Difference between revisions of "Fraud Detection"
From MgmtWiki
(→Solutions) |
(→Solutions) |
||
Line 9: | Line 9: | ||
==Solutions== | ==Solutions== | ||
* Collect [[Attribute]] information about [[Subject]]s that is not known to attackers. | * Collect [[Attribute]] information about [[Subject]]s that is not known to attackers. | ||
− | * Use a [[Credential]] that is protected from disclosure on a user's device to provide evidence of the | + | * Use a [[Credential]] that is protected from disclosure on a user's device to provide evidence of the presence of the user at their device. |
==References== | ==References== |
Revision as of 10:24, 21 August 2019
Full Title or Meme
An existing process in ecommerce where the Relying Party collects the claims about the user and the context of the request (which will likely include user behavior and value of the transaction) into a Trust Vector for processing by a Fraud Detection Service. The result will be used to make the Authorization decision, or it might initiate a continued collection of user claims for a retry.
Context
- Today any company that handles money on the internet has some level of Fraud Detection, most of the smaller companies relying on Trusted Third Parties.
- The original use of Fraud Detection was in financial payments. https://corpgov.law.harvard.edu/2016/02/07/fincen-know-your-customer-requirements/
Problems
- When publicly accessible data is used in fraud detection, it is only a matter of time before the fraudsters collect that data and use it to impersonate Subjects. See the wiki page on Digital Fingerprints.
Solutions
- Collect Attribute information about Subjects that is not known to attackers.
- Use a Credential that is protected from disclosure on a user's device to provide evidence of the presence of the user at their device.
References
Synonyms include: Attested Corroborated.