Profile: Guardian Analytics – fraud prevention and detection
by Steve Ragan - Jun 13 2009, 20:00
Guardian Analytics is a small company you might know if you work in the financial sector or have various ties to security. For those who don't recognize the name, Guardian Analytics specializes in online account fraud prevention. It does this by collecting various bits of information and creating behavior-based models of users, combining that with risk management and forensics.
The company's core product is FraudMAP, which consists of two components. One component is a risk application, which enables monitoring, investigation, and resolution via a smart visual interface and allows easy at-a-glance access to the collected information. The second component is the risk engine -- the workhorse of FraudMAP. The risk engine merges analytics and behavior-based models of a user to create a unique profile of the individual.
Most people have a pattern when they access their Internet banking or financial accounts online. For example, when users access their accounts, the first thing they do is check their checking account, next they click over to their savings balance, and finally they pay some bills. It’s a routine most people never give a second thought to. One way or another, everyone has a pattern.
The risk engine inside FraudMAP will notice this pattern and use it in two ways. The first is to create a profile that knows who a person is by how they act once logged in, which limits false positives. The pattern tracks everything from login to logout: not only the behavior described above, but also how the user logged in, when the user logged in, the machine they used, the network they used, the browser used, and more.
The second way the pattern is used is the most important as it raises red flags the moment it is deviated from. Once a deviation is noticed, the actions are halted in real time (a wire transfer from your Ohio bank to some bank in Nigeria, for example) or an investigation alert is sent to the fraud teams within a bank.
When bank account information is stolen, the first thing criminals do is log in and scout around a bit. These recon missions are done to confirm that the stolen account information is legitimate and that there is money in the account -- not to mention collecting all of the information they can while in there.
“Criminals rely on their online account reconnaissance steps going undetected. By recognizing in-session anomalous behavior as it occurs, it is possible to shut down fraudulent activity before loss occurs,” the company pointed out in an April newsletter.
“An online breach is often just the first step of a cross-channel scheme where the financial fraud occurs in another channel. By correlating online session activity with offline activity, today it is possible to expose cross-channel fraud schemes.”
During an interview at RSA, Guardian Analytics told The Tech Herald a story that could almost come off as a sub-plot in a Hollywood film:
A criminal starts by using social engineering to call a bank and resets the password to an online account. In addition to altering the password, the criminal also alters the phone number associated to it. Once done, the criminal then logs in and checks the account. While inside, he or she looks at the check images, and collects personal information on the owner as well as their signature.
Armed with a completely new identity, the criminal goes to a different bank and opens a new account in the victim’s name. Once the new account is created, the criminal starts transferring money from the stolen account into the newly created account, keeping each transfer below $10,000 USD so no flags are raised. Because the names and other personal information -- including the signature -- match, no one thinks twice about the transfers until the real owner notices all their money missing.
FraudMAP could have helped in several areas. The instant the criminal logged in with the newly reset password, a flag would have been raised, and once the wire transfer was initiated, it would have been halted. What are the odds that the original owner routinely moved several thousand dollars at a time? Slim to none, and that’s only one reason a red flag would have been sent up. Simply failing the other patterns set on the account would have cut the crime spree short much sooner.
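As an added illustration (constructed here, not Guardian Analytics' code), the following sketches how a behavior-based engine like the one described above could learn the routine from the earlier example and score the scenario just told. The per-user profile (device, login hour, action sequence, transfer size), the "fresh reset" signal, the thresholds and the block/alert policy are all assumptions; the session data is made up.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    device: str                # machine/browser fingerprint
    hour: int                  # login hour, 0-23
    actions: tuple             # ordered actions from login to logout
    transfer: float = 0.0      # amount moved out this session, 0 if none
    fresh_reset: bool = False  # password or contact details changed just before login

def build_profile(history):
    """Learn one user's habits from past sessions: the devices, hours, routines and transfer sizes that are 'them'."""
    return {
        "devices": {s.device for s in history},
        "hours": {s.hour for s in history},
        "sequences": {s.actions for s in history},
        "transfers": [s.transfer for s in history if s.transfer > 0],
    }

def score_session(profile, s):
    """Return every way the session departs from the learned profile (the 'red flags')."""
    reasons = []
    if s.fresh_reset:
        reasons.append("login right after credential/contact-detail reset")
    if s.device not in profile["devices"]:
        reasons.append("device never seen for this user")
    if not any(abs(s.hour - h) <= 1 for h in profile["hours"]):
        reasons.append("login outside usual hours")
    if s.actions not in profile["sequences"]:
        reasons.append("unfamiliar action sequence")
    past = profile["transfers"]
    if s.transfer > 0 and (not past or s.transfer > 3 * max(past)):
        reasons.append("transfer far above historical amounts")
    return reasons

def decide(reasons, block_at=3):
    """Assumed policy: one deviation alerts the fraud team, several halt the action in real time."""
    if len(reasons) >= block_at:
        return "block"
    return "alert" if reasons else "allow"

# Constructed sample history: evening sessions from one laptop, checking -> savings -> bill pay.
ROUTINE = ("checking", "savings", "billpay")
HISTORY = [Session("laptop-A", 20, ROUTINE, 120.0), Session("laptop-A", 19, ROUTINE),
           Session("laptop-A", 21, ROUTINE, 85.0), Session("laptop-A", 20, ROUTINE)]
PROFILE = build_profile(HISTORY)

# The article's scenario: reset credentials, unknown machine, 3 a.m., check images, then a sub-$10k wire.
SUSPECT = Session("unknown-X", 3, ("checking", "check_images", "wire_transfer"), 9500.0, True)
NORMAL = Session("laptop-A", 20, ROUTINE, 100.0)
```

Running `decide(score_session(PROFILE, SUSPECT))` returns "block" with five reasons, while the routine session returns "allow"; a legitimate-looking session with only an unusually large transfer lands in "alert" for human review.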
Investigations are another important aspect of FraudMAP. For example, if one criminal is busted on a compromised account, that account would be red-flagged. Once a single account is flagged, other accounts that exhibited similar patterns are flagged as well, leaving a solid access trail for investigation teams to follow. These access trails would allow the banks to replace stolen funds, for example, if there is confirmed fraud-related loss on the account. FraudMAP has rules that will automatically block some actions and send an alert, but it also allows the bank to control things. So if someone manually allowed what was later discovered to be fraud, the audit trail will show this.
Just over 18 months old, Guardian Analytics is an interesting company to keep an eye on in the future. There is plenty of room for it to grow, and there’s no doubt it will keep adding to FraudMAP.
For more information visit Guardian Analytics online.