Tackling Fraud
Ebook, 240 pages, 3 hours
About this ebook

The threat landscape is developing at such a rate that traditional IT security controls can no longer protect us. Legacy IT security mechanisms deal with rules and signatures for known threats coming from the outside, but today the threats are coming from inside: malicious employees, stealthy malware and remote access Trojans. Innocent employees are not safe from this scourge either; they are being fired and their reputations ruined because they are deemed to be collaborating with the attackers. Of course it is not them but the embedded Trojans that have taken over their accounts, and that can now mimic their work and execute fraudulent transactions. The losses are staggering. Furthermore, payment and fund-transfer fraud is escalating because we can never be certain who is driving the transaction. We see increasing examples of friendly fraud, CEO fraud and insider fraud, even account takeovers that deprive businesses and their customers of their legitimate funds, because we cannot be sure who is making the transfer.
But it doesn't have to be that way: behavioural biometric analysis empowered by machine learning can profile employee and customer activity and flag anomalies in user behaviour. Strange actions that fail to match a profile will almost instantly trigger an alert, preventing fraudulent or malicious activity and, more importantly, protecting the innocent from being blamed for the malicious actions of another, fraudulent actor.

Language: English
Release date: Dec 6, 2017
ISBN: 9781386278955

    Book preview

    Tackling Fraud - Alasdair Gilchrist

    Chapter 1 – Establishing Identity

    Defining Identity

    Uniqueness

    Entropy: a measure of uniqueness

    Unbundling Characteristics

    Verifying Vs. Revealing

    The Promise of Unbundling

    Privacy: Type I Unbundling

    Anonymity: Type II Unbundling

    Enabling Technology

    Chapter 2 - Identity as a Commodity

    Direct Marketing

    Cookies

    Third Party Cookies

    Private Browsing

    Device Fingerprinting

    Chapter 3 - Digital Identity and the Internet Economy

    How does digital identity management work?

    Why did the Old Processes Fail?

    The Regulatory Response

    What Is Strong Authentication?

    When Are Stronger Controls Necessary?

    Responding to the Challenges of Authentication

    Risk Management Procedures

    Authentication—One Part of Risk Assessment

    Chapter 4 - Digital Identity Techniques

    The Post-Breach Era

    Major Breaches and their Effects

    The Effects of Phishing

    Strong Authentication Paradox

    Building Trust

    Identities for Sale

    Account Take Over

    Identity Theft

    The need for Digital Identity

    Behavioural Analysis

    Chapter 5 - Behaviour as an authentication factor

    Introducing Behavioural Biometrics

    Anatomical-Physiological Biometric Characteristics

    Behavioural Biometric Factors

    Human Behavioural Patterns

    Components of Behavioural Biometrics

    Smart Sensors

    Machine Learning / Deep Learning

    Combining Traditional and Biometric Factors

    Building a Digital Identity

    Behavioural Biometrics techniques

    Chapter 6 - The Threat and Vulnerability Landscape

    Headline Fraud Events

    Banking Fraud

    What is Bank Fraud

    Types of Bank Fraud

    Insider Fraud

    Dormant Account Take Over

    Common Types of Insider Fraud

    The Scale of Insider Fraud

    Fraud Detection and Mitigation

    The 4-Eye Principle

    The 6 Stages of Fraud

    Banking Malware

    Carbanak

    How Carbanak Was Launched

    Silence Trojan

    Ordinaff

    What Could Have Been Done to Foil This Attack?

    TrickBot Banking Trojan

    The Ongoing TrickBot Attack

    Network Breaches

    Retail Threats and Vulnerabilities

    Drive-By and Side-Channel Exploits

    Point of Sale Attacks

    Technology Sector

    Business & Enterprise Threats

    CEO Fraud

    Chapter 7 - Mitigating Risk and Avoiding Threats

    Keystroke Dynamics

    Advantages of Keystroke Dynamics

    Disadvantages of Keystroke Dynamics

    Mouse Dynamics

    Mobile Touch screen Biometrics

    Chapter 8 - Digital Identity and Machine Learning

    How Digital Identities Can Help Businesses:

    Insurance

    Lending

    Media

    Payments

    Travel

    Behavioural Biometrics – IoT and AI

    Chapter 9 - Taking a Risk Based Analysis Approach

    Dealing with Variance

    Coping with Risky Behaviour

    The Power of Inference

    Creating a Network Effect

    How active sessions can be hijacked

    The Point of Determination

    MiTB and MiTMo Attack Vectors

    Chapter 10 - Behavioural Analysis and Security

    Behavioural Analytics versus Cohort Analytics

    Identifying Anomalies with Behavioural Analytics

    Practical Aspects of Security

    Three Tips for Implementing Security Behavioural Analytics

    Chapter 11 - Machine Learning and Fraud Detection

    Predictive Analysis

    Optimized fraud risk algorithm

    Pattern Recognition

    Optimized fraud risk algorithm

    Multi-Dimensional Algorithms

    Chapter 12 - PSD2 and Continuous Authentication

    Data Privacy

    The Payment Landscape

    The role of the PSP

    Online Payment Risk

    The Territorial Scope of PSD2

    Customer Security Awareness

    The Online Payment System

    How Online Payments Work

    How does an online transaction work?

    Online Transactions and Secure Customer Authentication

    Balancing PSPs, Merchants, and Customers

    Behavioural Biometrics

    Behavioural Biometrics and Privacy Law

    Behaviour Biometric Techniques

    Keystroke Dynamics

    Mouse Biometrics

    Multi-Modal Biometrics

    Scientific View of Behavioural Biometrics

    Integration of Behavioural Biometrics for PSPs

    Typical deployment Architecture

    Frictionless and Secure

    Behavioural Biometrics – User Friendly Security

    Use Cases

    Continuous Authentication

    Risk-Based Authentication

    Insider Threat Detection

    Fraud Detection and Prevention

    Accuracy/Performance

    Privacy

    Outlook

    Chapter 13 – Digital Identity Management

    What are the policy challenges?

    eIDAS

    What Are the Benefits of eIDAS?

    Who is eIDAS for?

    Assurance Levels

    eIDAS Regulations for the Trusted Services Provider

    Summary

    Chapter 13 - User + Entity Behaviour Analysis

    Bringing it all together with UEBA

    Putting it all together – A Use-Case

    Summary

    Chapter 1 – Establishing Identity

    For digital businesses, whether banks or retailers, identifying consumers accurately is the best defence against fraud, because it follows the principle of "know your customer". The stakes are therefore high. Yet poor, disjointed identity assessment and authentication leads to a poor, disjointed digital experience for the consumer, and shifting the burden of authentication onto the consumer leads inexorably to inconsistent decisions and, ultimately, to lost customers and profits.

    Defining Identity

    Today there is no generic system that is deployed pervasively in online systems for identification purposes. It is still not feasible to absolutely identify a person or for that matter an entity via a set of generic identity characteristics. Instead there is an abundance of diverse techniques that are deployed dependent on the risk appetite of the organisation.

    This is partly because, although identity is simply a collection of characteristics that can be verified, there are many levels of confidence in that verification, even though identity is meant to be the unique information associated with an individual or entity. The characteristics used can be either inherent or assigned by another party, and not all characteristics carry the same weight. For example, the colour of a person's hair, their height, build and other physical characteristics are all part of a person's identity, but on their own they are insufficient to identify an individual. However, if we know a person's gender, their date of birth and perhaps their postcode (ZIP code), then that combination may well be sufficient to identify the subject.

    In real world transactions say in a retail store an individual will inherently carry some of the characteristics that form the identity of the person originating the transaction. Generally, physical traits are visible during a transaction - for example when someone purchases a book from a book store, the book dealer may remember the buyer's race, gender, hair colour, height or build.

    In cyberspace, however, we are not presented with a set of inherent identity characteristics, and this is perhaps the major difference between real space and cyberspace: there is no secondary information at hand. Digital transactions are just the communication of a stream of bits and carry no separate information relevant to identity. In a real-world transaction there is a multitude of inseparable secondary information available to both parties to authenticate one another; a customer is confident that they are dealing with a reputable dealer because of its high street presence and shop frontage. None of this applies in an online transaction, so for authentication purposes additional information has to be transmitted to enable identification and authentication, such as the store identifying itself via a trusted digital certificate.

    Uniqueness

    An important principle of determining an online identity is that no two identities should be the same, which requires that each identity map to a unique set of characteristics. The difficulty is that two people may share many of the same characteristics, such as gender, age, height, race, hair and eye colour, without having the same identity. Not even identical twins have the same identity, although they share the same DNA. Therefore, when two identities have characteristic sets that are the same, new information must be sought that distinguishes them from each other, such as a name, address or social security number. Identity is thus a multi-faceted concept, and it does not apply only to humans: it also relates to things such as animals, companies, machines, devices and sensors, as in the Internet of Things.

    To mitigate this shortcoming there is a mathematical quantity which allows us to measure how close a characteristic comes to revealing somebody's online identity uniquely. That quantity is called entropy, and it's often measured in bits.

    Entropy: a measure of uniqueness

    Intuitively, you can think of entropy as a generalization of the number of different, equally likely possibilities for a random variable, counted in powers of two: if there are two possibilities, there is 1 bit of entropy; if there are four possibilities, there are 2 bits of entropy, and so on. Adding one more bit of entropy doubles the number of possibilities.

    Because there are around 7.5 billion humans on the planet, the identity of a random, unknown person contains about 32.8 bits of entropy (two to the power of 33 is about 8.6 billion, so 33 bits is a conservative round figure). When we learn a new fact about a person, that fact reduces the entropy of their identity by a certain amount. There is a formula that says how much:

    ΔS = - log2 Pr(X=x)

    Moreover, identity evolves over time, as more information is gathered and more characteristics become evident every day. Identical twins again make a good analogy: they share the same DNA and so are considered identical, but they are not, because they develop differently, both in the womb and as children, picking up a knock here and a scar there. Consequently, by the time they reach adulthood there will be many diverse characteristics useful in identifying them, such as a visible scar, a broken nose, dental records, X-rays and of course their fingerprints. With online systems such as e-commerce, a customer's identity is likewise embellished every time they visit the online store, as their browsing habits and preferences are recorded and added to their ever-growing profile. Each purchase embellishes the profile further, as does the method chosen for payment and delivery, and all this information can be amalgamated into an identity classifier set pertaining to that individual.

    The distinction between characteristics, classifiers and identity is not standard and often depends on the nature of the transactions. For example, if we consider the earlier formula on entropy:

    ΔS = - log2 Pr(X=x)

    And then look at some examples for different characteristics we can demonstrate this point.

    Starsign: ΔS = - log2 Pr(STARSIGN=Capricorn) = - log2 (1/12) = 3.58 bits of information

    Birthday: ΔS = - log2 Pr(DOB=2nd of January) = -log2 (1/365) = 8.51 bits of information

    Note that if you combine several facts together, you might not learn anything new; for instance, knowing someone's starsign reveals nothing new if their birthday was already known.

    What happens when facts are combined depends on whether the facts are independent. For instance, if you know someone's birthday and gender, you have 8.51 + 1 = 9.51 bits of information about their identity because the probability distributions of birthday and gender are independent. But the same isn't true for birthdays and starsign. For example if we know someone's birthday, then we already know their starsign, and being told their starsign doesn't increase our knowledge. Hence the goal is to calculate the change in conditional entropy of the person's identity where we consider all the observed variables, and then we derive the probabilities for new facts conditional on all the facts we already know.

    Hence we have;

    ΔS = -log2 Probability (Gender=Female|DOB=2nd of January) =

    -log2(1/2) = 1, and

    ΔS = -log2 Probability(Starsign=Capricorn|DOB=2nd of January)=

    -log2(1) = 0.

    In between cases are also possible: if I knew that someone was born in December, and then I learn that they are a Capricorn, I still gain some new bits of information, but not as much as I would have if I hadn't known their month of birth:

    ΔS = -log2 Probability (Starsign=Capricorn|month of birth=December)=-log2 (10/31) = 1.63 bits.

    In the examples above, each starsign and birthday was assumed to be equally probable. The calculation can also be applied to facts with non-uniform likelihoods. For instance, the likelihood that an unknown person's ZIP code is 90210 (Beverly Hills, California) differs from the likelihood that their ZIP code is 40209 (part of Louisville, Kentucky). As of 2017, there were 22,330 people living in the 90210 area, only 350 in 40209, and around 7.625 billion on the planet.

    Knowing my ZIP code is 90210: ΔS = - log2 (22,330/7,625,000,000) = 18.38 bits

    Knowing my ZIP code is 40209: ΔS = - log2 (350/7,625,000,000) = 24.38 bits

    As of 2017, identifying someone from the entire population of the planet required:

    ΔS = - log2 (1/7,625,000,000) = log2 (7,625,000,000) = 32.83 bits of information.

    Conservatively, we can round that up to 33 bits.

    So, for instance, if we know someone's birthday and we know their ZIP code is 40209, we have 8.51 + 24.38 = 32.89 bits. That is just over the 32.83 bits needed, so on average the combination narrows the field to about one person (350 residents spread over 365 birthdays), but birthdays and residents are not spread uniformly, so there may still be two or three people who share those characteristics. Add in their gender, another bit, for 33.89 bits, and we can probably say exactly who the person is.
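The following Python script is an added worked example, not code from the book: it implements the ΔS = -log2 Pr(X=x) arithmetic of this section end to end, including the conditional cases (starsign given the month or the exact birthday), the non-uniform ZIP code facts, and the running total against the bits needed to single out one person on the planet. It uses the population figures quoted above and assumes a 365-day year and a Capricorn range of 22 December to 19 January. It closes by running the same narrowing over a small constructed directory of made-up records, which shows the per-fact gains summing to log2(N) when one person is singled out, and the case where the facts run out with two candidates left.

```python
"""Identity entropy arithmetic from the chapter (added example, not the book's code).

Implements ΔS = -log2 Pr(X = x), conditional gains for dependent facts,
non-uniform facts (ZIP populations) and the running total. Population
figures are those quoted in the text; DIRECTORY is constructed sample data.
"""
from datetime import date, timedelta
from math import log2

WORLD_POPULATION = 7_625_000_000  # 2017 figure used in the text
ZIP_POPULATION = {"90210": 22_330, "40209": 350}  # figures quoted in the text


def bits(p):
    """ΔS = -log2(p): bits gained by learning a fact that had probability p."""
    if not 0 < p <= 1:
        raise ValueError("probability must be in (0, 1]")
    return -log2(p)


def bits_to_identify(population):
    """Entropy of one random member of a population of N people: log2(N)."""
    return log2(population)


def conditional_bits(candidates, predicate):
    """Bits gained by learning that `predicate` holds, given what we already know.

    `candidates` are the equally likely possibilities still consistent with
    earlier facts; the gain is -log2 of the fraction that match. A fact every
    remaining candidate already satisfies therefore yields 0 bits.
    """
    matching = [c for c in candidates if predicate(c)]
    return bits(len(matching) / len(candidates))


def expected_candidates(total_bits, population=WORLD_POPULATION):
    """Average number of people still matching after gaining `total_bits`."""
    return population / 2 ** total_bits


def days_in_year(year=2017):
    """Every day of a non-leap year, the 365 equally likely birthdays the text assumes."""
    d = date(year, 1, 1)
    while d.year == year:
        yield d
        d += timedelta(days=1)


def is_capricorn(d):
    """Capricorn taken as 22 December to 19 January (assumed boundaries)."""
    return (d.month == 12 and d.day >= 22) or (d.month == 1 and d.day <= 19)


def starsign_examples():
    """Gain from 'Capricorn' given nothing, the month, or the exact birthday."""
    year = list(days_in_year())
    december = [d for d in year if d.month == 12]
    jan_2 = [d for d in year if (d.month, d.day) == (1, 2)]
    return {
        "capricorn|nothing": conditional_bits(year, is_capricorn),      # 29/365 days
        "capricorn|december": conditional_bits(december, is_capricorn),  # 10/31 days
        "capricorn|2 january": conditional_bits(jan_2, is_capricorn),    # already implied
        "birthday 2 january|nothing": conditional_bits(year, lambda d: d in jan_2),
    }


def zip_bits(zip_code):
    """Non-uniform fact: ΔS = -log2(residents / world population)."""
    return bits(ZIP_POPULATION[zip_code] / WORLD_POPULATION)


def running_total(*gains):
    """Sum independent gains; report whether they reach the planetary threshold."""
    total = sum(gains)
    return total, total >= bits_to_identify(WORLD_POPULATION), expected_candidates(total)


DIRECTORY = [  # constructed sample data, not real people
    {"name": "Ada", "gender": "F", "dob": "1985-01-02", "postcode": "SW1A"},
    {"name": "Bea", "gender": "F", "dob": "1990-07-14", "postcode": "SW1A"},
    {"name": "Cat", "gender": "F", "dob": "1985-01-02", "postcode": "E1"},
    {"name": "Dee", "gender": "F", "dob": "1978-03-30", "postcode": "E1"},
    {"name": "Eli", "gender": "M", "dob": "1985-01-02", "postcode": "SW1A"},
    {"name": "Fox", "gender": "M", "dob": "1966-11-05", "postcode": "SW1A"},
    {"name": "Gus", "gender": "M", "dob": "1990-07-14", "postcode": "E1"},
    {"name": "Hal", "gender": "M", "dob": "1985-01-02", "postcode": "E1"},
]


def identify(candidates, **facts):
    """Apply facts in order; return bits gained per fact and the names still matching."""
    gains, remaining = {}, list(candidates)
    for key, value in facts.items():
        gains[key] = conditional_bits(remaining, lambda c: c[key] == value)
        remaining = [c for c in remaining if c[key] == value]
    return gains, [c["name"] for c in remaining]


if __name__ == "__main__":
    for fact, gain in starsign_examples().items():
        print(f"{fact}: {gain:.2f} bits")
    print(f"ZIP 90210: {zip_bits('90210'):.2f}  ZIP 40209: {zip_bits('40209'):.2f}")
    print(f"whole planet: {bits_to_identify(WORLD_POPULATION):.2f}")
    print(running_total(starsign_examples()["birthday 2 january|nothing"], zip_bits("40209")))
    print(identify(DIRECTORY, gender="F", postcode="SW1A", dob="1985-01-02"))
    print(identify(DIRECTORY, dob="1985-01-02", gender="M"))  # facts run out: two left
```

The generic `conditional_bits` is the point of the example: whether the candidates are days of the year or records in a directory, the gain from a new fact is always -log2 of the fraction of the remaining candidates that satisfy it, which is why a fact already implied by earlier ones (Capricorn after 2 January) contributes exactly 0 bits and why the per-fact gains on the directory add up to log2(8) = 3 bits when a single record is reached.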

    Nonetheless, in virtually all cases it is a single unique characteristic that serves as the main representation, or identifier, of an identity. This is as much to do with database schemas as anything else, but having one unique characteristic, even if it has to be constructed and issued, such as a member ID, makes fast, efficient and unique identification much easier. For example, each person's social security number is unique and can be used to identify an individual. However, the level of identity required is important: although a social security number may be a unique identifier, it is not a suitable identity characteristic in all cases. It may be mandatory for government or health care business, but it is too much information for most e-commerce or other business purposes. Hence it is the requirements of the transaction that determine how much of one's identity is required. Some transactions do not need to uniquely identify the purchaser; in a bar or restaurant, all that is required is some proof that you are of legal age to purchase alcohol. Other transactions do depend on the unique identification of the individual, which requires knowledge of an identifier; an e-commerce store must assign orders and billing to a unique customer account for it to work. Finally, some situations, as we have seen, require full knowledge of a person's identity, such as tax, health care or any other dealings with the government.

    In real-world transactions we deal with large characteristic sets, as it is difficult for the parties to selectively withhold or reveal portions of their identity: most forms of identification contain more information than is needed for any one transaction. For example, a driver's licence carries the identity characteristics of a name, address and date of birth, but it also carries a picture that confirms the holder's physical characteristics, giving greater confidence that the holder is who they claim to be and not just someone in possession of the licence. Many of these secondary characteristics of identity are not available in online transactions. Hence, in contrast to real-world scenarios, efficient online transactions need to handle only portions of identity, subsets of characteristics that can be disassociated from the whole and verified on their own by a third party. Unbundling a person's identity characteristics in this way raises several issues, since it is no longer as easy or straightforward to verify a person's real-world identity once the secondary characteristics are lost, yet it can still fulfil the requirement of uniqueness in an online environment, and it also enables several other intriguing possibilities.

    Unbundling Characteristics

    The unbundling of certain characteristics from a complete identity set is necessary in order to separate and process single characteristics or traits of identity. Unbundling makes it possible to exchange identity information at a level that is sufficient, mutually acceptable and easily verified. Unbundling specific characteristics also allows efficient authentication by the least revealing means, such as a combination of the weakest traits, i.e. username and password. Furthermore, it creates the framework for anonymous transactions, since it is then possible merely to verify the chosen identity information without ever revealing the person's name, address or any other personally identifiable information (PII), as when verifying against an anonymous email address. Most importantly, it enables online users to control the relationship, and the strength of the link, between their real-world and online identities.

    What this means is that in cyberspace the ability of users to unbundle their identity characteristics at the granularity they are comfortable with lets them separate their actual identity from their interactions, content and transactions. Hence the famous internet cartoon caption, "On the Internet, nobody knows you're a dog." As we will see later, that assumption of internet anonymity is rarely true.

    Of course, when an individual restricts the identity traits they are willing to reveal to a website, they seriously weaken the link between their online and real-world identities. For example, for most non-commercial websites a simple
