By Mike Russell
Have you caught a whiff of what the dark web burped up in January? A database of 2.2 billion unique usernames and associated passwords rose out of the depths. Much of the data set has long since decayed into obsolescence: passwords changed, accounts closed. Nevertheless, would-be fraudsters will wade through the dregs for usable remnants and to hone their skills. When future breaches spill valid credentials onto the dark web—to be sold in secret until they’re fully monetized—those illicit skills will be put to credential stuffing attacks. Hold your nose.
Two more eventualities are just as likely. First, fraudsters will sniff out passwords that have been re-used across multiple accounts, including ones for your customers on your digital properties. Second, your customers—whose accounts are taken over due in part to their own poor security hygiene—will hold your organization responsible.
In concert, these three factors invite a question: Will your organization’s fraud and security teams take this ‘new normal’ as an opportunity to improve their cross-functional communication and collaboration? Both teams could benefit.
The benefit of greater cross-functional collaboration
“The security team holds a lot of transactional information that would be great for the fraud team to ingest,” says Frank McKenna, chief fraud strategist for PointPredictive. “Who’s logging in, from where, and when. Blacklisted IP addresses and devices. Services that block distributed denial-of-service attacks. Combining these high-quality data points with transactional information can boost the value of fraud models—and reduce false positives—by 10 to 25 percent.”
The security team would benefit, too, says McKenna. When they need to calculate a new technology’s potential return on investment, adding in use cases from the fraud team could improve the math. That applies to established technologies, too. The fraud team may find novel ways to get more value out of those investments.
“Working together, both are more business-relevant than each is independently,” adds Michael Thelander, director of product marketing at Venafi. “If you start treating fraud events like security events, then you start to think about adapting and applying incident response practices, which improves the overall response. For the security team, money saved from fraud is a clear business-level metric. Also, the extra feedback from the fraud team could enrich the security team’s root cause analysis, which would help the team better prepare for the next incident. Overall, collaboration between the two teams introduces a virtuous loop of exploit detection, post-exploit analysis and business improvements.”
This degree of collaboration isn’t commonplace yet. Why? Timing and funding.
“Historically, fraud was reactive, executed on previous transactions,” Thelander wrote while at iovation. “In contrast, security focused on real-time moments of initiation: the creation of an account or the precursor to a transaction. These functions grew up separately in large part due to their funding: fraud prevention originated with a physical loss prevention team and was funded from a risk budget. Security came later as digital access overtook physical access. Now they both operate in real time, but often act as if they’re in different ‘philosophical time zones.’”
“A security operation center protecting the outer extreme of an organization is fundamentally doing the same job as a fraud team,” says Michael Yeardley, senior director of fraud and identity for LexisNexis Risk Solutions. “They’re both looking at anomalies, risks, and behavior outside of the norm. The fraud team's looking at individual customers. The security team’s looking at the behavior of a particular set of data points. I'm not saying you have one single system to do both, but I think that sharing of knowledge, techniques, tools, and success stories between the teams could be valuable.”
How to foster collaboration
It could take a big hairy attack to open a view into the potential for greater collaboration between the teams. Or, the change could just come from an individual with the vision and desire to help the organization.
“By the time I was Fraud Manager for an online retailer, I tended to take an approach of wanting to help others understand what we did with the hope that there would be some benefit to our team,” explains Karisse Hendrick, chargeback and fraud consultant at Chargelytics. “Meeting other departments where they were, on the terms they cared about, and having more perspective on the problem helped dramatically change how we all worked together. That approach was more effective than coming with an alarmist ‘the sky is falling’ tone, which sums up my initial strategy for reaching across business functions.”
“This is the fine art of good fraud management,” adds McKenna. “A good fraud leader understands the business of growth. They should focus on quantifying risk to the bottom line. So, for example, if you're considering whether to increase login attempts from three to five, that may mean $1 million more in fraud loss every year, but it could yield an additional $5 million in revenue. The fraud manager has to do a risk-reward analysis and accept when the potential reward may be worth the extra risk.”
Hendrick recommends a simple approach to bring the two teams together: lunchtime presentations (aka ‘brown bag lunches’). “Whenever you educate people in other areas of the company about the impact of fraud and why it matters and what it looks like for your company, you're training allies. Then you start to have people from security seeking you out to share tidbits like ‘We're seeing a lot of traffic with these IP addresses and these devices, but they’re low enough that they aren’t hitting our velocity rules, could these be signs of fraud?’ Once you educate them, they’ll be more likely to contact you when they notice suspicious activity that doesn’t set off their own defenses. For that team-building effort, I’ve personally had a lot of success with the humble brown bag lunch.”
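As an added illustration (not code from the article or from any company quoted in it) of the gap Hendrick describes and the data fusion McKenna proposes: a per-IP velocity rule, beside an account-level rule that takes the security team's blacklisted device fingerprints as an input, both run over constructed login records. The log lines, the device list and the thresholds are assumptions.

```python
"""Added example: a low-and-slow credential stuffing run stays under a per-IP
velocity rule, while an account-centric rule enriched with the security
team's blacklisted devices catches it. All data below is constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed login log: "timestamp,ip,device_id,account,result"
LOG = """\
2019-02-01T10:00:00,203.0.113.10,dev-a1,alice,fail
2019-02-01T10:04:00,203.0.113.11,dev-a2,alice,fail
2019-02-01T10:09:00,203.0.113.12,dev-a3,alice,fail
2019-02-01T10:15:00,203.0.113.13,dev-a4,alice,success
2019-02-01T10:01:00,198.51.100.5,dev-b7,bob,fail
2019-02-01T10:02:00,198.51.100.5,dev-b7,bob,success
2019-02-01T10:20:00,192.0.2.20,dev-c3,carol,fail
2019-02-01T10:21:00,192.0.2.20,dev-c3,carol,success
"""
# Constructed feed from the security team: device fingerprints they blacklisted.
FLAGGED_DEVICES = {"dev-b7"}

def parse(log):
    rows = []
    for line in log.strip().splitlines():
        ts, ip, dev, acct, res = line.split(",")
        rows.append((datetime.fromisoformat(ts), ip, dev, acct, res))
    return rows

def velocity_hits(rows, threshold=5, window_sec=600):
    """Classic velocity rule: flag an IP only if it makes more than
    `threshold` attempts inside some `window_sec` sliding window."""
    by_ip = defaultdict(list)
    for ts, ip, *_ in rows:
        by_ip[ip].append(ts)
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = [t for t in times[i:] if (t - start).total_seconds() <= window_sec]
            if len(in_window) > threshold:
                flagged.add(ip)
                break
    return flagged

def enriched_hits(rows, flagged_devices, min_ips=3):
    """Account-centric rule fed by security-team data: flag an account with
    failures from >= `min_ips` distinct IPs, or any attempt from a blacklisted
    device. Neither signal is visible to the per-IP velocity rule."""
    ips_failed, devices = defaultdict(set), defaultdict(set)
    for _, ip, dev, acct, res in rows:
        devices[acct].add(dev)
        if res == "fail":
            ips_failed[acct].add(ip)
    return {a for a in devices
            if len(ips_failed[a]) >= min_ips or devices[a] & flagged_devices}
```

Alice is caught by the distinct-IP count and Bob by the blacklisted device, while Carol's single mistyped password is left alone; the velocity rule alone flags nothing.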
Train allies over lunch
“Brown bag lunches have been popular and effective at educating colleagues on other teams about fraud and its importance to the organization,” adds McKenna. “A series of brown bag lunches could begin with something simple. In ‘Fraud 101,’ attendees might learn about the types of transactions that are declined, how much the business loses to fraud, and how much the fraud team saves the business. Quantifying the impact helps others to understand how targeted fraud strategies are, and dispels the myth that the fraud department wants to decline everything.”
After that primer, fraud leaders have a few options for follow-up presentations. With the security team, a show-and-tell of the tools the fraud team uses to stop fraud—and the types of data they generate—could be quite productive.
Another topic could compare the organization’s performance against industry averages: the rate of fraud loss, decline rate, and false positive rate. Those sorts of numbers will help colleagues to understand the fraud team’s contribution. This kind of information isn’t always available on the internet, but it is shared informally through round tables and smaller meetings at industry events.
For a perennial topic, McKenna suggests presenting on individual high-dollar fraud cases. These stories complement the data suggested for earlier presentations, and give attendees a sense of what fraud looks like ‘in the wild.’ If, for example, a fraud ring managed to get away with a large order, walk attendees through a post-event analysis.
“People love the stories. They’re memorable and they spur your colleagues to think ‘How, in my role, could I stop that from happening again?’” adds Hendrick, but with a caveat. “Stories come easy to fraud managers, but it's data that will win both respect and confidence from other departments. I used to deliver information to my executive team via anecdotes. They were fascinated, but then some would start to see fraud everywhere. Others accused me of making generalizations, and not dealing in facts. That taught me to use stories as a complement to the data.”
If you decide to work to educate your colleagues, strive to learn as much as you teach.
“It's really good to have a bigger view of your company,” adds Hendrick. “If you’re hunched over a microscope, focused on the 2% to 5% of your sales that you're responsible for, then you won’t get the whole picture. That’s why it’s so important to develop relationships across functions. You just never know what you might need, the questions that will come up, or whom in your company you might want to talk to.”
Establishing those relationships now will generate a tailwind, a welcome asset for whatever belches out of the dark web next.
Mike Russell is a freelance writer and strategist for online fraud prevention companies. His writing can be found at https://pivotalwriting.com/.