The Fraud Examiner

How to Choose the Best Cyberfraud Prevention Solution
 

David Balaban  

Founder, MacSecurity.net and Privacy-PC.com                                 


As large-scale incidents of cyberfraud, like the Colonial Pipeline ransomware attack and T-Mobile data breach, have been increasing, fraud examiners need to be integrating tools that help protect against cyberfraud into their fraud prevention plans. Anti-fraud systems or products have protected cyber environments from account hijacking, identity theft and fraudulent transactions for many years. However, few people know that there are different types of products with specific characteristics. 

As its name suggests, an anti-fraud system is meant to detect and prevent fraudulent activities. Financial institutions were the first to use these systems at the beginning of the 2010s, following large-scale attacks that targeted e-banking systems. Later, other sectors — including e-commerce, client loyalty systems, gaming services, contextual ad platforms and insurance — implemented anti-fraud solutions too. Fraud prevention systems are pivotal whenever online transactions and trade take place.

Anti-fraud systems examine online transactions and other user actions to assess the fraud risk level posed. A common anti-fraud system consists of standard and system-specific rules, filters and lists that each action is checked against. Today, the machine-learning technology built into anti-fraud system enhances its performance by analyzing the client's data and detecting patterns.

Types of anti-fraud systems

There are two basic categories of anti-fraud solutions. The first type deals with transactions — commonly referred to as transaction fraud detection. To detect fraudulent activities, these systems apply a signature method and machine learning to cover a huge number of financial operations and actions taken by users and employees.

A signature method builds upon specific rules. This approach uses triggers that get activated following a preset algorithm or filters. Filters can flag transactions that are too large or frequent, transactions in atypical locations and other questionable actions that require additional verification.

The modern anti-fraud system has several hundred of these rules in its arsenal. However, this method has disadvantages — for example, the need to constantly revise old rules and create new ones.

A machine learning approach processes large amounts of data and implements algorithms that detect hidden correlations between users’ actions — which could indicate fraud. For example, banks have a database of past transactions with blocked operations flagged (such as fund transfers without the client's approval). The anti-fraud suite learns these transactions and forms patterns leading to denied transactions. Later, it can independently detect and terminate transactions that have signs of fraud. 

The other category of anti-fraud systems refers to browser anti-fraud systems. Unlike the first category, this does not analyze transactions or other activities. It collects various technical details about the user's session — such as the device used to initiate the transaction, the connection channel or user behavior, like keystrokes, touchpad/mouse movements, etc.

A browser anti-fraud system can detect credential theft resulting from a phishing attack or a data breach, as well as detect a fraudster’s account at the initial stage when he is only attempting to sign up.

An anti-fraud solution of this type examines many technical inputs and a variety of types of user behavior involving different devices, while transaction fraud detection systems do not implement these routines. Designing a session or browser anti-fraud system involves complex technical efforts. This limits its market presence for now.

    Fraud

    Criteria for selecting your best anti-fraud system

    Since each type of anti-fraud category examines a different data set, both types of anti-fraud systems should be used simultaneously to achieve complete protection against fraud. Banks, payment systems, crypto-exchanges, brokers, electronic currency exchange services, bonus program services and other financial platforms are among the type of clients that benefit from utilizing both browser and transaction fraud prevention. 

    At the same time, a mix of the two types of anti-fraud solutions would be excessive for some companies. Certain organizations, like companies that offer users a personal account, but do not have internal payment systems may stick to browser anti-fraud only. Like all anti-fraud plans, you should begin with a fraud risk assessment to determine what your risks are and which type, or both, are needed for your organization. Here are some things to consider:

    • Price: When assessing potential anti-fraud systems, the price should be transparent. In addition to the cost of the product itself, this amount should include deployment, fine-tuning, training of system administrators and other related costs. Your anti-fraud system price cannot exceed the losses it is to prevent. 
    • Testing: When evaluating systems by the functionality that is used to determine the level of risk, the most objective indicators will be those you can draw specific conclusions from. For example, whether a VPN server was used when accessing the site, is it possible to remotely access the device, etc. These are the indicators that can be determined quite accurately.
    • Machine Learning and AI: If available, AI and ML algorithms identify risks by analyzing big data and build patterns and regularities.
    • Maintaining Data Privacy: Another aspect to review is whether the system needs to collect confidential and personal data of the clients — a good system shouldn’t need to. This helps to prevent potential data breaches  and eliminates the need to obtain the client's consent to process personal data by a third party.

    Again, no single system is the ultimate protection from every kind of cyberattack. The key challenge an efficient anti-fraud system should address is to make an attack so complex and costly that a fraudster would give up and switch to other more accessible systems.

    There are a variety of products currently on the market that meet all or most of the above criteria. However, the performance of a specific anti-fraud system is subject to its internal algorithms that its developers do not disclose.

    Different anti-fraud products applied to different websites, and used under different operating conditions, will differ in performance and detection level. To be most confident in your choice, conduct comparative pilot testing of several solutions to ensure you have the best anti-fraud solution for your organization’s specific needs.

    Anti-fraud systems are extremely effective and efficient tools to combat fraudulent activities in the digital space. Ultimately it is up to you and your organization to research, compare and adopt a system that addresses your unique fraud risks.