Over the past few years, I have spoken to countless executives about the challenges of managing fraud risk - from corporate banking to online gaming and digital marketplaces. Whether the goal is to protect billions of investment dollars or prevent bad guys from buying online gaming credits with a stolen credit card, the same sentiments always ring true.
If your website (a) has a login page and (b) allows customers to 'do stuff', then your company is a target for attackers.
One concept used to explain control techniques that has resonated better than most is above vs. below the line controls. Above vs. below the line is a well-known marketing concept that I've re-purposed into a fraud risk paradigm. In marketing, they are defined as:
- Above the Line (ATL). Direct marketing, where the consumer is aware they are being targeted for promotion of a specific product or service, typically delivered via a broad brush media platform. Television advertising is a great example.
- Below the Line (BTL). More subtle, targeted approach to marketing. Often the heavy lifting is executed in the background via customer segmentation and data analysis. User specific content via social media platforms is a common technique. We're often unaware that we're passively ingesting prompts to buy the latest product from a given organization.
When we apply this concept to fraud and security controls, we may tweak the definition slightly, but ultimately the same principles apply.
Above the line controls are those which a consumer can 'touch and feel', whereas below the line controls work in the background. Strong authentication is a great example of an ATL control as it is something that a consumer can directly interact with, such as a step-up challenge they may receive if transacting from an unrecognized device. Threat intelligence, data analysis and customer profiling are examples of BTL controls.
Above the line controls - The good and not so good
Above the line controls are important for protecting the reputation of an organization and providing a baseline level of security. Your company may have the most secure system in the world, but if customers still do not feel secure, then the perception of poor security may become reality.
Contactless credit card transactions are a perfect example. The perception of security for 'tap and go' purchases is mixed, even though the controls are actually far stronger than old school mag-stripes and signatures. No one has ever asked me if it was ok to swipe my card's (un-encrypted) mag-stripe, yet people still ask if it is okay to tap my card! (That is an article for another day)
Although above the line techniques are the starting point for the fraud and security controls of an organization, there are two fundamental weaknesses:
- They can be re-engineered. If customers know how they work, then so do the bad guys.
- Slow to implement, hard to change. Any change means direct customer impact and therefore, has the potential to negatively impact the customer experience and disrupt delivery of the product. Any change needs to be robust, thoroughly tested and implemented with a comprehensive communications plan. This translates to time, money and resources.
Let's take SMS one-time passcode (OTP) as an example. On its own, it was a very effective control until attackers figured out how to defeat it with phone porting and mobile malware. Figuring out how to migrate millions of customers from SMS OTP to something more robust is now a big problem for many organizations.
Below the line controls
To balance our control framework, we also need to invest in below the line fraud controls. The key advantages of this approach are:
- They cannot be easily re-engineered. Below the line controls provide long term benefits as they can't be de-compiled and bypassed with brute force effort. How can you understand why an attempted fraudulent transaction has been stopped when there are hundreds of inputs behind that decision? The answer is you can't.
- Agility. No direct customer impact means that you can change, add, remove, and even break these controls without your end customers knowing. This is critical for effective fraud risk management, as the days of a 'set and forget' fraud strategy are long behind us.
To help demonstrate the implications and importance of a balanced fraud risk control approach, let's play out a hypothetical, but real world, scenario.
Company A Profile: Primarily invests in 'Above the Line' controls including:
- Mandatory SMS one-time passcode for all login events
- Customer education via statement inserts, secure mail and website messaging
- Email notifications of all payments greater than $500
Company B Profile: Primarily invests in 'Below the Line' controls including:
- Online session data. Every customer 'click' across every digital channel
- Threat intelligence. Internal research, open source and commercial
- Risk based, two-factor authentication, for key customer events (e.g. payments)
If you were an attacker, which organization would you target?
For me, it has to be Company A. It has two-factor authentication at the front door, but once you're in, it's Christmas! Just be sure not to get too greedy, as you know customers are emailed for every payment greater than $500. It is highly unlikely that you would be detected in the short term, and you could probably steal large sums of money.
As a bad guy, Company B would be very frustrating to attack and not worth my trouble. Like the typical fraudster, I seek the biggest payday possible with the least amount of effort. Trying to beat dynamic controls that I can't reverse engineer requires investment of time and money, with no guarantee of an outcome. Besides, I have expensive cars to drive, virtual currency to launder and malware coders to pay!
There is no perfect approach, but if I was given the task to build a fraud risk control strategy from scratch and could only invest in three things, it would look something like this:
- Risk-based, strong authentication. Delivery via mobile devices is ideal: because it is software-based, it can be adapted as the business and threat environment dictate.
- Data, data and more data. Specifically real-time, click by click, online session data to detect and see a threat as it happens, not days/weeks/months later.
- Threat intelligence function. Smart folks who can research and interpret intelligence from internal, open source and commercial sources.
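To make the three investments above concrete, here is an added example (my own illustration, not code from the article or from any product it describes) of a small below-the-line risk engine. It replays a constructed click-by-click session stream, combines device history, a threat-intelligence IP list and in-session behaviour into a score, and uses that score to decide when the above-the-line step-up challenge is invoked for a payment. Beside it sits Company A's static "email on payments over $500" rule, so you can see why a fixed, customer-visible threshold is easy to stay under. The event fields, signal weights, thresholds and IP addresses are all assumptions chosen for the demonstration; the addresses come from documentation-only ranges and are not real indicators.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed threat-intelligence feed. 203.0.113.0/24 is a documentation-only
# range, so this entry is a placeholder indicator, not a real one.
THREAT_INTEL_IPS = {"203.0.113.10"}

# Constructed device history: devices previously seen for each customer.
KNOWN_DEVICES = {"cust-1": {"dev-A"}}

# Illustrative weights and thresholds (assumptions, not figures from the article).
STEP_UP_THRESHOLD = 30   # at or above: trigger the customer-facing step-up challenge
BLOCK_THRESHOLD = 70     # at or above: decline and hand to the fraud team
STATIC_EMAIL_THRESHOLD = 500  # Company A's above-the-line notification rule


@dataclass
class SessionEvent:
    ts: datetime
    customer_id: str
    device_id: str
    ip: str
    action: str        # "login", "view", "add_payee" or "payment"
    amount: float = 0  # only meaningful for "payment"


def score_payment(event, history, known_devices=KNOWN_DEVICES, intel_ips=THREAT_INTEL_IPS):
    """Combine below-the-line signals into a risk score for one payment event.

    `history` is the click stream seen before `event`. Returns (score, reasons).
    """
    score, reasons = 0, []
    if event.device_id not in known_devices.get(event.customer_id, set()):
        score += 25
        reasons.append("unrecognised device")
    if event.ip in intel_ips:
        score += 25
        reasons.append("source IP on threat-intel list")
    # Behavioural signals from the last ten minutes of this customer's session.
    recent = [e for e in history
              if e.customer_id == event.customer_id
              and timedelta(0) <= event.ts - e.ts <= timedelta(minutes=10)]
    if any(e.action == "add_payee" for e in recent):
        score += 15
        reasons.append("payee added in the last 10 minutes")
    if sum(1 for e in recent if e.action == "payment") >= 2:
        score += 20
        reasons.append("payment velocity")
    if event.amount > STATIC_EMAIL_THRESHOLD:
        score += 10
        reasons.append("large amount")
    return score, reasons


def decide(score):
    """Map a risk score to the control that is applied."""
    if score >= BLOCK_THRESHOLD:
        return "block"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"


def evaluate_session(events):
    """Replay a click stream in time order and return a decision per payment."""
    decisions, history = [], []
    for e in sorted(events, key=lambda x: x.ts):
        if e.action == "payment":
            score, reasons = score_payment(e, history)
            decisions.append({"ts": e.ts.isoformat(), "amount": e.amount,
                              "score": score, "decision": decide(score),
                              "reasons": reasons})
        history.append(e)
    return decisions


def static_rule_alerts(events):
    """Company A's customer-visible rule: notify only on payments over $500."""
    return [e for e in events if e.action == "payment" and e.amount > STATIC_EMAIL_THRESHOLD]


# Constructed sample: a normal payment from a known device, then a session from an
# unknown device on a flagged IP that adds a payee and fires payments just under $500.
T0 = datetime(2024, 1, 15, 9, 0, 0)
SAMPLE_EVENTS = [
    SessionEvent(T0, "cust-1", "dev-A", "192.0.2.5", "login"),
    SessionEvent(T0 + timedelta(minutes=1), "cust-1", "dev-A", "192.0.2.5", "payment", 120),
    SessionEvent(T0 + timedelta(hours=3), "cust-1", "dev-Z", "203.0.113.10", "login"),
    SessionEvent(T0 + timedelta(hours=3, minutes=2), "cust-1", "dev-Z", "203.0.113.10", "add_payee"),
    SessionEvent(T0 + timedelta(hours=3, minutes=3), "cust-1", "dev-Z", "203.0.113.10", "payment", 490),
    SessionEvent(T0 + timedelta(hours=3, minutes=4), "cust-1", "dev-Z", "203.0.113.10", "payment", 490),
    SessionEvent(T0 + timedelta(hours=3, minutes=5), "cust-1", "dev-Z", "203.0.113.10", "payment", 490),
]

if __name__ == "__main__":
    for row in evaluate_session(SAMPLE_EVENTS):
        print(row)
    print("static rule alerts:", len(static_rule_alerts(SAMPLE_EVENTS)))
```

Running it, the known-device payment is allowed, the first two payments from the suspicious session are pushed to the step-up challenge (the above-the-line control is applied only when the below-the-line signals call for it), and the third is blocked once payment velocity is added. The static $500 rule never fires, because every payment was kept just under the threshold. None of the weights are visible to the customer, so they can be retuned or replaced without any change to the customer experience.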
Just as in the marketing world, the most effective fraud control frameworks use a blend of both approaches to achieve an optimal outcome. Take two minutes out of your day and write down your company's key fraud controls (above or below a line). You might be surprised what it looks like.