The Mobile Device: The New Center of the Fraud Prevention Universe, with Aite & iovation (Feb 2017)


Upload: iovation

Post on 22-Mar-2017


The Mobile Device: The New Center of the Fraud Prevention Universe

FEBRUARY | 2017

EDDIE GLENN
PRODUCT MARKETING MANAGER, IOVATION

JULIE CONROY
RESEARCH DIRECTOR / AITE GROUP

AGENDA

• Findings from Aite research

• Mobile device as a solution

• Use cases

• Concluding remarks

Source: Informationisbeautiful.net

ATO IS ON THE RISE IN MANY MARKETS

U.S. Account Takeover Losses, 2013 to e2020 (US$ Millions)

2013: $392
2014: $420
2015: $644
e2016: $760
e2017: $844
e2018: $903
e2019: $966
e2020: $1,091

Source: Aite Group, 2016

Source: Financial Fraud Action UK, 2016

COMPROMISED DATA IS QUICKLY SOLD

CREDENTIALS GARNER A PREMIUM IN THE UNDERWEB

$3.78 $6.43 $3.02 $0.22

Source: Trend Micro, 2016

BUSINESSES MUST BE AS NIMBLE AS THE CRIMINALS

UNDERSTANDING THE CUSTOMER’S DIGITAL IDENTITY IS CRUCIAL

MOBILE TO THE RESCUE

Mobile as a Percentage of All Transactions by Industry

Healthcare: 6%
Public sector: 23%
Travel: 30%
Financial services: 42%
Retail: 51%

Source: iovation, 2017

CONSUMERS WITH A SMARTPHONE:

• 72% of U.S. Consumers

• 68% of U.K. Consumers

• 67% of Canadian Consumers

MOBILE: THE CENTER OF THE FRAUD PREVENTION UNIVERSE

MOBILE AS AN EXTENSION OF IDENTITY

• Verify that device has not been compromised

• Is device reporting truthful answers?

• Have a comprehensive fraud prevention and authentication strategy

IS YOUR MOBILE APP REALLY SAFE?

Security risks for Android are especially concerning

• 2M new strains of Android malware

• Android has 78% market share

Sideloading: Downloading apps from non-official stores puts the user credentials of your app at risk

Android rooting: Bypass built-in security measures; is your app still safeguarded?

Fingerprint hijacking: Severe issues with Android's current fingerprint scanning framework

Is the mobile device telling you the truth?

Is the device ID really static and persistent?
Hardware IDs such as IMEIs may not be unique, available, or even accurate. Device recognition requires a fabric of attributes.

Geo-location
Native geolocation can be bypassed and overridden easily. Other device signals can indicate its validity.

Emulators, VMs?
Is your app really running on a mobile emulator or VM?

MOBILE FRAUD BEHAVIOR

Thwarted Recent Attacks

• ATO using Jailbroken iPad

• Evasion using ultra cheap Android phones

Mobile Emulator

• 0.001% of mobile traffic

• 50% confirmed fraudulent

Global Carriers w/ Highest Cases Of Fraud

• tiGo (Ghana),

• MTN (Nigeria, Ghana),

• Kcell (Kazakhstan),

• MegaFon (Russia)

The Building Blocks for a device intelligence solution

EVASION

IDENTIFICATION

JAILBROKEN

GEOLOCATION

SECURITY RISK

ASSOCIATIONS

UNKNOWN DEVICE AUTHENTICATED

GEOLOCATION

• Use a fabric of geolocation attributes to determine true location

• Detect jailbroken/corrupt devices and don’t trust geolocation info from them

MOBILE DEVICE IDENTIFICATION & ASSOCIATIONS

• Use a fabric of device identifiers, not just one

• Comprehensive device identification – all types of devices

• Keep device identification separate from personal identification

• Readily identify relationships between devices

Security risks, evasion, jailbroken

• Look for behavioral indicators:
  • Past evidence of fraud
  • Associated with other devices/accounts that are known fraudulent
  • Frequent account creation
  • Frequent account access
  • Evading detection (TOR, Proxy)

• Look for device risk indicators:
  • Geo-location attributes mismatch
  • Jailbroken/rooted
  • Device attributes mismatch
  • Unsafe ISP, IP, country

3 STEPS
For building an online fraud prevention & authentication strategy

#1: Keep it frictionless for your users

#2: Have a comprehensive & consistent online protection strategy

• Fraudsters look for all points of vulnerability

• Plug one hole and fraudsters will look for another (e.g. what happened to CNP fraud when EMV was introduced?)

• Desktop web/apps AND mobile web/apps

• Fraud prevention AND authentication

#3: Scale the level of authentication as transaction risk increases

DEVICE-BASED AUTHENTICATION SERVICE

CUSTOMIZABLE MULTIFACTOR AUTHENTICATION

GROUP AUTHORIZATION

IOVATION SOLUTIONS

IOVATION INTELLIGENCE CENTER

Platform

GLOBAL DEVICE INTELLIGENCE PLATFORM

Device Recognition

Device Associations

Contributed Evidence

Deep Analytics

Machine Learning

Products

Dynamic Authentication Suite

Multi-factor security with exceptional user experience

ClearKey LaunchKey MFA

Fraud Prevention Suite

Stop online fraud and abuse in real-time

Fraud Prevention

SureScore

Use cases

BUILD YOUR SECURITY WITH THE ASSUMPTION that the bad guys will breach the perimeter.

RESOURCES

GO TO WWW.IOVATION.COM/RESOURCES

Fraud Prevention Data Sheet

iovation Fraud Prevention stops online and mobile fraud in real time.

AITE REPORT: THE MOBILE DEVICE

The full report on customer experiences and the role that mobile plays.

Thank you.

Julie Conroy | Research Director
O: [email protected]

Aite Group is a global research and advisory firm delivering comprehensive, actionable advice on business, technology, and regulatory issues and their impact on the financial services industry. With expertise in banking, payments, insurance, wealth management, and the capital markets, we guide financial institutions, technology providers, and consulting firms worldwide. We partner with our clients, revealing their blind spots and delivering insights to make their businesses smarter and stronger.

Visit us on the Web and connect with us on Twitter and LinkedIn.

Q&A