Protecting User Accounts Against Cyberattackers

Fraud Detection & Account Security for Improved Security on the Web


What is Fraud Detection & Account Security?

Fraud detection covers a range of measures used to prevent unauthorised persons from gaining access to user accounts under false pretences. It can be deployed at various points in a process or technical system and offers the following advantages:

  • Account takeover (ATO) protection: protect accounts against access by unauthorised users.
  • Protect access apps on your customers’ smartphones against malware attacks by guaranteeing the integrity of the MFA authentication.
  • Protect sensitive transactions such as bank payments against attacks such as session hijacking by identifying attackers with the help of behavioural biometrics and denying them access.
  • Implement risk-based authentication and make it difficult for attackers to pretend to be legitimate users. This type of authentication can identify attackers based on characteristics such as geolocation, IP addresses, the devices used and behavioural biometrics.

How Does Fraud Detection & Account Security With Nevis Work?

With Nevis, you can determine based on user signals and credentials whether a fraudster is trying to access another user’s account. Information gathered and analysed includes location, device information and the current time, but also typical user quirks such as typing behaviour and the dynamics of keystrokes, touching and mouse movements.

These dynamic aspects of a user identity can be compared with previous interactions in order to evaluate the risk. The effectiveness of the components rests on the fact that correlating multiple attributes such as behavioural biometrics, geolocation or device information creates a distinctive digital user footprint. The analysis begins on the login page and continues until the session is ended.

Risk-Based Authentication


Risk-based authentication checks the authentication process based on a risk assessment:

  • If the risk assessment is low, you can log in without multi-factor authentication (MFA), for example.
  • If the risk assessment is medium, you will be asked to use MFA to confirm that you are authorised to access the user account.
  • If the risk assessment is too high, the system may block the login and send you a notification asking you to confirm that you did in fact attempt to access the system.

The risk score is calculated from different signals such as geolocation, device fingerprint or behavioural biometrics.

Customers can define their own rules for calculating the risk assessment based on their requirements.

How Does It Differ From Adaptive Authentication?

There is no official definition to distinguish between risk-based and adaptive authentication.

In the case of risk-based authentication, a risk number is always used to specify how authentication is to proceed.

With adaptive authentication, a risk number or a fixed rule determines the number and type of authentication steps required.

Here at Nevis, we refer to adaptive authentication as our streamlined system that is based on configurable rules. Risk-based authentication uses more complex risk calculation methods.

Enhancing Adaptive Authentication With Geo-Velocity

Geo-velocity, as an enhancement of adaptive authentication, refers to using geolocation information to improve the accuracy of adaptive authentication.

Geo-velocity reduces the risk of fraud by adding a further check: monitoring the user's location. Not only is the current location considered, but also the speed at which the user would have to be moving, in order to detect unusual activity. For example, if a user appears to move from one region to another within a few minutes, this may indicate that an unauthorised person is trying to access the system.
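
The following is an added illustration, not Nevis code: a simplified risk-based decision that combines the three risk tiers described above with a geo-velocity (impossible-travel) signal. The signal weights, the 900 km/h plausibility cut-off, the tier thresholds and the sample login events are all assumptions made for this example.

```python
from collections import namedtuple
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumed cut-off, roughly airliner speed

# One login attempt: timestamp, coordinates, device identifier, country of the source IP
LoginEvent = namedtuple("LoginEvent", "when lat lon device_id ip_country")

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def geo_velocity_kmh(prev, cur):
    """Speed the user would need between two logins (inf if no time elapsed)."""
    hours = (cur.when - prev.when).total_seconds() / 3600
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if hours <= 0:
        return float("inf") if dist > 0 else 0.0
    return dist / hours

def risk_score(cur, prev, known_devices):
    """Additive score from the signals named above; weights are assumed."""
    score = 0
    if cur.device_id not in known_devices:
        score += 30  # unknown device
    if prev is not None:
        if cur.ip_country != prev.ip_country:
            score += 20  # country changed since the previous login
        if geo_velocity_kmh(prev, cur) > MAX_PLAUSIBLE_SPEED_KMH:
            score += 50  # impossible travel (geo-velocity)
    return score

def decide(score):
    """Map the score onto the three tiers: allow, step-up MFA, block and notify."""
    if score < 30:
        return "allow"
    if score < 70:
        return "require_mfa"
    return "block_and_notify"

def sample_events():
    """Constructed sample: a Zurich login, then New York 30 minutes later on a new device."""
    zurich = LoginEvent(datetime(2024, 5, 1, 9, 0), 47.37, 8.54, "dev-A", "CH")
    new_york = LoginEvent(datetime(2024, 5, 1, 9, 30), 40.71, -74.01, "dev-B", "US")
    return zurich, new_york
```

Calling `decide(risk_score(new_york, zurich, {"dev-A"}))` on the sample events yields the high-risk tier, since the second login would require travelling over 6,000 km in half an hour.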

Protection Against Account Takeovers

What is an Account Takeover (ATO)?

An account takeover is an identity attack during which an unauthorised person uses a range of attack methods such as phishing, credential stuffing and session hijacking to gain control over a legitimate account. The fraudster then uses this account to make unauthorised transactions.

Account takeover protection includes the measures initiated to prevent an account takeover.

Credential Stuffing: Credential stuffing is a type of cyberattack where unauthorised persons attempt to use stolen credentials to log into another unrelated service. Since many users reuse the same password and the same username or the same email address to log into their user accounts, credential stuffing often leads to success for cybercriminals.

Phishing: a form of social engineering in which an attacker sends a fraudulent message to persuade a person to reveal confidential information. The attacker then uses this information to gain access to the user account.

Session hijacking: this is where an attacker compromises a legitimate user session by stealing or predicting a valid session identifier to gain unauthorised access. The session can be compromised in different ways, for example, by man-in-the-middle attacks or client-side attacks such as trojans or malware.

How To Prevent Account Takeovers With Nevis

  • Multi-factor authentication (MFA) can lower the risk considerably. Analyses by Microsoft have shown that MFA can prevent 99.9 % of credential stuffing attacks.
  • Risk-based authentication is another method that can be used to trigger additional security procedures such as SMS-TAN or MFA queries depending on the available knowledge about user behaviour, location and known devices. You can enhance convenience for legitimate users if you only request MFA for authentications with an elevated level of risk.
  • The use of passwordless or anti-phishing authentication options (FIDO2) helps reduce the likelihood of phishing or credential stuffing attacks.
  • As a centre of expertise for authentication, Nevis can significantly reduce the risk of many web attacks, such as session hijacking, CSRF, cross-site scripting (XSS) or interrupted session controls.

Fraud in Payment Transactions


Payment fraud is the term used to describe all types of false or illegal transactions carried out by cybercriminals. The perpetrator steals money, personal property, interest payments or sensitive information from the victim via the internet.

Nevis offers a variety of strong defences against fraudulent or unauthorised transactions:

  • Multi-factor authentication (including passwordless authentication) makes it more difficult for a cybercriminal to masquerade as another user and to authenticate in that user’s name.
  • Adaptive authentication uses additional signals such as geolocation, IP address or device information to make a user account a harder target.
  • Transaction confirmation using our mobile authentication function. The use of a secondary method to confirm every transaction is a mandatory provision of the PSD-2 regulation, for example.
  • One of the most sophisticated functions that Nevis offers in this area is the use of behavioural biometrics to check customer interactions after the first authentication. Information about typing behaviour is collected and compared with typical user typing behaviour in order to detect attackers who have taken over a user session. Depending on the risk assessment, Nevis can:
    • make the authentication requirements stricter and request an additional authentication factor (MFA)
    • send an email notification to the user to inform them of a suspicious login attempt
    • send risk assessments and information to a payment fraud detection system. That system uses other parameters such as the payment target, payment history, etc. to decide whether to accept the risk or stop the payment.

Protection for Mobile Phones


To protect users, the integrity of their mobile phones must also be secured. It is also essential to detect if this integrity has been breached. Our mobile SDK and our apps are protected against reverse engineering, manipulation, API exploits and other attacks that could endanger your users. Protection is also guaranteed by mobile authentication procedures and transaction signing.

  • Mobile app hardening makes it difficult for cybercriminals to carry out an attack. Additional levels of defence are used to protect the passwordless authentication method.
  • Code obfuscation makes it difficult for an attacker to understand the code. The entire mobile SDK is obfuscated in such a way that the code is incomprehensible to a hacker who attempts to attack the authentication of your application.
  • Anti-tampering is an important active measure that protects mobile apps. Anti-tampering mechanisms include integrity checks, the detection of debugging tools and instrumentation frameworks that are attempting to change the app runtime. The Nevis SDK immediately terminates every operation if it detects tampering.
  • Root protection (Android) and jailbreak protection (iOS) warn the application if the device security is at risk, and prevent the mobile app from starting under these conditions. Rooting or jailbreaking describes the process used to gain full administrator rights on a mobile device, which allows security restrictions in the operating systems to be bypassed.
  • Nevis works with Digital.AI (formerly Arxan) and uses its proprietary security functions to protect apps against reverse engineering, tampering, API exploits and other attacks that could endanger your company and your customers.

Do You Have Questions About Customer Identity and Access Management?

We’re here to help – with personal consultations, reliable support and smart solutions. We would be happy to show you the advantages of the Identity Suite from Nevis in detail.

Contact Us!

Advantages of Fraud Detection & Account Security

  • Protect client assets and sensitive information from unauthorised access, theft or exploitation.
  • Detect and prevent fraudulent transactions or activities in real time to reduce financial loss and reputational damage.
  • Maintain customer confidence by providing secure and reliable transactions and services.
  • Comply with regulations and industry standards to protect customer data and prevent money laundering.
  • Improve the overall security posture of the business and minimise the risk of cyberattacks.

Overall, the main objective is to ensure the security of customers' assets and information while providing a safe and convenient user experience.


Are you aware of the potential damage of credential stuffing?

Get comprehensive details on this topic in our free white paper.

Download White Paper