Relying on consumers to protect themselves or on malware detection solutions to keep pace with the ever-growing list of variants is to play a dangerous game. What is needed is a more holistic, covert, and subtle approach.
Organisations need to protect themselves by using a layered security model:
- Intelligence: smart organisations are constantly monitoring the environment to identify potential threats as they are forming, much like a meteorologist will look at budding tropical depressions to identify potential hurricanes.
- Security: organisations need to enact strong authentication measures and multiple factors to make it harder for those with pilfered credentials to easily use them. The challenge is to provide security that doesn’t introduce too much friction for legitimate customers. This is often a difficult balancing act.
- Detection: even before a theft has occurred, organisations need to prioritise the detection of surveillance activities and employ systems able to stop an attack before additional damage can be done.
Risk management is often dictated by the philosophy of the practitioner. Authentication and transactional fraud detection can provide good protection but passively assuming that those functions are in place, and performing as expected, can also lead to a false sense of confidence.
For the true security practitioner (the realist) — those who see the glass as three-quarters empty and those that assume that their customer accounts have all been compromised — the ability to detect transactional money-movement activities as they happen is seen as completely reactive. In many cases, detecting attacks at this point may, in fact, be too late; as much as two weeks too late.
Conversely, stopping an attack during the surveillance period is critical. It is during this stage that a threat is often first identified and can be actively stopped. Without visibility into the attempted theft, however, organisations may find themselves scrambling to keep pace with the ever-changing tactics of attackers.
Getting to Work
To make the most of your fraud-prevention measures and counter fraudsters surveillance tactics, there are three actions that should be considered.
- Get as much visibility into your ecosystem as possible. This includes: who is logging in, what transactions are taking place, how loyalty programs are implemented and protected, what devices are used by which customers for what purposes and so on. This will make it easier to recognize unusual patterns that may be signs of danger.
- Make time your ally. Detection is the key to reducing risk, minimizing loss and protecting your brand. If you depend solely on perimeter defences to keep the criminals out or are waiting for the attempted movement of customer funds, it is too late. The moment an individual enters your environment, begin observing their behaviours. As soon as you have observations in hand, begin making risk assessments based on your business rules. Build evidence. This approach can improve the experience of legitimate customers by allowing you to better cater to their needs and expectations. But in the case of fraudsters, it means you can detect them much earlier and react appropriately.
- Assess your needs and assemble your arsenal. There are a lot of technology options, so take an inventory of threats and understand which solutions will best defend against the most sophisticated attackers. As you develop a better understanding of the dangers you face, you will be able to determine what tools and technology will best meet your strategic business needs.
Avoiding the potential damage that fraudulent acts can cause to your valuable reputation, customer experience and the organisation’s bottom line needs to be the paramount goal of everyone involved with fraud detection and risk reduction. Data breaches that have occurred at other businesses can have a direct impact to the security of your customer’s accounts.
Recognising this point and raising this issue internally within your business may help you get ahead of potential risks and keep you out of the news. And remember, there are great solutions that are battle-hardened and purpose-built to detect the use of compromised credentials before they result in damages. Seek them out and begin to include them in the future strategy for your organisation’s security. It’s at that level that customers will trust and do more business online and businesses have the ability to effectively grow and succeed.