Why is the Samsung Galaxy S4 important to watch for fraud management professionals?

Well, we just saw Samsung launch its latest ubergizmo with tons of interesting features, like pausing video playback at the blink of an eye. However, there is an important hardware feature of the Samsung Galaxy S4 to note here: finally, a Near Field Communications (NFC) chip is embedded in the device (something that Apple left out of the iPhone 5), making it useful for mobile payments, building access control, and lots of other security uses. Issuers, payment services providers and trusted services managers have long been dreaming of mobile phones with NFC chips: not having to send out plastic credit cards with EMV chips (or magstripes in the US), but instead being able to personalize the credit card right on the phone, reduces card management costs and improves end user satisfaction. There is nothing new here. But here is where NFC, finally in a mainstream mobile phone, can revolutionize fraud management:

1) GPS verification. If you use the phone to make a card-present transaction by touching its NFC credit card to a PayPass or other proximity-based credit card reader, the payment authorization platform can immediately know where you are, correlate that with the riskiness of the location (country) and use your location to build a risk score.

2) More factors and better capabilities for payment authentication. Instead of, or in addition to, asking for a PIN code for transaction authentication, the payment processor can contact your registered phone and, based on risk, ask for a PIN code signature or for secondary authentication such as facial recognition or biometric retina vein recognition to authorize a higher-value transaction.

3) Linking the NFC chip to an eWallet. This will be easier than ever before. If the NFC chip is initialized to act as a credit card, the eWallet application can check for its presence and maybe even use it in a card-present transaction.
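The first two points above describe a decision loop: take the location reported with the tap, turn it into a risk score together with the transaction amount, and let the score decide how much authentication to request on the registered phone. The following is an added example of that loop, not code from the original post or from any issuer or processor named here. The country risk table, the weights, the step-up thresholds, the two-hour impossible-travel window and the sample taps are all constructed assumptions; the `Tap`, `risk_score` and `required_step_up` names are hypothetical.

```python
"""Risk scoring and step-up selection for an NFC card-present tap.

Added example, not code from the original post. The country reported with
the tap feeds a location risk, the amount feeds an amount risk, and a
recent tap from a different country (impossible travel) feeds a velocity
risk. The blended score picks the authentication to request on the
registered phone: none, PIN, or a biometric factor. The risk table,
weights, thresholds and sample taps are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed country risk table (0 = low, 1 = high). "XX" is a placeholder
# for a high-risk country; a real issuer would supply its own table.
COUNTRY_RISK = {"US": 0.05, "CA": 0.05, "GB": 0.1, "XX": 0.9}
DEFAULT_COUNTRY_RISK = 0.5  # unknown country: elevated, not trusted

@dataclass
class Tap:
    card_id: str
    amount: float   # transaction amount in the card's currency
    country: str    # country derived from the phone's GPS fix at tap time
    at: datetime    # authorization timestamp (UTC)

def make_tap(card_id, amount, country, iso_time):
    """Build a Tap from an ISO 8601 timestamp string."""
    return Tap(card_id, float(amount), country, datetime.fromisoformat(iso_time))

def location_risk(country):
    return COUNTRY_RISK.get(country, DEFAULT_COUNTRY_RISK)

def amount_risk(amount):
    # Saturating ramp: 0 for tiny purchases, 1 at or above 1,000.
    return max(0.0, min(1.0, amount / 1000.0))

def velocity_risk(history, tap):
    """Impossible-travel check against the card's previous tap.

    The phone reports its own location, so the location signal is only as
    good as the phone; a tap from a different country less than two hours
    after the previous one contradicts it and is scored as maximal risk.
    """
    prior = [t for t in history if t.card_id == tap.card_id and t.at < tap.at]
    if not prior:
        return 0.0
    last = max(prior, key=lambda t: t.at)
    if last.country != tap.country and tap.at - last.at < timedelta(hours=2):
        return 1.0
    return 0.0

def risk_score(tap, history=()):
    # Weights sum to 1, so the score stays within [0, 1].
    score = (0.5 * location_risk(tap.country)
             + 0.3 * amount_risk(tap.amount)
             + 0.2 * velocity_risk(history, tap))
    return round(score, 3)

def required_step_up(score):
    """Map a score to the authentication the processor requests."""
    if score < 0.2:
        return "none"       # low risk: approve on the tap alone
    if score < 0.5:
        return "pin"        # medium risk: ask for the PIN on the phone
    return "biometric"      # high risk: facial or retina verification

def decide(tap, history=()):
    """Return (score, step-up) for one tap given the card's tap history."""
    score = risk_score(tap, history)
    return score, required_step_up(score)

# Constructed sample taps: a small domestic purchase, a larger one abroad,
# and a tap that contradicts the card's location half an hour earlier.
SAMPLE_TAPS = [
    make_tap("card-1", 20, "US", "2013-04-01T12:00:00"),
    make_tap("card-2", 600, "GB", "2013-04-01T12:00:00"),
    make_tap("card-1", 50, "XX", "2013-04-01T12:30:00"),
]

def demo():
    """Score the sample taps in order, each against the taps before it."""
    results = []
    for i, tap in enumerate(SAMPLE_TAPS):
        results.append(decide(tap, SAMPLE_TAPS[:i]))
    return results

if __name__ == "__main__":
    for tap, (score, step) in zip(SAMPLE_TAPS, demo()):
        print(f"{tap.card_id} {tap.amount:>7.2f} {tap.country}: score={score} step-up={step}")
```

The velocity check is the part worth keeping in mind: the GPS fix arrives from the cardholder's own phone, so on its own it is a self-reported signal, and the score treats a contradiction between consecutive taps as worth more than the reported country itself. Per the assumed weights, the third sample tap lands on the biometric step-up even though its amount is small.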


Mobile application behavior detection: the cheap way to catch fraud

After RSA's acquisition of SilverTail, things are heating up in mobile application-level behavioral detection.

We see fraud management vendors increasingly looking at mobile application behaviors (beyond web fraud management and device fingerprinting) to build normal and abnormal behavior profiles from the network traffic signatures coming out of the application, similar to how SilverTail/RSA looks at web traffic signatures. Note that this is clearly a grey area that falls between what device fingerprinting vendors (iovation, 41st Parameter, BlueCava, ThreatMetrix), risk-based authentication (RBA) vendors (RSA, Entrust, CA/Arcot, etc.) and traditional back-end, cross-channel transaction monitoring vendors (Actimize, ACI, Detica, SAS, etc.) have been doing. Although device fingerprinting and RBA vendors have long provided SDKs and APIs for developers to include in their mobile applications, understanding mobile application network traffic and building good and bad behavioral models from it is attracting increasing interest.

Mobile application behavior detection has the benefit that it requires neither opening up application code nor defining many security policies or rules. Because of this, we expect to see a lot of vendor interest in mobile application behavior detection and network traffic signature profiling over the next 9-12 months.

Want to know hardcore survey results on Access Certification and Attestation?


Want to know more about Access Certification and Attestation? Would you like to win an iPad and get a courtesy copy of a Forrester report on the findings of a survey on the topic?
 
Forrester is collaborating with the University of British Columbia (UBC) on an Identity and Access Management survey. The main topic of the survey is Access Certification and Attestation, also known as Access Governance. It takes only 15 minutes to complete the survey. In August 2013, Forrester, in collaboration with UBC, will publish the highlights of survey results. 
Here's what we offer for your participation:
 
If you complete the survey, 
  • You will be eligible to win a 128 GB iPad in a raffle organized by UBC.
  • Forrester will send you a courtesy PDF copy of the report.

Forrester's Enterprise Fraud Management Wave is Out!

We just published the Forrester Wave on Enterprise Fraud Management, a piece of research that our clients have consistently asked for. See how vendors stack up on current offering criteria, including statistical models, rules authoring, case management and reporting, and on strategy criteria, including vendor staffing, customer satisfaction and financial stability.

Big Data for Fraud Management

We will be conducting research into how big data can be used for better fraud management. We define big data as data of Volume, Velocity and Variety. Our premise is that more, and more granular, data from more sources allows banks, insurers, government agencies and e-Retailers to cut fraud losses more aggressively. We are interested in your thoughts on this topic.

How Will The Extended Enterprise And Zero Trust Identities Impact Your Identity Administration Processes?

We regularly get inquiries from companies that feel the need to restructure their access controls to support extended enterprise user populations: firms have to support employees, contractors, business partners and customers, and keep each of them confined to the resources (applications, data, etc.) that they have a business need to access. Technology and protocols are catching up here: companies (and vendors too!) are finally moving to support SAML, OAuth and OpenID Connect in bulk.

The real question, however, is not just access control, but also identity administration and attestation. How do you extend the internal provisioning of entitlements for your employees to your business partners or customers? What is the lifecycle of a data asset or piece of intellectual property in the broader ecosystem of identities? OAuth, claims-based authorization or SAML attribute value injection will provide the infrastructure for enforcing policy decisions, but how do you extend your identity and access governance to the extended enterprise?

We see companies being interested and starting to build on the following to solve these challenges:

1.) Don't try to solve the governance problem directly, but ingest a much richer context into your access control solutions: risk-based authentication for internal workforce user access, and context variables passed on to federated relying parties so that they can tell whether you are at a coffeehouse in a rogue country or logging in from your normal office, and open up the general ledger with read/write access only if you are in your office.

2.) Provide increased delegated administration and attestation services from the cloud so that business partners can also participate in these processes. This has been around for some time and will gain more popularity as firms need to remain compliant in the era of the extended enterprise.


Active Directory Moving To The Cloud?

We hear a lot about cloud IAM vendors offering metadirectories or user repositories in the cloud. We predict that in 1-2 years we'll see AD being moved from on-premises installations into cloud-based services. This has the benefits of simpler provisioning, higher availability and much, much easier support for federation, both into SaaS applications and with business partners. Today the only technical difficulty is the latency of access to AD in the cloud from on-premises applications, but we believe this will be resolved by some type of customer premises equipment (much like the reverse of Symplified's Identity Router today). Moving AD into the cloud will also have a huge impact on reducing the cost of AD management and improving delegated administration by providing easy-to-use web interfaces.

Security Intelligence: Should We Send A Guy With A Gun Or A Wrench?

We are kicking off research on security and identity intelligence, which is about understanding risk and detecting abnormal behavior. One thing is clear: companies don't even *know* what kind of security information (SIM, data, identity, email, etc.) they should be inspecting to detect security threats, or where they should start eating the giant elephant of risk. They clearly need intelligent and automated systems to establish what a normal baseline means in user behaviors and events and then alert on any anomalies; when they see changes to normal patterns, they need to understand whether they should send a guy with a gun or a guy with a wrench. In this research (which will also be the topic of my Security Forum keynote speech) we will look at the interdisciplinary areas between enterprise fraud management, risk-based authentication, data protection and identity management. I want to hear about your concerns, issues, and early case studies/solutions in this area.
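The baseline-then-alert loop described here, and the normal/abnormal traffic signature profiling from the mobile application behavior detection section earlier on this page, come down to the same mechanism: learn what normal looks like per entity, flag deviations, then decide who to send. The following is an added example of that mechanism, not code from Forrester or from any vendor named on this page. The event format (hour, user, outcome), the per-user hourly counts, the z-score threshold and the gun-or-wrench triage rule are all assumptions, and the constructed training and scoring windows are made up for the example.

```python
"""Baseline, anomaly and gun-or-wrench triage over constructed auth events.

Added example, not code from the post. It learns a per-user baseline
(mean and standard deviation of authentication events per hour) from a
training window of constructed events, flags hours in a new window whose
count sits more than `threshold` standard deviations from that baseline,
and then applies an assumed triage rule: an anomaly confined to one user
and dominated by failures goes to security (the gun); an anomaly hitting
every user in the same hour looks operational (the wrench).
"""
from collections import defaultdict
from statistics import mean, pstdev

USERS = ("alice", "bob", "carol")

# Constructed training events as (hour_index, user, outcome) tuples; real
# input would be parsed from an authentication server's log.
TRAINING = [(h, u, "success")
            for h in range(24) for u in USERS for _ in range(4 + h % 2)]

# Constructed window to score: alice hammered with failures in hour 30,
# every user retrying wildly in hour 31, bob behaving normally in hour 32.
WINDOW = ([(30, "alice", "failure")] * 35 + [(30, "alice", "success")] * 5
          + [(31, u, "success") for u in USERS for _ in range(20)]
          + [(32, "bob", "success")] * 5)

def hourly_counts(events):
    """Return {user: {hour: [total, failures]}}."""
    counts = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for hour, user, outcome in events:
        cell = counts[user][hour]
        cell[0] += 1
        if outcome == "failure":
            cell[1] += 1
    return counts

def build_baseline(events):
    """Per-user (mean, population std-dev) of events per observed hour."""
    baseline = {}
    for user, hours in hourly_counts(events).items():
        totals = [total for total, _ in hours.values()]
        baseline[user] = (mean(totals), pstdev(totals))
    return baseline

def z_score(value, mu, sigma, floor=1.0):
    # Floor sigma so a perfectly regular user does not divide by zero
    # and so one extra event is never a three-sigma event.
    return (value - mu) / max(sigma, floor)

def score_window(events, baseline, threshold=3.0):
    """Flag (user, hour) cells whose count deviates beyond the threshold."""
    flagged = []
    for user, hours in hourly_counts(events).items():
        mu, sigma = baseline.get(user, (0.0, 0.0))  # unseen user: no baseline
        for hour, (total, failures) in hours.items():
            z = z_score(total, mu, sigma)
            if abs(z) > threshold:
                flagged.append({"user": user, "hour": hour, "total": total,
                                "failures": failures, "z": round(z, 2)})
    return flagged

def triage(flagged, known_users=USERS):
    """Decide per anomalous hour whether to send the gun or the wrench."""
    by_hour = defaultdict(list)
    for item in flagged:
        by_hour[item["hour"]].append(item)
    decisions = {}
    for hour, items in by_hour.items():
        affected = {item["user"] for item in items}
        if affected == set(known_users):
            # Everyone deviates at once: an outage, retry storm or logging
            # change is the likelier story, so the wrench goes first.
            decisions[hour] = "wrench"
        elif any(item["failures"] > item["total"] / 2 for item in items):
            # A single account drowning in failures: credential attack.
            decisions[hour] = "gun"
        else:
            decisions[hour] = "review"  # anomalous, but no clear story yet
    return decisions

def demo():
    """Train on TRAINING, score WINDOW, return {hour: decision}."""
    return triage(score_window(WINDOW, build_baseline(TRAINING)))

if __name__ == "__main__":
    for item in score_window(WINDOW, build_baseline(TRAINING)):
        print(item)
    print(demo())
```

The triage step is deliberately separate from the scoring step: the statistics only say that an hour is unusual, and the routing rule is where the organisation encodes what "unusual" should mean to it. A user the baseline has never seen gets a zero baseline and is flagged at only a handful of events, which is the conservative choice for identities that appear out of nowhere.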

Blending Cloud IAM Delivery Flavors: Convergence Of In-House And IAM Suite Offerings

Today we see two basic flavors of cloud IAM. One archetype is the model offered by Covisint, VMware Horizon, Symplified, Okta, OneLogin, etc.: these vendors provide relatively tight integration but less capable identity services, based on their respective firms' own intellectual property. Because of this, these offerings clearly have a short implementation time. The other camp of vendors believes in providing hosted services of "legacy" IAM products: CA Technologies coming out with CloudMinder, Lighthouse adding its own IP to IBM TIM/TAM, Simeio Solutions blending OpenAM and Oracle's identity stack with its own secret sauce, and Verizon Business using NetIQ's IDM stack as the basis for its hosted offering.


Xmas IAM Spending Spree: Quest Software Acquires BiTKOO, Enters IAM Suite Provider Market

With only 4 stack players in Identity and Access Management, it is always welcome news to see a new company joining the space. Quest Software is on a shopping spree: it acquired e-DMZ (privileged identity management), Völcker Informatik AG (provisioning), Symlabs (virtual directories), and now BiTKOO (XACML entitlement management). Forrester expects that, in reaction to its main competitor NetIQ taking over Novell’s IAM portfolio, Quest will expand significantly into the non-Windows, heterogeneous IAM space. Forrester further expects that Symantec and, to some degree, Intel will follow suit, as both of these companies have announced cloud-based IAM offerings.