Inside RSA’s state-of-the-art fraud intelligence command center

As cybercriminals get better at compromising financial accounts and stealing funds, vendors are beefing up their defensive tools to prevent fraud and abuse. I had an opportunity while I was in Israel to visit RSA’s Anti-Fraud Command Center (AFCC), the nerve center of a division that is devoted to protecting consumers’ financial records and funds. The AFCC is an example of what a state-of-the-art web threat and fraud intelligence operation looks like.

The center began its life in 1999, when it was created by a company called Cyota. RSA bought Cyota in 2005, and RSA in turn was gobbled up by EMC and then Dell two years ago. The center is part of RSA’s consumer division, which has a series of products not intended for consumer use but for defending consumers’ endpoints that are targeted for fraud. If you think about phishing attacks or account compromises for banking customers, that will put you in the right frame of mind. The center is located outside of Tel Aviv and has a second facility operating on the Purdue University campus in Indiana that is mostly staffed by students.

How the AFCC works

The idea behind the center is to proactively monitor a bank’s transactions and notify RSA’s banking clients when something is amiss. The best situation is to anticipate fraudulent activity before it has any monetary impact, so that both bank and customer are protected from any eventual harm. The AFCC processes about 100 million transactions a day, and it finds about 0.1 percent of them have potential fraud elements.

About 100 analysts staff three full shifts that work out of the center for monitoring and notification functions. Another several hundred staffers tend to the algorithms and software that is used to screen the various transactions.

David Strom

“We now get a lot more social engineering than in the past, and the criminals are getting craftier, too,” says the center’s director Daniel Cohen. He has been with RSA for eight years and has seen all types of criminal behavior. “The least amount of fraud always happens right on Christmas Day,” he says. “By then everyone has purchased all their gifts and there isn’t anything happening online.” Pretty much any other day will see all sorts of attacks that are keyed to the calendar: Valentine’s Day, the Olympics, Easter, whatever.

To combat these attacks, RSA and many other vendors (such as CA, ThreatMetrix/Lexis, NICE/Actimize, and IBM/Trusteer) have created adaptive authentication products that continually screen an account for anomalies such as geolocation, odd transaction patterns, and other things that depart from the usual pattern of activity from an account holder. Adaptive authentication, the intelligent use of multi-factor authentication based on a user’s profile or actions, is finding increased use as static passwords are ineffective at stopping a determined hacker, and RSA’s tool is called FraudAction.

As CSO wrote about recently, “Companies need to strike a balance between users reaffirming who they are without inhibiting their work” with painful authentication hurdles, and that is where the command center comes into play. Using machine learning, RSA’s software scores the relative risk of each activity and uses that score to determine whether a transaction is authentic or suspect. The analysts in the command center view the troubled transactions and investigate further.

Fraudsters and criminals are getting smarter

Most of us by now are familiar with the times our credit card charges are blocked because we forgot to notify our bank that we are traveling overseas or are making an unusual purchase. To counter this, criminals are getting better at using what is called omni-channel attacks. This refers to how an attack touches many different banking systems.

For example, a fraudster will often start out trying to gain access via a phone call to the bank’s customer center while trying to compromise the bank’s website and at the same time running a smartphone app. In years past, this required three disparate systems to track the fraudulent use, but now RSA and most of its competitors are getting better at keeping track of these different events across whatever channel is used. Moreover, their software can correlate the various events to paint a full picture of what the fraudster is trying to do.  

While I was at the center, I saw firsthand how easy it was to purchase stolen credit cards and use criminal bank accounts to launder my ill-gotten gains. It took a few seconds to enter search queries into Google and click on the results.

Engaging with the enemy

To dive deeper, RSA’s analysts spend a good part of their day texting criminals on various IM systems, trying to get them to give up pertinent information that in turn is transmitted to the relevant bank or law enforcement entity. The analyst can string one of these criminals along for months or years before they realize that they aren’t dealing with another criminal, mainly because they are so motivated by greed and because the RSA analysts are good at reeling them in.

How do they find these criminals? That is also easy: The criminals belong to numerous Facebook and other social media groups and openly market their services. “It used to be cybercriminals hid in the dark corners of the internet, but in the past several years, they have become quite open about advertising their services, and they now are everywhere. The criminals want to build their online reputation as much as a legitimate business person does,” says Cohen.

At the center, RSA analysts see criminals attacking from all over the world. I met one of their analysts who communicates in eight different languages. “Some countries are just hotbeds of criminality, such as Russia, China, and Eastern Europe,” says Cohen. Some regions are notorious or have specialized skills. “A lot of evil comes out of Russia, and you can see online markets for drugs, for credit cards, even murder-for-hire services. The Chinese are more noted for selling illegal hardware,” he says.

What about examining state-sponsored attacks? “Being primarily focused on protecting consumers, we do not analyze those types of threats,” says Cohen. “When we uncover new attack vectors, we obviously inform our customers, but the critical path is enhancing the risk engine to better detect the new attacks. We are trying to beat the attackers with better data.”

“At some point our analytics will be so good that criminals will find it doesn’t pay to try to phish financial services,” says Cohen. “It will be too much trouble and won’t be worth the effort.” While that time isn’t yet here, RSA sees it coming soon. Let’s all hope they and other vendors who offer these tools will continue to get better.