The Mobile Device: The New Center of the Fraud Prevention Universe with Aite & iovation, Feb 2017
TRANSCRIPT
Eddie Glenn, Product Marketing Manager, iovation
Julie Conroy, Research Director, Aite Group
AGENDA
• Findings from Aite research
• Mobile device as a solution
• Use cases
• Concluding remarks
ATO IS ON THE RISE IN MANY MARKETS
U.S. Account Takeover Losses, 2013 to e2020 (US$ Millions)
• 2013: $392
• 2014: $420
• 2015: $644
• e2016: $760
• e2017: $844
• e2018: $903
• e2019: $966
• e2020: $1,091
Source: Aite Group, 2016
Source: Financial Fraud Action UK, 2016
MOBILE TO THE RESCUE
Mobile as a Percentage of All Transactions by Industry
• Healthcare: 6%
• Public sector: 23%
• Travel: 30%
• Financial services: 42%
• Retail: 51%
Source: iovation, 2017
CONSUMERS WITH A SMARTPHONE:
• 72% of U.S. Consumers
• 68% of U.K. Consumers
• 67% of Canadian Consumers
MOBILE AS AN EXTENSION OF IDENTITY
• Verify that device has not been compromised
• Is device reporting truthful answers?
• Have a comprehensive fraud prevention and authentication strategy
IS YOUR MOBILE APP REALLY SAFE?
Security risks for Android are especially concerning
• 2M new strains of Android malware
• Android has 78% market share
Sideloading: Downloading apps from non-official stores puts the user credentials of your app at risk
Android rooting: Bypasses built-in security measures; is your app still safeguarded?
Fingerprint hijacking: Severe issues with Android's current fingerprint scanning framework
Is the mobile device telling you the truth?
Is the device ID really static and persistent? Hardware IDs such as IMEIs may not be unique, available, or even accurate. Device recognition requires a fabric of attributes.
Geo-location: Native geolocation can be bypassed and overridden easily. Other device signals can indicate its validity.
Emulators, VMs? Is your app really running on a mobile emulator or VM?
MOBILE FRAUD BEHAVIOR
Thwarted Recent Attacks
• ATO using Jailbroken iPad
• Evasion using ultra cheap Android phones
Mobile Emulator
• 0.001% of mobile traffic
• 50% confirmed fraudulent
Global Carriers w/ Highest Cases Of Fraud
• tiGo (Ghana)
• MTN (Nigeria, Ghana)
• Kcell (Kazakhstan)
• MegaFon (Russia)
The Building Blocks for a device intelligence solution
EVASION
IDENTIFICATION
JAILBROKEN
GEOLOCATION
SECURITY RISK
ASSOCIATIONS
UNKNOWN DEVICE AUTHENTICATED
GEOLOCATION
• Use a fabric of geolocation attributes to determine true location
• Detect jailbroken/corrupt devices and don’t trust geolocation info from them
MOBILE DEVICE IDENTIFICATION & ASSOCIATIONS
• Use a fabric of device identifiers, not just one
• Comprehensive device identification – all types of devices
• Keep device identification separate from personal identification
• Readily identify relationships between devices
SECURITY RISKS, EVASION, JAILBROKEN
• Look for behavioral indicators:
  • Past evidence of fraud
  • Associated with other devices/accounts that are known fraudulent
  • Frequent account creation
  • Frequent account access
  • Evading detection (TOR, Proxy)
• Look for device risk indicators:
  • Geo-location attributes mismatch
  • Jailbroken/rooted
  • Device attributes mismatch
  • Unsafe ISP, IP, country
#2: Have a comprehensive & consistent online protection strategy
• Fraudsters look for all points of vulnerability
• Plug one hole and fraudsters will look for another (e.g. what happened to CNP fraud when EMV was introduced?)
• Desktop web/apps AND mobile web/apps
• Fraud prevention AND authentication
#3: Scale the level of authentication as transaction risk increases
DEVICE-BASED AUTHENTICATION SERVICE
CUSTOMIZABLE MULTIFACTOR AUTHENTICATION
GROUP AUTHORIZATION
IOVATION SOLUTIONS
IOVATION INTELLIGENCE CENTER
Platform
GLOBAL DEVICE INTELLIGENCE PLATFORM
• Device Recognition
• Device Associations
• Contributed Evidence
• Deep Analytics
• Machine Learning
Products
Dynamic Authentication Suite: Multi-factor security with exceptional user experience
• ClearKey
• LaunchKey MFA
Fraud Prevention Suite: Stop online fraud and abuse in real-time
• Fraud Prevention
• SureScore
BUILD YOUR SECURITY WITH THE ASSUMPTION
that the bad guys will breach the perimeter.
RESOURCES
GO TO WWW.IOVATION.COM/RESOURCES
Fraud Prevention Data Sheet
iovation Fraud Prevention stops online and mobile fraud in real time.
AITE REPORT: THE MOBILE DEVICE
The full report on customer experiences and the role that mobile plays.
Thank you.
Julie Conroy | Research Director
Aite Group is a global research and advisory firm delivering comprehensive, actionable advice on business, technology, and regulatory issues and their impact on the financial services industry. With expertise in banking, payments, insurance, wealth management, and the capital markets, we guide financial institutions, technology providers, and consulting firms worldwide. We partner with our clients, revealing their blind spots and delivering insights to make their businesses smarter and stronger.
Visit us on the Web and connect with us on Twitter and LinkedIn.