VeriSign Fraud 101 for Banking Industry Guidebook
A banking industry guidebook for detecting frauds. Very useful.
INDUSTRY GUIDEBOOK: Fraud 101 for Banking
Guard Against Fraud and Identity Theft
Banks look to superior, layered identity protection and fraud detection to help meet FFIEC Guidance
Online fraud and identity theft have become major headaches for banks today. Online fraud and identity theft not only lead to significant financial losses, but also they can damage a bank’s reputation, disclose customer information and lead to data corruption. In 2005, approximately 10 million adults in the U.S. were victims of some type of identity theft. More than 50 million accounts were compromised.
These factors have prompted the Federal Financial Institutions Examination Council (FFIEC) to issue guidance for protecting online banking. Although the FFIEC guidance is focused on the risks and risk management techniques associated with the Internet delivery channel, its principles also apply to all electronic banking activities.
Citing the fact that single-factor authentication does not sufficiently address account fraud and identity theft, the FFIEC guidance essentially says that it’s no longer sufficient for banks to authenticate customers for high-risk transactions involving access to customer information or movement of money from one party to another with simply a user name and password. According to the FFIEC, “where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security or other controls reasonably calculated to mitigate those risks.”
Good News and Bad News
The FFIEC guidance comes as both good news and bad news to banks. The good news is that the FFIEC is giving financial institutions – many of which have not taken proactive steps to address the problem of identity theft and online fraud – a positive direction and guidelines on fraud prevention methods.
The bad news is that the FFIEC guidance presents a challenge to banks in that they must complete the risk assessment and implement risk mitigation activities by year-end 2006.
Fight Fraud, Meet FFIEC Compliance
While the FFIEC does not specifically recommend or endorse any particular solution, stating that the selection and use of authentication technologies depend on the results of the financial institution’s risk assessment, one thing is very clear. Where risk assessments indicate that the use of single-factor authentication is inadequate, banks should implement multifactor authentication, layered security or other controls to mitigate the risks.
Banks may choose to authenticate customers through something a person knows (such as a password or PIN), something a person has (such as a physical device or token that must be physically connected to a computer), or something physical that is unique to each person (biometrics recognize a physical characteristic like a fingerprint, voice pattern or hand geometry). Multifactor authentication uses two or more of these factors to verify customer identity.
Today, all banks are certainly aware of the online fraud problem. However, they vary considerably in their approach to dealing with this concern. With the incidences of phishing and pharming, and the resulting negative media coverage, there’s some confusion in the banking industry as to how large, and what type, of a threat online fraud really is, as well as how to address the problem.
While it’s essential for banks to fight fraud, it’s also important to understand why it is so difficult to do. First, there are many types of fraud, including internal, external and indirect fraud, which come through the misuse of various systems. There is a spectrum of fraudsters, from those who commit basic phishing attacks to those who know how to take advantage of corporate networks.
Fraud will always remain elusive because fraudsters are getting smarter. They can change how they approach accessing confidential data every day. This means that the solutions to address fraud must be highly flexible and able to detect and react to fraud that systems have never seen before.
Nico Popp, vice president and general manager, VeriSign Authentication Services, characterizes fraud detection as an arms race. “Even as we introduce new solutions, fraudsters are going to displace the problem. Right now, it’s easy for them,” Popp says. “The phishing attacks are not very sophisticated because the user is very easy prey. But as we start deploying solutions, including fraud detection, risk-based authentication and site authentication, we raise the bar and make it more difficult for them.”
Popp contends that banks will not be successful in the long run if they deploy point solutions. “The fraudsters are very smart at taking advantage of the network, so we have to take a network approach to fighting fraud,” Popp notes.
“An issue we face right now is that our identities are everywhere and reside in different silos. We all have identities with the IRS, the government, banks, healthcare providers and credit card companies,” says Popp. “We can either protect the silos one by one, or we can fix the infrastructure by taking a network approach so we’ll be in a much better position to propagate changes and secure everyone more quickly.”
Facing the Fraud Challenges
Fraud is a major concern for the public, and customers’ fear of fraud has become a problem for banks. “It’s very confusing for banks to figure out if they need to solve a public relations problem, or if they need to solve a true fraud situation out there,” says Jed Putterman, VeriSign’s director of fraud detection services.
Banks have short-term, medium-term and long-term challenges when confronting the issue of fraud. In the short term, banks’ biggest challenges are compliance risk and reputational risk. Banks must comply with regulatory requirements and guidance. In addition, they must safeguard their reputations. “One of the main concerns of the bank right now is not to be in the news because of a major break-in,” notes Popp.
“When consumers see that someone can break into a 40-million-record database, they get very worried about their own online information,” explains Popp. “That’s the best case. The worst case is that the online channel could collapse, which would lead to huge negative business consequences. We’re not there yet, though. There’s still good adoption of online banking.”
In the medium term, banks are challenged with the hard
dollar costs of fraud. These costs may be directly tied to an
online break-in, or they may be more difficult to link to online activity. Banks may not believe they are losing money online, but identity theft often occurs cross-channel. Therefore, it isn’t immediately clear how often identities are stolen online, then used by criminals to steal money offline. For example, a fraudster can get into a customer’s bank account, look at the customer’s checks, then create counterfeit checks. This would be reported as offline identity theft or fraud, but it is enabled by an online break-in.
The long-term challenges are more elusive and less concrete. These challenges have to do with trust, whether consumers will maintain their trust in the bank and in the Web channel itself.
“It’s the cost of fraud in the medium term and the fear of fraud that become the real challenge,” says Popp. “That’s the long-term strategy banks grapple with.”
The most forward-thinking and savvy banks understand that what’s at stake is trust in the Internet, which is a strategic business issue. Online transactions cost banks a small fraction of the price of a branch or phone transaction, so banks have a vested interest in keeping customers online.
“If you look at financial institutions worldwide, they have drawn huge benefits and efficiencies by moving people and business to the Web. Online banking is one example,” Popp points out. “If consumers start saying that the Internet is not as secure as they once thought, they may stop using the Internet for transacting business. All the business value that has been created by moving people online these past years is at stake now.”
A Pleasant User Experience
But while protecting consumers from fraud is essential and assuring them that their online transactions are safe is critical, maintaining a pleasant user experience is equally important. In today’s fast-paced world, consumers want a quick, efficient and hassle-free user experience. They don’t want to be bothered with numerous, arduous steps to be authenticated by Web sites.
“Solutions out there will impact not only banks’ back-end systems but also how a user interacts with the bank, which surely will change,” says Kerry Loftus, director of authentication services for VeriSign. “It’s not just the complication of the technology integration, but also how the user experience will change. Banks have to strike a balance.”
The authentication solution can be a point of differentiation for banks competing for new customers and in customer retention. “Banks must consider what the authentication solution will mean to them in comparison to competitors,” she points out. “Each bank also must think about the ramifications if it does something adverse to the user experience. If they make the user experience frustrating or difficult, they might see customers leave the bank and take their business elsewhere.”
“But banks can actually boost customer satisfaction by using the right solution. Banks can increase their customer base because they position themselves as a security thought-leader and a best-practice provider of secure banking online, so the rewards there can be huge,” Loftus says.
Meeting the Deadline
While some banks are poised and ready to meet the FFIEC guidance, other banks are not up to speed with customer authentication methods. Many banks haven’t identified the systems they want to put in place, or they haven’t started the implementation process. Unfortunately, many institutions are still at risk of not meeting the guidance by the year-end deadline.
“The FFIEC guidance has really jumpstarted activity among banks. It has brought the problem of authenticating customer identity to the forefront, which forces banks to make some decisions,” says Putterman. “The FFIEC guidance has acted as a catalyst for banks to begin to get this moving. Before, many banks were simply not taking the initiative to do something in the short term.”
Banks may still be confused about exactly what the FFIEC requires. They may not have done sufficient research to understand what system they need to put in place to meet the guidance.
Larger banks seem to be generally well-positioned to have an adequate authentication system in place by year-end. These banks, typically thought-leaders in the industry, tend to be in the forefront of technology adoption. Some banks are lagging far behind, however, and are scrambling to implement a solution by the Dec. 31, 2006 deadline.
Luckily, Putterman says, a number of solutions will get banks quickly to a point where they can not only meet compliance by the end of the year, but also get the necessary systems and foundations in place to considerably enhance their security moving forward.
Accepted, Reliable, Scalable, Interoperable
The FFIEC guidance on how to authenticate introduced the idea into almost every financial institution that they have to look beyond first-factor authentication – simple user name and password – and look at an additional method for identifying their customers. The additional authentication doesn’t necessarily have to be a traditional second factor, like a token, but it does have to be a method that goes beyond the basic user name and password method that everyone uses today.
Four Ways to Detect Unusual Activity
An effective authentication method has to be accepted by the customer and be reliable, scalable and interoperable with existing systems. To garner customer acceptance, the solution must be invisible and uncomplicated for a consumer to use.
A superior fraud detection system should use four categories of information to detect unusual activity: computer, clock, connection and category. The most effective fraud detection system uses characteristics about the user’s computer, operating system, browser and other characteristics that make each computer unique. Fraud detection software can also use information about when each transaction occurred. A fraud detection engine should use information about the user’s connection to the Internet, including IP address, geo-location and connection speed. In addition, a fraud detection system can look at the transaction type and user type, such as student or high-net-worth individual.
Most commercial fraud detection systems include a rules engine, which allows banks to code rules for common patterns of fraud. The rules engine checks each transaction to see if it fits into any predetermined pattern of fraud or high-risk transactions. Rules-based systems can be extremely powerful and effective, but their effectiveness depends on including the right rules. Rules-based systems can protect banks only from known types of attacks, and as banks learn to identify known attacks, fraudsters change their methods to create new attacks. It can take only one new attack to inflict significant damage and loss.
Banks can also use anomaly detection systems to address the deficiencies of rules-based systems. These machine-learning anomaly detection systems rely on clustering algorithms that group similar transactions into a small number of clusters, each representing a common pattern of activity. If a transaction does not fit into any cluster, it is classified as an anomaly. The bank can then investigate the anomaly to gauge if it is fraudulent or legitimate.
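The rules engine and the clustering check described in the two paragraphs above can be sketched together as follows. This is an added example, not code from the guidebook or from any VeriSign product: the Txn fields, the distance weighting, the radius, the rule thresholds and the sample history are all constructed assumptions, and simple leader clustering stands in for whatever algorithm a real product uses.

```python
"""Rules engine plus clustering anomaly check over the four categories
(computer, clock, connection, category). Illustrative values throughout."""
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Txn:
    device: str    # computer: fingerprint of OS/browser traits (assumed label)
    hour: int      # clock: local hour of day, 0-23
    country: str   # connection: geo-location derived from the source IP
    kind: str      # category: transaction type
    amount: float  # category: value moved (0 for a plain login)

def distance(a: Txn, b: Txn) -> float:
    """Mixed-type distance in [0, 1]: mean of five per-feature mismatches."""
    gap = abs(a.hour - b.hour)
    hour_d = min(gap, 24 - gap) / 12                  # clock is cyclic
    amt_d = min(abs(math.log10(a.amount + 1) - math.log10(b.amount + 1)) / 3, 1.0)
    parts = [float(a.device != b.device), hour_d,
             float(a.country != b.country), float(a.kind != b.kind), amt_d]
    return sum(parts) / len(parts)

def build_clusters(history, radius=0.25, min_size=3):
    """Leader clustering: join the nearest cluster within `radius`, else start
    a new one. Clusters smaller than `min_size` are not common patterns."""
    clusters = []                                     # [leader, members]
    for txn in history:
        best = min(clusters, key=lambda c: distance(c[0], txn), default=None)
        if best is not None and distance(best[0], txn) <= radius:
            best[1].append(txn)
        else:
            clusters.append([txn, [txn]])
    return [leader for leader, members in clusters if len(members) >= min_size]

def is_anomaly(txn, leaders, radius=0.25):
    """True when the transaction fits none of the learned clusters."""
    return all(distance(txn, leader) > radius for leader in leaders)

# Hand-coded rules for known patterns (thresholds are made up for the example).
RULES = [
    ("large-transfer", lambda t: t.kind == "transfer" and t.amount >= 10000),
    ("night-transfer", lambda t: t.kind == "transfer" and t.hour < 5),
]

def matched_rules(txn):
    return [name for name, predicate in RULES if predicate(txn)]

def assess(txn, leaders):
    """Rules first (known fraud), then the behavioral check (unknown fraud)."""
    hits = matched_rules(txn)
    if hits:
        return "rule:" + ",".join(hits)
    return "anomaly" if is_anomaly(txn, leaders) else "ok"

# Constructed history for one customer: morning logins and bill payments on a
# desktop, evening logins on a phone, and a single one-off session elsewhere.
HISTORY = [
    Txn("dev-A", 8, "US", "login", 0), Txn("dev-A", 9, "US", "billpay", 120),
    Txn("dev-B", 20, "US", "login", 0), Txn("dev-A", 9, "US", "login", 0),
    Txn("dev-A", 10, "US", "billpay", 80), Txn("dev-B", 21, "US", "login", 0),
    Txn("dev-A", 8, "US", "login", 0), Txn("dev-A", 9, "US", "billpay", 150),
    Txn("dev-B", 22, "US", "login", 0), Txn("dev-C", 13, "US", "login", 0),
]
NORMAL = Txn("dev-A", 9, "US", "billpay", 95)       # matches a learned pattern
KNOWN = Txn("dev-A", 9, "US", "transfer", 25000)    # caught by a coded rule
NOVEL = Txn("dev-X", 3, "ZZ", "billpay", 900)       # no rule covers this one

if __name__ == "__main__":
    leaders = build_clusters(HISTORY)
    for label, txn in (("normal", NORMAL), ("known", KNOWN), ("novel", NOVEL)):
        print(label, "->", assess(txn, leaders))
```

The NOVEL transaction matches no coded rule, which is the gap the text attributes to rules-based systems; only the cluster check routes it for investigation.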
VeriSign® Identity Protection
VeriSign Identity Protection (VIP) is a comprehensive suite of identity protection and authentication services that allow consumer-facing applications to provide a secure online experience for end users at a reasonable cost. VIP consists of both on-premise and VeriSign-hosted components that can be accessed through standard network protocols for easy integration into existing Internet applications. VIP offers both invisible security through VIP Fraud Detection Service and more visible security through VIP Authentication Service.
VIP Fraud Detection Service provides banks with an invisible means of delivering proactive protection to their customers. It does not require a change to the user experience or a change in how a person uses a Web site. It delivers protection to consumers and takes a self-learning approach
Banks can detect fraud by gathering information from a variety of sources, including characteristics about a user’s computer, when the transaction occurred, the user’s connection and the transaction type.
to fraud detection, adapting to customer usage habits unique
to that individual. VIP Fraud Detection Service is also an eco-
nomical way to address regulatory compliance, including
FFIEC guidance.
VIP Fraud Detection Service uses advanced anomaly
detection technology to detect fraudulent logins and transactions
in real time, without having to affect a legitimate
user’s online experience. It identifies fraud with both rules-based
systems and a behavioral engine. If the system detects
a suspicious transaction, users can rapidly confirm their
identities using an automated system that may query the
user to identify himself or herself further with a one-time password,
a unique question and answer, e-mail, SMS, automated
call or a customer service call.
VeriSign’s Integrated Platform for Fraud Detection
Banks implement VIP Fraud Detection Service as on-premise
software that runs in a data center. It’s completely
invisible to the end user and doesn’t require any client software,
cookie or Flash object to be installed on the user’s
machine. The rule engine is designed for scalability and
speed, with out-of-the-box rules for login. The behavioral
engine is based on unsupervised clustering algorithms. In
addition to known fraud patterns, the behavioral engine can
defeat zero-day attacks by flagging user activity that is
inconsistent with their past behavior. The system offers
increased robustness, as it is built on true clustering technology.
It is less maintenance-intensive than a solution solely
based on a rules engine. And because VIP Fraud Detection
Service is not limited to a fixed or predetermined set of
parameters or rules, it is applicable to transaction fraud as
well, not just login fraud detection.
The service will also integrate with the VIP Fraud
Intelligence Network, which will be a set of shared services
that builds on the VIP Fraud Detection Service and VIP
Authentication Service, and which VeriSign intends to make
generally available to customers in 2007. The Network will
allow critical fraud data and signatures to be shared across
VIP-enabled Web sites of network members.
Where VIP Fraud Detection Service provides invisible
fraud protection, VIP Authentication Service provides visible
security for e-commerce applications. VIP Authentication
Service allows banks to easily issue and accept multiple
credentials from each user and is ideal for high value, high
risk transactions. VIP Authentication Service includes various
options for supplemental multiple factor authentication,
including standalone hardware devices like
One-Time Password (OTP) tokens and
voice-enabled OTP, OTP-enabled cell
phones and SMS OTP. VIP Authentication
Service leverages a shared validation infrastructure
operated by VeriSign that allows
banks to deploy strong authentication
without having to manage and operate
their own self-standing authentication
infrastructure.
VeriSign provides banks with protection
from a security partner they can trust.
VeriSign has been providing authentication
solutions for 10 years and fraud detection
for five years. VeriSign is a recognized
leader in the security field and is already
providing authentication services to a half-million
Web sites, including 47 of the 50 largest e-commerce
sites. VeriSign is also the sole authentication vendor that
leverages a global network infrastructure.
For more information, go to VeriSign at www.verisign.co
© 2006 CMP Media LLC, CMP Integrated Marketing Solutions. All Rights Reserved.
SENIOR VICE PRESIDENT: Joseph Braue
PUBLISHER: Pamala McGlinchey
MANAGING DIRECTOR, CUSTOM CONTENT SERVICES: Elliot Kass
SR. DIRECTOR OF PROJECT MANAGEMENT: Karen White
SR. PROGRAM MANAGER: Lisa Broscritto
DESIGN TEAM: CMP Creative Services
FOR MORE INFORMATION: [email protected] or 212-600-3114
[Figure: diagram of the VIP services. Labels: Consumers; Majority Users (Login ID, Password); Select Users (Login ID, Password, OTP); Risk Engine (Low-risk, High-risk; 1%, 99%); VIP FDS; VIP AUTH; Validation; Extra Authentication (Telephone, SMS, Secret Phrase); VIP Network (Fraud Intelligence, 2nd Authentication Factor Validation).]
Figure caption: VeriSign’s VIP Fraud Detection Service is simple and unobtrusive for both Web sites and end users. If the system detects a suspicious transaction, users can quickly confirm their identities using an automated system. This automated system may query the user to identify themselves further with credentials such as a one-time password, unique question and answer, e-mail, SMS, automated call or a customer service call.