Fraud and Breach Prevention Summit Miami Anand Sureka | Guardian Analytics Behavioral Analytics for Preventing Fraud Today and Tomorrow April 12-13, 2016 Miami, FL

ISMG - Fighting Business Email Compromise

Page 1: ISMG - Fighting Business Email Compromise

Fraud and Breach Prevention Summit Miami

Anand Sureka | Guardian Analytics

Behavioral Analytics for Preventing Fraud Today and Tomorrow

April 12-13, 2016 – Miami, FL

Page 2: ISMG - Fighting Business Email Compromise

Fraud & Breach Prevention Summit Chicago #ISMGSummits2

About the Speaker

Anand Sureka

Senior Solutions Engineer, Guardian Analytics

Anand Sureka is a Senior Solutions Engineer at Guardian Analytics. He has spent over a decade working with banks to develop and integrate software solutions into online banking and payment services, including fraud detection, personal financial management, bill pay, ACH transfers and credit card payment services. Prior to joining Guardian Analytics, Anand was a principal consultant for the professional services team at Envestnet-Yodlee.

Page 3: ISMG - Fighting Business Email Compromise

Behavioral Analytics - Preventing Fraud Today

Anand Sureka

Page 4: ISMG - Fighting Business Email Compromise

Banks Facing Unprecedented Trust Issue

• Demise in trust
• Legacy and silo approaches failing - increase in fraud
• Can’t hold back - competitive pressure forcing innovation
• New approach is needed

Diagram labels: Trust; Competitive pressures; Third party providers; Competitive Banks; Speed; Convenience; Simplicity; Products/Services; Customer experience; Operational Costs; Data breaches; Malware; Social engineering; Single channel; Cross-channel; Customer Access; Customer Data

Page 5: ISMG - Fighting Business Email Compromise

New Requirements for Fraud Prevention

• Support payment/channel innovation
• Improve customer experience
• Increase operational efficiency
• Address modern fraud

Page 6: ISMG - Fighting Business Email Compromise

Meeting The New Requirements

Legacy (Rules/scenarios): Identity; Threat specific; Payment/channel slice

Modern (Analytics): Behavior; Threat agnostic; Holistic view

Page 7: ISMG - Fighting Business Email Compromise

Success Starts With Broad View of Behavior

OOBAChannelDelete

OOBAChannelEdit

PasswordChange

UserCreate

UserDelete

UserEdit

UserEnrollmentCreate

UserEnrollmentDelete

UserEnrollmentEdit

UserView

Informational

CheckImageView

AccountCreate

AccountDelete

AccountEdit

AlertCreate

AlertDelete

AlertEdit

ExternalAccountLink

InternalAccountLink

MFAOptionsChange

RemoteDepositCapture

ReportView

OOBAChannelCreate

WireTemplateApprove

WireTemplateCreate

WireTemplateDelete

WireTemplateEdit

WireTemplateSubmit

HTTPAcceptEncoding

HTTPAcceptLanguage

HTTPClientIP

HTTPCookie

HTTPForwarded

HTTPForwardedFor

HTTPHost

HTTPLocation

HTTPProxy

HTTPReferer

HTTPRequestURI

BrowserPlugins

Cookie

CookiesEnabled

DeviceID

FontList

JavaEnabled

LanguageBrowser

LanguageSystem

LanguageUser

Latitude

Longitude

Direction

ToAccount

ToAccountType

FromAccounType

AmountinUSDollars

Status

StatusReason

RecurringPayment

ReceivingBankID

ReceivingBankName

Recipient

OtherInstructions

DestinationType

ACHParticipantDelete

ACHParticipantEdit

ACHParticipantSubmit

ACHTemplateApprove

ACHTemplateCreate

ACHTemplateDelete

ACHTemplateEdit

ACHTemplateSubmit

ACHParticipantApprove

ACHParticipantCreate

WireApprove

WireCreate

WireDelete

WireEdit

WireSubmit

WireEvent

BillPayApprove

BillPayCreate

BillPayDelete

BillPayEdit

BillPaySubmit

ACHBatchApprove

ACHBatchCreate

ACHBatchDelete

ACHBatchEdit

ACHBatchSubmit

ACHCreditEntry

ACHDebitEntry

TransferApprove

TransferCreate

TransferDelete

TransferEdit

TransferSubmit

MFA Challenge

Login

UTCTimestamp

SingleSignOn

Logout

DeviceRegistered

Channel

Company ID

ASNs

Network attributes

HTTPVia

HTTPXClusterClientIP

HTTPXForwarded

HTTPXForwardedFor

HTTPXTrusteerRapport

ImmutableCompanyID

ImmutableUserID

IPAddress

IPv6Address

SessionID

SignOnID

OSPlatform

ScreenResolution

TimeZoneOffset

UserAgentString

UserAgentStringDOM

Phone Number

GPS events

Wifi/Bluetooth/NFC

Hardware

HTTPAccept

HTTPAcceptCharsets

PayeeApprove

PayeeCreate

PayeeDelete

PayeeEdit

PayeeSubmit

TransferTemplateApprove

TransferTemplateCreate

TransferTemplateDelete

TransferTemplateEdit

TransferTemplateSubmit

Login/Access

Account Activity

Transactions

Page 8: ISMG - Fighting Business Email Compromise

Real-time Behavior-based Risk Scoring

Login/Access; Account Activity; Transactions

Risk score every event

Each event updates risk

Diagram labels: Rule; Behavioral Analytics (Individual, Population); Risk Data; Machine Learning

Page 9: ISMG - Fighting Business Email Compromise

Risk-based Intervention

Login/Access; Account Activity; Transactions

Risk score every event

Each event updates risk

Diagram labels: Rule; Behavioral Analytics (Individual, Population); Risk Data

Rules-driven interdiction

Risk-driven interdiction

Policies drive interdiction actions (for any risk score)

Page 10: ISMG - Fighting Business Email Compromise

Guardian Analytics Protects

Page 11: ISMG - Fighting Business Email Compromise

Partnership with The Norman Group

“To stay competitive, financial institutions need to continually enhance their customer-facing products and back-end technology platforms, and in parallel, rapidly advance their capabilities to protect offerings and channels. We are excited to combine our technical and project management expertise in conjunction with Guardian Analytics Omni-Channel Fraud Prevention solutions to help financial institutions maintain a strong pace of innovation without increasing their fraud risk.”

- Rob Grzeszczak, President and Managing Director

Page 12: ISMG - Fighting Business Email Compromise

Use Case #1 – Reducing Challenges for Large Commercial Bank

Diagram labels: Domestic Cash Movement Application; Global Cash Movement Application; Wire Processing System; ACH Processing System; Client; Business Banking; Private Banking; Wealth Management; Performance Analysis/Risk Mgmt; Market Investment/Fund Mgmt; External Deposit Services; Foreign Exchange; Benefits Management; Benefits Participant; Retail Banking; Business Banking; Central Authentication

Guardian Analytics Online Behavioral Analytics

Risk scores drive stepped up authentication

Page 13: ISMG - Fighting Business Email Compromise

Use Case #2 – ACH, Same Day ACH

• NACHA files transmitted or uploaded
• Files processed upon receipt
• Alerts published within minutes

Diagram labels: ODFI; $$ to customer; Guardian Analytics ACH Behavioral Analytics; ACH Batch; Risk scores

Page 14: ISMG - Fighting Business Email Compromise

Use Case #3 – Wire Fraud

The Wire Fraud Challenge

Chart axes: Detection Rates (Low to High); Alert Volumes (Low to High)

Chart labels: Trust too little; Know when to trust, know when NOT to trust; Trust too much

Rule examples:
• Over $100K and international and new recipient
• Over $100K or international or new recipient

Page 15: ISMG - Fighting Business Email Compromise

Analytics Innovations to Raise and Lower Trust

• Learn each individual originator behavior over time to determine risk
• Learn new recipient ratio, typical beneficiary patterns (i.e. keeps false positives for title companies down)
• Look to see if we can raise or lower trust of a beneficiary
• If multiple wires to same “bene” spread out, can raise trust
• If many in rapid succession, less trustworthy
• Use what we’ve learned from other fraud

Diagram labels: Mule; Match in mule db?; Recipient; Originator

Page 16: ISMG - Fighting Business Email Compromise

Putting It All Together

• Would beneficiary be expected? (new beneficiary ratio, beneficiary and FI location/region)
• Are the originator’s wire actions normal? (timing, velocity, type, accounts, direction, use of instructions, content of instructions)
• Are the wires typical? (type, amount)
• Is this a high or low risk beneficiary? (beneficiary history with other originators, name/account number match, suspected mule)

Diagram labels: Originator Model; Wire Behavioral Analytics; Cross-institution risk data (Network effect); Beneficiary Model

• Self learning: No rules to write
• Not threat specific: Adapts to new threat
• Automatic updates to analytics
• 100+ attributes from wire system
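An added sketch (not Guardian Analytics' model and not code from the presentation) of the contrast drawn on pages 14 to 16: the static AND/OR rules treat a title company's routine closing wire and a BEC-style wire identically, while the originator's new-beneficiary ratio and the beneficiary's history separate them. The scoring weights, field names and sample wires are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

def static_rules(wire, known):
    """The page-14 rule variants: (AND rule fires, OR rule fires)."""
    conds = [wire["amount"] > 100_000, wire["intl"], wire["bene"] not in known]
    return all(conds), any(conds)

def new_bene_ratio(history):
    """Share of an originator's past wires that went to a first-time beneficiary."""
    seen, new = set(), 0
    for h in history:
        new += h["bene"] not in seen
        seen.add(h["bene"])
    return new / len(history) if history else 0.0

def bene_trust(history, bene, mule_db=frozenset(), burst=timedelta(hours=1)):
    """Assumed weights: +1 for each well-spaced wire to this beneficiary,
    -1 for each wire within `burst` of the previous one, -10 on a mule match."""
    if bene in mule_db:
        return -10
    times = sorted(h["ts"] for h in history if h["bene"] == bene)
    trust = 1 if times else 0
    for prev, cur in zip(times, times[1:]):
        trust += -1 if cur - prev < burst else 1
    return trust

def risk(wire, history, mule_db=frozenset()):
    """Assumed score: a new beneficiary is only as surprising as it is rare
    for this originator; beneficiary trust then lowers or raises the result."""
    known = {h["bene"] for h in history}
    surprise = 0.0 if wire["bene"] in known else 1 - new_bene_ratio(history)
    return round(surprise - 0.1 * bene_trust(history, wire["bene"], mule_db), 2)

# Constructed sample data, not taken from the presentation.
T0 = datetime(2016, 4, 1, 9, 0)
def wire_at(bene, amount, days, intl=False):
    return {"bene": bene, "amount": amount, "intl": intl, "ts": T0 + timedelta(days=days)}

TITLE_CO = [wire_at(f"buyer-{i}", 250_000, i) for i in range(10)]      # new payee every wire
MANUFACTURER = [wire_at(f"supplier-{i % 2}", 40_000, i) for i in range(10)]  # two repeat payees
CLOSING = wire_at("buyer-99", 250_000, 11)    # routine wire for the title company
BEC = wire_at("new-acct-x", 45_000, 11)       # typical amount, unexpected beneficiary

if __name__ == "__main__":
    for name, wire, hist in [("closing", CLOSING, TITLE_CO), ("bec", BEC, MANUFACTURER)]:
        known = {h["bene"] for h in hist}
        print(name, static_rules(wire, known), risk(wire, hist))
```

Both wires miss the AND rule and trip the OR rule, so neither rule variant tells them apart; the behavioral score does, because a first-time payee is normal for one originator and rare for the other.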

Page 17: ISMG - Fighting Business Email Compromise

Approach Highly Effective With BEC

• New beneficiaries common (40% of wires to new beneficiaries)
• BEC beneficiary FIs vary (domestic, international, banks, credit unions)
• Criminals do their homework on their targets and prey on urgency, sense of duty and importance
• Legitimate user logs into online banking or requests the wire (legacy ATO detection methods don’t work)
• BEC amounts within typical range of client wires

Diagram labels: Spoofed CEO email; Spoofed supplier email; Legitimate user (CFO or controller); Online; Fax; Branch; Criminal beneficiary or mule

Page 18: ISMG - Fighting Business Email Compromise

Behavioral Analytics Detects Account Takeover and Business Email Compromise

Diagram labels: Spoofed CEO email; Spoofed supplier email; Legitimate user (CFO or controller); Online; Fax; Branch; Wire transfer; Amount; Expected OBI use; Velocity; Beneficiary; Beneficiary FI; Beneficiary Location; Name/account number changes and match; Individual and Bank Population Originator Models; Cross-originator Beneficiary Models

Guardian Analytics uses originator, population and cross-originator beneficiary models to accurately detect fraud with low alert volume; no rules or scenarios to define

Criminal can spoof email sender, content language, style, wire amounts

But they cannot spoof how an originator sends a wire

Page 19: ISMG - Fighting Business Email Compromise

Recent Successes

Fraud prevented: $19M in last two months (primarily BEC, have not missed fraud)

Efficiency gains: Bank reduced reviews to only high risk wires (50-100 wires/day)

Client experience: Reduced callbacks

Reduction in alerts has freed time to discuss possible BEC with clients in more detail

Bank with ~4,000 wires per day

Fraud prevented: $500K in last six months (BEC and ATO, have not missed any fraud)

Efficiency gains: Reduced reviews 70% (75/day)

Increased wire risk management coverage 400%

Client experience: Faster processing; Fewer callbacks (1-5/day)

Bank with nearly 2,000 wires per day

Page 20: ISMG - Fighting Business Email Compromise

Behavioral Analytics In The Future

Anand Sureka

Page 21: ISMG - Fighting Business Email Compromise

Meeting The New Requirements

Legacy (Rules/scenarios): Identity; Threat specific; Payment/channel slice

Modern (Analytics): Behavior; Threat agnostic; Holistic view

Next-Generation (Analytics): Behavior + context; Threat agnostic; Omni-channel

Page 22: ISMG - Fighting Business Email Compromise

Unified Omni-channel Fraud Prevention

Channels: ATM; Contact Center; POS; Branch; Online; Mobile

Payments: Bill Pay; Debit; Wire; ACH; P2P

Customers ar

Page 23: ISMG - Fighting Business Email Compromise

Unified Omni-channel Fraud Prevention

Channels: ATM; Contact Center; POS; Branch; Online; Mobile

Payments: Bill Pay; Debit; Wire; ACH; P2P

Fraud prevention should be omni-channel, too

Diagram labels: Enterprise API; Omni-Channel Risk Engine; Omni-Channel Visual Analytics; Payments; Channels; Devices; Locations; Risk Data

Page 24: ISMG - Fighting Business Email Compromise

New Requirements for Fraud Prevention

• Support payment/channel innovation
• Improve customer experience
• Increase operational efficiency
• Address modern fraud

Page 25: ISMG - Fighting Business Email Compromise

Questions?

Follow Guardian Analytics

Page 26: ISMG - Fighting Business Email Compromise

Thank You for Attending!