule. Lists can include accounts, devices, IP ranges, ISP lists, and more.
- Age-Based Rules: Trigger an alert based on the amount of experience you have with a device or device-account pair. If activity comes from a device that has never previously been associated with an account in your system, you may want to require additional authentication questions before granting account access.
- Anomaly Rules: While individual device characteristics may not be indicators of risk, certain characteristics are worth monitoring, and several in combination may indicate attempts by the user to evade detection.
- Risk Profile Rules: Risk profile rules look at the specific combination of characteristics of the device accessing a site and then assess the risk by examining all other devices in iovation's system that look similar. These profiles are based on devices that have accessed your financial site, as well as devices seen at any of iovation's global client sites.

Banks can manage their business rule sets without requiring IT support or changes to the web integration. The Business Rules Editor is a standard component of iovation's ReputationManager 360 fraud prevention service.

"The truly forward-thinking have already moved on (from complex device ID) and are successfully leveraging the benefits of device reputation and shared device intelligence." Robert Siciliano, personal security and identity theft expert
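The scripted-login scenario and the velocity and anomaly rule categories described above, as an added illustration that is not iovation's code and does not use its API: a sliding-window velocity check keyed per account and per device over constructed login events, plus a language/timezone mismatch check, combined into an assumed approve/review/deny policy. All device ids, accounts, thresholds and the timezone table are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed login events (hypothetical device ids and accounts).
# "dev-A" probes six accounts, touching each only twice, so a
# per-account threshold never fires; only the per-device view
# (distinct accounts per device) catches it.
@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    device_id: str
    account: str
    lang: str   # browser language tag, e.g. "zh-CN"
    tz: str     # client-reported IANA timezone, e.g. "America/Panama"

T0 = datetime(2024, 1, 1, 12, 0, 0)
EVENTS = [
    LoginEvent(T0 + timedelta(seconds=30 * i), "dev-A", f"acct-{i % 6}",
               "zh-CN", "America/Panama") for i in range(12)
] + [
    LoginEvent(T0 + timedelta(minutes=i), "dev-B", "acct-99",
               "en-US", "America/New_York") for i in range(3)
]

WINDOW = timedelta(minutes=10)
MAX_ATTEMPTS_PER_ACCOUNT = 3   # assumed per-account threshold
MAX_ACCOUNTS_PER_DEVICE = 4    # assumed per-device threshold

def velocity_alerts(events, window=WINDOW):
    """Sliding-window velocity rules: attempts per account and distinct
    accounts per device. Returns {rule_name: set of keys that breached}."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = {"attempts_per_account": set(), "accounts_per_device": set()}
    for i, cur in enumerate(events):
        recent = [e for e in events[:i + 1] if cur.ts - e.ts <= window]
        attempts = sum(e.account == cur.account for e in recent)
        if attempts > MAX_ATTEMPTS_PER_ACCOUNT:
            alerts["attempts_per_account"].add(cur.account)
        seen = {e.account for e in recent if e.device_id == cur.device_id}
        if len(seen) > MAX_ACCOUNTS_PER_DEVICE:
            alerts["accounts_per_device"].add(cur.device_id)
    return alerts

# Constructed table: timezone prefixes that are unsurprising for a
# language region. A mismatch is weak evidence on its own, so it only
# contributes to the decision together with a velocity breach.
EXPECTED_TZ_PREFIX = {"CN": ("Asia/",), "US": ("America/",), "GB": ("Europe/",)}

def anomalous(event):
    """True when the browser language region and timezone disagree."""
    region = event.lang.rsplit("-", 1)[-1].upper()
    expected = EXPECTED_TZ_PREFIX.get(region)
    return bool(expected) and not event.tz.startswith(expected)

def decide(events):
    """Per-device decision (assumed policy): velocity breach alone ->
    'review'; velocity breach plus an anomaly -> 'deny'; else 'approve'."""
    v = velocity_alerts(events)
    out = {}
    for e in events:
        breached = (e.device_id in v["accounts_per_device"]
                    or e.account in v["attempts_per_account"])
        cur = out.get(e.device_id, "approve")
        if breached and anomalous(e):
            cur = "deny"
        elif breached and cur == "approve":
            cur = "review"
        out[e.device_id] = cur
    return out
```

Running decide(EVENTS) marks dev-A as "deny" and dev-B as "approve", even though no single account on dev-A ever crossed the per-account threshold.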

Conclusion

With fraudsters becoming more innovative every day, it is no longer sufficient to protect against yesterday's threats. Since virtually every authentication technique can be compromised, financial institutions should not rely solely on any single control for authorizing transactions, but should instead use a system of layered security. Whether users access a website through a PC or any type of mobile device connected to the Internet via a wireless network, iovation quickly identifies the device and generates critical device reputation intelligence. This allows financial institutions to instantly determine the risk of a transaction and provides an extra layer of protection without disrupting the customer's experience. By implementing iovation's device reputation service at the start of the fraud detection process, financial institutions can readily meet the FFIEC's compliance requirements and move beyond the latest guidelines to address future security threats. Please contact us to learn more about exceeding the FFIEC guidelines by emailing info@iovation.com or calling (503) 224-6010.

About iovation

iovation protects online businesses and their end users against fraud and abuse, and identifies trustworthy customers, through a combination of advanced device identification, shared device reputation, device-based authentication, and real-time risk evaluation. More than 3,000 fraud managers representing global retail, financial services, insurance, social network, gaming, and other companies leverage iovation's database of more than 2 billion Internet devices and the relationships between them to determine the level of risk associated with online transactions. The company's device reputation database is the world's largest, used to protect 12 million transactions and stop an average of 200,000 fraudulent activities every day. The world's foremost fraud experts share intelligence, cybercrime tips, and online fraud prevention techniques in iovation's Fraud Force Community, an exclusive virtual crime-fighting network. For more information, visit www.iovation.com.

Global Headquarters: iovation Inc, 111 SW 5th Avenue, Suite 3200, Portland, OR 97204 USA. PH +1 (503) 224-6010, FX +1 (503) 224-1581, EMAIL info@iovation.com
United Kingdom: PH +44 (0) 800 058 8731, EMAIL uk@iovation.com