After Heartbleed: how to prevent compromised credentials from turning into compromised accounts
The security world was taken by surprise earlier this month when researchers discovered Heartbleed, a large-scale threat that exploits a security vulnerability in OpenSSL. This flaw gave hackers access to the servers of many websites and put consumers' credentials and private information at risk. Since the discovery, most organizations with an online presence have been trying to determine whether their servers run the affected versions of OpenSSL. However, the impact will be felt even by organizations that do not use OpenSSL: some consumers reuse the same password across sites, and that password may have been compromised elsewhere.

New vulnerabilities online and in the mobile space add to the challenges that security professionals face, and make fraud education a necessity for companies. We spoke with our internal fraud experts to find out their recommendations in the wake of the Heartbleed bug and what companies can do to help mitigate future occurrences. Three important areas stood out:

Authentication
The importance of multidimensional and risk-based authentication cannot be overstated. Experian Decision Analytics and 41st Parameter® recommend a layered approach when it comes to responding to future threats like the recent Heartbleed bug. Such methods include combining comprehensive authentication processes at customer acquisition with proportionate measures to monitor user activities throughout the life cycle.

"Risk-based authentication is best defined and implemented in striking a balance between fraud risk mitigation and positive customer experience," said Keir Breitenfeld, Vice President of Fraud Product Management for Experian Decision Analytics. "Attacks such as the recent Heartbleed bug further highlight the foundational requirement of any online business or agency applications to adopt multifactor identity and device authentication and monitoring processes throughout their Customer Life Cycle."

Some new authentication technologies that do not rely on usernames and passwords could be part of the broader solution. This strategic change involves the incorporation of a broader layered-security strategy. Relying on authentication alone puts security strategists in a difficult position, since they must balance:

  • Market pressure for convenience (Note that some mobile banking applications now provide access to balances and recent transactions without requiring a formal login.)
  • New automated scripts for large-scale account surveillance.
  • The rapidly growing availability of compromised personal information.

Layered security
"Layered security through a continuously refined set of ‘locks’ that immediately identify fraudulent access attempts helps organizations to protect their invaluable customer relationships," said Mike Gross, Global Risk Strategy Director for 41st Parameter. "Top global sites should be extra vigilant for an expected rush of fraud-related activities and social engineering attempts through call centers as fraudsters try to take advantage of an elevated volume of password resets."

By layering security consistently through a continuously refined set of controls, organizations can identify fraudulent access attempts, unapproved contact information changes and suspicious transactions.

Device intelligence
Device intelligence is another critical component when assessing online and mobile fraud. In order to be fraud-ready, there are three areas that companies must address: device recognition, device configuration and device behavior.

Device recognition — Online situational awareness starts with device recognition. In fraudulent activity there are no human users on online sites, only devices claiming to represent them. Companies need to be able to detect high-risk fraud events. A number of analytical capabilities are built on top of device recognition:

  • Tracking the device’s history with the user and evaluating its trust level.
  • Tracking the device across multiple users and evaluating whether the device is impersonating them.
  • Maintaining a list of devices previously associated with confirmed fraud.
  • Correlating seemingly unrelated frauds to a common fraud ring and profiling its method of operation.

Device configuration — The next level of situational awareness is built around the ability to evaluate a device's configuration in order to identify fraudulent access attempts. This analysis should include the following capabilities:

  • Make sure the configuration is compatible with the user it claims to represent.
  • Check for internal inconsistencies that suggest an attempt to deceive.
  • Review whether there are any indications of malware present.

Device behavior — Finally, online situational awareness should include robust capabilities for profiling a device's behavior both within individual accounts and across multiple users:

  • Validate that the device's activity is not focused on activity types often associated with fraud staging.
  • Confirm that the timing of the activities does not seem designed to avoid detection rules.

By proactively managing online channel risk and combining device recognition with a powerful risk engine, organizations can uncover future fraud trends and potential attacks.
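As an added illustration (not Experian or 41st Parameter code) of how the device recognition and device behavior checks above can feed a risk engine: it scores constructed login events per device using a known-fraud device list, the number of distinct users seen on one device, fraud-staging activity types such as contact changes and password resets, and off-hours timing. The event fields, activity names, thresholds and point values are all assumptions.

```python
from collections import defaultdict

# Constructed sample events: (device_id, user_id, activity, hour_of_day).
# dev-C is one device that logs in as three different users at 3 a.m.
# and then stages a takeover (contact change, password reset).
EVENTS = [
    ("dev-A", "alice", "login", 9),
    ("dev-A", "alice", "view_balance", 9),
    ("dev-B", "bob", "login", 14),
    ("dev-C", "carol", "login", 3),
    ("dev-C", "dave", "login", 3),
    ("dev-C", "erin", "login", 3),
    ("dev-C", "erin", "contact_change", 3),
    ("dev-C", "erin", "password_reset", 3),
    ("dev-D", "frank", "login", 11),
]
KNOWN_FRAUD_DEVICES = {"dev-D"}  # constructed list of devices tied to confirmed fraud
STAGING_ACTIVITIES = {"contact_change", "password_reset"}  # assumed staging actions
MAX_USERS_PER_DEVICE = 2  # assumed threshold before a device looks like it impersonates users
OFF_HOURS = range(0, 6)   # assumed window where activity is timed to dodge monitoring


def score_devices(events, fraud_devices=KNOWN_FRAUD_DEVICES):
    """Return {device_id: (risk_score, [reasons])} from the device-intelligence checks."""
    users_per_device = defaultdict(set)
    staging_per_device = defaultdict(int)
    off_hours_per_device = defaultdict(int)
    for device, user, activity, hour in events:
        users_per_device[device].add(user)
        if activity in STAGING_ACTIVITIES:
            staging_per_device[device] += 1
        if hour in OFF_HOURS:
            off_hours_per_device[device] += 1
    result = {}
    for device, users in users_per_device.items():
        checks = [
            # Device recognition: device previously associated with confirmed fraud.
            (device in fraud_devices, 50, "known fraud device"),
            # Device across users: one device claiming to represent several people.
            (len(users) > MAX_USERS_PER_DEVICE, 30, f"{len(users)} users on one device"),
            # Device behavior: activity focused on fraud-staging actions.
            (staging_per_device[device] > 0, 15 * staging_per_device[device], "staging activity"),
            # Device behavior: timing that sits outside normal monitoring hours.
            (off_hours_per_device[device] > 0, 10, "off-hours activity"),
        ]
        hits = [(points, why) for triggered, points, why in checks if triggered]
        result[device] = (sum(p for p, _ in hits), [w for _, w in hits])
    return result
```

In a real deployment the per-device score would be one input to the risk engine alongside the device-configuration signals above, not a standalone block decision.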

Learn more about protecting your organization with fraud intelligence products and services from 41st Parameter, a part of Experian.

© 2014 Experian Information Solutions, Inc. All rights reserved.
Experian and the Experian marks used herein are trademarks or registered trademarks of Experian Information Solutions, Inc. Other product and company names mentioned herein are the property of their respective owners.