The interplay between threat intelligence and fraud scoring systems

The interplay between threat intelligence and fraud scoring systems

Imagine you’re ordering a taxi in a ride-hailing app like Uber or Bolt. 

You choose the pick-up location, your destination, the ride category, and you confirm your payment method. All being well, you get assigned a driver in seconds. 

What is hidden from view are all the security checks, threat intelligence and fraud scoring systems that whirr into action in the background. 

The app itself checks its integrity. At the same time, the fraud system validates the payment method via authorization as well as your ride history and contextual information such as location, price and other parameters. This is necessary because for the ride-hailing company all sorts of threats are present at the moment of ordering a ride. And they have a big responsibility to prevent fraud, stay secure as a company, and make the ride itself as safe as possible for both the driver and the rider.  

In today's rapidly-evolving mobile ecosystem, security isn’t just a nice to have. It's a critical component that can significantly impact consumer trust and business growth. As mobile developers navigate through this complex landscape, two key concepts often surface as rods for robust security: Threat Intelligence and Fraud Scoring Systems. While each is powerful in its own right, their true potential is unlocked when there is synergy between the two.

This article exists to explain what each of them does and to explore how this interplay can be achieved. In other words, we’ll examine the ways in which threat intelligence can significantly enhance the capabilities of fraud scoring systems. 

Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) are two relevant concepts in this context, but our focus will not be on these solutions in isolation. Instead, we’ll explore the broader picture, emphasizing how real-time and predictive threat intelligence can be effectively incorporated into fraud scoring algorithms to create a more secure and resilient mobile environment.

Our hope is that this article will give you a comprehensive understanding of how these technologies can be harmonized to fortify your mobile applications against an array of security threats. Whether you're a mobile developer keen on implementing advanced security features, or a CTO strategizing the overall security posture of your organization, read on.

What threat intelligence platforms and fraud scoring systems do

To fully grasp the intricate relationship between threat intelligence platforms and fraud scoring systems, it's important to first understand what each does and why they are pivotal in the realm of mobile security.

Threat Intelligence Platforms

Threat Intelligence refers to the collection, analysis, and dissemination of information related to cybersecurity threats. In the context of mobile security, threat intelligence can provide real-time insights into emerging vulnerabilities, malware, and attack vectors that specifically target mobile platforms (and apps) like Android and iOS.

Key components of Threat Intelligence include Indicators of Compromise (IoCs), as well as Tactics, Techniques and Procedures(TTPs). 

Indicators of Compromise (IoCs) are specific data points that are used to detect unauthorized or malicious activities within a system. These indicators serve as red flags that can trigger alerts or can initiate automated responses. In the context of mobile security, IoCs are crucial for identifying potentially harmful behavior or vulnerabilities that could compromise an application or the device itself. 

Let’s look at an example. A threat intelligence platform might be aware of an IP address (or a selection of addresses) which is known to belong to compromised systems. Similarly, malicious URLs often host phishing sites or malware. Monitoring the URLs that a mobile app interacts with can help in identifying potential threats. 

Another indicator can be a file hash. Every file has a unique hash value that can be used to identify it. If a mobile application downloads a file with a hash that matches a known piece of malware, it's an indicator of compromise.

Tactics, Techniques, and Procedures (TTPs) refer to the behavioral patterns and methods employed by attackers during a cyber-attack. Unlike Indicators of Compromise (IoCs), which tend to link to data points, TTPs provide a more holistic view of how an attacker operates. 

Tactics are the high-level objectives behind an attack, such as gaining unauthorized access or exfiltrating data. For example, an attacker might use social engineering tactics to trick a user into revealing their authentication credentials. 

The methods used to execute these tactics are called techniques. In a mobile context, techniques could include exploiting a vulnerability in the operating system or using malicious code injection.

Procedures are the specific steps or sequences of actions taken by an attacker to execute a technique. For instance, the procedure for a SQL injection attack would include crafting malicious SQL queries and identifying the point of injection in the application.

Fraud Scoring Systems

Fraud Scoring Systems are algorithms designed to evaluate the risk associated with a particular action or transaction within a digital environment, such as a mobile application. 

These systems assign a risk score based on various metrics and indicators, facilitating real-time decision-making processes. For example, a high-risk score could trigger additional authentication steps before a mobile payment is approved, thereby adding an extra layer of security. 

Fraud Scoring Systems operate at least two metrics. Risk Score is a numerical representation of the likelihood that a given transaction or action is fraudulent. The score is usually calculated based on a set of weighted variables such as user behavior patterns, geolocation, and transaction history. Or it might be calculated based on the ML models. 

Another metric, called Confidence Level, indicates the reliability of the risk score and is often expressed as a percentage. A high confidence level suggests that the risk score is likely to be accurate, while a low confidence level may necessitate further investigation.

Fraud scoring leverages different approaches to evaluating the metrics of a particular action. One of the methods is a decision tree. 

Imagine we have a set of attributes for the same user who was booking a ride in the intro of this article - their location, payment method, mobile OS version, timezone, and so on. We can make the following conclusions: if the user had 15 rides, allow a new ride. If not, check if the timezone matches their location. If it does not, then request additional verification.

Another method that emerges from decision trees is called Random Forest. It is an ensemble learning method that combines multiple decision trees for a more robust and accurate model.

Neural Networks are more complex algorithms capable of capturing intricate patterns. But these may require more computational resources, accurate learning, and careful experimentation.

A well-tuned fraud scoring system can enhance user experience by reducing friction in legitimate transactions while adding additional checks only for risky activities. After all, how long would you continue using a ride-hailing app if it asked you to take a selfie for verification every time you were booking a ride home?  

Fraud Detection Systems bring a lot of value. But they also come with their own challenges and considerations. One of these is minimizing false alarms without compromising on security. This requires regular tuning of the methods and algorithms. Anti-Fraud should battle malicious users; but anti-fraud measures can drive trustful users away. We’ll explore this later in the article, but one of the benefits of a good threat intelligence system is that it can improve attack data, and so reduce false alarms over time.  

Another challenge of Fraud Systems is that they require as much data about a user, as possible. Ensuring that the collection and processing of data complies with regulations like GDPR and CCPA is crucial. Failing to implement these measures will result in financial losses due to fines, not to mention losing the trust of your customers.

Also worth noting is that as the user base grows, the fraud scoring system must be able to handle a larger volume of transactions without performance degradation.

An overview of EDR and XDR

While Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) are not the central focus of this article, their relevance in the broader context of threat intelligence and fraud scoring systems cannot be overlooked. 

EDR is a cybersecurity technology that focuses on monitoring, detecting, and responding to threats at the endpoint level. This includes mobile devices, laptops, and desktop computers. EDR solutions offer real-time monitoring, threat hunting, and automated responses to identified threats. EDR can provide real-time threat intelligence that can be integrated into fraud scoring systems, thereby enhancing their effectiveness. 

For example, if an EDR system detected malware on a mobile device, this information could then be used to adjust the risk score for transactions originating from that device.

If you were to start collecting and correlating data from multiple security layers, say from endpoints, networks, and cloud services, this would be XDR.

Beyond real-time monitoring, XDR offers enhanced analytics and broader contextualization of security incidents by incorporating data from multiple sources.

XDR's comprehensive view of the threat landscape can be invaluable for fine-tuning fraud scoring algorithms. Say your XDR system identified a network-level attack targeting a mobile application's backend. This could influence the risk assessment of transactions processed through that application.

Let's consider another example: 

A financial application on the iOS platform allows users to manage their bank accounts, make payments, and invest in stocks. Given the sensitive nature of the data and transactions involved, security is a top priority. The application is already using a basic fraud scoring system to evaluate the risks associated with each transaction. But to enhance its security posture, the development team decides to integrate an Endpoint Detection and Response (EDR) solution.

First of all, the team chooses an EDR solution that offers a Software Development Kit (SDK) specifically designed for mobile applications. This EDR SDK should be integrated into the iOS application using Swift or Objective-C. This allows the EDR solution to monitor system-level activities on the device where the application is installed.

The EDR solution would also require configuration to monitor specific Indicators of Compromise (IoCs) relevant to mobile security, such as suspicious API calls, unauthorized data access, or abnormal resource utilization.

Once integrated and configured, the EDR solution can begin monitoring in real-time. It checks for signs of malware, data exfiltration, or any other suspicious activities. The EDR solution can also be configured to receive threat intelligence feeds, which helps in identifying new and emerging threats targeting the iOS platform.

If the EDR detects any suspicious activity, it can take predefined actions like sending an alert to the user, forcing a logout, or even isolating the application to prevent further potential damage.

Then the real-time threat intelligence data gathered by the EDR is fed into the existing fraud scoring system. And if the EDR detected a keylogging malware attack, the risk score for transactions initiated from that device would be elevated.

Creating synergy between threat intelligence platforms and fraud scoring systems

The integration of threat intelligence into fraud scoring systems is a transformative approach that significantly elevates mobile security. 

One of the key elements in this integration is the use of threat intelligence feeds. These feeds can come from a variety of sources, including commercial providers and open-source platforms such as MISP (Malware Information Sharing Platform). These feeds deliver real-time data on Indicators of Compromise (IoCs) and Tactics, Techniques, and Procedures (TTPs), which we covered earlier.

To translate this valuable data into fraud scoring systems, RESTful APIs are commonly employed. These APIs facilitate the seamless transfer of threat intelligence, usually in JSON format. In some scenarios, threat intelligence data might be stored in databases like PostgreSQL or MongoDB and then synchronized with the fraud scoring system at regular intervals.

Once threat intelligence data is integrated, the fraud scoring algorithms can adapt in real-time. For instance, if a new type of mobile malware is identified, the risk scores for transactions originating from devices exhibiting similar behavior can be automatically elevated. This dynamic risk scoring is further enhanced by the application of conditional logic based on the incoming threat intelligence. For example, transactions originating from an IP address that has been flagged as suspicious could trigger additional authentication steps.

The integration also opens the door for automated responses, especially when coupled with Endpoint Detection and Response (EDR) or Extended Detection and Response (XDR) systems. Actions such as isolating a compromised device or flagging a transaction for manual review can be automated, thereby increasing the system's responsiveness to emerging threats.

On the predictive front, machine learning models like Gradient Boosting or Neural Networks can be trained on historical data that has been enriched with threat intelligence. This enables the fraud scoring system to predict future fraud attempts with higher accuracy. 

Feature engineering plays a crucial role here, as attributes derived from threat intelligence such as the frequency of malicious IP addresses or known phishing URLs can be used to improve the model's predictive capabilities. Statistical methods like Z-score or clustering algorithms like K-means can also be applied for anomaly detection, adding another layer of predictive insight.

As we mentioned earlier, while the synergy between threat intelligence and fraud scoring systems brings huge amounts of value, you should be aware that there are some compliance risks.

The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) dictate how data, including personal identifiers often found in threat intelligence, should be collected, stored, and processed. Non-compliance can result in significant fines and reputational damage.

For mobile apps handling financial transactions, adherence to the Payment Card Industry Data Security Standard (PCI DSS) is essential, too. This standard outlines requirements for secure data transmission and storage, which directly impacts how threat intelligence is integrated into fraud scoring algorithms.

Industry-specific regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) for healthcare apps, may also impose additional constraints. These often require the use of specific encryption algorithms or security protocols like Transport Layer Security (TLS).

We don't include this to make you think twice about the benefits of the synergy we’ve outlined in this article but rather to act as a warning to do so in a data compliant manner.

The integration we’ve explored in this article offers a multi-faceted approach to security that is dynamic, adaptive, and predictive. Whether you’re looking to fortify mobile payment transactions or enhance multi-factor authentication protocols, the synergy between these two domains provides a robust framework for mitigating risks and blocking fraudulent activities.

And it’s an approach that aligns well with the compliance and regulatory requirements that govern mobile applications today. From real-time adaptation to predictive analytics, the practical applications are vast and compelling, offering mobile developers, CTOs, security managers, and others involved in mobile app development a nuanced understanding of the evolving threat landscape.

The upshot of the interplay between threat intelligence and fraud scoring systems is the ability to equip mobile apps with the resilience and agility they need to navigate the intricate web of modern cybersecurity challenges. 

If your organization is looking to safeguard user trust and ensure business growth, then it’s certainly an approach you should strongly consider.

We recently reported on some aggregated data from our own threat intelligence platform, Alice.

Read the short report.