Fraud Mobility: Exploitation Patterns and Insights


WHITEPAPER Fraud Mobility: Exploitation Patterns and Insights September 2015

Table of Contents
- Introduction
- Study Methodology
- Once a SSN has been Compromised, it Remains at Risk
- Victims Remain Vulnerable within Specific Markets in the Short-Term
- Victims often Reappear in Different Industries over the Long-Term
- Conclusions

Introduction

Identity theft places a burden on victims and presents tremendous challenges to businesses and government agencies. In 2014, the nature of the breaches had migrated from financial access to identity theft. In fact, 54% of all data breaches were described as identity theft, a dramatic increase from the 20% seen in 2013. [1] Consumers and enterprises are less equipped to deal with the pain, inconvenience, and long-term implications of identity theft fraud, as it is substantially more damaging than financial fraud.

Enterprises must constantly solve a significant problem: how to determine whether the personally identifiable information (PII) presented on an application belongs to the legitimate individual or to a fraudster. The greatest challenge to fraud prevention and detection is understanding the speed and cross-industry patterns (known as mobility) with which a fraudster will use an identity.

There are predictable mobility patterns in how fraudsters initiate financial access fraud in the payment space and how fraudsters transact across industries. For example, it is common for a fraudster who has compromised credit card information to create a counterfeit card and make a small purchase (perhaps at a gas station). Then, if successful with the small purchase, the fraudster will buy a big-ticket item in a different industry (such as an expensive electronic device). [2] In this study, ID Analytics explores whether similar patterns are identifiable when looking at identity theft patterns.

Identity Theft Facts
- In 2014, 12.7 million US consumers (5.2% of the US population) were victims of identity theft [4]
- This resulted in over 16 billion dollars of loss to the enterprise [5]
- Between January and August 2015 alone, nearly 140 million records were compromised in a total of 505 breaches [6]

Traditional identity-fraud management technologies lack access to data that is updated frequently enough, or these systems lack information from multiple industries. For example, enterprises relying on home-grown solutions only have visibility into their own customers. On the other hand, enterprises that rely on bureau or public records-based solutions may have limitations in terms of the industries that are covered and the freshness of their data assets.

ID Analytics analyzed the trends and mobility patterns by determining if fraudsters follow a pattern within and across industries. What behavior does a victim's identity exhibit before and after a fraudulent event? What is the long-term behavior for a victim's identity and how does it compare to a legitimate identity? Research indicates that fraud exhibits predictable patterns over time and across industries that have important implications for its prevention.

For over a decade, ID Analytics has operated the ID Network, a cross-industry data consortium built for the purpose of enterprise risk management and identity fraud protection. This puts ID Analytics in a unique position to analyze consumer events. Enterprise clients submit more than 55 million consumer-asserted identity elements every day for fraud, credit and identity verification purposes via loan applications, check-order requests, wireless service contracts, and other use cases. Enterprises then describe which events performed normally and which ones went on to be confirmed as identity fraud. In addition, the ID Network is the largest repository of identity fraud in the United States: it contains 3.3 million confirmed fraud events. [3]

[1] http://breachlevelindex.com/pdf/breach-level-index-annual-report-2014.pdf
[2] http://www.cnbc.com/id/46907307
[3] The terms application, transaction and event are used interchangeably in this study given that there are different types of transactions in the ID Network; however, the majority are new-account openings associated with loan or service applications.
[4] Javelin Strategy and Research 2015 Identity and Fraud
[5] Javelin Strategy and Research 2015 Identity and Fraud
[6] http://www.idtheftcenter.org/images/breach/itrcbreachstatsreportsummary2015.pdf

Study Methodology

ID Analytics studied the behavioral trends for fraud victims and non-compromised consumers using historic records and client-reported fraud from the ID Network. Using the Social Security number (SSN) asserted on the applications as a proxy for an individual, SSNs were separated into two groups in order to determine mobility patterns. The first group includes SSNs that have been associated by the enterprise with a confirmed fraud. This group is referred to throughout the study as a compromised identity. The second group consists of SSNs that were not associated with confirmed fraud. An SSN from this group is referred to throughout the study as a non-compromised identity.

This study analyzed 68 million SSNs of both victims and non-victims over the last five years within the United States. In addition, a smaller subset of applications was isolated to better understand behavior patterns of a single identity over time. This allowed ID Analytics to analyze the differences in behavior surrounding a confirmed fraudulent event compared to behaviors for non-compromised identities.

Once a SSN has been Compromised, it Remains at Risk

Once an identity displays the first instance of confirmed fraud, it becomes a compromised identity and exhibits a higher velocity pattern than the non-compromised identity in both the short-term (the first 180 days after the event occurs) and the long-term (more than 180 days after the event occurs). To illustrate the difference in behavior between a non-compromised identity and a compromised identity, let's examine two examples: meet Tony and Fred.

Case Study 1: Tony, a non-compromised identity
- Tony has been seen in the ID Network five times over eleven years, with an overall application rate of roughly one application every two years
- Tony's SSN was never associated with a client-confirmed fraud
- The event of Tony's non-compromised application (randomly chosen from all the non-compromised applications) was seen in December 2008 on a retail credit-card application
- Prior to this event, Tony was seen submitting two applications, approximately one every two and a half years (both seen in the retail credit card industry)

Case Study 2: Fred, a compromised identity
- Applications with Fred's SSN were seen in the ID Network without any associations to fraud for 11 years, averaging roughly one new application every five years. During this time Fred was seen applying to two bankcard enterprises
- In February 2014, Fred's SSN was first reported by a telecommunications client as being associated with a fraudulent application
- Later that same day, Fred's SSN was seen in a new account application that went on to be confirmed as a fraudulent event in the retail credit card industry, and there were three additional new-account applications with three different telecommunication enterprises (one of which resulted in a third instance of confirmed fraud)
- The following day, Fred's SSN was seen on an application for a retail credit card
- In October 2014, two new applications with Fred's SSN were submitted to retail card issuers and later confirmed as associated with fraud by the enterprises

Fred's and Tony's behavior is representative of the compromised and non-compromised identity behaviors observed in the study. In general, non-compromised identities are seen on a new application within the ID Network roughly once every five years. The compromised identities behave the same way that non-compromised identities do prior to their first association with fraud. After the first confirmed fraudulent event, the following two years show the victim's SSN being asserted at an accelerated rate of 1.5 applications every year.

[Figure 1: Pre and Post Application Velocity for a Compromised Application vs a Non-Compromised Application. X-axis: days before and after the event (0-1, 2-10, 10-30, 30-90, 90-180, 180-360, 360-720). Series: Compromised Identity (Fraudulent Event) and Non-Compromised Identity (Non-Fraudulent Event). Annotations: compromised identity 6x higher within the first day; compromised identity 5x higher after 360 days. Points 1 to 6 on the chart correspond to the numbered observations below.]

Just as in the example of Fred and Tony, the velocity surrounding a non-compromised identity (Tony) remains consistent over time, while the velocity of a compromised identity (Fred) typically increases once it has been seen as a confirmed fraud.

(1) The application volume patterns for compromised identities and non-compromised identities are similar until ten days prior to the known fraudulent event (point two on figure 1).
(2) Compromised identities are seen applying for new accounts at a rate 5 times greater than non-compromised identities for the ten days prior to the confirmed fraud event.
(3) Once the compromised identity becomes a confirmed fraud, the application volume patterns between the compromised identity and the non-compromised identity diverge significantly.
(4) In the first ten days after an identity is seen as compromised, the victim's SSN is seen with an increased velocity 7.5 times the velocity of the non-compromised identity (point four in figure 1). Of the frauds occurring within the 0-10 day timeframe, 46% occurred within the first 24 hours of the fraudulent event.
(5) 90 days after the confirmed fraud, the application volume returns to a rate similar to that of the non-compromised identities.
(6) The application volume for compromised identities spikes 180 days after the first reported fraud event (point 6). It is likely that the confirmed fraud was detected within the first 90 days and the fraudulent behavior is stopped temporarily; however, the application volume remains elevated for compromised identities and never returns to the same rates as those of the non-compromised identities.

Victims Remain Vulnerable within Specific Markets in the Short-Term

Application rates for compromised and non-compromised identities vary in how the identity is seen across industries. ID Analytics expected to see that when an identity was compromised, it would quickly be used for fraudulent new-account applications in multiple industries. Surprisingly, the analysis shows that subsequent applications using the compromised identity were more likely to stay within the same industry rather than cross industries within the first 360 days.

[Figure 2: Short-Term Movement within Industry Sectors. Y-axis: Probability of Crossing Industry (0% to 70%). X-axis: Days (0-10, 10-30, 30-90, 90-180, 180-360, 360+). Series: Non-Compromised (Non-Fraudulent Event) and Compromised (Fraudulent Event).]

Figure 2 shows that the probability of an identity applying within a single industry varies greatly between compromised and non-compromised identities. Intuitively, an uncompromised identity may apply to multiple industries within six months. Compromised identities are seen staying within the same industry at a much higher rate than the non-compromised identities.

After the instance of a confirmed fraud there is a high velocity of applications submitted within the first ten days. During this time, 93% of multiple fraud occurrences took place within the same industry. Often when compromised identities have a high velocity of applications over a short time period, the applications occur within the same industry but are seen at multiple enterprises. This behavior is most acutely demonstrated in the telecommunications industry. ID Analytics studied the application volume for compromised identities from telecommunication clients within 10 days of the initial fraud event and learned that whenever there was a second confirmed fraud event, 97% of these subsequent frauds occurred in the telecommunications industry.
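As an added illustration (not code from the paper or from ID Analytics), the sketch below turns the patterns reported above into review rules for a new application: a second application inside ten days, reuse at other enterprises in the same industry, a recent confirmed fraud in the same industry, and the paper's 360-day cross-industry finding. The Application record, the reason names, the rule thresholds and the timelines are assumptions; the timelines are constructed from the Tony and Fred case studies with invented days and enterprise names.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Application:          # hypothetical record layout for this example
    day: date
    industry: str
    enterprise: str
    fraud_tag: bool = False  # assumed already confirmed by the enterprise at scoring time

SHORT_TERM_DAYS = 10   # paper: highest velocity in the ten days around the first fraud
LONG_TERM_DAYS = 360   # paper: cross-industry reuse becomes more likely after 360 days

def score_application(history, new_app):
    """Return the review reasons new_app raises against one identity's history."""
    def age(a):
        return (new_app.day - a.day).days

    reasons = []
    prior = [a for a in history if age(a) >= 0]
    recent = [a for a in prior if age(a) <= SHORT_TERM_DAYS]

    # The paper's baseline is roughly one application every five years, so any
    # second application inside ten days is far above the normal rate.
    if recent:
        reasons.append("velocity")

    # Short term: reuse tends to stay in one industry but move between enterprises.
    others = {a.enterprise for a in recent
              if a.industry == new_app.industry and a.enterprise != new_app.enterprise}
    if others:
        reasons.append("same-industry-spread")

    tagged = [a for a in prior if a.fraud_tag]
    if any(age(a) <= LONG_TERM_DAYS and a.industry == new_app.industry for a in tagged):
        reasons.append("recent-fraud-same-industry")
    # Long term: a fraud tag older than 360 days in another industry still matters.
    if any(age(a) > LONG_TERM_DAYS and a.industry != new_app.industry for a in tagged):
        reasons.append("aged-fraud-cross-industry")
    return reasons

# Constructed timelines modelled on the case studies; exact days, enterprise
# names and the 2015 bankcard application are invented for this example.
TONY = [
    Application(date(2003, 6, 2), "retail_card", "retailer-a"),
    Application(date(2006, 1, 9), "retail_card", "retailer-b"),
]
FRED = [
    Application(date(2004, 3, 1), "bankcard", "bank-a"),
    Application(date(2009, 6, 15), "bankcard", "bank-b"),
    Application(date(2014, 2, 10), "telecom", "telco-a", fraud_tag=True),
    Application(date(2014, 2, 10), "retail_card", "retailer-a", fraud_tag=True),
    Application(date(2014, 2, 10), "telecom", "telco-b"),
]

def demo():
    tony_new = Application(date(2008, 12, 5), "retail_card", "retailer-c")
    fred_same_day = Application(date(2014, 2, 10), "telecom", "telco-c")
    fred_next_year = Application(date(2015, 3, 20), "bankcard", "bank-c")
    return {
        "tony_dec_2008": score_application(TONY, tony_new),
        "fred_same_day": score_application(FRED, fred_same_day),
        "fred_next_year": score_application(FRED, fred_next_year),
    }

if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, reasons)
```

The rules only fire if the history spans enterprises and industries, which is the paper's argument for a consortium view: a single enterprise's own records would contain none of Fred's same-day telecom applications at other carriers.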

Victims often Reappear in Different Industries over the Long-Term

After 360 days, identities with a second instance of confirmed fraud are more likely to reappear within a different industry. Figure 2 shows a 174% increase in the probability of the victim's SSN crossing industries after 360 days. The industry that is most impacted by this long-term cross-industry movement is the bankcard industry. Bankcard is the only industry in which the second instance of confirmed fraud after 360 days has a higher probability of staying in the same industry than of crossing industries. In addition, both retail and telecommunications show the highest probability of industry movement into the bankcard industry after 360 days. On average, 48% of the time a confirmed fraud that occurred in the telecommunications or retail space then moves into the bankcard industry when another instance of confirmed fraud occurs 360 days later.

Conclusion

Risk managers should look at ways to update their new-account risk management strategies. The study shows clear differences in how compromised identities behave over time as compared to non-compromised identities. Risk managers should be aware that spikes in volume for a particular identity could be a leading indicator for an imminent fraudulent event. Spikes are only visible through the use of a real-time, identity-fraud management solution.

Compromised identities clearly exhibited a pattern of new-account application volume above the rates for non-compromised identities. After the first instance of a confirmed fraud, the velocity patterns of a compromised identity drastically increase and do not return to the velocity patterns of a non-compromised identity within the following two years. This implies that speed is of the essence not only in fraud detection, but also in collaborating with prospective victims to make them aware of how their identities have been compromised.

To be most effective, a fraud solution should include real-time updates, since compromised identities have a high probability of staying within the same industry and moving between multiple enterprises in the first few days after the initial fraud event is detected. The study shows that a compromised identity will most likely be exploited with many enterprises within a particular industry. Fraud solutions that include cross-industry visibility are also important for long-term fraud detection, as a victim's identity will often be exploited in a new industry 360 days after the initial fraud event.

Choosing the Right Fraud Solution is Key to Reducing Identity Fraud

Enterprises that have been able to grow their customer base safely beyond their current footprints have used tools designed to recognize complex data patterns in near-real time with cross-industry insights. Access to these types of solutions is key to their fraud prevention strategies because these offerings are receptive to how identity fraud morphs over time and across industries. A strong fraud solution includes cross-industry visibility, depth of coverage, real-time data to track application velocity, and a large number of confirmed fraud tags as part of the underlying data network.

Data breaches have put enterprises under constant and increasing threat. ID Analytics provides industry-leading solutions to help enterprises keep pace with the rapidly changing nature of fraud. With over a decade of experience in identity risk management, ID Analytics' state-of-the-art fraud solution includes cross-industry, up-to-the-minute visibility into identity and behavior. To learn more about fraud solutions, contact us at marketinginfo@idanalytics.com or 858-312-6200 or visit us at www.idanalytics.com

2015 ID Analytics. All rights reserved. www.idanalytics.com