Online fraudsters might want to try some method acting classes before they attempt to log in to an online banking session
using a stolen user name and password. New technology from Fair Isaac claims to be able to spot fishy Web sessions by, among
other things, comparing mouse movements and typing mannerisms with those of the account holder.
The company announced its new multi-factor authentication product, Falcon One for Online Access, on Wednesday. The product uses
neural network technology to monitor online transactions and learn customer behavior patterns. The product is targeted at
U.S. banks, which are under pressure to implement guidance from the U.S. Federal Financial Institutions Examination Council
(FFIEC), a cross-agency group, to find alternatives to simple username and password security for online bank accounts.
Falcon One works with other Fair Isaac anti-fraud technology as part of the company's EDM (Enterprise Decision Management)
solution. It tracks online behavior, such as how a customer has used online banking in the past. That data is combined with
analysis of the computer initiating an online transaction, said Ted Crooks, vice president of Global Fraud Solutions at
Fair Isaac.
Like other anti-fraud companies, Fair Isaac notes the IP address an account holder typically uses for online banking and raises
flags when a session is initiated from a new address. But the company digs deeper into the remote host, noting details such
as the system clock setting and screen resolution to determine whether the machine is different from that used in prior sessions,
Crooks said.
The software also monitors other characteristics of account holders, such as their style of typing and mouse movements, to
determine whether the user attempting a transaction is the actual account holder. Characteristics such as the speed and character
patterns with which account owners type, as well as whether they are jittery or staid mouse users, are individual and nearly
impossible to mimic, Crooks said.
The company also monitors traffic on outbound communications channels, noting how a customer links to an online banking session
and whether there are delays in online session traffic that could signal a "man in the middle" attack, he said.
Despite the wealth of data gathered from online banking customers, Crooks said that Fair Isaac is sensitive to concerns about
snooping. The Falcon One software combines back-end analysis with a Web browser plug-in that collects data without breaking
the browser security model, or "sandbox," he said.
None of the data collected necessarily signals fraud. Instead, the company weighs the data to calculate a risk measurement
for the online sessions. Banks can take that information and decide whether to change the course of a session. For example,
users could be asked to enter an additional one-time password that is sent to their cell phone or a pre-approved e-mail address,
Crooks said.
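
The weighing described above can be sketched as follows. This is an added example, not Fair Isaac's code: the profile values, weights and threshold are constructed for illustration, and a fixed logistic score stands in for the product's neural network.

```python
import math

# Constructed account profile built from past sessions (illustrative values).
PROFILE = {
    "ips": {"203.0.113.10"},
    "clock_offset_min": -300,          # system clock setting, minutes from UTC
    "screen": (1280, 1024),            # screen resolution
    "key_interval_ms": (185.0, 22.0),  # mean, std dev of delay between keys
    "mouse_jitter": (0.30, 0.08),      # mean, std dev of pointer-path jitter
}

# Assumed weights, bias and threshold; the product in the article learns its
# model with a neural network rather than using fixed numbers like these.
WEIGHTS = {"ip": 1.0, "clock": 0.8, "screen": 0.6, "typing": 1.5, "mouse": 1.2}
BIAS = -2.5
STEP_UP_THRESHOLD = 0.5

def deviation(value, mean_std, cap=4.0):
    """Distance from the account holder's norm in std devs, scaled to 0..1."""
    mean, std = mean_std
    return min(abs(value - mean) / std, cap) / cap

def session_signals(p, s):
    """Turn each observation into a 0..1 signal; none alone means fraud."""
    return {
        "ip": float(s["ip"] not in p["ips"]),
        "clock": float(s["clock_offset_min"] != p["clock_offset_min"]),
        "screen": float(s["screen"] != p["screen"]),
        "typing": deviation(s["key_interval_ms"], p["key_interval_ms"]),
        "mouse": deviation(s["mouse_jitter"], p["mouse_jitter"]),
    }

def risk_score(p, s):
    """Weigh the signals into one risk measurement between 0 and 1."""
    z = BIAS + sum(WEIGHTS[k] * v for k, v in session_signals(p, s).items())
    return 1.0 / (1.0 + math.exp(-z))

def decide(p, s):
    """The bank's policy: ask for a one-time password above the threshold."""
    return "step_up_otp" if risk_score(p, s) >= STEP_UP_THRESHOLD else "allow"

# Constructed sessions: usual machine, same user on a new IP, different user.
USUAL = {"ip": "203.0.113.10", "clock_offset_min": -300, "screen": (1280, 1024), "key_interval_ms": 190.0, "mouse_jitter": 0.32}
TRAVEL = dict(USUAL, ip="198.51.100.7")
STOLEN = {"ip": "192.0.2.44", "clock_offset_min": 180, "screen": (1024, 768), "key_interval_ms": 95.0, "mouse_jitter": 0.05}

if __name__ == "__main__":
    for name, s in (("usual", USUAL), ("travel", TRAVEL), ("stolen", STOLEN)):
        print(name, round(risk_score(PROFILE, s), 3), decide(PROFILE, s))
```
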
Online risk monitoring companies such as Fair Isaac, RSA Security, and Cyveillance have become more prominent in recent
years, as online fraud has exploded. An April 2006 report by RSA Security found that online fraud is evolving, with phishing
and pharming attacks "the most sophisticated, organized and innovative technological crime waves" facing online businesses.
Fraudsters have new tools at their disposal and are able to adapt more rapidly than ever, RSA said in its report.
Banks are struggling to keep up with nimble, online criminal groups that can use information stolen in one online channel
to conduct fraud in another, Crooks said.
Those groups, most based outside the United States, are now well-funded and well-organized, with technology experts working
side by side with old-fashioned scammers and "mules" or foot soldiers, Crooks said.
"Nobody is doing anything about them," Crooks said. "We can put up walls and swamps, but nobody is going after them," he said.
Although credit card fraud has been rampant online for years, checking and savings accounts have largely been spared. But
that is changing.
A major security breach at an online retailer, reportedly OfficeMax, in 2005 led to the reissue of hundreds of thousands
of debit cards by U.S. banks in early 2006, as well as sporadic reports of consumer debit card fraud and identity theft tied
to that theft.
"Customers are more sensitive to their money being stolen from checking and savings accounts than from credit cards," Crooks
said. "In the end, banking is a confidence game. If you don't have confidence in the [banking] channel, that's not good for
a bank."