Four enterprise scenarios for Web fraud detection systems

Expert Ed Tittel describes use cases for Web fraud detection systems and products and explains how they can increase account and transaction security.

While consumers use a mix of Web browser settings and protection software to help defend against malware and malicious attacks, they expect organizations to be much more vigilant and highly protective of their data. Essentially, consumers expect organizations to be bulletproof. The problem is, no company or government agency is immune from cyberattacks. In fact, they face a barrage of attacks almost continuously.

Organizations that allow users to create online accounts and/or those that engage in online financial transactions need Web fraud detection systems as part of a layered defense to detect fraud and help protect confidential assets. These organizations are at risk for bogus account origination, account takeover and payment fraud, to mention a few. And, because of the nature of business in which they engage, most of these organizations are required to comply with one or more U.S. regulations and standards, such as the Gramm-Leach-Bliley Act and the Payment Card Industry Data Security Standard. Web fraud detection systems can go a long way toward helping organizations meet requirements and maintain compliance.

The following sections describe industries that are particularly susceptible to Web fraud and how Web fraud detection systems have reduced risk as well as chargebacks and other losses.

Use case #1: Banking and financial services

According to the Kroll 2013/2014 Global Fraud Report, about 75% of financial institutions have experienced fraud, second only to manufacturing, and 29% of the institutions have experienced information theft, loss or attack. The banking and financial services industry is often cited as one of the most victimized industries.

With millions of people and companies conducting online banking every day, many Web fraud detection (WFD) vendors zero in on the needs of the financial services industry. Web fraud detection systems use behavioral or rule-based analytics to monitor online activity and account holder behavior to detect and respond to suspicious activity. For example, a WFD tool would be able to detect an online banking customer adding a new payee to his or her account and then immediately making a payment to that payee. A WFD product may also monitor for phished credentials, malware infections and spoofed devices, as well as provide highly effective end-user device or browser protection by blocking threats at the source -- preventing them from affecting the transaction process.
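One way to express the new-payee rule described above in code, as an added example rather than any vendor's product logic; the account-activity records, the 30-minute window and the 500.00 amount threshold are all constructed assumptions:

```python
from datetime import datetime, timedelta

# Constructed account-activity events (not real customer data).
# Each record: (ISO timestamp, account, event type, payee, amount)
EVENTS = [
    ("2015-09-01T09:00:00", "acct-1001", "login", None, None),
    ("2015-09-01T09:02:10", "acct-1001", "add_payee", "Acme Rentals", None),
    ("2015-09-01T09:03:05", "acct-1001", "payment", "Acme Rentals", 2400.00),
    ("2015-09-01T10:15:00", "acct-2002", "add_payee", "City Water", None),
    ("2015-09-03T08:30:00", "acct-2002", "payment", "City Water", 85.50),
    ("2015-09-01T11:00:00", "acct-3003", "payment", "Old Payee", 40.00),
]

NEW_PAYEE_WINDOW = timedelta(minutes=30)  # assumed rule threshold
MIN_AMOUNT = 500.00                       # assumed rule threshold


def flag_new_payee_payments(events, window=NEW_PAYEE_WINDOW, min_amount=MIN_AMOUNT):
    """Return alerts for payments made to a payee shortly after that payee was added.

    The rule fires only when the payment lands within `window` of the
    add_payee event for the same account and the amount is at least
    `min_amount`; each alert is a candidate for step-up verification
    before the payment is released.
    """
    added = {}   # (account, payee) -> time the payee was added
    alerts = []
    # ISO-8601 strings sort chronologically, so order by timestamp first.
    for ts, acct, etype, payee, amount in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if etype == "add_payee":
            added[(acct, payee)] = t
        elif etype == "payment":
            t_added = added.get((acct, payee))
            if t_added is None:
                continue  # payee existed before our records; not a "new payee"
            elapsed = t - t_added
            if elapsed <= window and amount >= min_amount:
                alerts.append({
                    "account": acct,
                    "payee": payee,
                    "amount": amount,
                    "minutes_since_add": round(elapsed.total_seconds() / 60, 1),
                })
    return alerts


if __name__ == "__main__":
    for alert in flag_new_payee_payments(EVENTS):
        print("REVIEW:", alert)
```

With the constructed data only acct-1001 fires: the payee added at 09:02 is paid 2400.00 at 09:03, while acct-2002 pays a new payee two days later for a small amount and acct-3003 pays a payee that was never newly added.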

Use case #2: Retailers and e-commerce

Although credit card photos and real-time checking account verification have helped reduce some types of fraud at in-store points of sale, online fraud remains a growing threat for the retail and e-commerce industry.

These organizations must protect transactions and confidential information while providing an optimal shopping experience in order to gain new customers and keep current customers satisfied. Industry players require Web fraud detection systems that provide insight into customer purchasing behavior and can detect fraud with high accuracy and minimal false positives.

Note: A false positive occurs when a customer tries to make a legitimate transaction that is blocked, perhaps because the transaction was made in a city, state or country other than where the person normally conducts business. False positives are a pain for the customer, and they cost retailers money in the way of additional customer support and/or lost sales.

Use case #3: Social networking

Social networking users are exposed to serious and widespread threats every day, from social engineers posing as legitimate users or companies, to account takeovers, to phishing and pharming attacks.

Note: Phishing and pharming attacks use legitimate-looking links that fool people into clicking them. Once clicked, a malicious file may run and gather data from the user's computer, or the user is redirected to a fraudulent website designed to extract confidential data.

Any company that hosts a social networking site must be concerned with security to protect its visitors and its brand. Consider a financial institution that uses social media to engage with its customers or to market services and solicit applications for new accounts. If a malicious user spoofs the site, he or she can easily post a phony application that gathers personal information from unsuspecting users and then steal their identities or withdraw funds from their bank accounts. The victim company's reputation will be tarnished, at a minimum, and existing customers may lose trust and move to a different company.

Companies can use WFD to monitor social media and other websites for brand mentions, identify social media threats quickly and take appropriate action.

Use case #4: Government agencies

Many government entities conduct business with consumers and employees on the Web, such as administering student loans and mortgages, issuing Social Security cards, accepting tax payments and administering payroll direct deposits. Although agencies are required to use strong security measures, they are also prime targets for attackers and are extremely susceptible to account takeovers, access credential theft and fraudulent transactions.

A comprehensive Web fraud detection system protects user logins, performs device profiling and analyzes user identities and behavior to detect risky situations, such as attempted logins using stolen credentials, botnets employing a password-guessing algorithm and replay attacks or session hijacks.
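The password-guessing botnet case above, written as a detection rule over login audit records; this is an added example, not any product's logic, and the sample records, the 10-minute window and the failure and distinct-account thresholds are constructed assumptions:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login audit records (not from any real system).
# Each record: (ISO timestamp, source IP, account, result, device id)
LOGINS = [
    ("2015-09-01T02:00:01", "198.51.100.7", "user01", "fail", "dev-x"),
    ("2015-09-01T02:00:02", "198.51.100.7", "user02", "fail", "dev-x"),
    ("2015-09-01T02:00:03", "198.51.100.7", "user03", "fail", "dev-x"),
    ("2015-09-01T02:00:04", "198.51.100.7", "user04", "fail", "dev-x"),
    ("2015-09-01T02:00:05", "198.51.100.7", "user05", "success", "dev-x"),
    ("2015-09-01T08:10:00", "203.0.113.9", "user05", "success", "dev-home"),
    ("2015-09-01T08:11:00", "203.0.113.9", "user05", "fail", "dev-home"),
    ("2015-09-01T08:11:30", "203.0.113.9", "user05", "success", "dev-home"),
]

WINDOW = timedelta(minutes=10)  # assumed sliding window
MAX_FAILS = 3                   # assumed: more than this many failures in a window
MIN_ACCOUNTS = 3                # assumed: spread across at least this many accounts


def find_guessing_sources(logins, window=WINDOW, max_fails=MAX_FAILS, min_accounts=MIN_ACCOUNTS):
    """Map each source IP that looks like a password-guessing bot to the accounts it tried.

    A single user mistyping a password fails a few times on one account; a
    botnet fails many times across many accounts, so the rule needs both
    a failure count and an account-spread condition inside one window.
    """
    fails_by_ip = defaultdict(list)
    for ts, ip, acct, result, _dev in logins:
        if result == "fail":
            fails_by_ip[ip].append((datetime.fromisoformat(ts), acct))
    flagged = {}
    for ip, fails in fails_by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):          # sliding window over sorted failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            span = fails[start:end + 1]
            accounts = {acct for _, acct in span}
            if len(span) > max_fails and len(accounts) >= min_accounts:
                flagged[ip] = sorted(accounts)
                break
    return flagged


def accounts_entered_from(logins, flagged_ips):
    """Accounts that logged in successfully from a flagged source: step-up auth and session review candidates."""
    return sorted({acct for _, ip, acct, result, _ in logins if result == "success" and ip in flagged_ips})
```

In the constructed data 198.51.100.7 fails four times across four accounts within seconds and is flagged, its one successful login (user05) is surfaced for review, and the home device that fails once and then succeeds is left alone.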

How compliance helps reduce the impact of fraud

The Gramm-Leach-Bliley Act requires financial institutions to protect customers' private financial information. Organizations must implement a secure method of capturing and storing personally identifiable information and validate user credentials during account access. Web fraud detection systems minimize the number of account takeover and new account origination incidents by detecting unauthorized or fraudulent users posing as legitimate users.

The Payment Card Industry Data Security Standard is a global industry standard (not a U.S. regulatory law) that requires merchants who accept payment cards to protect consumer information with proper security controls. Web fraud detection systems provide real-time monitoring of transactions and detect the use of stolen payment cards and other forms of fraud.

The benefits of Web fraud detection systems

In addition to the industries featured in this article, many more can benefit from Web fraud detection systems, such as payroll services, payment aggregators, healthcare providers, the insurance industry and more. Once the need for WFD is established, the next step is to select a product that best meets an organization's unique needs.

This was last published in September 2015