ArcSight FraudView Whitepaper
- Pavan Raja

- Apr 8, 2025
- 10 min read
Summary:
This article summarizes the ArcSight FraudView whitepaper. FraudView is a risk modeling approach designed to assess the level of risk associated with transactions and to detect suspicious behavior by monitoring factors such as login locations, device identifiers, IP addresses, and more. Its key features and benefits are:
1. **Automated Escalation Process**: ArcSight FraudView includes an automated escalation process with early warning rule sets. These detect activities that are not significant on their own but, when compared with other similar actions by the same account, may indicate fraudulent behavior. Escalation runs through three levels: Watch list, Suspicious list, and Top Loss Countries.
2. **Risk Assessment**: The system analyzes transaction attributes such as payment activity, country-specific transactions, or account access to identify statistically significant patterns of activity that may indicate fraud. Each event is analyzed against default indicators, which can be tailored to specific requirements.
3. **Real-Time Detection and Alerts**: ArcSight FraudView provides real-time dashboards and on-demand reports that display account status information, enabling quick decision-making regarding which accounts warrant closer scrutiny. When anomalies are detected through its pattern detection engine, automatic rule creation, and real-time correlation engine, it triggers alerts for further investigation.
4. **Integration with External Solutions**: The system integrates seamlessly with external case management solutions, allowing notifications to alert analysts when specific rules are triggered, enhancing the overall fraud detection and investigation process within an organization.
5. **Incident Investigation and Collaboration**: Analysts can use the incident investigation feature to analyze suspicious patterns in transactions or groups of events indicative of fraud. Annotation allows multiple fraud analysts to collaborate seamlessly without redundant efforts by marking cases under investigation.
6. **Scalability and Flexibility**: ArcSight FraudView operates independently across various devices and applications, making it an effective tool for maintaining 24/7 visibility into organizational activity without constant human intervention. It is also flexible enough to be tailored according to specific requirements.
In summary, ArcSight FraudView is a comprehensive fraud detection tool that provides real-time monitoring, automated escalation processes, and advanced analytics to identify potential fraudulent activities within an organization. By leveraging its unique capabilities and integrating with external solutions, it aims to enhance the effectiveness of fraud detection in financial institutions while supporting secure use of online transaction platforms.
Details:
The whitepaper "ArcSight FraudView" from ArcSight, Inc., outlines the growing trust deficit in online banking caused by fraud, malware, hackers, and organized criminals using increasingly sophisticated methods to steal money from clients. As more users conduct transactions online, the amount of money moved through these services has skyrocketed. The whitepaper cites recent examples such as "man in the browser" attacks and phishing scams targeting authentication credentials, as well as stolen payment card numbers used for illegal purchases.
The document emphasizes that trust is critical for consumer confidence in financial services provided over the internet. President Obama has highlighted that a country's financial systems are part of its critical infrastructure, alongside military, power, and communication systems. The consequences of online fraud for banks, insurers, and brokerages can be significant, affecting their reputation and customer trust, as well as increasing operational costs to combat such threats.
The article discusses the challenges faced by financial institutions due to increasing online fraud, which can lead to reduced trust and potential loss of customers. It introduces ArcSight FraudView as a solution designed to detect and mitigate various types of online fraud, including fraudulent account takeovers through tactics like phishing, smishing, spear-phishing, and vishing.
ArcSight FraudView helps in reducing fraud by focusing on three key areas: account takeover, transaction detection, and account creation. It monitors factors such as time between account creation and use, machine IP address usage patterns, and more to identify potential unauthorized access due to account takeovers. The tool also considers multiple accounts from the same IP address or instances where different channels show suspicious activity related to a single customer, indicating possible fraud.
In summary, ArcSight FraudView is presented as an essential tool for financial institutions looking to combat online fraud and protect their customers' trust in digital banking services.
ArcSight FraudView is designed to address various forms of potential fraud by applying risk ratings during attempted account logins and by analyzing transaction-level factors such as IP addresses and locations after authentication. It detects pre-authentication fraud indicators such as multiple IP addresses attempting to access one account or, conversely, a single IP address attempting to access multiple accounts before any successful authentication. By identifying these anomalies promptly, ArcSight FraudView can significantly reduce the risk of fraudulent access to an account.
In cases where a criminal gains access to a legitimate account after authentication, ArcSight FraudView continues to monitor and rate transactions for signs of potential fraud based on factors such as usage patterns, destination country, and requestor IP address. This approach helps both detect and prevent fraud by evaluating transaction-level indicators such as IP addresses and locations at the time of the transaction, rather than relying solely on ex post facto forensic analysis.
Furthermore, ArcSight FraudView is adept at identifying and preventing fraudulent account creations, such as unauthorized additions of bill payees in online banking accounts. By implementing risk ratings during login attempts and analyzing transaction-level factors, ArcSight FraudView provides a robust solution for safeguarding against various types of fraud, thereby minimizing the potential impact of these fraudulent activities on financial institutions and their customers.
The common method for creating new accounts and making payments involves a "man in the browser" (MITB) attack where a bot sits between the user and the bank, displaying normal banking web pages to the customer while secretly adding new bill payees and related payments. Customers are unaware of these additions, which occur within authenticated and encrypted sessions with banks. Later, when customers receive their paper statements, they may notice that money has been removed due to these unauthorized actions.
ArcSight FraudView can detect MITB attacks by applying rules to account events such as bill payee creation. For instance, if the create payee page is invoked multiple times within a minute, it suggests an increased likelihood of a MITB attack. The system applies a wide range of related rules to detect fraudulent accounts and transactions in real time, alerting bank fraud analysts so they can take action to mitigate risk promptly.
ArcSight FraudView's unique capabilities for fraud detection include cross-channel detection, which allows it to correlate actions across various channels to assess broader risks. For example, criminals might exploit a compromised debit card and related account information to spread transfers across multiple channels such as ATM, online banking, and merchant transactions. This broad correlation capability helps in detecting fraudulent activities more effectively than narrowly focused solutions.
ArcSight FraudView is a fraud detection solution designed to identify and prevent various types of financial fraud by analyzing transactions across multiple channels such as wire transfers, cash withdrawals from ATMs or convenience stores, and online purchases. The system operates in real-time and integrates rules for evaluating account or transaction events based on risk levels. It has three main capabilities:
1. Multi-Channel Transaction Analysis: ArcSight FraudView collects data from various transactions including but not limited to wire transfers, cash withdrawals using a payment card at an ATM or convenience store, and online purchases using the card number. Although these individual transactions might seem low-risk, if they occur within a short time frame (30 minutes), it could indicate account takeover fraud. The system's ability to correlate different types of data across multiple channels helps detect potentially fraudulent activities that may otherwise go undetected.
2. Real-Time Evaluation: Unlike traditional fraud detection systems that focus on post-incident analysis, ArcSight FraudView evaluates transactions and events in real time based on pre-defined rules. This allows for quicker identification of potential fraudulent activities and immediate actions such as applying risk ratings to transactions or blocking suspicious ones by notifying internal banking systems.
3. Multi-Path Risk Analysis: The system employs multiple fraud detection engines, which helps in detecting novel types of fraud that may evade initial detection due to their unique characteristics. These engines can analyze individual events on a risk scale from 1 to 10 and trigger alerts if the score is above a certain threshold (e.g., above 7). Additionally, it uses automatic pattern recognition techniques that consider multiple related events together, helping identify patterns indicative of fraudulent activities.
Overall, ArcSight FraudView aims to enhance security by proactively identifying potential fraud scenarios in real-time and minimizing losses through quick detection and blocking of fraudulent transactions.
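The three rule families described above (pre-authentication IP fan-out and fan-in, the MITB create-payee burst, and the cross-channel 30-minute correlation) all reduce to the same sliding-window check. The following added example, which is not code from the whitepaper or from ArcSight, implements that check once and expresses each rule on top of it; the event layout, the 5-minute pre-authentication window, and the count threshold of three are assumptions, while the one-minute and 30-minute windows come from the text.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not taken from the whitepaper: (timestamp, account, ip, channel, action)
EVENTS = [
    ("2025-04-08 09:00:00", "acct-1001", "198.51.100.7", "online", "login_failed"),
    ("2025-04-08 09:00:05", "acct-1002", "198.51.100.7", "online", "login_failed"),
    ("2025-04-08 09:00:09", "acct-1003", "198.51.100.7", "online", "login_failed"),
    ("2025-04-08 09:10:20", "acct-2001", "203.0.113.9", "online", "create_payee"),
    ("2025-04-08 09:10:35", "acct-2001", "203.0.113.9", "online", "create_payee"),
    ("2025-04-08 09:10:50", "acct-2001", "203.0.113.9", "online", "create_payee"),
    ("2025-04-08 09:20:00", "acct-3001", "-", "wire", "transfer"),
    ("2025-04-08 09:31:00", "acct-3001", "-", "atm", "withdrawal"),
    ("2025-04-08 09:45:00", "acct-3001", "-", "merchant", "purchase"),
]
TS, ACCOUNT, IP, CHANNEL, ACTION = range(5)  # tuple field positions
FMT = "%Y-%m-%d %H:%M:%S"

def windowed_hits(events, group_by, distinct, window, threshold, match):
    """Sliding-window rule: group matching events by `group_by` and flag a key when
    the events inside one `window` cover >= `threshold` distinct values of `distinct`."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[TS]):
        if match(ev):
            by_key[ev[group_by]].append(ev)
    hits = {}
    for k, evs in by_key.items():
        for i, first in enumerate(evs):
            start, seen = datetime.strptime(first[TS], FMT), set()
            for ev in evs[i:]:
                if datetime.strptime(ev[TS], FMT) - start > window:
                    break
                seen.add(ev[distinct])
            if len(seen) >= threshold:
                hits[k] = sorted(seen)   # key fired; record what the window spanned
                break
    return hits

FAILED = lambda e: e[ACTION] == "login_failed"
def preauth_fanout(events, window=timedelta(minutes=5)):
    """One IP failing logins against several accounts (window and count assumed)."""
    return windowed_hits(events, IP, ACCOUNT, window, 3, FAILED)
def preauth_fanin(events, window=timedelta(minutes=5)):
    """Several IPs failing logins against one account: the same rule, keys swapped."""
    return windowed_hits(events, ACCOUNT, IP, window, 3, FAILED)
def mitb_payee_burst(events):
    """Create-payee page hit repeatedly within a minute (timestamps are unique here, so distinct timestamps count hits; 3 assumed)."""
    return windowed_hits(events, ACCOUNT, TS, timedelta(minutes=1), 3,
                         lambda e: e[ACTION] == "create_payee")
def cross_channel(events):
    """Wire, ATM and merchant activity by one account inside 30 minutes."""
    return windowed_hits(events, ACCOUNT, CHANNEL, timedelta(minutes=30), 3,
                         lambda e: e[CHANNEL] in {"wire", "atm", "merchant"})
```

Each rule returns the keys that fired together with the distinct values the window spanned, which is the information an analyst needs to see why the alert was raised.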
ArcSight FraudView is a sophisticated fraud detection system that utilizes seven integrated components to identify fraudulent activities in real-time. This technology can be deployed either as a standalone appliance or installable software. At its core lies the Multi-Factor Risk Scoring Engine, which employs an escalating risk model to assess risks against external factors and generates a composite risk score for each transaction or account event.
This engine dynamically evolves as it operates, incorporating outputs from other fraud detection technologies. It rates events using this risk model, allowing customization in real-time according to specific business needs. The risk rating helps analysts focus on the most critical transactions by enabling investigations and responses tailored to the identified risks.
The risk model can import attributes from external sources like blacklists, which allows it to evaluate event risks against lists of known hostile IP addresses or compare a user's host machine with a list of trusted devices. Customers have the option to bring in their own lists of suspicious payees, countries, or fraudulent tax identification numbers for more targeted risk assessment.
The engine is supported by several other components such as the correlation, trending, and pattern detection engines. The correlation engine detects suspicious activity and adds attributes back into the risk model, affecting future transactions from that account or destined for those payees with increased risk scores. Trending functions compile statistical data about monitored accounts, which forms part of the overall risk assessment.
In summary, ArcSight FraudView's comprehensive approach to fraud detection leverages a multi-faceted engine and integrated components capable of real-time risk analysis and dynamic adjustment based on customizable risk models and external feed imports.
ArcSight FraudView evaluates transactions against a risk engine to determine their level of risk based on deviation from normal behavior patterns. High-risk transactions receive higher scores, while standard activities receive lower scores. Scoring can be customized or adjusted manually if needed, but automation is generally preferred for efficiency. The evaluation covers indicators such as destination risk (payee country and suspicious payee), transaction risk (transaction type and level of escalation), device risk (origin attributes such as geo-location and system information), and account risk (status in the Early Warning Account Escalation process). Each event is analyzed against default indicators, which can be tailored as required.
ArcSight FraudView is a risk modeling approach that can assess the level of risk associated with transactions as they occur. The system detects suspicious behavior by monitoring login locations, device identifiers, IP addresses, and other factors to create a risk score for each transaction. When an account logs in from a country considered risky or updates its contact information, it receives a higher risk score. If the criminal's pattern involves logging in, changing account info, and making money movements, subsequent transactions will have progressively higher risk scores based on their escalation process through three levels: Watch list, Suspicious list, and Top Loss Countries.
The product has an automated escalation process with early warning rule sets that detect activities which are not significant on their own but, when compared with other similar actions by the same account, may indicate fraudulent behavior. The process begins with adding accounts to the Watch list, followed by the Suspicious list if continued suspicious activity is observed. If the account's behavior remains consistently suspicious after a configurable amount of time or based on repeated patterns, it will be placed in Top Loss Countries, indicating high-risk transactions and potential financial loss for the organization.
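The following added example, which is not the whitepaper's or ArcSight's own code, shows how the composite score, the imported reference lists, and the Watch list / Suspicious list / Top Loss escalation interact on the login, contact-change, money-movement sequence described above. The reference list contents, the indicator weights, the score of 4 that counts as suspicious, and the two hits needed per escalation step are assumptions; the 1 to 10 scale, the alert threshold of 7, and the three escalation levels come from the text.

```python
from collections import defaultdict

# Constructed reference lists standing in for the imported feeds the whitepaper
# describes (hostile IPs, trusted devices, risky countries, suspicious payees).
HOSTILE_IPS = {"198.51.100.7"}
TRUSTED_DEVICES = {"dev-alice-laptop"}
RISKY_COUNTRIES = {"XX"}            # placeholder code, not a real country
SUSPICIOUS_PAYEES = {"payee-9999"}

LEVELS = ["none", "watch", "suspicious", "top_loss"]  # escalation ladder from the text
ALERT_THRESHOLD = 7    # alert when the score is above 7 (from the text)
SUSPICIOUS_SCORE = 4   # assumed: scores at or above this count toward escalation
HITS_PER_LEVEL = 2     # assumed: suspicious events needed to move up one level

def score_event(ev, state):
    """Composite 1-10 score from the four indicator families (weights are assumed)."""
    score = 1
    if ev.get("payee") in SUSPICIOUS_PAYEES: score += 3          # destination risk
    if ev.get("dest_country") in RISKY_COUNTRIES: score += 2     # destination risk
    if ev["type"] in ("change_contact", "money_movement"): score += 2  # transaction risk
    if ev.get("ip") in HOSTILE_IPS: score += 3                   # device risk (IP list)
    if ev.get("device") not in TRUSTED_DEVICES: score += 1       # device risk (unknown host)
    if ev.get("login_country") in RISKY_COUNTRIES: score += 2    # device risk (geo-location)
    score += 2 * state["level"]   # account risk: escalation level raises every later event
    return min(score, 10)

def escalate(state, score):
    """Early-warning escalation: repeated suspicious scores move the account
    one step up the Watch -> Suspicious -> Top Loss ladder."""
    if score >= SUSPICIOUS_SCORE:
        state["hits"] += 1
        if state["hits"] >= HITS_PER_LEVEL and state["level"] < len(LEVELS) - 1:
            state["level"] += 1
            state["hits"] = 0

def process(events):
    """Score each event in arrival order; return (account, score, level, alert)."""
    states = defaultdict(lambda: {"level": 0, "hits": 0})
    out = []
    for ev in events:
        st = states[ev["account"]]
        s = score_event(ev, st)
        escalate(st, s)
        out.append((ev["account"], s, LEVELS[st["level"]], s > ALERT_THRESHOLD))
    return out

# Constructed scenario from the text: login from a risky country, contact change,
# then money movement; each step scores higher than the last. acct-2 is benign.
ATTACK = {"account": "acct-1", "login_country": "XX", "device": "dev-unknown"}
SAMPLE = [
    dict(ATTACK, type="login"),
    dict(ATTACK, type="change_contact"),
    dict(ATTACK, type="money_movement", payee="payee-9999", dest_country="XX"),
    {"account": "acct-2", "type": "login", "login_country": "US", "device": "dev-alice-laptop"},
]
```

Running process(SAMPLE) scores the attacker's three events 4, 6 and 10, moves the account onto the Watch list after the second, and raises an alert only on the money movement, while the benign login scores 1.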
ArcSight FraudView is a software tool designed to help organizations investigate potential fraudulent activity within their operations. It gives analysts the ability to identify suspicious transactions or events, the proverbial needles in a haystack of data, and prioritize them for further investigation. The system offers real-time dashboards and on-demand reports that display account status information, enabling quick decisions about which accounts warrant closer scrutiny.
The analyst desktop within ArcSight FraudView includes features such as incident investigation, annotation, case management, notification, and response. Incident investigation allows analysts to analyze specific transaction events or groups of events for unusual patterns and flows indicative of fraud. Annotation enables multiple fraud analysts to collaborate seamlessly without redundant efforts by marking the transactions that are currently under investigation, thus informing other analysts about active cases.
If necessary, investigators can escalate a case to another level by annotating and assigning it to another user within the system. The built-in case management system automatically creates cases when predefined rules are triggered or manually created based on an ongoing investigation. Cases can be assigned to any analyst in the organization and tracked through resolution, with performance metrics for individual analysts being reported against operational objectives such as time to resolution and open vs. closed cases.
Furthermore, ArcSight FraudView integrates seamlessly with external case management solutions, allowing notifications to alert analysts when specific rules are triggered, thus enhancing the overall fraud detection and investigation process within an organization.
ArcSight FraudView is a system designed to detect fraudulent activity through continuous monitoring, providing real-time alerts when anomalies are detected by its pattern detection engine, automatic rule creation, and real-time correlation engine. The system analyzes collected data to identify statistically significant patterns of activity that may indicate fraud across transaction attributes such as payment activity, country-specific transactions, or account access. Once a fraudulent pattern is identified, it can be marked for future use in detecting similar activity through the correlation engine, which evaluates transactions against multiple fraud detection rules in real time and, optionally, against historical datasets to validate patterns of compromise. These capabilities allow it to operate independently across various devices and applications, making it an effective tool for maintaining 24/7 visibility into organizational activity without constant human intervention.
The ArcSight FraudView whitepaper discusses how intelligent data collectors, such as SmartConnectors, collect data from business applications such as call center VoIP records and internet-facing portal logons. These connectors convert raw data into standardized formats for analysis, applying time stamp correction, bandwidth throttling, and event filtering. ArcSight FraudView includes pre-built rule sets tailored for online fraud detection, and analysts can define further rules without coding expertise. The whitepaper highlights the importance of efficient fraud detection in financial institutions as consumers increasingly use the internet, emphasizing that new techniques and technologies deployed by criminals threaten this potential growth.
ArcSight FraudView is a fraud detection tool that integrates with other fraud detection technologies to enhance its capabilities and provide unique online fraud detection features. It leverages the real-time data collection and correlation capabilities developed by ArcSight over the past decade, which have been proven effective in protecting some of the world's most demanding banks and government agencies. By focusing on online fraud, ArcSight FraudView aims to support the potential of the internet as a global transaction platform while ensuring its secure use. For more information, you can contact ArcSight at info@arcsight.com or 1-888-415-ARST.