Fighting Against Cybercriminals: Using The FBI’s Out-of-the-Box Approach

Originally published in United States CyberSecurity Magazine

Analysis With Anh
8 min read · Jan 26, 2023

It is no exaggeration that cybercrime, if not addressed effectively, could change the shape of the economy. Its costs are predicted to reach $10.5 trillion USD annually by 2025, up from $3 trillion USD in 2015, according to Cybersecurity Ventures [1]. If it were measured as a country, cybercrime would be the world’s third-largest economy after the U.S. and China. To fight this aggressive battle with fraudsters, companies are now equipping themselves with sophisticated Machine Learning (ML) algorithms. Yet to advance in this fight, they could borrow the unique approaches of the FBI, which has extensive experience in dealing with numerous types of cybercriminals.

This article highlights those approaches by pointing out the differences between corporations and the FBI in capturing and preventing fraud. It then introduces a fresh perspective that could help companies reassess their battles with cybercriminals.

HOW DO E-COMMERCE COMPANIES DETECT FRAUD?

Before exploring the methodologies that firms use to detect fraud, it is essential to understand their business model and cash flow.

For example, on an e-commerce platform, customers shop for a product in a partner’s store and then check out and pay for that product through a secured payment gateway or virtual terminal. The partner’s acquiring bank then verifies the payment and transfers the money to the partner’s merchant bank. Throughout this process, depending on where the weakest link is, fraudsters attack customers, partners or the payment system.

Thus, a company’s security department is usually organized into three horizontal pillars: customer fraud, partner fraud and payment fraud. It is often strengthened by three vertical layers: a rule base, Machine Learning algorithms and third-party detection. The rule base is normally the quick solution, sometimes referred to as tactical intelligence, used to capture and prevent fraud in day-to-day operations. Machine Learning is more complex and is sometimes referred to as strategic intelligence, used to fight fraud at scale. Third-party detection draws on a vendor’s expertise in combating fraud. These mechanisms are advanced and sophisticated enough that they help companies withstand large volumes of attacks.

But every system, even the most innovative one, has its own flaws, and fraudsters unfortunately are among the smartest hackers.

For instance, ransomware could previously be detected through its unique signature. However, hackers nowadays are creative enough to produce malware that replicates itself and changes certain attributes every time, making the investigation much more challenging. Along with malware, account takeover (usually through social engineering) has been one of the two most pervasive threats. The danger of this attack lies in its potential to quickly evade the complex algorithms that companies rely on to flag fraud in real time: once hackers have stolen a victim’s credentials, it is arduous to distinguish between genuine and compromised accounts.

The above examples reveal the underlying reason that top-notch algorithms fail to detect those attacks: fraudsters are getting better at hiding their identity, either by disguising the malware’s signature or by compromising a legitimate account.

THE POWER OF THE LAST MILE OF MONEY FLOW IN FRAUD DETECTION

While this reality poses an impediment to the enterprise’s security mechanisms, looking at it from a different perspective reveals a silver lining. Regardless of what fraudsters try to hide, one thing is both typical among them and very hard to disguise, and the FBI has many times successfully taken advantage of it: their ultimate motivation, which is usually money and/or identity theft.

If the motivation is financial, criminals have to transfer the money into their own pockets at some point. They can either transfer it to their bank accounts and then withdraw cash at ATMs, launder the money through crypto markets, or fund illegal transactions through the dark web. In spite of the advanced techniques used to hide their identity when hacking the system, this last step is often taken down by the authorities thanks to information provided by financial institutions. For example, within 90 days of the campaign in 2021, the U.S. Nationwide Enforcement Action against Money Mules recovered $3.7 million in fraud proceeds and arrested 30 individuals [2]. Those numbers are a lot higher when countries join forces. To illustrate, with the support of around 400 banks and financial institutions in the European Money Mule Action, 7,000 fraudulent transactions were reported, preventing a total loss estimated at nearly €70 million [3].

Despite those impressive results, the big question is how to reproduce this strategy in a corporate environment. Some may argue that, unlike conventional organizations, the FBI has the privilege of accessing more financial data by requesting that banks reveal suspicious transactions. Yet few are aware that even the money flows visible to companies can be explored and can effectively assist the battle against cybercriminals.

Back to the case of partner account takeover above: the crucial data points could reside in the last mile of the money flow, when the money goes out of the merchant bank accounts. Many times, the compromised accounts being reported are just the tip of the iceberg of a much larger impact. Only when companies are able to gather more data points can the investigation progress faster and more easily. Those data points can relate to the merchants: name, address, type, etc. To assist the extrapolation process, some sharp questions to ask are:

  • Do any other partners (whose accounts have not yet been reported as compromised) also pay out to the same merchant name and address?
  • If so, were there any changes to those merchants, and since when?
  • What are the common characteristics of those fraudulent merchants?

Then, just as the FBI catches mules by analyzing their behavior in comparison with average citizens of the same demographics and psychographics, companies could also build models to find clusters of suspect behavior and compare them with the normal behavior of average merchants in the city or country.

The power of the last mile of money flow does not stop here. Before registering merchants, partners usually have to go through a lengthy and secured process to get approval from the banks. Yet once approved, fraudsters can sneakily change the merchant type. A change in merchant type could trigger an alert but is not necessarily flagged as fraud. However, if companies expand the investigation, they could be surprised to find that some of the fake accounts which bypassed the security checks earlier are now being weaponized to perpetrate more fraud while remaining undetected. Therefore, from this small piece of information, companies could revise their ruleset and update the detection models to help eliminate them from the platform.
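The three questions above, plus the post-approval merchant-type change described in the last paragraph, can be answered mechanically once payout records are pulled together. The following is an added example written for this article (it is not the author’s code or any company’s tooling): it pivots from the partners already reported as taken over to every other partner whose money goes out to the same merchant name and address, then checks which of those merchants changed type after the bank approved them, since when, and what they have in common. All partner ids, merchant names, addresses and dates are constructed sample data.

```python
"""Last-mile money-flow investigation: pivot from reported compromised partner
accounts to the payout destinations they share with other partners, then look for
merchant changes made after approval and for common characteristics.
Constructed sample data; not the article's own code."""
from collections import defaultdict
from datetime import date

# Constructed partner payout records (hypothetical): one record per partner with the
# merchant name/address the money goes out to, the merchant type currently on file,
# the type recorded when the bank approved the merchant, and the last change date.
PAYOUTS = [
    {"partner": "P-1001", "merchant": "Acme Supplies", "address": "1 Main St",
     "type": "retail", "approved_type": "retail", "changed": date(2022, 3, 1)},
    {"partner": "P-1002", "merchant": "Acme Supplies", "address": "1 Main St",
     "type": "gift_cards", "approved_type": "retail", "changed": date(2022, 11, 15)},
    {"partner": "P-1003", "merchant": "Fresh Foods", "address": "9 Market Rd",
     "type": "grocery", "approved_type": "grocery", "changed": date(2022, 1, 10)},
    {"partner": "P-1004", "merchant": "ACME SUPPLIES", "address": "1 Main St ",
     "type": "gift_cards", "approved_type": "retail", "changed": date(2022, 11, 20)},
    {"partner": "P-1005", "merchant": "Acme Supplies", "address": "1 Main St",
     "type": "gift_cards", "approved_type": "retail", "changed": date(2022, 11, 18)},
    {"partner": "P-1006", "merchant": "Blue Cafe", "address": "4 Dock Ln",
     "type": "cafe", "approved_type": "cafe", "changed": date(2022, 6, 1)},
]

# Partners already reported as taken over (constructed).
REPORTED_COMPROMISED = {"P-1001", "P-1004"}


def payout_key(rec):
    """Normalise merchant name + address so case and whitespace variants match."""
    return (rec["merchant"].strip().lower(), rec["address"].strip().lower())


def shared_payout_destinations(payouts, reported):
    """Question 1: which not-yet-reported partners pay out to the same merchant
    name and address as a reported compromised account?"""
    by_dest = defaultdict(set)
    for rec in payouts:
        by_dest[payout_key(rec)].add(rec["partner"])
    linked = {}
    for key, partners in by_dest.items():
        extra = partners - reported
        if partners & reported and extra:
            linked[key] = sorted(extra)
    return linked


def merchant_changes(payouts, partners):
    """Question 2: for the suspect set, did the merchant type change after bank
    approval, and when? Returns partner -> (approved_type, current_type, date)."""
    return {
        rec["partner"]: (rec["approved_type"], rec["type"], rec["changed"])
        for rec in payouts
        if rec["partner"] in partners and rec["type"] != rec["approved_type"]
    }


def common_characteristics(payouts, partners):
    """Question 3: the most frequent merchant type and (normalised) address among
    the suspect set, with its count."""
    counts = {"type": defaultdict(int), "address": defaultdict(int)}
    for rec in payouts:
        if rec["partner"] in partners:
            counts["type"][rec["type"]] += 1
            counts["address"][rec["address"].strip().lower()] += 1
    return {field: max(vals.items(), key=lambda kv: kv[1]) for field, vals in counts.items()}


def investigate(payouts, reported):
    """Run the three questions and widen the suspect set from the reported accounts
    to every partner sharing a payout destination with them."""
    linked = shared_payout_destinations(payouts, reported)
    suspects = set(reported).union(*linked.values())
    changes = merchant_changes(payouts, suspects)
    return {
        "linked": linked,
        "suspects": sorted(suspects),
        "changes": changes,
        # "since what time": the earliest post-approval change in the suspect set
        "first_change": min((c[2] for c in changes.values()), default=None),
        "common": common_characteristics(payouts, suspects),
    }


if __name__ == "__main__":
    for k, v in investigate(PAYOUTS, REPORTED_COMPROMISED).items():
        print(k, v)
```

On the sample data, two reported accounts grow into a suspect set of four partners sharing one payout address, three of which silently moved from the approved "retail" type to "gift_cards" within a week in November; that date and that common attribute are exactly the small pieces of information from which a ruleset can be revised.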

Learning from the FBI’s approach of tracing the money flow, especially its last mile, companies can make progress in both the detection of fraud and the design of fraud prevention algorithms.

THE POWER OF CAUSAL INFERENCE IN FRAUD PREVENTION

Another challenge in the battle against cybercriminals is that Machine Learning, although quite efficient at detecting correlations in fraudulent activities, is insufficient for robust predictions and reliable decision-making. In the real world, many things could intervene and change the environment on which the prediction relies. Cybercriminals are swift enough to seize this gap. By altering an attack so that it does not reach certain thresholds, or by changing the setting that would trigger the fraud prevention rules, they can remain unnoticed. An obvious illustration is that in many cases they have successfully used deepfakes to bypass facial recognition systems.

Nevertheless, once again, learning from the FBI’s methodology could potentially help companies outsmart cybercriminals. The officers have their own unique way to study the fraudsters, their targets, and their association with multiple events. It is not uncommon to see in documentaries that they rely on a powerful tool: the detective board. On the board (either physical or digital), photos of suspects, victims and incidents are laid out. Each of those objects is clearly connected by threads or arrows to show the relationships between them. The goal of the board is to use a visual graph to clearly explain the observations and connect the dots between events. Following the relationships (often causal reasoning) exposed on the board, the FBI can solve the puzzle step by step.

It turns out that this concept is not brand new in the data science and statistical learning world, and it has been piloted successfully in some innovative companies. It is referred to as causal inference, the process of identifying causes in data. Unlike correlation, causality maintains its consistency even when the distributions of a problem are slightly altered, hence it can assist in resolving Machine Learning’s generalization challenge.

Guided by joint formal reasoning over observations and auxiliary information about data collection procedures or other domain knowledge, causal ML methods are grounded in the stable and independent mechanisms that govern the behavior of a system being modeled. As a result, these methods promise robustness to exogenous changes and accurate modeling of counterfactual or “what-if” scenarios that are core to scientific experimentation, comprehension, and decision-making [4].

If this method is employed effectively, it could potentially help solve two big hurdles in fraud detection and prevention. First, due to ethical concerns, not all experiments to assess the impact of fraud rules can be implemented in reality. In those cases, causal inference makes the estimate available from observational data. Second, causal inference could assist in predicting the degradation of model performance due to changes in the data and in the relationships between output and input; therefore, it helps companies update their models in time to cope with fraudsters’ new attack techniques.
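To make the two hurdles concrete, here is an added example (not the author’s or Microsoft’s code) of the simplest causal-inference tool, backdoor adjustment, applied to a fraud rule that was never A/B-tested. The observational table is constructed: the rule was switched on mostly for high-risk merchants, so a raw comparison of chargeback rates makes the rule look harmful even though it lowers chargebacks inside every risk tier. The example assumes that merchant risk tier is the only confounder of rule assignment and outcome (the backdoor criterion); that assumption, not the arithmetic, is what an analyst must defend. The last function simulates a distribution shift of the kind fraudsters cause, keeping the per-tier mechanisms stable while the mix changes, to show which quantity remains invariant.

```python
"""Backdoor adjustment for a fraud rule's effect on chargebacks, estimated from
observational data only. Constructed counts; not the article's own code.
Assumption: merchant risk tier is the only confounder of rule assignment and outcome."""
from collections import defaultdict

# Constructed observational table (hypothetical):
# (risk_tier, rule_on) -> (merchants, chargebacks).
# The rule was switched on far more often for high-risk merchants, so the raw
# comparison is confounded by tier.
OBSERVED = {
    ("high", True): (800, 160),
    ("high", False): (200, 60),
    ("low", True): (200, 10),
    ("low", False): (800, 80),
}


def naive_effect(counts):
    """Raw chargeback-rate difference, rule on minus rule off (what a correlation
    shows). Positive means the rule looks harmful."""
    n = {True: 0, False: 0}
    y = {True: 0, False: 0}
    for (_, on), (merchants, chargebacks) in counts.items():
        n[on] += merchants
        y[on] += chargebacks
    return y[True] / n[True] - y[False] / n[False]


def stratum_effects(counts):
    """Rule effect inside each tier: P(Y | rule on, z) - P(Y | rule off, z).
    These conditional mechanisms are what stays stable under distribution shift."""
    out = {}
    for tier in {tier for tier, _ in counts}:
        n_on, y_on = counts[(tier, True)]
        n_off, y_off = counts[(tier, False)]
        out[tier] = y_on / n_on - y_off / n_off
    return out


def adjusted_effect(counts):
    """Backdoor adjustment (standardisation):
    P(Y | do(rule)) = sum_z P(Y | rule, z) * P(z), then take the difference."""
    total = sum(m for m, _ in counts.values())
    tier_size = defaultdict(int)
    for (tier, _), (merchants, _) in counts.items():
        tier_size[tier] += merchants
    do = {}
    for on in (True, False):
        do[on] = sum(
            counts[(tier, on)][1] / counts[(tier, on)][0] * tier_size[tier] / total
            for tier in tier_size
        )
    return do[True] - do[False]


def shift_distribution(counts, tier_share, rule_share, total=2000):
    """Simulate a distribution shift: same per-stratum chargeback rates (stable
    mechanisms), but a new tier mix and a new rule-assignment policy."""
    shifted = {}
    for (tier, on), (merchants, chargebacks) in counts.items():
        rate = chargebacks / merchants
        p_rule = rule_share[tier] if on else 1 - rule_share[tier]
        m = total * tier_share[tier] * p_rule
        shifted[(tier, on)] = (m, m * rate)
    return shifted


if __name__ == "__main__":
    print("naive:", naive_effect(OBSERVED))        # +0.03: rule appears to raise chargebacks
    print("adjusted:", adjusted_effect(OBSERVED))  # -0.075: rule actually lowers them
    moved = shift_distribution(OBSERVED, {"high": 0.2, "low": 0.8}, {"high": 0.1, "low": 0.9})
    print("naive after shift:", naive_effect(moved))
    print("per-tier after shift:", stratum_effects(moved))
```

The naive estimate swings from +3 percentage points to roughly -18 points once the assignment policy and tier mix change, while the per-tier effects (-10 points for high-risk, -5 for low-risk merchants) are identical before and after the shift. The population-level adjusted effect moves only because the tiers are mixed differently, which is precisely the kind of degradation the second hurdle asks to anticipate: if the stratum-level mechanisms are monitored and stay put, the model can be re-weighted rather than rebuilt.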

CONCLUSION

History has demonstrated that, in a battle, it is not about racing to have the most innovative mechanism; it is about finding the rival’s blind spot, which could eventually make the difference in the outcome. In combating cybercriminals, although fraudsters are pretty fast in changing their behavior, companies could consider reassessing their neglected data and applying causal inference as robust weapons to strike the enemy’s blind spot and thus gain the upper hand.

Originally published in United States CyberSecurity Magazine: https://www.uscybersecurity.net/csmag/fighting-against-cybercriminals-using-the-fbis-out-of-the-box-approach/

References:

[1] Cybersecurity Ventures, Sausalito, Calif. (2020, November). “Cybercrime To Cost The World $10.5 Trillion Annually By 2025”: https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/

[2] The U.S. Attorney’s Office. (2021, December). “U.S. Department of Justice Announces Results of Nationwide Enforcement Action Against Money Mules”: https://www.justice.gov/usao-edmo/pr/us-department-justice-announces-results-nationwide-enforcement-action-against-money

[3] Europol. “European Money Mule Action leads to 1 803 arrests”: https://www.europol.europa.eu/media-press/newsroom/news/european-money-mule-action-leads-to-1-803-arrests

[4] Microsoft. “Causality and Machine Learning”: https://www.microsoft.com/en-us/research/group/causal-inference/
