SlideShare a Scribd company logo

Whitepaper Real Time Transaction Analysis And Fraudulent Transaction Detection For Online Banking

Alan McSweeney, profile picture
Alan McSweeney

- The document discusses implementing a real-time fraud detection solution for online banking that analyzes transactions as they occur to identify potentially fraudulent activity. - It proposes a system that collects data from transactions and user profiles, analyzes them for anomalies, makes decisions about transactions, and responds by flagging suspicious transactions or notifying incident handlers. - Key components include rules engines to classify transactions based on multiple factors, complex event processing to handle high transaction volumes, and integrating the system with existing banking processes and authentication methods.

TechnologyEconomy & FinanceBusiness
1 of 12
Downloaded 416 times
1
2
3
4
5
6
7
8
9
10
11
12
Real Time Transaction Analysis and Fraudulent Transaction Detection for Online Banking Alan McSweeney
Real Time Transaction Analysis and Fraudulent Transaction Detection for Online Banking Contents Online Bank Fraud ..........................................................................................2 Online Bank Fraud ..........................................................................................3 Real Time Fraud Detection Solution Architecture............................................4 Internet Banking Logical Transaction Layers...............................................4 Real-Time Fraud Detection Solution Framework .........................................5 Real-Time Fraud Detection Solution Architecture........................................6 Rules Engine and Decision Making Facility..................................................8 Complex Event Processing/Event Driven Application Architecture and Approaches to Fraud Analysis..........................................................................9 Implementing a Real-Time Fraud Detection System ...................................... 10 The behaviour characteristics of online banking fraud are: • Continuous behaviour changes by criminals • Very high growth rates • Sophisticated advanced and changing fraud techniques To effectively detect and stop fraud before it happens, banks will require insight into user activity in real-time. This will be provided by a real-time online banking fraud detection and analysis solution. There are many small software vendors operating in this area and the market is still quite fragmented. There will be consolidation as vendors merge and are taken over or go out of business. There is an emerging technology in the form of Complex Event Processing (CEP) that is suitable for real-time online banking fraud detection. As part of the implementation of any real-time online fraud solution, banks will need to implement new business processes to support any solution. This will be a key element of any overall solution. A complete solution will consist of the following components: • Continuing customer education • Possible additional two-factor authentication for customers using some form of key generation tool • Profiling customer access and maintaining an up-to-date list of fraud sources to determine if a known source of fraudulent activity • Implementation of real-time fraud detection and handling system or systems • Checking transactions in real time • Handling of suspicious transactions • Processes to link all these elements together Page 2
Real Time Transaction Analysis and Fraudulent Transaction Detection for Online Banking Online Bank Fraud This whitepaper provides an introduction to the end-to-end landscape of online banking fraud and its detection and handling. Online banking fraud can arise in a number of ways: 1. By some form of identity theft where the banking authentication details of legitimate users are stolen and used for criminal and fraudulent purposes such as phishing and crimeware attacks 2. By some form of security breach that allows criminals access to bank banking systems 3. By fraudulent activity by bank employees The numbers of crimeware- 4. By persons closely associated with legitimate users gaining access to their spreading URLs infecting PCs authentication details and performing fraud with password-stealing code rose 93 percent in Q1, 2008 to 6,500 The common thread in all this is people who are the weakest link in any security sites, nearly double the previous system. high of November, 2007 - and an increase of 337% percent from the Of these sources of fraud, phishing in all its forms will be the one that gives rise number detected end of Q1, 2007. to most concern. It will be the mechanism by which criminals get access to account information in order to defraud customers. Phishing typically employs both a social engineering and a technical approach (Crimeware) to steal consumers’ personal identity data and financial account access details. Crimeware is software that performs illegal actions not requested by a user running the software that are typically intended to yield financial benefits to the distributor of the software. Social-engineering schemes use spoofed e-mails purporting to be from legitimate sources to lead consumers to counterfeit websites designed to trick recipients into divulging financial account authentication data. Source: AntiPhishing Working Group Essentially, crimeware is divided into two broad categories: http://www.antiphishing.org Q1 2008 Phishing Activity Trends 1. Social Engineering – this involves an e-mail with an address or an Summary attachment that directs the user to the fraudulent site or inflects the user’s PC with criminal software 2. Security Exploits – these take advantage of flaws in software such as user’s operating system, browser or elements of the internet infrastructure used to gain access to the bank’s online banking site. Unfortunately crimeware is a fact of life in the online world. Crimeware is distributed in many ways such as: • Social engineering attacks convincing users to open a malicious email attachment containing crimeware • Injection of crimeware into legitimate web sites via content injection attacks such as cross-site scripting Page 3
Real Time Transaction Analysis and Fraudulent Transaction Detection for Online Banking Number of Attacks: • Exploiting security vulnerabilities through worms and other attacks on security flaws in operating systems, browsers, and other commonly installed software • Insertion of crimeware into downloadable software that otherwise performs a desirable function. Any approach to preventing fraud needs to take account of these mechanisms and to ensure that the bank does not perform any actions that could be mistaken and misused in these contexts, such as: • Sending mails to customers that could then be confused with phishing mails Source: AntiPhishing Working • Providing users with separate downloadable software to perform functions Group such as security checking and PC fingerprint generation http://www.antiphishing.org Q1 2008 Phishing Activity Trends Real Time Fraud Detection Solution Architecture Summary Internet Banking Logical Transaction Layers In terms of examining the options for real-time fraudulent transaction analysis and determining the architectures and solutions available, there are four relevant logical layers: Frequency and Cost of Attack by Type of Attack Source: US National Consumer League, 2007 These layers are: Page 4
Real Time Transaction Analysis and Fraudulent Transaction Detection for Online Banking 1. User Physical Access and Location – this layer consists of the device being used by the user to perform the access, its characteristics, its physical location and other user details such as mobile telephone, mail address. 2. Internet Communication – this refers to the physical internet layer. 3. User Authentication Layer – this layer consists of the authentication information users must supply and other authentication mechanisms such as physical tokens that users might use during the authentication process. 4. Front-End Internet Banking Application – this is the suite of applications that form the Internet accessible layer of the banking systems. 5. Back-End Banking Systems and Data Warehouse and User History – this consists of the back-end banking systems and the data warehouse storing user access history. Real-Time Fraud Detection Solution Framework Implementing an effective mechanism for preventing Internet fraud will involve a multi-layer approach with multi-factor authentication and verification. It is important to understand that incidents will occur. Any system involving people will at some stage be compromised. Also, it may not be possible or worthwhile to implement a solution that is 100% secure. This may involve substantial incremental cost over a solution that is close to 100% secure that may not be justified. An integral part of any fraud detection solution is an incident handling system and associated processes. At a minimum, these should: • Contain the damage • Preserve/duplicate of the compromised system's state for further analysis • Contact the Police and the Bank’s legal department if required • Restore operations of compromised system, if relevant • Analyse problem and determine incident cause • Document incident and recovery details • Update control agents/implementation details based on analysis • Update incident response plan, if required The illusion of 100% security can be dangerous as it can lead to complacent behaviour and a substitute for sound practices. It can also cause IT users to behave more recklessly. Note that security compliance endorses an overall environment including technology and processes and not just a specific technology. The elements of an overall solution can include some of all of: Page 5
Real Time Transaction Analysis and Fraudulent Transaction Detection for Online Banking Real-Time Fraud Detection Solution Architecture A real-time fraudulent transaction analysis and detection system will operate in parallel to the normal transaction pipeline. The transaction pipeline will consist of the following steps: 1. User will initiate the transaction using a device such as, but not limited to, work or home PC 2. The user will use an internet connection to access the bank’s internet banking system 3. The user will authenticate with the bank’s internet banking system 4. The user will performing banking transactions 5. The data warehouse will be updated with information collected during the transaction Page 6
Real Time Transaction Analysis and Fraudulent Transaction Detection for Online Banking In parallel, the real-time fraudulent transaction analysis and detection system will operate. It should not insert itself into the transaction pipeline as this will delay transaction processing as well as involve higher implementation costs due to the integration effort. Details of transactions should be taken in real-time at two key points: 1. User access to gather details on how the user is accessing the system 2. Transaction to gather details on what transactions the user is performing This real-time information is then compared with user access history and transaction history details to determine if the transaction is likely to be fraudulent. At a high-level, the real-time fraudulent transaction analysis and detection system will consist of a core Collect-Analyse-Decide-Respond cycle. These stages will perform the following tasks: • Collect – information on the transaction will be collected. This will consist of access information, session information and transaction details. The collection component will gather information from multiple sources at multiple stages both through the transaction life cycle and off-line from other sources such as watchlists of addresses involved in fraud. • Analyse – the transaction information collected will be analysed both within itself and also be compared with historical information collected. Based on the two sets of data, the transaction will be scored with respect to its probability that it is fraudulent. • Decide – there will be a decision engine that determines if the transaction is fraudulent. Page 7
Real Time Transaction Analysis and Fraudulent Transaction Detection for Online Banking • Respond – based on the decision taken a response action will be determined. This process needs to happen in real-time as transactions are happening. It needs to be scalable to handle large-volumes of transactions without delaying overall transaction processing. The real-time fraudulent transaction analysis and detection system will also provide additional functions: • Reporting and Monitoring – the system should provide reporting and monitoring facilities to report on fraud analysis activities, system throughput, performance and other areas • Offline Analysis – this will provide other non-real-time analysis facilities that allow patterns across multiple transactions to be identified • Administration – the system can be administered and managed allow actions such as new rules to be defined and the operation system to be tuned and modified. Rules Engine and Decision Making Facility This is a flexible rules-engine that takes data from multiple sources to identify transactions as potentially fraudulent: The classification will be based on multiple factors, such as: Current Transaction Details Users Profiles Transaction Amount Users Ages Transaction Type Users Locations Users Jobs Transaction History Details Transaction Frequency Session Details Transaction Type Frequency IP Address Page 8
Real Time Transaction Analysis and Fraudulent Transaction Detection for Online Banking Account Activity Browser Type User Profile Session History Details User Age IP Addresses User Location Browser Types User Job Previously Known Sources of Fraud IP Addresses Associated With Fraud This information will be combined to assess the probability of the transaction being fraudulent: • Current Transaction Details – this will provide a profile of the transaction being performed • Transaction History Details – this will allow the current transaction to be compared against previous transactions • User Profile – this will provide a profile of the user performing the transaction • Users Profiles – this will provide a profile of all users against which the current user’s profile and the profile of the current transaction against the profile of transactions performed by similar users can be compared • Session Details – this will provide details on the internet access session • Session History Details – this will allow the current session details to be compared against previous sessions to allow changes to be identified • Previously Known Sources of Fraud – this will allow the current session details to be compared known access details associated with fraud Complex Event Processing/Event Driven Application Architecture and Approaches to Fraud Analysis There is an emerging technology in the form of Complex Event Processing (CEP) that is suitable for real-time online banking fraud detection. The topic of CEP is itself very complex. This section provides some very brief information to support its inclusion as an option for implementing a real-time fraud analysis solution. The high-level architecture of a Complex Event Processing (CEP)/Event Driven Application (EDA) architecture is: Page 9
Real Time Transaction Analysis and Fraudulent Transaction Detection for Online Banking The core logical elements of this approach are: • Continuous Query Engine - Processes high volumes of streaming data • SQL-based Event Processing Language (EPL) – extends SQL to handle streaming events EPL is SQL-based. It provides easier integration to relational data and the data storage facility. The key extension within EPL is the ability to handle streaming data provided by WHEN ... THEN statements rather than conventional IF ... THEN statements. Details on the levels of spending by US banks on A CEP application typically comprises of four main component types: consumer authentication and fraud detection in 2006, 1. Adapters interface directly to the inbound event sources. Adapters classified by the value of their understand the inbound protocol, and are responsible for converting the deposits. event data into a normalised data that can be queried by a processor (i.e. event processing agent, or processor). Adapters forward the normalised event data into Streams. 2. Streams are event processing endpoints. Among other things, streams are responsible for queuing event data until the event processing agent can act upon it. 3. The event processing agent removes the event data from the stream, processes it, and may generate new events to an output stream. 4. The Decide step listens to the output stream, The Decide step forward on the generated events to external event sinks such as a case management system. Source: Gartner Implementing a Real-Time Fraud Detection System Any practical approach to real-time anti-fraud will consist of the following activities: • Continuing customer education • Possible additional two-factor authentication for customers using some form of key generation tool • Profiling customer access and maintaining an up-to-date list of fraud sources to determine if a known source of fraudulent activity • Implementation of real-time fraud detection and handling system or systems • Checking transactions in real time Page 10
Real Time Transaction Analysis and Fraudulent Transaction Detection for Online Banking • Handling of suspicious transactions • Processes to link all these elements together Each of these will go some way to preventing fraud. Taken together they will form a comprehensive solution. Planned increase in spending intentions in 2007 from 2006 by these banks. In terms of the previous transaction pipeline, the additional steps required will be: 1. Before completing the transaction, the banking system would invoke a function to check the status of the transaction within the Decision engine. 2. The checking function will interrogate the Decision engine to get the result of the transaction check. 3. If the Decision engine has reached a decision about the transaction, this would be provided to the application status check. 4. If the transaction was determined to be suspicious, it would be written to a suspend queue where it would be held according to defined rules. 5. If the transaction was determined not to be suspicious, it would be Source: Gartner processed as normal. 6. The incident handling component would be notified. Page 11
Real Time Transaction Analysis and Fraudulent Transaction Detection for Online Banking For more information, please contact: alan@alanmcsweeney.com Page 12

More Related Content

PDF
IS and IT Auditor Roles in Today's New Economy
Goutama Bachtiar
 
PDF
IT Governance - Governing IT: Do or Die?
Eryk Budi Pratama
 
PPTX
Practical Cloud - Stephen Betts (Avanade)
Spiffy
 
PPTX
Red Hat Forum Norway 2017 - Red Hat on Azure Partners in Digital Innovation
Vadim Zendejas
 
PDF
Modern IT Service Management Transformation - ITIL Indonesia
Eryk Budi Pratama
 
PDF
Industry 4.0 : How to Build Relevant IT Skills
Eryk Budi Pratama
 
PDF
RPA (Robotic Process Automation), POA (Process Oriented Architecture) And BPM...
Alan McSweeney
 
PPT
Approach To It Strategy And Architecture
Alan McSweeney
 
IS and IT Auditor Roles in Today's New Economy
Goutama Bachtiar
 
IT Governance - Governing IT: Do or Die?
Eryk Budi Pratama
 
Practical Cloud - Stephen Betts (Avanade)
Spiffy
 
Red Hat Forum Norway 2017 - Red Hat on Azure Partners in Digital Innovation
Vadim Zendejas
 
Modern IT Service Management Transformation - ITIL Indonesia
Eryk Budi Pratama
 
Industry 4.0 : How to Build Relevant IT Skills
Eryk Budi Pratama
 
RPA (Robotic Process Automation), POA (Process Oriented Architecture) And BPM...
Alan McSweeney
 
Approach To It Strategy And Architecture
Alan McSweeney
 

What's hot (19)

PDF
ICT Association Suriname Presentation On eGovernment 2012
Cyril Soeri
 
PDF
ITIL With Information Security
vikasraina
 
PPTX
Orientation in IT Audit
Suman Thapaliya
 
PDF
Technology Risk Services
sarah kabirat
 
PPTX
Enterprise Architecture
Axis Technology, LLC
 
PPTX
Enterprise Architecture and Information Security
John Macasio
 
PPT
IO Journey All Up
baselsss
 
PDF
Security-by-Design in Enterprise Architecture
The Open Group SA
 
PDF
Nine HIPAA Compliance Questions to ask Yourself
LERNER Consulting
 
PDF
Agile Solution Architecture and Design
Alan McSweeney
 
DOCX
Task 2
BIBEKCHAUDHARYBScHon
 
PPT
Chapter 5
Dr. Muath Asmar
 
PDF
Mergers and Acquisition Security - Areas of Interest
Matthew Rosenquist
 
PPTX
Final Presentation
chris odle
 
PPT
Chapter 2
Dr. Muath Asmar
 
PDF
Outsourcing & Cloud Computing
visionetinternasional
 
PDF
Fortify Your Enterprise with IBM Smarter Counter-Fraud Solutions
Perficient, Inc.
 
PPTX
Security For Business: Are You And Your Customers Safe
woodsy01
 
DOC
Securing Citizen Facing Applications Presentation Notes
edwinlorenzana
 
ICT Association Suriname Presentation On eGovernment 2012
Cyril Soeri
 
ITIL With Information Security
vikasraina
 
Orientation in IT Audit
Suman Thapaliya
 
Technology Risk Services
sarah kabirat
 
Enterprise Architecture
Axis Technology, LLC
 
Enterprise Architecture and Information Security
John Macasio
 
IO Journey All Up
baselsss
 
Security-by-Design in Enterprise Architecture
The Open Group SA
 
Nine HIPAA Compliance Questions to ask Yourself
LERNER Consulting
 
Agile Solution Architecture and Design
Alan McSweeney
 
Task 2
BIBEKCHAUDHARYBScHon
 
Chapter 5
Dr. Muath Asmar
 
Mergers and Acquisition Security - Areas of Interest
Matthew Rosenquist
 
Final Presentation
chris odle
 
Chapter 2
Dr. Muath Asmar
 
Outsourcing & Cloud Computing
visionetinternasional
 
Fortify Your Enterprise with IBM Smarter Counter-Fraud Solutions
Perficient, Inc.
 
Security For Business: Are You And Your Customers Safe
woodsy01
 
Securing Citizen Facing Applications Presentation Notes
edwinlorenzana
 
Ad

Viewers also liked (20)

PDF
Project Failure Reasons and Causes
Alan McSweeney
 
PDF
Forget Big Data. It's All About Smart Data
Alan McSweeney
 
PDF
Getting Good And Staying Good At (Out)Sourcing
Alan McSweeney
 
PDF
Data Audit Approach To Developing An Enterprise Data Strategy
Alan McSweeney
 
PDF
The Myth Of Requirements
Alan McSweeney
 
PDF
Enterprise Business Analysis Capability - Strategic Asset for Business Alignm...
Alan McSweeney
 
PDF
Don’t Mention The “A” Word – Trends In Continuing Business And IT Misalignment
Alan McSweeney
 
PDF
Conway's Law, Cognitive Diversity, Organisation Transformation And Solution D...
Alan McSweeney
 
PDF
Translating Big Raw Data Into Small Actionable Information
Alan McSweeney
 
PDF
Stopping Analysis Paralysis And Decision Avoidance In Business Analysis And S...
Alan McSweeney
 
PDF
Introduction To Business Architecture – Part 1
Alan McSweeney
 
PDF
Complexity and Solution Architecture
Alan McSweeney
 
PDF
Whitepaper Exchange 2007 Changes, Resilience And Storage Management
Alan McSweeney
 
PDF
Whitepaper Server Virtualisation And Storage Management
Alan McSweeney
 
PDF
Digital Transformation And Enterprise Architecture
Alan McSweeney
 
PDF
Systems Analysis And Design Methodology And Supporting Processes
Alan McSweeney
 
PDF
Whitepaper Practical Information Technology Governance
Alan McSweeney
 
PDF
Structured Approach to Solution Architecture
Alan McSweeney
 
PDF
Supplier And Service Provider Governance
Alan McSweeney
 
PDF
Tender Evaluation Process Notes
Alan McSweeney
 
Project Failure Reasons and Causes
Alan McSweeney
 
Forget Big Data. It's All About Smart Data
Alan McSweeney
 
Getting Good And Staying Good At (Out)Sourcing
Alan McSweeney
 
Data Audit Approach To Developing An Enterprise Data Strategy
Alan McSweeney
 
The Myth Of Requirements
Alan McSweeney
 
Enterprise Business Analysis Capability - Strategic Asset for Business Alignm...
Alan McSweeney
 
Don’t Mention The “A” Word – Trends In Continuing Business And IT Misalignment
Alan McSweeney
 
Conway's Law, Cognitive Diversity, Organisation Transformation And Solution D...
Alan McSweeney
 
Translating Big Raw Data Into Small Actionable Information
Alan McSweeney
 
Stopping Analysis Paralysis And Decision Avoidance In Business Analysis And S...
Alan McSweeney
 
Introduction To Business Architecture – Part 1
Alan McSweeney
 
Complexity and Solution Architecture
Alan McSweeney
 
Whitepaper Exchange 2007 Changes, Resilience And Storage Management
Alan McSweeney
 
Whitepaper Server Virtualisation And Storage Management
Alan McSweeney
 
Digital Transformation And Enterprise Architecture
Alan McSweeney
 
Systems Analysis And Design Methodology And Supporting Processes
Alan McSweeney
 
Whitepaper Practical Information Technology Governance
Alan McSweeney
 
Structured Approach to Solution Architecture
Alan McSweeney
 
Supplier And Service Provider Governance
Alan McSweeney
 
Tender Evaluation Process Notes
Alan McSweeney
 
Ad

Similar to Whitepaper Real Time Transaction Analysis And Fraudulent Transaction Detection For Online Banking (20)

PDF
White paper Real Time Transaction Analysis and fraudulent transaction detecti...
Ajay Alex
 
PDF
Winning the war on cybercrime keys to holistic fraud prevention
CMR WORLD TECH
 
PDF
Paper id 35201568
IJRAT
 
PDF
Why is cyber security a disruption in the digital economy
Mark Albala
 
PDF
9 3
Hai Nguyen
 
PDF
Study on Phishing Attacks and Antiphishing Tools
IRJET Journal
 
DOCX
Globally.docx
GermanERuizCorrales
 
PDF
Securing And Protecting Information
Laura Martin
 
PDF
Banking and Modern Payments System Security Analysis
CSCJournals
 
PDF
Ethical Hacking Interview Questions and Answers.pdf
ShivamSharma909
 
PPTX
cybersecurity understanding in simple way
mithubain20043897
 
PDF
Cybersecurity in BFSI - Top Threats & Importance
manoharparakh
 
PDF
A survey on detection of website phishing using mcac technique
bhas_ani
 
PDF
ProjectReport_Finalversion
Mamoon Ismail Khalid
 
PDF
IRJET - PHISCAN : Phishing Detector Plugin using Machine Learning
IRJET Journal
 
PDF
Ethical hacking and social engineering
Sweta Kumari Barnwal
 
PPTX
Domain 3 of CEH v11 System Hacking Phases and Attack Techniques.pptx
Infosectrain3
 
PDF
Cybersecurity Slides
Jim Kaplan CIA CFE
 
PDF
Module 3-cyber security
Sweta Kumari Barnwal
 
PPTX
Training on Cyber Security & Awareness for employees
soumyapaul29
 
White paper Real Time Transaction Analysis and fraudulent transaction detecti...
Ajay Alex
 
Winning the war on cybercrime keys to holistic fraud prevention
CMR WORLD TECH
 
Paper id 35201568
IJRAT
 
Why is cyber security a disruption in the digital economy
Mark Albala
 
9 3
Hai Nguyen
 
Study on Phishing Attacks and Antiphishing Tools
IRJET Journal
 
Globally.docx
GermanERuizCorrales
 
Securing And Protecting Information
Laura Martin
 
Banking and Modern Payments System Security Analysis
CSCJournals
 
Ethical Hacking Interview Questions and Answers.pdf
ShivamSharma909
 
cybersecurity understanding in simple way
mithubain20043897
 
Cybersecurity in BFSI - Top Threats & Importance
manoharparakh
 
A survey on detection of website phishing using mcac technique
bhas_ani
 
ProjectReport_Finalversion
Mamoon Ismail Khalid
 
IRJET - PHISCAN : Phishing Detector Plugin using Machine Learning
IRJET Journal
 
Ethical hacking and social engineering
Sweta Kumari Barnwal
 
Domain 3 of CEH v11 System Hacking Phases and Attack Techniques.pptx
Infosectrain3
 
Cybersecurity Slides
Jim Kaplan CIA CFE
 
Module 3-cyber security
Sweta Kumari Barnwal
 
Training on Cyber Security & Awareness for employees
soumyapaul29
 

More from Alan McSweeney (20)

PDF
The Solution Architect As Product Manager.pdf
Alan McSweeney
 
PDF
Data Architecture for Solutions.pdf
Alan McSweeney
 
PDF
Solution Architecture and Solution Estimation.pdf
Alan McSweeney
 
PDF
Validating COVID-19 Mortality Data and Deaths for Ireland March 2020 – March ...
Alan McSweeney
 
PDF
Analysis of the Numbers of Catholic Clergy and Members of Religious in Irelan...
Alan McSweeney
 
PDF
IT Architecture’s Role In Solving Technical Debt.pdf
Alan McSweeney
 
PDF
Solution Architecture And Solution Security
Alan McSweeney
 
PDF
Data Privatisation, Data Anonymisation, Data Pseudonymisation and Differentia...
Alan McSweeney
 
PDF
Data Privatisation, Data Anonymisation, Data Pseudonymisation and Differentia...
Alan McSweeney
 
PDF
Solution Security Architecture
Alan McSweeney
 
PDF
Solution Architecture And (Robotic) Process Automation Solutions
Alan McSweeney
 
PDF
Data Profiling, Data Catalogs and Metadata Harmonisation
Alan McSweeney
 
PDF
Comparison of COVID-19 Mortality Data and Deaths for Ireland March 2020 – Mar...
Alan McSweeney
 
PDF
Analysis of Decentralised, Distributed Decision-Making For Optimising Domesti...
Alan McSweeney
 
PPTX
Operational Risk Management Data Validation Architecture
Alan McSweeney
 
PDF
Data Integration, Access, Flow, Exchange, Transfer, Load And Extract Architec...
Alan McSweeney
 
PDF
Ireland 2019 and 2020 Compared - Individual Charts
Alan McSweeney
 
PDF
Analysis of Irish Mortality Using Public Data Sources 2014-2020
Alan McSweeney
 
PDF
Ireland – 2019 And 2020 Compared In Data
Alan McSweeney
 
PDF
Review of Information Technology Function Critical Capability Models
Alan McSweeney
 
The Solution Architect As Product Manager.pdf
Alan McSweeney
 
Data Architecture for Solutions.pdf
Alan McSweeney
 
Solution Architecture and Solution Estimation.pdf
Alan McSweeney
 
Validating COVID-19 Mortality Data and Deaths for Ireland March 2020 – March ...
Alan McSweeney
 
Analysis of the Numbers of Catholic Clergy and Members of Religious in Irelan...
Alan McSweeney
 
IT Architecture’s Role In Solving Technical Debt.pdf
Alan McSweeney
 
Solution Architecture And Solution Security
Alan McSweeney
 
Data Privatisation, Data Anonymisation, Data Pseudonymisation and Differentia...
Alan McSweeney
 
Data Privatisation, Data Anonymisation, Data Pseudonymisation and Differentia...
Alan McSweeney
 
Solution Security Architecture
Alan McSweeney
 
Solution Architecture And (Robotic) Process Automation Solutions
Alan McSweeney
 
Data Profiling, Data Catalogs and Metadata Harmonisation
Alan McSweeney
 
Comparison of COVID-19 Mortality Data and Deaths for Ireland March 2020 – Mar...
Alan McSweeney
 
Analysis of Decentralised, Distributed Decision-Making For Optimising Domesti...
Alan McSweeney
 
Operational Risk Management Data Validation Architecture
Alan McSweeney
 
Data Integration, Access, Flow, Exchange, Transfer, Load And Extract Architec...
Alan McSweeney
 
Ireland 2019 and 2020 Compared - Individual Charts
Alan McSweeney
 
Analysis of Irish Mortality Using Public Data Sources 2014-2020
Alan McSweeney
 
Ireland – 2019 And 2020 Compared In Data
Alan McSweeney
 
Review of Information Technology Function Critical Capability Models
Alan McSweeney
 

Recently uploaded (20)

PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
PPTX
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
PDF
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Microsoft Dynamics
 
PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
August Patch Tuesday
Ivanti
 
PDF
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PDF
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
project resource management chapter-09.pdf
ssuser00e6e21
 
PDF
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PPTX
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
PPTX
Chapter 5: Probability Theory and Statistics
RandyFin
 
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Microsoft Dynamics
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
Encapsulation theory and applications.pdf
gurumoop
 
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
August Patch Tuesday
Ivanti
 
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Approach and Philosophy of On baking technology
30anthuong17
 
project resource management chapter-09.pdf
ssuser00e6e21
 
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
Chapter 5: Probability Theory and Statistics
RandyFin
 
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 

Whitepaper Real Time Transaction Analysis And Fraudulent Transaction Detection For Online Banking

  • 1. Real Time Transaction Analysis and Fraudulent Transaction Detection for Online Banking Alan McSweeney
  • 2. Real Time Transaction Analysis and Fraudulent Transaction Detection for Online Banking Contents Online Bank Fraud ..........................................................................................2 Online Bank Fraud ..........................................................................................3 Real Time Fraud Detection Solution Architecture............................................4 Internet Banking Logical Transaction Layers...............................................4 Real-Time Fraud Detection Solution Framework .........................................5 Real-Time Fraud Detection Solution Architecture........................................6 Rules Engine and Decision Making Facility..................................................8 Complex Event Processing/Event Driven Application Architecture and Approaches to Fraud Analysis..........................................................................9 Implementing a Real-Time Fraud Detection System ...................................... 10 The behaviour characteristics of online banking fraud are: • Continuous behaviour changes by criminals • Very high growth rates • Sophisticated advanced and changing fraud techniques To effectively detect and stop fraud before it happens, banks will require insight into user activity in real-time. This will be provided by a real-time online banking fraud detection and analysis solution. There are many small software vendors operating in this area and the market is still quite fragmented. There will be consolidation as vendors merge and are taken over or go out of business. There is an emerging technology in the form of Complex Event Processing (CEP) that is suitable for real-time online banking fraud detection. As part of the implementation of any real-time online fraud solution, banks will need to implement new business processes to support any solution. This will be a key element of any overall solution. A complete solution will consist of the following components: • Continuing customer education • Possible additional two-factor authentication for customers using some form of key generation tool • Profiling customer access and maintaining an up-to-date list of fraud sources to determine if a known source of fraudulent activity • Implementation of real-time fraud detection and handling system or systems • Checking transactions in real time • Handling of suspicious transactions • Processes to link all these elements together Page 2
  • 3. Real Time Transaction Analysis and Fraudulent Transaction Detection for Online Banking Online Bank Fraud This whitepaper provides an introduction to the end-to-end landscape of online banking fraud and its detection and handling. Online banking fraud can arise in a number of ways: 1. By some form of identity theft where the banking authentication details of legitimate users are stolen and used for criminal and fraudulent purposes such as phishing and crimeware attacks 2. By some form of security breach that allows criminals access to bank banking systems 3. By fraudulent activity by bank employees The numbers of crimeware- 4. By persons closely associated with legitimate users gaining access to their spreading URLs infecting PCs authentication details and performing fraud with password-stealing code rose 93 percent in Q1, 2008 to 6,500 The common thread in all this is people who are the weakest link in any security sites, nearly double the previous system. high of November, 2007 - and an increase of 337% percent from the Of these sources of fraud, phishing in all its forms will be the one that gives rise number detected end of Q1, 2007. to most concern. It will be the mechanism by which criminals get access to account information in order to defraud customers. Phishing typically employs both a social engineering and a technical approach (Crimeware) to steal consumers’ personal identity data and financial account access details. Crimeware is software that performs illegal actions not requested by a user running the software that are typically intended to yield financial benefits to the distributor of the software. Social-engineering schemes use spoofed e-mails purporting to be from legitimate sources to lead consumers to counterfeit websites designed to trick recipients into divulging financial account authentication data. Source: AntiPhishing Working Group Essentially, crimeware is divided into two broad categories: http://www.antiphishing.org Q1 2008 Phishing Activity Trends 1. Social Engineering – this involves an e-mail with an address or an Summary attachment that directs the user to the fraudulent site or inflects the user’s PC with criminal software 2. Security Exploits – these take advantage of flaws in software such as user’s operating system, browser or elements of the internet infrastructure used to gain access to the bank’s online banking site. Unfortunately crimeware is a fact of life in the online world. Crimeware is distributed in many ways such as: • Social engineering attacks convincing users to open a malicious email attachment containing crimeware • Injection of crimeware into legitimate web sites via content injection attacks such as cross-site scripting Page 3
  • 4. Real Time Transaction Analysis and Fraudulent Transaction Detection for Online Banking Number of Attacks: • Exploiting security vulnerabilities through worms and other attacks on security flaws in operating systems, browsers, and other commonly installed software • Insertion of crimeware into downloadable software that otherwise performs a desirable function. Any approach to preventing fraud needs to take account of these mechanisms and to ensure that the bank does not perform any actions that could be mistaken and misused in these contexts, such as: • Sending mails to customers that could then be confused with phishing mails Source: AntiPhishing Working • Providing users with separate downloadable software to perform functions Group such as security checking and PC fingerprint generation http://www.antiphishing.org Q1 2008 Phishing Activity Trends Real Time Fraud Detection Solution Architecture Summary Internet Banking Logical Transaction Layers In terms of examining the options for real-time fraudulent transaction analysis and determining the architectures and solutions available, there are four relevant logical layers: Frequency and Cost of Attack by Type of Attack Source: US National Consumer League, 2007 These layers are: Page 4
  • 5. Real Time Transaction Analysis and Fraudulent Transaction Detection for Online Banking 1. User Physical Access and Location – this layer consists of the device being used by the user to perform the access, its characteristics, its physical location and other user details such as mobile telephone, mail address. 2. Internet Communication – this refers to the physical internet layer. 3. User Authentication Layer – this layer consists of the authentication information users must supply and other authentication mechanisms such as physical tokens that users might use during the authentication process. 4. Front-End Internet Banking Application – this is the suite of applications that form the Internet accessible layer of the banking systems. 5. Back-End Banking Systems and Data Warehouse and User History – this consists of the back-end banking systems and the data warehouse storing user access history. Real-Time Fraud Detection Solution Framework Implementing an effective mechanism for preventing Internet fraud will involve a multi-layer approach with multi-factor authentication and verification. It is important to understand that incidents will occur. Any system involving people will at some stage be compromised. Also, it may not be possible or worthwhile to implement a solution that is 100% secure. This may involve substantial incremental cost over a solution that is close to 100% secure that may not be justified. An integral part of any fraud detection solution is an incident handling system and associated processes. At a minimum, these should: • Contain the damage • Preserve/duplicate of the compromised system's state for further analysis • Contact the Police and the Bank’s legal department if required • Restore operations of compromised system, if relevant • Analyse problem and determine incident cause • Document incident and recovery details • Update control agents/implementation details based on analysis • Update incident response plan, if required The illusion of 100% security can be dangerous as it can lead to complacent behaviour and a substitute for sound practices. It can also cause IT users to behave more recklessly. Note that security compliance endorses an overall environment including technology and processes and not just a specific technology. The elements of an overall solution can include some of all of: Page 5
  • 6. Real Time Transaction Analysis and Fraudulent Transaction Detection for Online Banking Real-Time Fraud Detection Solution Architecture A real-time fraudulent transaction analysis and detection system will operate in parallel to the normal transaction pipeline. The transaction pipeline will consist of the following steps: 1. User will initiate the transaction using a device such as, but not limited to, work or home PC 2. The user will use an internet connection to access the bank’s internet banking system 3. The user will authenticate with the bank’s internet banking system 4. The user will performing banking transactions 5. The data warehouse will be updated with information collected during the transaction Page 6
  • 7. Real Time Transaction Analysis and Fraudulent Transaction Detection for Online Banking In parallel, the real-time fraudulent transaction analysis and detection system will operate. It should not insert itself into the transaction pipeline as this will delay transaction processing as well as involve higher implementation costs due to the integration effort. Details of transactions should be taken in real-time at two key points: 1. User access to gather details on how the user is accessing the system 2. Transaction to gather details on what transactions the user is performing This real-time information is then compared with user access history and transaction history details to determine if the transaction is likely to be fraudulent. At a high-level, the real-time fraudulent transaction analysis and detection system will consist of a core Collect-Analyse-Decide-Respond cycle. These stages will perform the following tasks: • Collect – information on the transaction will be collected. This will consist of access information, session information and transaction details. The collection component will gather information from multiple sources at multiple stages both through the transaction life cycle and off-line from other sources such as watchlists of addresses involved in fraud. • Analyse – the transaction information collected will be analysed both within itself and also be compared with historical information collected. Based on the two sets of data, the transaction will be scored with respect to its probability that it is fraudulent. • Decide – there will be a decision engine that determines if the transaction is fraudulent. Page 7
  • 8. Real Time Transaction Analysis and Fraudulent Transaction Detection for Online Banking • Respond – based on the decision taken a response action will be determined. This process needs to happen in real-time as transactions are happening. It needs to be scalable to handle large-volumes of transactions without delaying overall transaction processing. The real-time fraudulent transaction analysis and detection system will also provide additional functions: • Reporting and Monitoring – the system should provide reporting and monitoring facilities to report on fraud analysis activities, system throughput, performance and other areas • Offline Analysis – this will provide other non-real-time analysis facilities that allow patterns across multiple transactions to be identified • Administration – the system can be administered and managed allow actions such as new rules to be defined and the operation system to be tuned and modified. Rules Engine and Decision Making Facility This is a flexible rules-engine that takes data from multiple sources to identify transactions as potentially fraudulent: The classification will be based on multiple factors, such as: Current Transaction Details Users Profiles Transaction Amount Users Ages Transaction Type Users Locations Users Jobs Transaction History Details Transaction Frequency Session Details Transaction Type Frequency IP Address Page 8
  • 9. Real Time Transaction Analysis and Fraudulent Transaction Detection for Online Banking Account Activity Browser Type User Profile Session History Details User Age IP Addresses User Location Browser Types User Job Previously Known Sources of Fraud IP Addresses Associated With Fraud This information will be combined to assess the probability of the transaction being fraudulent: • Current Transaction Details – this will provide a profile of the transaction being performed • Transaction History Details – this will allow the current transaction to be compared against previous transactions • User Profile – this will provide a profile of the user performing the transaction • Users Profiles – this will provide a profile of all users against which the current user’s profile and the profile of the current transaction against the profile of transactions performed by similar users can be compared • Session Details – this will provide details on the internet access session • Session History Details – this will allow the current session details to be compared against previous sessions to allow changes to be identified • Previously Known Sources of Fraud – this will allow the current session details to be compared known access details associated with fraud Complex Event Processing/Event Driven Application Architecture and Approaches to Fraud Analysis There is an emerging technology in the form of Complex Event Processing (CEP) that is suitable for real-time online banking fraud detection. The topic of CEP is itself very complex. This section provides some very brief information to support its inclusion as an option for implementing a real-time fraud analysis solution. The high-level architecture of a Complex Event Processing (CEP)/Event Driven Application (EDA) architecture is: Page 9
  • 10. Real Time Transaction Analysis and Fraudulent Transaction Detection for Online Banking The core logical elements of this approach are: • Continuous Query Engine - Processes high volumes of streaming data • SQL-based Event Processing Language (EPL) – extends SQL to handle streaming events EPL is SQL-based. It provides easier integration to relational data and the data storage facility. The key extension within EPL is the ability to handle streaming data provided by WHEN ... THEN statements rather than conventional IF ... THEN statements. Details on the levels of spending by US banks on A CEP application typically comprises of four main component types: consumer authentication and fraud detection in 2006, 1. Adapters interface directly to the inbound event sources. Adapters classified by the value of their understand the inbound protocol, and are responsible for converting the deposits. event data into a normalised data that can be queried by a processor (i.e. event processing agent, or processor). Adapters forward the normalised event data into Streams. 2. Streams are event processing endpoints. Among other things, streams are responsible for queuing event data until the event processing agent can act upon it. 3. The event processing agent removes the event data from the stream, processes it, and may generate new events to an output stream. 4. The Decide step listens to the output stream, The Decide step forward on the generated events to external event sinks such as a case management system. Source: Gartner Implementing a Real-Time Fraud Detection System Any practical approach to real-time anti-fraud will consist of the following activities: • Continuing customer education • Possible additional two-factor authentication for customers using some form of key generation tool • Profiling customer access and maintaining an up-to-date list of fraud sources to determine if a known source of fraudulent activity • Implementation of real-time fraud detection and handling system or systems • Checking transactions in real time Page 10
  • 11. Real Time Transaction Analysis and Fraudulent Transaction Detection for Online Banking • Handling of suspicious transactions • Processes to link all these elements together Each of these will go some way to preventing fraud. Taken together they will form a comprehensive solution. Planned increase in spending intentions in 2007 from 2006 by these banks. In terms of the previous transaction pipeline, the additional steps required will be: 1. Before completing the transaction, the banking system would invoke a function to check the status of the transaction within the Decision engine. 2. The checking function will interrogate the Decision engine to get the result of the transaction check. 3. If the Decision engine has reached a decision about the transaction, this would be provided to the application status check. 4. If the transaction was determined to be suspicious, it would be written to a suspend queue where it would be held according to defined rules. 5. If the transaction was determined not to be suspicious, it would be Source: Gartner processed as normal. 6. The incident handling component would be notified. Page 11
  • 12. Real Time Transaction Analysis and Fraudulent Transaction Detection for Online Banking For more information, please contact: alan@alanmcsweeney.com Page 12