Security Experts:

Debunking the Top User Experience, Security, and Fraud Myths

I’ve always enjoyed Adam and Jamie’s approach on the Discovery Channel show MythBusters. One by one, Adam and Jamie have taken commonly held, but seldom challenged, beliefs and tested their validity. What I like most about the show is its scientific rigor. Adam and Jamie approach testing each belief as a controlled experiment - trying their hardest to get as accurate an evaluation as possible.

The same rigor should, in theory, be applied to many things in life, including security and fraud. Unfortunately, in practice, this is not the case as often as it should be. What specifically am I referring to?

In my discussions with enterprises, I’ve repeatedly encountered the same set of commonly held beliefs. I’m not sure that these beliefs would stand up to the MythBusters test. What surprises me most, though, is that as an industry, we seem so reluctant to subject commonly held beliefs to scientific rigor. If they’re true, they’ll pull through - the truth can take being questioned.

Here are a few of the commonly held beliefs I come across quite regularly:

  • There is no fraud problem here: I hear this one quite a bit. As I mentioned above, the truth has no problem being questioned. So you likely won’t be surprised that I begin politely questioning this one when I hear this statement. What does your fraud prevention workflow look like? What data sources do you review as part of your fraud program? What technologies do you have in place? How do you adapt to the changing tactics of attackers and fraudsters? What sources of intelligence do you rely on? Not surprisingly, if there aren’t a lot of substantive or thought out answers to these questions, it may mean that the reason there is no fraud problem is because no one is looking at the data in a way that might tell a very different story. Often, looking more closely at the environment busts this myth right away.
  • Reducing friction increases security risk: For some reason, it is a widely held belief that making it difficult for legitimate users to access resources they are entitled to access improves security. Of course, this doesn’t seem to make much sense logically. It should be easy for legitimate users to access resources that they are allowed to access and difficult for them, and attackers, to access resources that they are not allowed to access. Putting draconian measures in place to make access more difficult doesn’t actually improve security. In fact, quite the opposite. It actually weakens security by encouraging users to find workarounds to the draconian measures. These workarounds themselves often introduce additional risk. Designing intelligent authentication and authorization mechanisms that reduce user friction while maintaining a high level of security are a great way to prove this statement to be a myth.
  • Reducing friction increases fraud: It should be easy for legitimate users to perform legitimate transactions when using an online application. The data show that the conventional wisdom that states that it must be otherwise has not, historically, resulted in reduced fraud. What it has accomplished, however, is a migration of users from high-friction environments to lower-friction environments, often costing enterprises topline revenue. There are technologies that allow enterprises to safely differentiate between legitimate users performing legitimate transactions and fraudsters performing fraudulent transactions. Leveraging these technologies can safely reduce friction without introducing additional fraud, thereby putting this myth in its place.
  • Detecting fraud necessitates a large number of false positives: I’m not sure why we as security and fraud professionals accept that detecting fraud (true positives) necessitates creating a whole bunch of noise (false positives) along with it. For some reason, many people in our industry measure the effectiveness of a product by the number of alerts that it produces. This metric never made much sense to me. False positives are an indication that a fraud technology is functioning poorly, rather than functioning well. Modern fraud technologies are evidence of this - using a variety of techniques, they are able to detect a high percentage of fraud with a very low volume of false positives. These technologies seal the fate of this myth.
  • Detecting fraud necessitates a rule-based approach: Time and time again, I encounter a rule-based mindset for fraud detection. The problem with a rule-based approach is that we can only detect the known knowns. In other words, a rule-based approach will only detect fraud that we know about - fraud that we have experienced in the past and then subsequently created a rule to detect. The problem with this approach is that most fraud losses come from the unknown unknowns - fraud that we have not encountered in the past and therefore are not even aware that we need to be on the lookout for. Modern fraud technologies are able to examine a large number of variables, including behavior, environment, and activity variables. This approach allows those fraud technologies to detect unusual, anomalous, and suspicious activity, even if it has never been seen before, thereby debunking this myth.
view counter
Joshua Goldfarb (Twitter: @ananalytical) is currently a Fraud Solutions Architect - EMEA and APCJ at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.