Times they are a changin’. It used to be that checking transactions as they happened (or shortly after) was enough to keep online fraud in check. Banks with fraud-detection systems (sophisticated, or sometimes not-so-sophisticated!) integrated into their banking applications can check for anomalies, but only if something seems ‘off’ in the transaction itself. While this is a valid and appropriate place to check for fraud (leading analyst firms like Gartner call it “Transaction Fraud Detection”), it is only part of the equation for catching fraud successfully. New threats, especially Man-in-the-Browser attacks like Zeus and SpyEye (Brian Krebs writes about this topic often), have introduced an attack vector that is extremely difficult to defeat with ‘old school’ approaches that rely entirely on transactional fraud detection.

The key to catching and stopping Man-in-the-Browser attacks lies in the ability to recognise behavioral changes in a user, often before any monetary transaction actually happens. An example may help: Man-in-the-Browser malware installs software on a user’s machine and watches for specific URLs on a watch-list. When the user logs in, the malware can take control of the session or even launch a new session as that user. Unusual navigation patterns, and even the speed at which pages are browsed, can be indicators that something is not ‘right’ in the session. Without these early indicators, the transactions may look fine to the bank application, causing individuals or businesses to lose money and the bank to lose face. It is still important to look at each transaction (e.g. is this amount unusual? is the number of transactions unusual?), but in combination with a behavioral profile for that user. Combining the ‘old school’ with the ‘new math’ of behavioral fraud detection gives banks and their customers a much better chance at a passing grade in the fight against online fraud. More on this topic to come…
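To make the combination concrete, here is an added example (not code from the original post or from any product it alludes to) that builds a per-user profile from past sessions and scores a new session on both behavioral signals (page-to-page moves the user has never made, browsing much faster than usual) and transactional signals (an amount outside the user’s history, more transfers per session than ever before). The session data and the thresholds are constructed for illustration and are not tuned on real traffic; the point is that the scripted session below passes the transaction-only checks and is caught by the behavioral ones, while a large transfer on a normal-looking session is caught by the transactional ones.

```python
from collections import Counter
from statistics import mean, median, pstdev

# Constructed baseline: four past sessions for one user. Each session records the pages
# visited as (seconds since login, path) and the transfer amounts submitted in that session.
BASELINE_SESSIONS = [
    {"pages": [(0, "/login"), (8, "/accounts"), (21, "/accounts/checking"), (40, "/logout")],
     "transfers": []},
    {"pages": [(0, "/login"), (11, "/accounts"), (30, "/transfer"), (75, "/transfer/confirm"),
               (90, "/logout")],
     "transfers": [120.0]},
    {"pages": [(0, "/login"), (9, "/accounts"), (25, "/accounts/savings"), (44, "/logout")],
     "transfers": []},
    {"pages": [(0, "/login"), (10, "/accounts"), (28, "/transfer"), (70, "/transfer/confirm"),
               (85, "/logout")],
     "transfers": [95.0]},
]

# Constructed sessions to score. The first mimics a scripted session: straight to the
# transfer page within seconds, one modest transfer. The others are human-paced.
MITB_LIKE_SESSION = {
    "pages": [(0, "/login"), (1, "/transfer"), (3, "/transfer/confirm"), (4, "/logout")],
    "transfers": [110.0],
}
NORMAL_SESSION = {
    "pages": [(0, "/login"), (10, "/accounts"), (27, "/transfer"), (72, "/transfer/confirm"),
              (88, "/logout")],
    "transfers": [130.0],
}
LARGE_TRANSFER_SESSION = {"pages": NORMAL_SESSION["pages"], "transfers": [900.0]}

# Illustrative thresholds (assumptions, not tuned on real data).
NOVEL_TRANSITION_LIMIT = 0.25   # more than a quarter of page-to-page moves never seen before
SPEED_RATIO_LIMIT = 3.0         # median page interval more than 3x faster than this user's norm
AMOUNT_SIGMA = 3.0              # transfer above mean + 3 sigma of the user's past transfers


def _transitions_and_intervals(pages):
    """Return the (from, to) page pairs and the seconds between consecutive pages."""
    pairs = [(p0, p1) for (_, p0), (_, p1) in zip(pages, pages[1:])]
    gaps = [t1 - t0 for (t0, _), (t1, _) in zip(pages, pages[1:])]
    return pairs, gaps


def build_profile(sessions):
    """Summarise a user's past sessions into a behavioral and transactional profile."""
    transitions = Counter()
    intervals, amounts, max_transfers = [], [], 0
    for s in sessions:
        pairs, gaps = _transitions_and_intervals(s["pages"])
        transitions.update(pairs)
        intervals.extend(gaps)
        amounts.extend(s["transfers"])
        max_transfers = max(max_transfers, len(s["transfers"]))
    return {
        "transitions": transitions,
        "median_interval": median(intervals) if intervals else 0.0,
        "amounts": amounts,
        "max_transfers": max_transfers,
    }


def score_session(profile, session):
    """Check one new session against the profile; return which indicators fired."""
    pairs, gaps = _transitions_and_intervals(session["pages"])
    ind = {}

    # Behavioral signal 1: navigation path this user has never taken before.
    novel = sum(1 for p in pairs if p not in profile["transitions"])
    ind["novel_transitions"] = (novel / len(pairs)) > NOVEL_TRANSITION_LIMIT if pairs else False

    # Behavioral signal 2: pages requested far faster than this user normally browses.
    session_median = median(gaps) if gaps else 0.0
    speed_ratio = profile["median_interval"] / session_median if session_median > 0 else 0.0
    ind["too_fast"] = speed_ratio > SPEED_RATIO_LIMIT

    # Transactional signal 1: an amount well outside the user's history.
    past = profile["amounts"]
    if len(past) >= 2:
        limit = mean(past) + AMOUNT_SIGMA * pstdev(past)
    elif past:
        limit = 2 * past[0]   # too little history for a spread; crude bound
    else:
        limit = 0.0           # no history at all: any transfer deserves a look
    ind["unusual_amount"] = any(a > limit for a in session["transfers"])

    # Transactional signal 2: more transfers in one session than ever before.
    ind["unusual_count"] = len(session["transfers"]) > profile["max_transfers"]

    ind["transactional_hit"] = ind["unusual_amount"] or ind["unusual_count"]
    ind["behavioral_hit"] = ind["novel_transitions"] or ind["too_fast"]
    ind["flag"] = ind["transactional_hit"] or ind["behavioral_hit"]
    return ind


if __name__ == "__main__":
    profile = build_profile(BASELINE_SESSIONS)
    for name, s in [("mitb-like", MITB_LIKE_SESSION), ("normal", NORMAL_SESSION),
                    ("large-transfer", LARGE_TRANSFER_SESSION)]:
        print(name, score_session(profile, s))
```

The profile is deliberately simple (first-order page transitions and a median inter-page interval); a production system would use richer features and per-user tuned thresholds, but the structure is the same: behavioral indicators are available from the first page loads, long before the transfer is submitted, and they are combined with, not substituted for, the transaction checks.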

