Same but different: Ensuring fraud and infosec teams speak one language
Online attackers today are infuriatingly agile and sophisticated, quickly changing course whenever a fraud prevention control succeeds. To keep consumers protected, that quick-wittedness must be matched on the organisational side. But the truth is, most companies still approach consumer security the same old way: in silos.
 
While often the result of legacy company structures, keeping fraud and infosec teams separate isn't just an internal problem. With the IT department responsible for information and data in one camp, and the risk and compliance executives dealing with fraud in another, communication breaks down and so, too, does the possibility of an integrated and strategic approach to strengthening security and fraud prevention. But today's threats and risks have grown too complex for these disciplines to work separately any longer. The disciplines must unite under one head - such as a CSO or CISO - or establish systems and procedures that support continual communication and collaboration.
 
Getting the team on board is only half the battle, though. Even once there's buy-in from fraud and infosec teams, there are often fundamental disconnects in perceptions and points of view that can get in the way of working together. While both teams may see the connection between building strong defensive strategies (infosec) and identifying instances of when those strategies fail (fraud), the same words can mean very different things to each discipline.  
 
So, how does an organisation unite its fraud and infosec teams? In order to be successful, the perception of teamwork must be shifted to a common continuum rather than isolated problem domains. And to achieve this shift, fraud and infosec teams need to start speaking the same language. When it comes to communication breakdowns, there's one major culprit: same-named activities across the fraud and infosec teams that hold very different meanings.

Account takeover

Account takeover fraud can wreak havoc on a business and its reputation with its customers. Since fraudsters are continually on the lookout for new ways to phish, trick and breach their way into stealing a brand's stockpile of customer data, organisations must be vigilant and unified in their approach to preventing account takeover.

The problem in most organisations is that when a fraudster uses legitimate, stolen credentials to take over an account, it lands on the fraud team as a detection problem: every login looked "good" to the authentication system. To tackle account takeover, the fraud team looks for velocity signals (how many logins, accounts or transactions a source produces in a given window) and behavioural signals that will let them recognise a future fraudster's apparently "good" activity as bad.

For the infosec team, account takeover opens up a different set of prevention questions. How did the attacker obtain valid credentials? Where is the attack coming from? Was the server or the end user targeted? How did we miss it?

Exploits

Exploits serve as another example where the fraud and infosec teams hold widely different perspectives. With exploits, the infosec team often starts from the assumption that prevention alone can't succeed as a security model; some exploit will eventually land. The focus therefore shifts to post-exploit detection and containment. The infosec team can still take a preventive stance, but it does so by devaluing the underlying data through tokenisation and encryption, so that a successful exploit yields less.

For the fraud team, on the other hand, prevention is the most essential aspect of getting ahead of potential exploits. Realistically, prevention must be balanced with authentication in order to outsmart fraudsters, but the fraud team sees the goal as prevention first and detection second, for when and if the preventive controls fail.

A “converged” view continually, and healthily, balances prevention and detection.

Spoofing

There are several kinds of spoofing, ranging from spoofed phishing emails to spoofed URLs and domains. Regardless of the approach, fraudsters aim to gain unauthorised access to a user's information by tricking the user into sharing it.

For the infosec team, preventing fraudsters from successfully spoofing users is strongly rooted in successful authentication. Dynamic multifactor authentication enhances security by adding contextual indicators that pick up on risks, anomalies and evidence of device spoofing. This strengthens security while also improving the user experience, delivering a one-two punch. The fraud team's approach, meanwhile, aims to identify the key device characteristics that differentiate the good guys from the bad guys.

To fight fraud today, organisations must create a common lexicon to avoid communication breakdowns and establish a united front. Connecting the “how” (like a server compromise or bulk credential purchase on the Dark Web) to the “what” (credential stuffing or password spraying) helps create a fuller picture of threat risk across both teams. Drawing the line from those threats to a “result” - like a breached account or cash theft - completes the entire picture and allows an after-action assessment that's broader than either separate team can conduct on their own. 
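One way to make that shared lexicon concrete, covering both the fraud team's velocity view of account takeover above and the "how", "what", "result" chain in this paragraph, is to have the two detections write into one incident record. The following is an added example, not code from the authors, iovation or Aite Group. It parses a constructed authentication log, flags a source IP that fails logins against many distinct accounts in a short window (the infosec "how"), flags an account where a successful login is followed by a sensitive action (the fraud "result"), and joins the two into a single incident with the "what" in between. The log format, field names and thresholds are all assumptions made for the illustration.

```python
"""Added example: join the infosec view (bulk credential attack from one
source IP) with the fraud view (successful login followed by a sensitive
action) into one incident record with "how", "what" and "result" fields.
The log lines, format and thresholds below are constructed for this
illustration and are not from any real system."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log, one event per line: "<ts> <src_ip> <user> <action> <status>"
SAMPLE_LOG = """\
100 203.0.113.7 alice login fail
101 203.0.113.7 bob login fail
102 203.0.113.7 carol login fail
103 203.0.113.7 dave login fail
104 203.0.113.7 erin login fail
105 203.0.113.7 frank login ok
110 203.0.113.7 frank change_payout ok
130 198.51.100.4 alice login fail
140 198.51.100.4 alice login ok
150 198.51.100.4 alice view_balance ok
"""

# Actions the fraud team treats as the "result" of a takeover (assumed list).
SENSITIVE_ACTIONS = {"change_payout", "add_payee", "transfer"}


@dataclass(frozen=True)
class Event:
    ts: int      # seconds; any monotonic clock will do
    ip: str
    user: str
    action: str
    ok: bool


def parse_log(text):
    """Parse the constructed log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, action, status = line.split()
        events.append(Event(int(ts), ip, user, action, status == "ok"))
    return events


def bulk_credential_sources(events, window=300, min_users=5):
    """Infosec view ("how"): a source IP that fails logins against at least
    min_users distinct accounts within `window` seconds is running a bulk
    credential attack. Returns {ip: distinct_users_in_window}."""
    failures = defaultdict(list)
    for e in events:
        if e.action == "login" and not e.ok:
            failures[e.ip].append(e)
    flagged = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e.ts)
        lo = 0
        for hi in range(len(evs)):
            # Slide the window so evs[lo..hi] spans at most `window` seconds.
            while evs[hi].ts - evs[lo].ts > window:
                lo += 1
            users = {e.user for e in evs[lo:hi + 1]}
            if len(users) >= min_users:
                flagged[ip] = len(users)
                break
    return flagged


def compromised_sessions(events, window=600):
    """Fraud view ("result"): a successful login followed within `window`
    seconds by a sensitive action from the same (ip, user)."""
    hits = []
    last_login = {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.action == "login" and e.ok:
            last_login[(e.ip, e.user)] = e.ts
        elif e.action in SENSITIVE_ACTIONS and e.ok:
            t = last_login.get((e.ip, e.user))
            if t is not None and e.ts - t <= window:
                hits.append((e.ip, e.user, e.action))
    return hits


def build_incidents(events):
    """Converged view: one record both teams can read, linking the source
    ("how"), the attack class ("what") and the account impact ("result")."""
    sources = bulk_credential_sources(events)
    incidents = []
    for ip, user, action in compromised_sessions(events):
        if ip in sources:
            how = f"failed logins from {ip} against {sources[ip]} distinct accounts"
            what = "credential stuffing or password spraying"
        else:
            how = f"login from {ip}, no bulk-attack signal"
            what = "single-account compromise (source unknown)"
        incidents.append({"ip": ip, "user": user, "how": how, "what": what,
                          "result": f"account {user}: {action}"})
    return incidents


if __name__ == "__main__":
    for inc in build_incidents(parse_log(SAMPLE_LOG)):
        print(inc)
```

On the constructed log, 203.0.113.7 fails against five accounts in five seconds, then logs into frank and changes the payout destination; the single record that results names the source, the attack class and the account impact together. The second source, 198.51.100.4, only views a balance after login and is not reported, which is the kind of boundary case the two teams need to agree on in advance. Distinguishing credential stuffing from password spraying from the log alone is unreliable (both look like one failure per account from one source), which is why the "what" field is deliberately left as the broader class until an analyst refines it.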

Some organisations are already starting to make progress. In a recent report authored by Aite Group, 63 percent of financial institutions stated their fraud and information security departments share attack data and touted the benefits of doing so. Ultimately, converging the fraud and infosec teams in any organisation allows for better overall security and fraud prevention. It enriches dialogue, vocabulary and efforts of both teams - bringing value for both sides of the business. Joined together, both functions are more relevant to an organisation - and its customers - than working independently. 

Contributed by Michael Thelander, senior director product marketing, iovation and

Julie Conroy, research director, Aite Group.

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.