Securing the Digital World

Beyond the Login: Web Behavior Analytics Helps Retailers Stop Fraud

Feb 08, 2016 | by RSA

In a world of scammers, fraudsters and bad actors, there are two immutable rules thoroughly entrenched in the consciousness of IT professionals trying to stop them. Rule 1: If there is something to monetize, cybercriminals will find it. Rule 2: If you have a loophole or weak control on your website, cybercriminals will find it.

The well-regarded Brian Krebs, in a recent post, referenced the use of multi-factor authentication as a solution to prevent consumer fraud, in this case on

As described by Krebs, this "multi" or two-factor authentication requires any criminal fortunate enough to come up with a stolen account user name and password to also have a 'second' factor - such as a cell phone number - before getting carte blanche on Amazon's site.

In this case, however, with multi-factor authentication turned on, Amazon "remembers" each user and each user's device. Anyone trying to use any credentials tethered to that account will have the site automatically prompt for the correct code from that second stored 'factor' (such as mobile device phone number, text/SMS message and so on). Without being able to successfully complete that 'circuit' (i.e. authenticate on two factors), Amazon won't let the faux user load up a shopping cart.

Web behavior analytics is another layer being used more pervasively by merchants and other e-commerce providers to detect fraud. Behavioral analytics solutions parse user behavior, looking for suspicious patterns outside what is typical for the majority of visitors to the website. For example, how does a user navigate the site from page to page - does it comport with other "normal" user sessions around the same time? Are the user's page transitions, click-times and frequency of clicks by page outside what's normally observed? By isolating variances, web behavior analytics can interpret and project them to demonstrate that some level of fraud may be occurring.

One recent post contends that behavioral analytics can not only identify anomalies at the transaction level - the same IP address simultaneously opening hundreds of accounts within minutes of each other - but also when it comes to individual card-not-present (CNP) transactions. For example, think of an individual purchasing multiple one-way trip tickets in a single transaction. While this could be perceived as something anomalous, on its own it might not raise any red flags. However, if instead that individual navigated almost immediately to the shopping cart for check out, but without page views based on different departure dates, times and airlines, well, that type of behavior almost always demands further scrutiny.

What follows is a sample of simple rules a behavioral analytics solution could use to identify potential threats:

  1. Suspect activity following an email change, especially when the change was done in a very quick, deliberate fashion. In other words, they've likely done this before.
  2. Email updates to multiple accounts from the same IP address.
  3. Account credential checking. At some point an IP will check multiple login credentials after stealing password information from other sites (more often than not, customers are prone to recycling the same passwords across multiple sites).
  4. Multiple IPs accessing the same account, especially from disparate geo-locations.
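
The four rules above reduce to simple aggregations over a stream of session events. The following Python is an added example, not code from RSA or any product: the event format, action names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample events: (epoch_seconds, ip, account, action, country)
EVENTS = [
    (1000, "203.0.113.7", "alice", "login_ok", "US"),
    (1004, "203.0.113.7", "alice", "email_change", "US"),
    (1030, "203.0.113.7", "bob", "login_ok", "US"),
    (1033, "203.0.113.7", "bob", "email_change", "US"),
    (2000, "198.51.100.9", "carol", "login_fail", "BR"),
    (2001, "198.51.100.9", "dave", "login_fail", "BR"),
    (2003, "198.51.100.9", "frank", "login_ok", "BR"),
    (3000, "192.0.2.44", "frank", "login_ok", "DE"),
    (4000, "192.0.2.80", "grace", "login_ok", "US"),
    (4300, "192.0.2.80", "grace", "email_change", "US"),
]
# Assumed thresholds; tune them against your own site's baseline.
QUICK_CHANGE_SECS = 10   # rule 1: email change this soon after login
MULTI_ACCOUNT_MIN = 2    # rule 2: accounts with email changes per IP
CRED_CHECK_MIN = 3       # rule 3: distinct accounts tried per IP
GEO_MIN = 2              # rule 4: distinct countries per account

def evaluate(events):
    """Return a sorted list of (rule_number, subject) alerts."""
    last_login = {}                   # (ip, account) -> time of last good login
    email_by_ip = defaultdict(set)    # ip -> accounts whose email it changed
    tried_by_ip = defaultdict(set)    # ip -> accounts it attempted to log in to
    seen_by_acct = defaultdict(set)   # account -> (ip, country) of good logins
    alerts = set()
    for ts, ip, acct, action, country in sorted(events):
        if action.startswith("login"):
            tried_by_ip[ip].add(acct)
        if action == "login_ok":
            last_login[(ip, acct)] = ts
            seen_by_acct[acct].add((ip, country))
        elif action == "email_change":
            email_by_ip[ip].add(acct)
            started = last_login.get((ip, acct))
            if started is not None and ts - started <= QUICK_CHANGE_SECS:
                alerts.add((1, acct))
    alerts |= {(2, ip) for ip, a in email_by_ip.items() if len(a) >= MULTI_ACCOUNT_MIN}
    alerts |= {(3, ip) for ip, a in tried_by_ip.items() if len(a) >= CRED_CHECK_MIN}
    for acct, seen in seen_by_acct.items():
        ips, countries = {i for i, _ in seen}, {c for _, c in seen}
        if len(ips) > 1 and len(countries) >= GEO_MIN:
            alerts.add((4, acct))
    return sorted(alerts)

if __name__ == "__main__":
    print(*evaluate(EVENTS), sep="\n")
```

The "grace" session changes its email five minutes after login from a single IP, so it trips none of the rules; only the fast, repeated, or geographically split activity is flagged.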

In general, multi-factor authentication as well as behavioral analytics represent only pieces of the entire fraud prevention puzzle for today's IT security-focused professionals. In fact, only when you thoroughly understand the user experience on your site, calibrate to its threat horizon, and have threaded to multiple access points, can you even hope to keep the bad guys from taking advantage of them - or you.