The company announced its new multi-factor authentication product, Falcon One for Online AccessWednesday. The product uses neural network technology to monitor online transactions and learn customer behavior patterns. The product is targeted at U.S. banks, which are under pressure to implement guidance from the U.S. Federal Financial Institutions Examination Council's (FFIEC),'a cross-agency group, to find alternatives to simple username and password security for online bank accounts.
Falcon One works with other Fair Isaac anti-fraud technology as part of the company's EDM (Enterprise Decision Management) solution. It tracks online behavior, such as how a customer has used online banking in the past. That data is combined with analysis of the computer initiating an online transaction, said Ted Crooks, vice president of Global Fraud Solutions at Fair Isaac.
Like other anti-fraud companies, Fair Isaac notes the IP address an account holder typically uses for online banking and raises flags when a session is initiated from a new address. But the company digs deeper into the remote host, noting details such as the system clock setting and screen resolution to determine whether the machine is different from that used in prior sessions, Crooks said.
The software also monitors other characteristics of account holders, such as their style of typing and mouse movements to determine whether the user attempting a transaction is the actual account holder. Characteristics such as the speed and character pattern that account owners type, as well as whether they are a jittery or staid mouse user are individual and nearly impossible to mimic, Crooks said.
The company also monitors traffic on outbound communications channels, noting how a customer links to an online banking session and whether there are delays in online session traffic that could signal a "man in the middle" attack, he said.
Despite the wealth of data gathered from online banking customers, Crooks said that Fair Isaac is sensitive to concerns about snooping. The Falcon One Software combines back-end analysis with a Web browser plug-in that collects data without breaking the browser security model, or "sandbox," he said.
None of the data collected necessarily signals fraud. Instead, the company weighs the data to calculate a risk measurement for the online sessions. Banks can take that information and decide whether to change the course of a session. For example, users could be asked to enter an additional one-time password that is sent to their cell phone or a pre-approved e-mail address, Crooks said.
Online risk monitoring companies such as Fair Isaac, RSA Security, and Cyveillance have become more prominent in recent years, as online fraud has exploded. An April 2006 report by RSA Security found that online fraud is evolving, with phishing and pharming attacks "the most sophisticated, organized and innovative technological crime waves" facing online businesses.
Fraudsters have new tools at their disposal and are able to adapt more rapidly than ever, RSA said in its report.
Banks are struggling to keep up with nimble, online criminal groups that can use information stolen in one online channel to conduct fraud in another, Crooks said.
Those groups, most based outside the United States, are now well-funded and well-organized, with technology experts working side by side with old fashioned scammers and "mules" or foot soldiers, Crooks said.
"Nobody is doing anything about them," Crooks said. "We can put up walls and swamps, but nobody is going after them," he said.
Although credit card fraud has been rampant online for years, checking and savings accounts have largely been spared. But that is changing.
A major security breach at an online retailer, reportedly OfficeMax, in 2005 led to the reissue of hundreds of thousands of debit cards by U.S. banks in early 2006, as well as sporadic reports of consumer debit card fraud and identity theft tied to that theft.
"Customers are more sensitive to their money being stolen from checking and savings accounts than from credit cards," Crooks said. "In the end, banking is a confidence game. If you don't have confidence in the [banking] channel, that's not good for a bank."