By Gunnar Peterson, CISO, Forter
Fraudsters are inventive and meticulous in combing through the entire system to find weaknesses and gaps they can exploit in order to make illicit gains. Whether the insertion or extraction points are technical, process, or operational weak points, their top concern is reliability and efficiency. The harder the attackers work, the more challenging it is for defenders to outsmart and outdo them.
On the defenders' side, there is the information security team who is concerned with code-level or configuration-level vulnerabilities, and the fraud team who manages business-orientated weaknesses. Defenders should work across organisational spaces — both fraud and cybersecurity teams and tools to increase friction to fraudsters’ attempts. Tools, organisational structure, and culture vary among cybersecurity and fraud teams, and industry leaders often assume building fusion centres as the best way to stop fraudsters in their tracks.
Whether fraud and cybersecurity teams work together or independently, they need tools to help them identify risky behaviours quickly and can recognise that bad actors all behave differently.
The business value of fraud fusion
Bringing together cybersecurity and fraud teams in a fraud fusion centre provides clear value to organisations. Fraud events like account takeovers create a negative customer experience, especially for many of the most valuable customers. Financial loss in both fraud loss and top-line revenue, plus the hassle of unwinding from fraud events, create a harmful stew of events for companies and customers. Account takeover events can occur when ownership of protecting the customer session is divided across departments. The fraud fusion centre is positioned to bring a 1+1=3 value from the combination of cybersecurity teams and fraud working hand in hand to defend account security at an identity level. Note that I use the fraud fusion concept not to denote a single physical centre or organisational team structure, but rather a centre of collaboration across disparate teams.
Leverage the network effect on threat intelligence
The catalyst for Fraud Fusion centres is the network effect. In the same way that Visa, Mastercard, Amex, and Discover networks allow you to stroll into a remote tropical island on vacation and swipe a small piece of plastic to pay for your hotel, the network effect can also work to a defender’s advantage. Defenders can leverage the network effect’s strength in numbers to identify and separate malice from legitimate customers. The key for defenders is identifying the right trust networks and how to plug into them.
The fact that you see these attackers for the first time does not mean that it is the first time they are attacking an organisation like yours. Networked threat intelligence adds a vital level of visibility to detect and block account takeovers in real-time.
Cybersecurity and fraud collaboration
To maximise utility, teams must collaborate on fraud prevention in several ways, especially on operational and technical levels.
Operational and technical collaboration
Creating value in fraud fusion centres means collaboration with fraud and cybersecurity teams. There are several ways to accomplish this. From an operational viewpoint, there are opportunities to coordinate closely in incident and event response to ensure the required data is gathered quickly.
Cybersecurity teams typically have excellent visibility and monitoring of the user session journey from account creation, authentication, authorisation, and other events. Cybersecurity teams focus on protecting the user’s journey across their session journey, ensuring authentication and authorisation work as expected. Fraud teams meanwhile focus on account takeover and anomalies, such as velocity and abuse.
These different focus areas mean that the tooling, process, and personnel are quite different, but at the same time, fraudsters are not deterred by organisational silos. In fact, they seek them out. The nuanced themes where one department ends and another begins are happy hunting grounds for fraudsters to find and exploit them.
Use Cases for Fusion centre opportunity
A fraud fusion centre allows organisations to align data, technical and operational capabilities to enforce security controls and rigorous fraud detection capabilities across various use cases. Fraudsters increasingly leverage automation via bots and human-assisted automation to attack systems at multiple points:
Account creation: registering and testing fake and test accounts manually and via bots.
Login: including credential stuffing via stolen credentials.
Profile updates: communications routed to fraudster-controlled numbers/emails, disable notifications – may include locking a user out of the account.
Transfer of value: payments or value moving around or exiting the account.
The main underlying touch point for the use cases listed here is to ensure that at these critical points, threat intelligence and trust networks are used to inform these decisions and make the best decision for the user at each step in the journey.
Preventing fraud requires intelligent solutions
The end goal is for fraud systems to gain as much visibility as is practically useful, moving to omnichannel eventually. The best near-term opportunities are using identity-based visibility and detection that links session visibility which cybersecurity teams can provide with real-time threat intelligence and attacker tactics that fraud systems can deliver. Analytics should be in place to measure success over time. Response systems should be coordinated where events like step-up authentication can be handled and incident response where required.
As fraudsters invest in automation, rules-based systems have become part of the problem. Solutions require not static rules which fraudsters can game, but rather intelligent automation based on real-time trust networks that identify malice, fraud, and abuse across the user session.