LexisNexis Risk Solutions is focused on providing its clients with information to predict and manage risk. One area in which it specialises is that of remote authentication of identities, helping customers deal with the onslaught of fraud and compliance in the digital space – such as verifying remote transactions.
Jason Lane-Sellers, director, marketing planning EMEA, Fraud & Identity for LexisNexis Risk Solutions spoke to Hi-Tech Security Solutions to explain what the company does in this respect and to elaborate on some of the daily risks individuals and businesses are exposed to.
To reduce the opportunity for fraud in the digital space, the company has built what Lane-Sellers calls a Digital Identity Network (DIN). This network monitors billions of digital transactions that take place in almost every market area, from digital television to financial transactions, emails, payments and more (about 50 billion transactions annually). From the information gathered, it builds a digital identity for individuals that recognises them when they transact, giving businesses more confidence that the ‘identity’ they are transacting with is actually the person they claim to be.
When an individual wants to open an account, for example, the device, its location, software setup and even if it has remote access software installed, can be used to build the digital identity in order to provide an indication of the veracity of the person transacting. The company currently has between 6000 and 7000 customers making use of this service around the world.
In the digital space, as we mention elsewhere in this handbook, information can easily be collected and collated to form a digital identity. The difference is when it is used in a positive manner that benefits both parties in a transaction, versus the exploitative shenanigans we hear so much about today.
Apart from the ‘usual’ checks that are conducted on device and location etc., the DIM also collects behavioural biometrics, in other words, how each person uses their device. These technologies are not new, but have advanced frighteningly quickly to enable accurate identification, even to the point where the way you choose to transfer money from your bank account will differ when you are doing it by choice and when you are being directed by someone on the phone – by a scammer pretending to be your bank, for example. (See box Behavioural biometrics.)
A targeted example
Following on from above, Lane-Sellers offers a simplified explanation as to how an attack may work. He notes that social engineering has once again revived itself to become the key attack mechanism, not the usual Nigerian prince wanting your help to smuggle money out of the country, but targeted attacks on individuals (and companies) armed with the latest information about you and your digital transactions, life and identity.
First the attackers get your data from a generic breach, which their bots try to use far and wide. If they find your credentials work on, for example, a telecoms site, they log in and collect data, like your payment history. Knowing they have an ‘in’, they then collect more data about you that is available online and can use that to launch an attack on you. This can be from social media where people still seem ignorant of the amount of useful information they post online (useful to criminals) and other breaches. (Who has done one of these ‘quizzes’ on social media where they ask for your date of birth?)
You may then receive a call from your bank about a transaction you didn’t make. Instead of asking you for your information, they can provide you with the relevant data, such as your ID number and tell you that you paid an amount to the telecoms provider on a particular date, giving you the confidence that this really is your bank. From this point, once they have convinced you, an account takeover is pretty easy as they offer to ‘reverse the transaction’ or whatever their scam is.
In cases like this, where you may be guided through doing a transaction on your mobile device, behavioural biometrics is very useful in determining if your behaviours are your own or guided by others. While this may seem intrusive, it has its benefits. Once the attackers have access to your bank account, all it usually takes is a username and password, they can take out loans and transfer money etc. If the usage of the device is different from usual, the bank may flag the transaction for further investigation or ask for more information.
Lane-Sellers says there are two main age groups being targeted with these types of attacks. The elderly without good technical experience is one group, but the under 25s is another. This does not bode well for Africa where the majority of the population is young and transacting via mobiles is the norm. You may make less profit from a 25-year-old, but you can scam more of them in areas where the risks are not understood and where education in technology is poor – like Africa.
And the worst problem is that these are not localised, but global. The attackers can safely sit in another country and empty bank accounts on another continent.
The digital risk
Naturally, collecting information used in the DIN means that LexisNexis and companies like it have a huge collection of very personal and personally identifiable information on each identity. Lane-Sellers assures that the system is compliant with regulations, such as GDPR and others, plus the data is encrypted. If someone were to hack the information they would end up with a lot of junk data.
Moreover, the digital identities the company delas with are not linked to a person, but rather they collate and analyse up to 1500 attributes per identity and create what he calls an ‘identity token’ – basically a digital identity code clients can use in their authentication processes.
And, of course, since we are dealing with the Internet, the verification process is nearly instantaneous and requires no customer interaction. Each client will require a different level of accuracy, so depending on the identity metric returned, they may ask for more information or go ahead with the transaction.
The past 18 months or so have seen millions of people and companies forced to ‘go digital’ and many were not ready for the change. The reality is that the criminal element was already digital and the vast number of new and naïve targets they suddenly had to select from was a delightful gift. Face-to-face fraud is not a thing of the past, but digital fraud is much easier to accomplish and get away with, especially in light of the advanced technologies that criminal operations can afford.
This data collected by this service is used by the company, along with data from its other services, to create it bi-annual cybercrime analysis report to highlight trends in the digital fraud and crime space. While interesting reading, the report also assists customers in preparing to defend against attacks by understanding how they are committed.
As an example, Lane-Sellers explains that the idea of hackers or cybercriminals going after your bank account directly to steal your money is not quite like the movies portray. Firstly, cybercrime is a global operation with multiple levels associated with each attack. (Of course, you get the direct attacks by amateurs, but the professionals are very well organised.)
A data breach may happen in one country with ramifications for people months later in other countries around the world. A charity website or digital TV provider might be breached and the identifying information of people stolen. Since so many people reuse their passwords, bots are set up to try these credentials on other sites to see who is following this insecure process. The cybercriminals often end up with access to corporate sites and other potential targets via these credentials.
Lane-Sellers says LexisNexis has seen tremendous growth of automated bots to test credentials over the last year, a trend that will continue due to the high rate of success – if you steal a million credentials and 100 get you results it’s a great find.
Once targets are identified, the attacks can be aimed at multiple sites around the world at the same time. These attacks can be fraudulent in nature, malware incursions or even ransomware – a recent presentation from KnowBe4 predicted that attacks in future will encompass all these methodologies and more in order to extract maximum value from each victim.
Digital fraud is a reality and it will become more prevalent as the world becomes more digital. One mitigation factor is to make sure people are educated in their personal and business capacity to be aware of the threats out there. But personal responsibility is only one aspect of risk mitigation.
Companies need to get on board and follow the regulations (like the GDPR and PoPIA), not because it is the law, but because these regulations will guide them in securing sensitive information and avoiding the many exploits we’ve seen over the past few years where data was stolen on a massive scale because someone wasn’t bothered to implement basic security processes.
Readers interested in behavioural biometrics can view a short article describing this modality on the LexisNexis website. The article describes how our ‘subconscious tendencies and traceable behaviour patterns’ can be determined on each of the devices we use, which can be used for identification by establishing a ‘a baseline for normal behaviour’.
The behavioural data collected can be grouped into four basic ‘buckets’:
1. Tracking and analysing ‘precise keyboard behaviours on both desktop and digital device keyboards’. These include typing speed, use of function keys and shortcuts, how fields are populated and more.
2. Mouse behaviours can also be analysed, including click volume, speed and location tendencies, curve and movement angles and mouse interactions on specific pages and more.
3. Mobile device technologies such as the accelerometer, gyroscope and magnetometer also provide data for identification.
4. Touchscreen behaviours like pressure, direction, left vs right hand dominance and so forth can also be analysed.
More information is available in the article which can be found at https://blogs.lexisnexis.com/fraud-and-identity-in-focus/behavioral-biometrics-completing-the-identity-verification-puzzle-mdr/, or via the short link: www.securitysa.com/*lexis1
|Tel:||+27 11 543 5800|
|Articles:||More information and articles about Technews Publishing|
© Technews Publishing (Pty) Ltd | All Rights Reserved