At the same time, fraud has grown in scale and complexity. According to the Banque de France, payment fraud will represent a loss of 1.2 billion euros by 2022, a considerable sum which is unlikely to diminish as fraudulent transactions continue to increase. Around 70% of these fraudulent transactions come from online banking.

The fight against fraud is therefore one of the most important concerns for online banking, but other sectors are also beginning to address the issue.

Identity fraud, business fraud

The term fraud is part of everyday language and can have a wide variety of definitions. It’s possible to “defraud” a metro ticket, an insurance policy, or a loyalty account with a major retailer.

When it comes to computer fraud, particularly banking fraud, we distinguish between identity fraud and business fraud.

The former involves manipulation of the issuer’s identity data, the context in which he/she accesses the service, or information relating to his/her authentication and authorization. This can be detected by analyzing the user’s authentication behavior, the machine he is using, the IP address from which he is connecting, and so on.

The second involves manipulating data relating to the transaction itself, the banking profile of the sender and receiver, and the context in which the transaction was carried out. Indicators of business fraud could be, for example, a receiving IBAN from an unusual country, a large transaction amount, etc.

The two types of fraud and their detection rely on different signals, but these two protection mechanisms can and must exchange and feed off each other to provide additional context and enable a more holistic analysis of risk.

This need for synchronization has led to a recent organizational rapprochement between business fraud and IAM teams.

What risks are covered by identity fraud detection?

Identity fraud conceals many different uses. Detecting it therefore covers a wide range of risks that are difficult to apprehend today. Here is a non-exhaustive list of techniques used by attackers that could be detected by an anti-fraud tool:

• SIM swapping: SIM swapping involves convincing the victim’s telephone provider to send a new SIM card to the attacker, who can then validate double authentication requests via OTP by pretending to be the victim.
• MFA fatigue: MFA fatigue involves sending a large number of MFA validation notifications, to the point where the victim ends up accepting the request and inadvertently authorizing access to one of their accounts.
• Social engineering: social engineering is used in attacks targeting an individual, where the attacker gathers information about them and their bank account, then exploits it to extract money from them. An increasingly common example is bank advisor fraud, in which an attacker poses as the victim’s advisor and urges him or her to make a bank transfer, often under the pretext of a risk of… fraud.
• Bots: attack automation opens up new possibilities for attackers, who can target a large number of accounts in a single campaign. By emulating devices or launching massive phishing campaigns, it is becoming increasingly easy to recover personal information and passwords.

Banks in the lead, but joined by new players

Unsurprisingly, the banking sector has a head start on these issues. Firstly, because the impact of fraud is very real, and the bank is a prime target. Secondly, because users are accustomed to, and even reassured by, significant security processes at the expense of their user experience. Finally, because the massive shift to online banking has raised questions that other sectors didn’t have to ask themselves immediately.

Today, fraud detection for an online bank focuses on three key stages of the user journey:

• Enrolling a new device.
• Validating a payment.
• Performing sensitive actions on the account, such as adding a beneficiary for transfers.

While the banking sector is undoubtedly the most affected and the most protected, other sectors are beginning to address the issue of fraud detection. Retail, e-commerce, and luxury goods, for example, are all in the crosshairs of attackers. This is forcing these sectors to devise new processes and invest in the fight against fraud, in turn driving the evolution of solutions and practices to limit the impact on business.

New technological advances: protocols and algorithms

The pressure of attacks explains much of the interest in fraud detection solutions. These have developed rapidly, embedding more and more functions and demonstrating a growing capacity to combat the complex attacks that are on the rise.

Recent technological advances in fraud detection are manifold, but two main mechanisms have made these solutions more powerful: the ability to exchange information between detection bricks, and the precision of risk estimation algorithms.

The first mechanism is a product of the current trend towards standardization of detection protocols and signals, enabling the various IS bricks to pool the information gathered and the appropriate reactions. The Shared Signals working group (Okta, Cisco, Disney, OpenID Foundation, etc.), for example, has produced a framework used in two protocols: Continuous Access Evaluation Protocol (CAEP) and Risk Incident Sharing and Coordination protocol (RISC).

The second mechanism – the precision of algorithms – is based on the growing number of criteria that can be exploited. A few years ago, a detection engine relied on IP analysis, geolocation and a few identity attributes. Today, the criteria are multiplied, including the user’s own behavior (mouse movements, typing speed), analysis of the devices used (model, OS, browser), account history, common user paths, as well as a panoply of weak signals from other applications or IS bricks. This multiplication of signals entering the algorithms enables a much more refined analysis of each transaction, and an ever more pertinent estimation of risk.

AI and orchestration in the fight against fraud

Increasing the number of criteria helps to improve algorithms, but to get the most out of this information it is essential to take advantage of the capabilities of Machine Learning and artificial intelligence. Each criterion becomes a dimension enabling AI to dynamically learn user behaviours (such as common paths, mouse click locations or typing speed) and what constitutes a normal, non-risky access context, in order to better detect anything that deviates from it.

Despite AI’s ability to produce a decision from a very large number of parameters, it remains a victim of the setbacks of all decision algorithms: false positives. And with the interest of new sectors, which need to balance security and user experience to limit negative impacts on business, the management of false positives is an issue in its own right for software publishers. Today, detection models can be adjusted in several ways: by training them recurrently, to adapt them to new use cases; by playing with the weights of the criteria, according to the customer’s context; and by going back over the decisions taken by the algorithm in order to report false positives.

Beyond these adjustments, fraud detection solutions offer great flexibility in terms of orchestration, i.e. the reaction to be implemented in response to the algorithm’s recommendations. In this way, it is possible to limit the impact on users, by using invisible challenges for low-risk transactions, and by limiting constraining requests such as MFA or deferred manual processing to high-risk transactions. Orchestration also makes it possible to implement the tool progressively: reactions can be limited to raising alerts transmitted to a SIEM tool, for example, to refine the algorithm, then moving on to effective, real-time blocking.

Conclusion

The fight against fraud is a subject that concerns many sectors. While the banking sector is ahead of the game, with e-commerce and luxury goods following suit, any organization can be targeted by fraud. This implies a wide range of use cases and issues to which fraud detection solutions can often, but not always, respond.

The sector of activity, the context, the recurrence and type of attacks, the impact and associated risk, as well as the resources that can be deployed – all these dimensions need to be taken into account to contextualize countermeasure solutions. These solutions may be expensive or unsuitable, despite the innovative mechanisms put in place, and other remediation mechanisms may need to be considered depending on the context.

This is the case with anti-bot solutions, for example, or risk-based authentication mechanisms, or simply the redesign of certain business processes to make them intrinsically more resilient to fraud. These remedies can accompany a fraud detection solution or be sufficient to counter the cases of fraud observed in the context studied.

Cet article Fighting fraud: a new challenge for digital identity? est apparu en premier sur RiskInsight.

Regal digital identity brings together all the information essential to formally authenticate an individual or organization in the digital world. This includes personal identification data, electronic certificates and biometric information. This identity is crucial for securing electronic transactions, facilitating access to online public services and protecting citizens’ rights and privacy.

In France, a program was launched in 2018 to create a high-guarantee digital regal identity. At the same time, France is committed to the introduction of a smart ID card with a chip, which will form the basis of this electronic identification. This authentication mode will be integrated into FranceConnect+ created at the end of 2021, an online identification and authentication service of minimum substantial level.

Examples of use cases depending on the target :

Companies

A potential B2E use case could be re-registration and access recovery. The use of regalian digital identity becomes particularly relevant in companies where employee authentication relies exclusively on FIDO passkeys linked to a device, often their phone. If this device is lost, the employee is unable to authenticate. With regalian digital identity, access recovery is simplified. Employees can use their digital identity to restore their access, then get a new phone and re-enroll their FIDO passkeys. In this way, the re-registration and access recovery process is greatly facilitated, guaranteeing enhanced service continuity.

On the CIAM side, banks could use regalian digital identity to verify the identity of customers when opening online accounts or carrying out sensitive transactions, and thus improve the security level of their service and their KYC (know Your Client) process. Currently in France, customers can use FranceConnect to authenticate themselves with banks such as BNP Paribas when opening online accounts, guaranteeing secure and simplified identity verification. Similarly, e-commerce sites could use the regalian digital identity to enable users to authenticate themselves securely when purchasing products, further enhancing security and reducing the risk of fraud.

In the context of the extended enterprise (a form of organization enabling collaboration between a company, its subsidiaries and its partners), the secure enrolment of partners to access the company’s information systems (IS) is crucial. The challenge is to increase the level of confidence in enrolment, while at the same time making it easier.
The use of the European Identity Wallet or other identity wallet could significantly simplify and secure this process. Partner employees could prove their identity to the company they wish to collaborate with, using their identity wallet. Here’s how it could work:

First of all, for the initial registration employees of partner organizations use their identity wallets to register with the main company’s system. Identity is then verified using electronic certificates and other secure information.
Once registration has been validated, these employees can access the main company’s information systems. The identity wallet enables secure authentication in line with corporate security standards. Or secure enrolment in the company’s local authentication systems.
The identity wallet can also be used to manage and modulate access rights according to the specific roles and needs of partner employees, reducing the risk of over-provisioning and increasing security.

If identity information changes (for example, if an employee changes position or responsibility), access can be updated seamlessly via the identity portfolio, without the need for cumbersome administrative processes.
Imagine a construction company working with various subcontractors on different projects. Subcontractors’ employees can use their identity portfolio to authenticate themselves and access project plans and documents hosted on the main company’s IS. This ensures that only authorized and verified employees have access to sensitive information, and that their access can be quickly modified or revoked if necessary.

Citizens

Regalian digital identities offer citizens numerous advantages, notably by simplifying access to various online services and reinforcing the security of digital transactions. In France, for example, insured persons can use their digital identity via the Ameli service to access their personal space. This enables them to consult their reimbursements, book appointments with healthcare professionals and manage other aspects of their medical cover securely online.

Similarly, for tax purposes, French citizens can use their régalienne digital identity via impots.gouv.fr. This feature facilitates online tax declarations, enabling users to fill in their returns, consult their tax notices and track their payments and refunds simply and securely.

Beyond France, other European countries are also implementing digital identity solutions to improve access to public services. Students, for example, will benefit greatly from the regalian digital identity for their administrative procedures. They will be able to use it to enroll in universities, access their transcripts, and manage their student accounts in a secure and simplified way. What’s more, international students will also be able to use this identity to validate their residency status and access various public and academic services without the hassle of paper procedures.

In Spain, regalian digital identity enables citizens to electronically sign official documents via the FirmaDigital.gob.es service. This solution is used for tasks such as signing rental contracts, submitting administrative documents, and other procedures requiring a legal signature. This makes administrative processes more efficient and secure, eliminating the need for physical signatures and reducing the risk of fraud.

The European Identity Wallet (EUDI)

The European Identity Wallet (EUDI Wallet) is a major initiative by the European Commission to provide EU citizens with a secure, interoperable way of managing their digital identity across borders. Designed to offer a convenient and secure solution, EUDI Wallet will enable citizens to store and share their electronic credentials seamlessly, while preserving their privacy and complying with the EU’s strict data protection standards.
This concept emerges against the backdrop of the increasing digitization of European society and the need to reinforce trust in online transactions. With the diversity of electronic identification systems used across the EU, EUDI Wallet aims to harmonize these systems and facilitate access to cross-border digital services, such as public services, commercial transactions and online interactions with businesses.
The EUDI Wallet will therefore function as a secure digital wallet where citizens can store their identification information such as electronic certificates, biometric data and identity documents. They will be able to use this wallet to authenticate themselves online and access a range of digital services across the European Union.
With the EUDI Wallet, citizens will be able to easily access their healthcare data, such as patient summaries and electronic prescriptions, anywhere in the EU, promoting better continuity of care. In addition, Wallet will enable diplomas and professional qualifications to be securely managed and verified, simplifying the recognition of qualifications and promoting worker mobility. Finally, it will facilitate online transactions by ensuring strong, harmonized authentication, thereby boosting confidence in cross-border e-commerce.

In order to carry out these use cases, the European Commission has defined two main scenarios describing very basically the portfolio’s use flows;

To date, the countries of the European Union have agreed on the content to be included in the European wallet, and have agreed on a global standard for the project, with a target implementation date of 2026. What remains to be done is to finalize the standard, draw up precise technical specifications for it, and develop the technical solutions to be implemented in each European country to ensure compatibility with the established standard.

Conclusion

The introduction of the European Identity Wallet (EUDI Wallet) represents a crucial step towards a more integrated and digitized digital Europe, offering numerous benefits to citizens and businesses across the European Union. In France, the adoption of EUDI Wallet will depend on several key factors. Firstly, the establishment of a robust regulatory framework that complies with data protection standards such as the RGPD will be essential to ensure user confidence and the security of their personal data. In addition, public confidence in the security and reliability of EUDI Wallet will play a decisive role in its widespread adoption. Public awareness and education campaigns on the benefits and security measures of EUDI Wallet could help build this confidence.

However, the most important element for EUDI Wallet will be the rate of adoption by private services. The involvement of private companies is crucial, as they provide a large proportion of the services used daily by citizens. Widespread adoption by the banking, healthcare, education and other private services sectors would ensure wider and regular use of the wallet, making its integration more fluid and natural for users.

The technology is still emerging and not yet mature enough to be implemented immediately. However, given the many potential benefits, it is crucial to follow this technology closely and adopt it as soon as possible. This is particularly true for the banking sector and extended enterprise use cases, where EUDI Wallet could bring significant improvements in security, transaction fluidity and operational efficiency.

Nevertheless, by overcoming these obstacles and taking advantage of the opportunities offered by EUDI Wallet, France could play a leading role in building a more secure, innovative and connected digital Europe for years to come.

Cet article The European identity wallet, the digital identity of the state soon to be in our pockets est apparu en premier sur RiskInsight.

What is the extended enterprise?

The extended enterprise is a group of entities and economic players working together on common projects. Companies have always needed to collaborate by sharing resources and exchanging data. To achieve this, the employees of each of these companies need to be able to interact securely with external users.
These external users can be suppliers, subcontractors, B2B customers, subsidiaries (that do not share the same IS), and so on. Collaboration can take many forms and can be time limited.
Because of this diversity of scenarios, it is neither possible nor relevant to define a single answer to every IAM project for the extended enterprise. The strategy to be adopted by any company wishing to address this issue will depend on its own context and specific use cases.
An extended enterprise IAM strategy can be initiated by answering two key questions: how should IAM governance and delegation be handled with the various partners? And, what type of solution on the market best covers these use cases?

What type of governance?

There are 4 main approaches to IAM governance in the extended enterprise. The choice of one of these approaches will depend mainly on two criteria: the level of IAM maturity of the various stakeholders and the sensitivity of the resources accessed.

Which vendor’s solution?

A number of functionalities clearly distinguish CIAM editor solutions (customer scope) from Workforce IAM solutions (employee scope). These two types of solutions are at opposite ends of the spectrum referring to the criteria analyzed in the diagram below.

Extended enterprise (B2B) use cases can be positioned over a wide range of this spectrum for each criterion, depending on the context. It is therefore difficult to respond to them with traditional workplace IAM or CIAM solutions, however more and more software publishers are offering new dedicated modules to meet these new needs.

What new technologies to facilitate implementation?

One of the key factors in the success of an extended enterprise project is the ability to decentralize IAM processes and mechanisms. The technological advances presented in the table below make it possible to rethink traditional approaches to identity and access management from this angle. They offer more flexible solutions, adapted to the diversity of use cases encountered, thus enabling greater decentralization, particularly with less mature partners, thanks to identity wallets and passkeys:

In this quest for solutions adapted to a wide range of use cases, it is imperative to keep abreast of market developments and constantly assess the relevance of proposed solutions to the specific needs of each context.

Cet article Which IAM for the Extended Enterprise? est apparu en premier sur RiskInsight.