Fraud Detection

Full Title or Meme

An existing process in ecommerce where the Relying Party collects the claims about the user and the context of the request (which will likely include user behavior and value of the transaction) into a Trust Vector for processing by a Fraud Detection Service. The result will be used to make the Authorization decision, or it might initiate a continued collection of user claims for a retry.

Context

• Today any company that handles money on the internet has some level of Fraud Detection, most of the smaller companies relying on Trusted Third Parties.
• The original use of Fraud Detection was in financial payments. https://corpgov.law.harvard.edu/2016/02/07/fincen-know-your-customer-requirements/

Problems

• When publicly accessible data is used in fraud detection, it is only a matter of time before the fraudsters collect that data and use it to impersonate Subjects. See the wiki page on Digital Fingerprints.

Solutions

• Collect Attribute information about Subjects that is not known to attackers.
• Use a Credential that is protected from disclosure on a user's device to provide evidence of the Presence of the user at their device.

References

• See the wiki page on Digital Fingerprints for some Fraud Detection techniques and the attackers' work-around to those techniques.
• Synonyms include: Attested Corroborated.