CHALLENGE THE NORM
In this post, Jason Lane-Sellers, Mobileum's Offering Manager for Fraud & Security, discusses the most recent Communications Fraud Control Association (CFCA) event in California, where he was a guest speaker. He shares his key take-aways from the event regarding the big issues being discussed and some of the proposed solutions, including:
- How the Internet of Things (IoT) is likely to become a huge playground for fraudsters
- Robocalling, and how it now needs to be tackled
- Account Takeovers are the modern attack on identity
Last week (14-16 March 2017) I spoke at the CFCA’s Winter Educational Event in Anaheim, California. While definitely nowhere near as chaotic as the hustle and bustle of Mobile World Congress, these educational events, alongside the GSMA’s Fraud and Security Group (FASG) events, help the industry to come together and exchange information on the latest fraud threats and issues impacting both the industry and, of course, the customer. These events also allow operators and solution providers to share information on new business practices, or best practice experiences.
The first event of the year is always important as it tends to set the tone for the rest of the year. So, what was the main theme arising out of this event, I hear you ask?
The overarching theme was definitely data services and the growth of these services across the operator’s product portfolio, in particular, the ever-increasing focus on the “Internet of Things” (IoT). The mobile world in particular is seeking to drive expansion and profit by connecting and integrating technology, service and devices.
THE PROBLEM OF IOT & FRAUD
This expected IoT growth means several things from a fraud and security perspective. Although the growth of the number of these devices and their corresponding services can help both the industry and the consumer, it carries with it new operational issues and new forms of attack and compromise.
These connected devices are often designed to give a user the ability to connect to a digital world securely and seamlessly, but unfortunately, they also give fraudsters the opportunity to gain access to, and insight into, an individual. Accessing a consumer’s device could easily give insight into a customer’s identity, social profile and much more, which can allow manipulation of the service, the account or indeed the customer themselves.
In an enterprise world, the risk of connected devices and service technology compounds. If criminals can attack the connected architecture and take control of devices (such as a vehicle) or switch off vital services or supplies of critical infrastructure, then this can obviously have severe and heretofore unknown consequences.
The problems for the operator are many. IoT appears to be the future, but the current operations within operators often struggle, even now, with the vast volumes of data in transit. This becomes a bigger problem when you add to this the need to identify new and constant threats and issues within such vast pools of data. Alongside the need to secure the IP world, there are existing known risks, breaches and compromises within the current telecoms technical infrastructure (such as the well-reported SS7 & Diameter risks) that need to be addressed.
DEALING WITH IOT & FRAUD
Certainly, one of the key take-aways from the educational event was the common understanding that fraud and security teams must move away from their traditional approaches and mentality in addressing these problems and, instead, need to start “Challenging the Norm”. So, what does this mean?
Traditional approaches to fraud & security have very much been silo mentality-based. This involves utilising fixed types of analysis and identification based on strict rules or simple firewall controls, and generally only looking at single aspects of risk or responsibility in isolation.
Organisations around the world have embraced big data analytics concepts for all aspects of marketing, segmentation and customer experience. Now is the time for fraud and security teams to also embrace these same concepts.
Much of the conversation at the event was around how fraud and security groups need to utilise big data analytics, machine learning and other such advanced analytical approaches to manage the ever-present and ever-evolving fraud and security risks within the IoT and data services world.
Big data gives the ability for fraud operations to understand and process vast amounts of data from within the company and to accurately profile and understand behaviour, whether that behaviour is linked to a customer, a device, a connected service, or on an enterprise level of infrastructure. Data analytics modelling can assist in defining the norm on all these levels, and more particularly can identify and highlight anomalies, inconsistencies or outliers that typically may be hidden deep within the haystack.
A separate, yet related, aspect, in addition to big data analytics capability, is the ability to combine the detection capability with action. IP-based issues can cause vast amounts of damage in a short period of time, so while early identification is key, immediate action is just as critical.
These capabilities will be essential in moving forward into the IP/IoT world. Fraud and security teams need to be empowered to identify threats in progress, track and profile risks, understand true behaviour and act instantaneously to reduce financial or reputational impact.
The solution was clear; the time for utilising big data analytics within fraud has come, due to the explosive growth of the IP world and the challenging direction of IoT.
On another note, there were some more traditional issues discussed during the recent event.
One of the other issues raised was the rise and growth of robocalling, the automation of calls to mass numbers of customers, in the North American market. This has a dual negative impact.
Firstly, due to the scale and nature of these robocalling operations, they tend to drive high revenue costs (for actions such as CNAM lookup charges) as well as the interconnection and interactions between multiple operators.
Secondly, these calls tend to annoy customers and interrupt customers' services and telecoms experience. More often than not these affected customers tend to blame their own network operator.
The robocalling issue has reached such a scale of late that the Federal Communications Commission (FCC) in the United States is now taking a stance and forcing operators to tackle the issue. Although often seen as a low-tech issue (when compared with, for example, IoT), operators may have to take a similar approach to truly tackle the issue to the satisfaction of the FCC. Large scale analytics and real-time action or interception of these types of calls will be necessary in order to manage the ongoing problem.
Another discussion of note was around the changing nature of identity and subscription fraud. At the event it was reported, both in presentations and discussions, that operators were seeing a real move away from traditional forms of identity fraud and subscription-based attacks. It was no surprise to this writer that the move was towards Account Takeover (ATO), this being the modern attack on identity.
I have consistently stated over the past few years that ATO is the fastest growing issue within the telecoms and financial marketplaces and it currently shows no sign of abating.
In fact, the risk of ATO is exacerbated by all of the issues mentioned above. The move to IoT assists the fraudsters in effective social engineering of the customer, whereby they can obtain personal insight, profile, social and other information about a customer simply and effectively via the IoT world or, indeed, using good old-fashioned robocalling to gather information. This information is then utilised to compromise accounts, and it is a truth that in many operators, existing accounts are not as strictly monitored, verified or controlled as new accounts.
In conclusion then, the key learnings from the event were that, in the move to IP, the connected world and the Internet of Things, fraud and security departments cannot stand still. They must engage and embrace the new big data capabilities as used by other areas of the business, to be truly capable of analysing and monitoring all the necessary data in order to understand the new world, the new “customer” and to identify and manage the risks going forward.
This will be a difficult change for many, but is essential in order to address the risks we face today.