Identity theft, fraudsters, and what to know to prevent an attack

An Experian identity and fraud expert shares insight on the importance of identity management and being able to identify real-time fraud


For consumer-facing enterprises and companies that process a lot of credit card transactions, protecting PII is a concern that keeps security teams up at night. 

Steve Platt, executive vice president of fraud and identity at Experian, said, "All of our clients are under attack from the fraudsters. Seventy-four percent of banks report fraud increase every year."

While it used to be that you could use relatively simple means to detect fraud, the persistent threats demand a variety of intelligent capabilities that work in concert. Platt noted that providing a layered approach enables them to both mitigate attacks and ensure clients have a good user experience.

"You need to have a system in place to look at those patterns of fraud that provide alerts in real time. Real time proactive monitoring solution that provides indications to you so that you can act on them," Platt said.

The knee-jerk reaction to threats for many security professionals is to tighten the locks. "With so many attack types, the first reaction we have is put more locks on the door. Add more prevention. When you do that, you protect your company but also put up a lot of hurdles for good customers to jump over which creates a very bad consumer experience," Platt said.


The goal in providing both security and a positive customer experience should be to have the best protections but hide them from customers so that their online experience is very easy. Platt said, "To engineer the illusion of simplicity in the face of essential complexity. This is not an easy problem to solve, but we can make it look very easy and simple to consumers and clients."

For many consumer-facing companies, access to history is critical to strengthening security. "With no history, there is a higher risk. You need that historical behavior for reference," Platt said.

Behavior analytics, automation, machine learning, and other intelligent capabilities that have the ability to do really complex math in a millisecond are just a few of the layers needed to detect and prevent identity fraud. "It’s a whole host of different data elements that come together and are then weighted based on the risk of fraud. The tools are looking at every element of a transaction and the extent to which that looks strange compared to the current transaction so that the end result is a score that is very easy for security professionals to use," explained Platt.

More importantly, he said, "Having the information isn’t enough. It needs to be packaged in real time to root out fraud."

For those who are new to security, the tricks to fraud detection and prevention are not something you can read in a book. "It’s trial by fire on the front lines. The best way to learn is to find a way to work as part of the group so that you can see firsthand the real attack vectors and mitigation strategies," Platt said.

Platt has been in the fraud industry for 15 years, providing a variety of different solutions to clients ranging from credit card issuers who make decisions in a millisecond or two to online banking authentication and a host of different services that protect different sectors. "It has taken me a long time to build up that library of how to detect and respond," Platt said. Given that fraud is only going to increase over time as IoT and new payment authentication methods come to market, big data will continue to be a big security concern.


One of the pitfalls of keeping up with security trends, Platt said, "is that there is a certain pace that organizations work at and putting changes in place can be difficult. You have to be able to make changes immediately, so you always want systems that can be changed and modified at the pace of fraud, not at the pace of IT organizations."

The pace of attacks has increased through technology, and according to Platt, "Some studies say that up to one-third of all traffic online is non-human."

Innovation is driving change at a rapid pace, but while the technology available to people in the security industry is fast, it is changing just as fast for the bad guys. Platt said, "The pace of innovation is helping all of us so that every new attack can be identified and stopped."

I'll leave you with these thoughts: If it's true that by 2020 the average person will have 50 internet-connected devices, all collecting PII, does the value of that data decrease? Or as data becomes more secure, does it increase in value because criminals have to use the same sophisticated intelligence that the good guys have in place to protect the crown jewels?

I'd love to read your responses in the comment section!

Copyright © 2016 IDG Communications, Inc.
