Sue Marquette Poremba recently had the chance to interview Reed Taussig, president and CEO of ThreatMetrix, about cloud security and security issues we can expect to see in the coming year.
Poremba: Tell me a bit about ThreatMetrix.
Taussig: ThreatMetrix is a leading provider of customer-facing, online fraud management solutions. Our global fraud prevention network, delivered using the software-as-a-service (SaaS) model, is based on third-generation device identification and transaction behavior tracking technology that drives three customer solutions: New Account Origination, Payments and Logins. Using ThreatMetrix device identification, coupled with our advanced rules engine, machine learning, and fuzzy matching technology, ThreatMetrix customers are able to stop first-time fraud and recognize valued returning customers more effectively than competing alternatives.
"It is interesting to me that a unified approach to stopping cybercrime has not been adopted in most industries."
Exiting 2010, ThreatMetrix had approximately 350 customers, serving a variety of industries including retail, financial services, social networking, e-commerce and payment processors.
Poremba: Even though working in the cloud is gaining traction in industry, there are still a lot of concerns about security. Is security for the cloud different than security for more traditional forms of computing? And why is securing the cloud more difficult, if it is?
Taussig: This is a great question and observation. There is a silver lining in every cloud and every cloud has a silver lining, so to speak.
The advantage of cloud-based security, at least as it pertains to ThreatMetrix, is the availability of shared information. For example, ThreatMetrix profiles approximately 15 million devices per day. If your e-mail address is being used on five separate computers, on three continents, in four different time zones, it is likely that your account (in this case, at least an e-mail account) has been compromised. Cloud-based fraud detection, because it collects data from hundreds or even thousands of sources, allows you to detect these kinds of anomalies.
On the other hand, in order to participate in the cloud, the customer (a bank for example) must trust its supplier that no data breach will occur. In the case of many regulated financial institutions, any supplier that manages personally identifiable information (PII), financial information or other non-public information (NPI) must conform to the same regulations, rules and penalties as the bank itself in order to be able to process this information.
The trade-off is that cloud computing provides global shared intelligence combined with much lower total cost of ownership. This needs to be balanced with the fact that as a customer you are delegating the security of your data to a third party as opposed to managing it internally.
In order to address these concerns, industry standards have been applied in certain areas. Visa and MasterCard's PCI compliance rules, which are very strict and laced with penalties for non-compliance, are a good example of the industry taking steps to ensure data security in the cloud. Every online credit card transaction is ultimately processed in the cloud. In addition to the retailer receiving the data, a company like CyberSource (a leading payment processor), the issuing bank of the consumer's credit card, the receiving bank (the bank taking the deposit on behalf of the retailer), and the credit card brand are all going to touch that transaction.
Having said the above, it is not more difficult to protect information in the cloud than it is to protect that information behind a firewall; the exception being that in some cases the cloud supplier itself may have access to PII or NPI. If it is a shared environment, there is the possibility of information leakage between customers. Information in the cloud can be encrypted, it can have extensive access controls around it, and it can be protected from intentional and unintentional breach just as information that is limited to a single customer presence. However, it is true that cloud-based suppliers -- in order to protect against unauthorized breach (intentional breach) or data leakage between customers on a shared environment (unintentional breach) -- must take added precautions in order to safeguard the information.
Poremba: How does fraud prevention fit into cloud security issues?
Taussig: The detection and elimination of Internet-based fraud is particularly well suited to a cloud-based solution because that information from many different sources can be analyzed to locate transactional anomalies. Companies that run behind-the-firewall fraud solutions are limited to only those customers or devices that visit their site. With cloud-based security, that data field is expanded to all customers supported by that cloud provider; in so doing, it offers a much richer picture of the fraud landscape.
Poremba: I saw that you have outlined some trends and predictions for the coming year. One of them was less reliance on cookies and personally identifiable information. Could you talk about this a bit? What changes will users see if there are fewer cookies? And when you say less reliance on PII, in what way?
Taussig: Historically, cookies and cookie equivalents such as local stored objects (LSO) have been used to identify devices to stop fraud and to authenticate returning customers. An example of this is when you log into your bank account or online brokerage account. In most cases, you will see a message pop up that states, "Please wait while we authenticate your login." What the bank or brokerage company is doing is looking for a browser cookie or an LSO that identifies your device as one that they have seen before. If that cookie or LSO is not present, you may have purchased a new computer or are logging in from a friend's or family member's computer. The bank will typically issue some kind of challenge response like, "Who was your favorite teacher?" in order to authenticate that you are in fact you.
To make matters worse, recently, in response to user privacy concerns, the FTC has proposed new rules that will require customers to opt in to accept cookies in order to stop overly aggressive advertising. In addition, all of the browser companies have provided "Private Browsing" options in their products. In both cases, these actions suppress the identification of browser cookies and LSOs. The effect is the same as if you had deleted your cookies or LSOs.
Fraudsters are fully aware of these developments and use them to their advantage to cloak their device in an effort to make it harder to detect returning devices. A popular way fraudsters take advantage of the private browsing feature is to purchase products from a single merchant using multiple stolen credit cards. By cloaking their devices, either through the use of private browsing or by deleting cookies, the fraudster can appear to the merchant as a new and unique customer each time they make a purchase. In so doing, they evade the velocity rules that a merchant's fraud detection system enforces. Likewise, in the banking world, fraudsters will apply for multiple accounts using different stolen or synthetic identities from the same device. When cookies are suppressed or wiped, the bank often believes that the device is a new device representing a new customer in each instance.
The other major issue is that of personally identifiable information (PII).
More and more consumers are becoming aware of the fact that the information you provide over the Internet never goes away. In response, governments are proposing very strict privacy laws that will increase the costs and liabilities of compliance for all businesses. However, stolen identities resulting from malware and phishing attacks mean that as many as 5 percent of all new account registrations are fraudulent, resulting in significant losses to financial institutions and other companies. Social networking sites, including dating sites and others, are in most cases unable to collect PII due to customers' reluctance to provide such information. The net result is that the requirement to validate a customer's identity in the absence of personally identifiable information is becoming more and more important.
Using the ThreatMetrix Fraud Network, our customers are able to validate the identity of an individual in the absence of PII. In contrast to most identity matching solutions such as Experian, TransUnion and Equifax, ThreatMetrix does not assert in the positive that John Doe really is John Doe. Instead, ThreatMetrix provides a confidence score on a per-transaction basis that a given identity may or may not be who that person claims to be.
The other striking example of identity verification in the absence of PII is in social networking. While you may be willing to provide Bank of America with all of the PII listed above, it is unlikely that you would be willing to provide that same information to a dating site, a social gaming company such as Zynga or a social networking site. This notwithstanding, these companies still need to authenticate that John Doe is John Doe. The reason they need to authenticate the identity of an individual is because in many cases access to that social networking site simultaneously provides you with access to the entire customer base of that site. The net result is that spammers take advantage of these sites to gain access to thousands of like-minded individuals to send spam to.
In the case of social networking sites, ThreatMetrix once again provides negative, as opposed to positive, assertion of the identity of an individual. What we are looking for is anomalies that are associated with the application that would indicate that this is a fraudulent transaction. These include the items listed above in addition to the use of e-mail addresses across multiple devices, IP ranges that may be disallowed, and so forth.
The collection of PII is going to be less and less accepted by consumers while at the same time more and more regulated by governments. One of the interesting outcomes of these regulations around PII is that once I assert that John Doe really is John Doe, I have crossed the line into the realm of PII and therefore will be subject to the regulations and disclosures around that fact. The answer to this problem, in order to avoid costly regulatory compliance, is to assert in the negative. By stating that for this particular transaction ThreatMetrix believes that John Doe probably really isn't John Doe, it is good enough to solve the problem of stolen identities as detailed in the above use scenarios, which are common across social networking sites and financial institutions.
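As an added illustration of the two detection ideas described in the interview (an e-mail address appearing on too many devices, continents and time zones, and velocity rules keyed on a device identifier rather than a cookie, so that clearing cookies does not reset the count), here is example code that is not ThreatMetrix's and not part of the original interview; the events, thresholds and device identifiers are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): one login or purchase per entry.
# "card" holds the last four digits of the card used, or None for a plain login.
def ev(ts, email, device, continent, tz, card=None):
    return {"ts": datetime.fromisoformat(ts), "email": email, "device": device,
            "continent": continent, "tz": tz, "card": card}

EVENTS = [
    ev("2011-01-10T08:00", "alice@example.com", "dev-1", "NA", -5),
    ev("2011-01-10T09:10", "alice@example.com", "dev-2", "NA", -8),
    ev("2011-01-10T09:30", "alice@example.com", "dev-3", "EU", 1),
    ev("2011-01-10T10:00", "alice@example.com", "dev-4", "AS", 8),
    ev("2011-01-10T11:00", "alice@example.com", "dev-5", "AS", 8),
    ev("2011-01-10T12:00", "bob@example.com", "dev-6", "NA", -5),
    # Same device, cookies wiped between purchases, three different cards in a few hours.
    ev("2011-01-11T01:00", "c1@example.com", "dev-9", "EU", 0, "4242"),
    ev("2011-01-11T02:00", "c2@example.com", "dev-9", "EU", 0, "1111"),
    ev("2011-01-11T03:00", "c3@example.com", "dev-9", "EU", 0, "9876"),
]

def spread_anomalies(events, max_devices=4, max_continents=2, max_timezones=3):
    """Flag e-mail addresses seen on more distinct devices, continents or time
    zones than one legitimate user plausibly could (thresholds are assumptions)."""
    seen = defaultdict(lambda: {"devices": set(), "continents": set(), "timezones": set()})
    for e in events:
        s = seen[e["email"]]
        s["devices"].add(e["device"])
        s["continents"].add(e["continent"])
        s["timezones"].add(e["tz"])
    return {email: {k: len(v) for k, v in s.items()} for email, s in seen.items()
            if len(s["devices"]) > max_devices or len(s["continents"]) > max_continents
            or len(s["timezones"]) > max_timezones}

def device_velocity(events, window=timedelta(hours=24), max_cards=2):
    """Velocity rule keyed on the device identifier instead of a cookie: count
    distinct cards used from one device inside a sliding window."""
    by_device = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["card"]:
            by_device[e["device"]].append(e)
    flagged = {}
    for device, evs in by_device.items():
        for i, e in enumerate(evs):
            cards = {x["card"] for x in evs[:i + 1] if x["ts"] > e["ts"] - window}
            if len(cards) > max_cards:
                flagged[device] = len(cards)
    return flagged
```

A cookie-based velocity rule would see dev-9 as three unrelated first-time customers; keying on the device identifier surfaces it as a single device cycling through cards.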