© 2013 The Corporate Executive Board Company. All Rights Reserved.
CEB TowerGroup Retail Banking

ROADMAP FOR THE PRESENTATION
• Mobility, Privacy, & Security
• What’s in an Identity?
• Assessing Risks, Whether High or Low
HOW DO YOU DEFINE “IDENTITY”
We tend to view identity in the sense of a collective set of information that informs a single entity, but each data point has identity as well.
i-den-ti-ty
1. The collective aspect of the set of characteristics by which a thing is definitively recognizable or known.
2. The set of behavioral or personal characteristics by which an individual is recognizable as a member of a group.
3. The quality or condition of being the same as something else.
4. The distinct personality of an individual regarded as a persisting entity; individuality.
5. Information, such as an identification number, used to establish or prove a person's individuality, as in providing access to a credit account.
Source: www.thefreedictionary.com/identity
USER-CENTRIC VIEW OF IDENTITY
Know Your Customer, or “KYC”, is a fundamental component of service delivery and security, and helps maintain various ways of establishing user identity.
ATTRIBUTE-CENTRIC VIEW OF IDENTITY
Persistent and non-persistent identities can be relatable to different people, devices, and financial instruments.
DEVICE-CENTRIC VIEW OF IDENTITY
Devices have as many identifiable characteristics, and as much history of activity, as their users do.
Phones, desktop PCs, mobile devices and other technology enablers have their own history.
MOBILE-DEVICE CENTRIC VIEW
Highly mobile, personalized, easily lost, extremely capable devices have identities as complex as individuals.
ROADMAP FOR THE PRESENTATION (section divider; the slides that follow cover Assessing Risks, Whether High or Low)
EVOLVING FFIEC GUIDANCE: LAYERED SECURITY EXPECTATIONS
FFIEC is a catalyst for adoption, not for development.
The 2001 Guidance provided a framework for risk-based analysis of electronic commerce, but made no specific recommendation.
The 2005 Guidance update replaced the 2001 document and further reinforced the need for 2-factor authentication and increased customer education.
Guidance timeline:
• Authentication in an Electronic Banking Environment (August 8, 2001)
• Authentication in an Internet Banking Environment (October 12, 2005)
• Supplement to Authentication in an Internet Banking Environment (June 28, 2011)
• The 2011 Guidance Supplement states that a “layered security program will contain the following two elements, at a minimum.”
  – Detect and Respond to Suspicious Activity
    • At login and authentication
    • At initiation of transactions involving transfer of funds
  – Control of Administrative Functions
    • Business, or multi-user, accounts require enhanced controls and tools for permission delegation
WHERE DO YOU DRAW THE LINE?
Spectrum: Not Fraud → Might be Fraud? → Definitely Fraud
The measure of responsibility is based on the FSI’s implementation of “commercially reasonable” controls, but should also be based on customer ease of use.
How do your risk assessments account for transactions that require additional security?
NORMAL V. ABNORMAL
What does an identity typically do? Previous activity, frequency, and relationships with other identities are key to consider.
FFIEC – “Fraud detection and monitoring systems that include consideration of customer history and behavior”
Transaction matrix (the same matrix is reused on the next two slides):
Transaction    Location   Device    Recipient
Debit $100     Known      Known     Associated
Debit $100     Known      Unknown   Unassociated
ACH $10K       Known      Unknown   Associated
ACH $10K       Unknown    Known     Unassociated
Credit $3500   Unknown    Known     Associated
Credit $10K    Unknown    Known     Associated
HIGH V. LOW-RISK
Not all transactions are equal, and the type, amount, origin, destination, and other factors can be used to determine risk.
Which transactions deserve increased analysis and decisioning?
(The slide repeats the transaction matrix shown under NORMAL V. ABNORMAL.)
EXPECTED V. UNEXPECTED
Using only a specific history of activity can be too limiting: infrequent but legitimate transactions occur, and introducing additional security for them is unwarranted.
How do you accommodate new spending patterns without impeding the customer?
(The slide repeats the transaction matrix shown under NORMAL V. ABNORMAL.)
ROADMAP FOR THE PRESENTATION (section divider; the slides that follow cover Mobility, Privacy, & Security)
CEB TOWERGROUP RETAIL BANKING: MOBILE BANKING MATURITY CURVE
Financial institutions are focused now on building the first versions of mobile banking, adding functionality to attract users.
• With higher than expected adoption rates occurring at most banks, it is now time to push for the return on investment, both by enabling strategic marketing and by measuring profitability and retention.
• While some first-mover institutions are currently testing biometric authentication and ATM integration, 2015 is the forecasted date for large-scale deployment of these features.
Figure: Mobile Banking Maturity Curve, 2012-2015 (Source: CEB TowerGroup). Vertical axis: Adoption; horizontal axis: 2012, 2013, 2014, 2015. Phases: Achieving Critical Mass, then Creating A Preferred Channel. Milestones along the curve, in order:
• Basic Banking in Apps
• Comprehensive OS/Device Deployment
• Text Banking
• Critical Mass of Users
• Marketing & Sales Enablement
• Multi-Channel Integration
• Recognizable Security
• Loan Origination & Servicing
• ATM Integration
• Biometric Authentication
HOW WILL GUIDANCE CONTINUE TO EVOLVE?
With many organizations still striving to accommodate provisions under the 2011 FFIEC supplement, the possibility for another update is real, and likely needed.
Guidance timeline:
• Authentication in an Electronic Banking Environment (August 8, 2001)
• Authentication in an Internet Banking Environment (October 12, 2005)
• Supplement to Authentication in an Internet Banking Environment (June 28, 2011)
• Authentication in a Highly Mobile Internet Banking Environment (2014?)
• Update to accommodate mobile on its way?
• While current guidance applies to mobile banking as well, mobile devices are referenced more as an out-of-band authentication method for online banking.
AS OF 2013, FFIEC IS OUT-OF-DATE
Since 2011, mobile services, big data analytics, and fraud management services have evolved further still.
Current Guidance – Capability Gap Analysis
How do you respond to NON-suspicious activity?
• “High-risk” transactions may deserve special focus, but “low-risk” transactions should be considered as well.
• A risk-based approach should require more authentication for high-risk transactions and an easier transaction path for low-risk ones.
• Streamlining the process for lower-risk transactions alleviates staffing and can increase customer satisfaction.
The guidance takes a very user-centric view of identity
• Recognizes device identification as an authentication method.
• Is inclusive of other measures not specifically called out.
Mobile devices are not excluded or exempted, but special recognition is required
• Mobile devices are still Internet-enabled and monitoring protections extend to them, so they are covered under the 2011 Supplement. But with the evolution of mobile banking services, the guidance is incomplete.
CEB TOWERGROUP RETAIL BANKING: EVERY CHANNEL IN YOUR POCKET
Fully-integrated peripherals and a shared platform provide opportunities for real-time individual and collaborative service delivery.
Figure (caption truncated in extraction): Fully Integrated Peripherals and Shared Platform Provide ... Functions & Services and Integrated Peripherals, 2013. Source: Mobile is an Opportunity for a More Secure Channel, CEB TowerGroup, May 2012
• There are single-point solutions, but mobile users will interact with FSIs through a single communications device.
• A customer servicing strategy must strive for a consistent experience across all mobile access points.
• All access points must be individually and collectively secured.
PRIVACY ≠ ANONYMITY
Consumers understand some of their information will be tracked, and expect the information to be used to service and secure their accounts.
Consumer Desired Mobile Functions (percentages paired with the function labels in the order they appear on the slide):
• Sending automated bill pay reminders: 41%
• Depositing a check from my mobile phone: 43%
• Transferring money to accounts outside of my account: 44%
• Sending notice of a low balance: 46%
• Making a payment on a loan or a bill: 51%
• Sending notice of irregular account activity or changes to account notification: 54%
Source: Mobile Banking Survey Report, Varolli Corporation, January 2013
PRIVACY POLICIES MAKING THEIR WAY TO MOBILE
The White House, FTC, and EU Justice Commission, among others, are pushing for a consistent definition of privacy practices, and mobile devices garner special focus.
Figure: UI Composition Example for Mobile App Transparency Proposal. Source: National Telecommunications and Information Administration (NTIA)
© COPYRIGHT • IOVATION
FINANCIAL SERVICES: TOP FRAUD ISSUES
Issue                      Target                              Damages
New Account Origination    Bank; Consumer Identity; Merchant   Financial Loss; Operational Expense; Brand Damage; Customer Churn
Risk-Based Authentication  Bank; Customers                     Account Takeover; Breach Notifications; Loss of Trust; Customer Churn
Mobile Security            Bank; Customers                     Phones Compromised; Account Takeover; Customer Churn; Market Share
MOBILE BANKING ADOPTION: THE PRIMARY DRIVERS
• Consumers buying smartphones
• Convenience of mobile banking
• Timing coincided with bank starting to offer the service
Source: Federal Reserve System, Consumers and Mobile Financial Services, March 2013
MOBILE BANKING ADOPTION
“The use of mobile banking has increased by more than a third in the past year, and it appears likely to continue to increase as more and more consumers use smartphones.”
- FEDERAL RESERVE SYSTEM
MOST COMMON BANKING ACTIVITIES
ACCESS METHODS
• Mobile web browser
• Text messaging
• Mobile app
POPULAR ACTIVITIES
• Checking balances and recent transactions (33%)
• Transferring money between accounts (21%)
• Depositing checks (17%)
• Receiving text message alerts from bank (17%)
• Making bill payments (17%)
GENERAL REASONS FOR NON-ADOPTION
• Banking needs met without mobile usage (54%)
• Concern about security (49%)
• No reason to use it (47%)
• Do not own a smartphone (40%)
• Lack of trust in technology to process transactions properly (14%)
• Cost of data access on mobile phones (11%)
• Small size of mobile phone screen (10%)
• I don’t do the banking in my household (5%)
MOBILE SECURITY CONCERNS
SPECIFIC REASONS
• Hackers accessing their phone remotely (30%)
• Losing their phone or having it stolen (11%)
• Experiencing data interruption by a 3rd party (9%)
• Companies misusing personal information (3%)
• Malware or viruses being installed (2%)
MOST COMMON RESPONSE
• Concerned with all of these security risks (44%)
IOVATION’S VIEW: 2013 MOBILE USAGE GROWTH
Industry             2012   Jan – July   July
All                  15%    17%          19%
Financial Services   11%    18%          20%
Dating / Social      14%    25%          30%
Retail               7%     12%          14%
ASSOCIATING RELATED DEVICES
Tie together fraud that may be happening on the web. Implement iovation’s SDKs into your mobile banking apps to uncover related devices in iovation’s global shared network.
MOBILE EMULATION DETECTION
• Business Rule: triggers when the device does not have iOS or Android as its native operating system
WHAT WE DO
1. IDENTIFICATION: Has this device been seen before?
2. EVIDENCE: Has anyone had a bad experience?
FRAUD & ABUSE EVIDENCE TYPES
FINANCIAL
• Credit Card Fraud
• ACH/Debit Fraud
• Friendly Chargeback
• Insufficient Funds
• Potential Fraud
• Shipping Fraud
• Counterfeit Money Order
• Click Fraud
• Affiliate Fraud
• First Party Fraud
• Loan Default
MISCONDUCT
• Chat Abuse
• Spam
• Abusive to Support
• Promotion Abuse
• Policy Violations
• Customer Harassment
• Inappropriate Content
• Profile Misrepresentation
• Solicitation
• Code Hacking
• Arbitrage Betting
• Gold Farming
CHEATING
• Collusion
• Chip Dumping
• All-in Abuse
• Trading Restriction
ID THEFT
• True Identity Theft
• Synthetic Identity Theft
• Phishing
• Account Takeover
B2B FINANCIAL
• Business Identity Theft
• Fictitious Business
• Business Takeover
• Dealer Fraud
• Payment Evasion
• Business Misrepresentation
OTHER
• High Risk
• Under or Over Age
• Requested Exclusion
VALUE OF SHARING
Sharing automatically gives you access to fraud evidence placed by other iovation clients.
3X INCREASE IN FRAUD CATCH
4X INCREASE IN FRAUD CATCH
VALUE OF CROSSOVER
Financial Services bad device crossover with other industries: 57%
Bad devices are 2X as likely to be seen by other online sites.
WHAT WE DO
1. IDENTIFICATION: Has this device been seen before?
2. EVIDENCE: Has anyone had a bad experience?
3. ASSOCIATIONS: Does the device have connections?
4. ANOMALIES: Have any anomalies been found?
POWERFUL RULES ENGINE: MAKE IT WORK FOR YOU
• Geolocation: Evaluate location by country, region, city, ISP. Peer through proxies with Real IP.
• Evasion: Analyze device characteristics to flag users attempting to skirt recognition.
• Evidence: Tap millions of fraud records such as credit card fraud or account takeover attempts.
• Velocity: Set thresholds to detect excessive activity such as creation of multiple accounts.
BUSINESS RULES FOR ACCOUNT TAKEOVER ATTEMPTS
1. Evidence Exists (known fraud)
2. Country List (high risk and/or sanctioned countries in both real and stated IPs)
3. Accounts per Device
4. Geolocation Mismatch
5. Age of Account/Device Pair
6. ISP Watch List (high risk ISPs)
Example rule result:
Result: REVIEW
Rule Set: Payment
Rule: Geolocation Mismatch
Score: -1
Account: 180155824
Device: 3000000003169400
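The six rules and the result record on this slide, as an added example that is not iovation's code or product logic: a small Python rules engine evaluates one login or payment event against each rule, sums the scores, and emits a record in the slide's shape. The country codes, ISP name, field names, thresholds, score weights and decision bands are constructed assumptions.

```python
# Added example, not iovation's code: evaluate one event against the slide's six
# account-takeover rules. Thresholds, weights, lists and sample data are assumptions.
from dataclasses import dataclass

HIGH_RISK_COUNTRIES = {"XX", "YY"}        # placeholder high-risk/sanctioned codes
ISP_WATCH_LIST = {"badisp.example"}       # placeholder high-risk ISP list

@dataclass
class Event:
    account: str
    device: str
    real_ip_country: str        # country of the real IP seen behind any proxy
    stated_ip_country: str      # country of the IP the client presented
    account_home_country: str   # country on file for the account
    isp: str
    accounts_on_device: int     # distinct accounts seen on this device
    pair_age_days: int          # how long this account/device pair has been seen
    evidence: bool              # fraud evidence already recorded for this device

# Each rule returns (name, score) on a hit, else None. Negative means riskier,
# matching the "Score -1" convention on the slide.
def evidence_exists(e): return ("Evidence Exists", -3) if e.evidence else None
def country_list(e):
    hit = {e.real_ip_country, e.stated_ip_country} & HIGH_RISK_COUNTRIES
    return ("Country List", -2) if hit else None
def accounts_per_device(e): return ("Accounts per Device", -1) if e.accounts_on_device > 3 else None
def geolocation_mismatch(e):
    return ("Geolocation Mismatch", -1) if e.real_ip_country != e.account_home_country else None
def pair_age(e): return ("Age of Account/Device Pair", -1) if e.pair_age_days < 1 else None
def isp_watch_list(e): return ("ISP Watch List", -1) if e.isp in ISP_WATCH_LIST else None
RULES = [evidence_exists, country_list, accounts_per_device,
         geolocation_mismatch, pair_age, isp_watch_list]

def evaluate(e, rule_set="Payment"):
    hits = [h for h in (rule(e) for rule in RULES) if h]
    score = sum(s for _, s in hits)
    # Decision bands (assumed): known fraud evidence or a score of -3 or worse denies,
    # any other negative score goes to manual review, a clean event is allowed.
    if any(n == "Evidence Exists" for n, _ in hits) or score <= -3: result = "DENY"
    elif score < 0: result = "REVIEW"
    else: result = "ALLOW"
    return {"Result": result, "Rule Set": rule_set,
            "Rule": ", ".join(n for n, _ in hits) or "None",
            "Score": score, "Account": e.account, "Device": e.device}

if __name__ == "__main__":
    # Constructed event: known device, account on file in US, real IP resolves to GB.
    ev = Event("180155824", "3000000003169400", "GB", "GB", "US", "isp.example", 1, 400, False)
    print(evaluate(ev))  # Result REVIEW, Rule Geolocation Mismatch, Score -1
```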
NORMAL & EXPECTED: LOW RISK
Normal user activity from known devices and Geolocation, with good reputation.
EXAMPLE: Paying an established payee from a known mobile device from a known Geolocation.
ABNORMAL & EXPECTED: MEDIUM RISK
Unusual user activity from devices known to the account and appropriate Geolocation.
EXAMPLE: Applying for multiple credit cards in a short time period, but from a known device and appropriate Geolocation.
NORMAL & UNEXPECTED: MEDIUM RISK
Normal user activity but from new devices or unusual geolocations.
EXAMPLE: Checking your credit card balance from a known device but from an unusual geolocation.
ABNORMAL & UNEXPECTED: HIGH RISK
Atypical user activity from devices with reputation, suspicious Geolocation, and behavior pattern concerns.
EXAMPLE: Multiple credit card applications come through on the same device, but for different people.
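The four quadrants on these slides, and the known/unknown transaction matrix under NORMAL V. ABNORMAL earlier, as an added example that is not CEB TowerGroup's or iovation's code: "expected" is derived from device and geolocation context, "normal" from behaviour (recipient relationship, velocity, identities per device), and the quadrant is mapped to the risk level the slides assign. Field names, thresholds and the sample activities are constructed assumptions.

```python
# Added example (not CEB TowerGroup's or iovation's code): place an activity in one
# of the four quadrants on the slides and return the slide's risk level for it.
# Field names, thresholds and sample activities are constructed assumptions.
from dataclasses import dataclass

@dataclass
class Activity:
    kind: str                           # "payment", "balance_check", "card_application", ...
    known_device: bool                  # device previously associated with the account
    usual_geolocation: bool             # geolocation consistent with account history
    recipient_associated: bool = True   # payee/recipient already linked to the account
    recent_same_kind: int = 0           # same-kind actions in the recent window (velocity)
    identities_on_device: int = 1       # distinct applicant identities seen on the device

def is_expected(a):
    # "Expected" on the slides is context: a known device at an appropriate geolocation.
    return a.known_device and a.usual_geolocation

def is_normal(a):
    # "Normal" is behaviour: established relationships and ordinary frequency.
    if a.identities_on_device > 1:   # same device, different people
        return False
    if a.recent_same_kind >= 3:      # burst of applications or transfers (assumed threshold)
        return False
    return a.recipient_associated

# (normal, expected) -> risk level, exactly as the four slides assign it
RISK = {(True, True): "LOW", (False, True): "MEDIUM",
        (True, False): "MEDIUM", (False, False): "HIGH"}

def classify(a):
    normal, expected = is_normal(a), is_expected(a)
    quadrant = ("NORMAL" if normal else "ABNORMAL") + " & " + ("EXPECTED" if expected else "UNEXPECTED")
    return quadrant, RISK[(normal, expected)]

# The slides' own four examples plus two rows of the transaction matrix, as constructed inputs.
EXAMPLES = {
    "pay established payee, known device, known geo": Activity("payment", True, True),
    "several card applications, known device and geo": Activity("card_application", True, True, recent_same_kind=4),
    "balance check, known device, unusual geo": Activity("balance_check", True, False),
    "card applications for different people, same device": Activity("card_application", False, False, identities_on_device=3),
    "matrix: Credit $3500, unknown location, known device, associated recipient": Activity("credit", True, False),
    "matrix: Debit $100, known location, unknown device, unassociated recipient": Activity("debit", False, True, recipient_associated=False),
}

if __name__ == "__main__":
    for label, act in EXAMPLES.items():
        print(label, "->", classify(act))
```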