Add to collection(s) Add to saved
  1. Business
  2. Finance
  3. Personal Finance

Industry

advertisement 
February 28, 2000
electronic commerce: real time fraud detection
Gary Dougherty
Principal Internet Consultant
Corporate Security Architecture & Engineering
FleetBoston Financial Corporation
617-346-0726
gary_r_dougherty@fleet.com
Issue: Is it possible to detect in ‘real-time’ if someone is fraudulently using a legitimate
person’s credentials to obtain service? Real-time could be 5 seconds to 5 days
depending on the eCommerce product. This detection is very important with the
addition of the Internet as a new customer eCommerce channel.
Background:
Roughly 4 billion U.S. dollars were lost to fraud in 1999 in the credit card channel
alone.
Research and data have determined that organized crime is the main threat to
financial loss. Organized crime can easily obtain large numbers of identification and
authentication credentials of legitimate people.
Current technology tracks patterns of behavior. This pattern matching
mechanism checks if the current purchase/payment pattern matches previous patterns.
This creates the scenario where one is always checking what the losses were 30 to 60
days ago. Pattern matching requires a huge database.
Many fraudulent activities fall below the threshold of pattern matching detection.
A recent fraud occurred where $19.95 was charged on a large subset of 900,000 credit
cards in some cases multiple times over different billing cycles. Only 200 card holders
came forward to complain.
Financial institutions are starting to use the Internet as an additional channel to
provide product to its customer base. This globalization of the footprint for doing
business injects new risks. Data shows that the customers outside the footprint attempt
to defraud the system.
In the telco arena the technology (pattern matching) today takes about 10+ days to
detect someone stealing service. This is probably one reason that the wireless community
is supporting the U.S. Government requirement to have a GPS location system in cell
phones by 2001. One such GPS solution can locate people in canyons or elevators very
effectively. There is currently, in New York City, a gang of 200+ foreign nationals
selling cell phones with a 'warranty' that it can be used for 10 days minimum before being
turned off ($6-700 each). The telcos handle this type of fraud by over building their
networks. Retail stores spread the cost of 'product loss' by increased prices. Financial
institutions lose their working capital. Reinsurance doesn’t usually apply.
Page 1 of 3
February 28, 2000
electronic commerce: real time fraud detection
Gary Dougherty
Principal Internet Consultant
Corporate Security Architecture & Engineering
FleetBoston Financial Corporation
617-346-0726
gary_r_dougherty@fleet.com
Corporate Connections ( or who you can influence)
customer
‘pot of gold’
vendor
‘pot of gold’
connection
corporate
‘pot of gold’
middleware
vendor
‘pot of gold’
connection
2nd party
‘pot of gold’
middleware
vendor
‘pot of gold’
other
corporations
‘pot of gold’
Some examples:
check payment systems (e.g. Checkfree, Citibank)
bill presentment systems (e.g. Checkfree)
credit card merchants (e.g. Visa, MasterCard)
person-to-person payment systems (e.g. Visa, MasterCard)
brokerage systems
Fraud losses (product reduction/loss of capital)
Industry
response
loss
communication
carrier
retailer
financial institution
over build networks
theft of service
increase price
increase fees, take
greater float risks
theft of product
theft of money
Page 2 of 3
re-mediation or
detection
Nov. 2001 GPS
sensor tag
real time fraud
detection
February 28, 2000
electronic commerce: real time fraud detection
Gary Dougherty
Principal Internet Consultant
Corporate Security Architecture & Engineering
FleetBoston Financial Corporation
617-346-0726
gary_r_dougherty@fleet.com
A. Securing the delivery channel
 customer
 vendor
 other corporations
 middleware
 2nd party
Tenets of auditing:
secure delivery
channel
Corporation

Identification of entities
 Authentication of entities
 Authorization or empowerment of entities
 confidentiality
 data integrity
 non-repudiation of transaction
 audit controls or trail
 administration & performance of system
OCC 98-38: Banks must address these tenets in all eCommerce applications
this requires:
strong authentication (though not defined)
change control – process to mitigate changes into production
change management – process to administrate change control
B. Real time Fraud Detection
How does one detect in ‘real time’ when someone is fraudulently using a legitimate
person’s credentials to obtain service?
Note: ‘Real time’ depends on the delivery channel. It could be less than 5 seconds or a
number of days.
fraud use
 customer
 vendor
 other corporations
 middleware
 2nd party
secure delivery
channel
Page 3 of 3
Corporation
Related documents
Using CommonKADS Method to Build Prototype System in
Using CommonKADS Method to Build Prototype System in
WCMSRiskManagement
WCMSRiskManagement
Problem Solving Essay.doc
Problem Solving Essay.doc
The Headright System Yazoo Land Fraud (Allocation By Price)
The Headright System Yazoo Land Fraud (Allocation By Price)
Neural Technologies
Neural Technologies
Fraud: The Other Employee Benefit
Fraud: The Other Employee Benefit
Training Announcement
Training Announcement
Download
advertisement