Issue #18 - June 2013
Anomaly Detection: The What, How and Why Behind Using It to Prevent Fraud
By Tiffany Riley, Guardian Analytics
As stated in the June 2011 Guidance Supplement, the FFIEC expects all institutions that allow high-risk online transactions to have layered security controls that include the ability to detect anomalies and effectively respond to suspicious or anomalous activity related to initial login and the initiation of electronic banking transfers.
The Guidance goes on to explain why the agencies chose anomaly detection as a required layer of online banking security:
In short, the agencies expect all institutions to have anomaly detection because it works! Anomaly detection solutions have been in place at institutions of all sizes for years and are proven to identify a wide array of online banking attacks. So, what is anomaly detection, and what are the different types?
Anomaly Detection – A
Here are three specific approaches to anomaly detection. All qualify as “anomaly detection” in that they look for differences when compared to a norm, but the difference between them lies in how that norm is established.
Which Technique is Best?
Additionally, in a federal court judgment on a case regarding liability for commercial account takeover and fraud, the judge noted that the bank did not act in good faith when executing over $1 million in wire transfers because the amounts, timing and destination of the wires were all significantly different from the customer’s normal banking activity, again suggesting that an individual behavior monitoring approach is preferable.
The most effective anomaly detection approach focuses on individual account holder behavior. Different users quite naturally have different banking behavior. Behavior-based anomaly detection solutions develop a model of each account holder’s behavior, and then compare every activity in every session, from login to logout, to historical patterns for that user. This avoids having to develop and maintain rules and decreases the number of false positives.
In addition, because behavior-based anomaly detection focuses on account holder activity instead of looking for a particular type of attack or malware, it can detect newly emerging threats immediately, without having to wait for the particulars of the new scheme to be documented.
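As an added illustration (not from the original article or any vendor's product), the sketch below builds a baseline per account and scores a wire against that account's own history on amount, timing and destination, the three attributes named in the court case above. The account names, thresholds and sample history are constructed assumptions.

```python
from datetime import datetime
from statistics import mean, stdev

# Constructed sample wire history: (account, ISO timestamp, amount in USD, destination)
HISTORY = [
    ("biz-100", "2013-05-01T09:40", 8500.0, "supplier-a"),
    ("biz-100", "2013-05-08T10:05", 9200.0, "supplier-a"),
    ("biz-100", "2013-05-15T10:30", 8800.0, "supplier-a"),
    ("biz-100", "2013-05-22T11:10", 9500.0, "supplier-a"),
    ("ind-200", "2013-05-01T18:20", 250.0, "landlord"),
    ("ind-200", "2013-05-09T19:05", 300.0, "landlord"),
    ("ind-200", "2013-05-16T20:15", 275.0, "utility-co"),
    ("ind-200", "2013-05-23T19:45", 325.0, "landlord"),
]

def build_profiles(history):
    """Build one baseline per account from that account's own past wires."""
    profiles = {}
    for acct, ts, amount, dest in history:
        p = profiles.setdefault(acct, {"amounts": [], "hours": set(), "dests": set()})
        p["amounts"].append(amount)
        p["hours"].add(datetime.fromisoformat(ts).hour)
        p["dests"].add(dest)
    return profiles

def score_wire(profile, ts, amount, dest, z_limit=3.0, hour_slack=2):
    """Return the ways a wire deviates from the account holder's own history."""
    if profile is None or len(profile["amounts"]) < 2:
        return ["no_baseline"]  # too little history to model: route to review
    reasons = []
    mu, sigma = mean(profile["amounts"]), stdev(profile["amounts"])
    # Flag only unusually large amounts; with zero variance any increase counts.
    if (amount - mu) > z_limit * sigma:
        reasons.append("amount")
    hour = datetime.fromisoformat(ts).hour
    # Circular distance so 23:00 and 01:00 count as two hours apart.
    if all(min(abs(hour - h), 24 - abs(hour - h)) > hour_slack for h in profile["hours"]):
        reasons.append("timing")
    if dest not in profile["dests"]:
        reasons.append("destination")
    return reasons

if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    # The same $9,000 amount: routine for one account, anomalous for the other.
    print(score_wire(profiles["biz-100"], "2013-06-03T10:20", 9000.0, "supplier-a"))
    print(score_wire(profiles["ind-200"], "2013-06-03T03:10", 9000.0, "new-beneficiary"))
```

A single fixed threshold on amount would either flag every routine payment from the first account or miss the wire from the second; comparing each account to itself avoids both outcomes.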
Examples of what behavior-based anomaly detection monitors include the following (also see the figure above for additional examples):
Knowing your customers’ behaviors can greatly reduce fraud and help you respond to threats more readily.