
ICFraud

Product
Developers: Fraudex
Branches: Financial services, investments and audit
Technology: Cybersecurity - Fraud detection system (fraud)

ICFraud is a system that monitors the state of the client environment: it collects the information it needs for its work, then analyzes it to identify undesirable activity.

What is meant by the user's environment? Picture a typical session between a client and the RBS system: the user opens the Internet banking page in a browser window, enters the login and password, and begins work. The client's browser and whatever is happening on the user's page at that moment together make up the user's environment.

As soon as the user opens a bank page protected by ICFraud, the system starts collecting the necessary information and identifying suspicious activity.

Thus, the ICFraud system achieves two main goals at once:

  • it reveals fraudulent activity at an early stage;
  • it reduces the number of false positives in the main antifraud system.

The system's design is based on fraud-detection principles developed by researchers around the world, combined with the developer's own research.

How does ICFraud work?

Monitoring relies on data from the user environment collected by a JS script.

The collected data is partially processed by the script and sent to the server for further analysis. When fraudulent activity is identified, an event is generated; information about it can be obtained either on demand through the API provided by the ICFraud system or by means of PUSH notifications.

Step by step it looks as follows:

  • The client begins to interact with the bank's RBS system.
  • The ICFraud JS script is loaded on the client's page.
  • The information needed for subsequent monitoring is collected on the client side and sent to the ICFraud server.
  • The created payment order is processed by the bank's antifraud system.
  • The bank's antifraud system queries ICFraud through the API and obtains information on suspicious activity on the client side. (PUSH notifications can also be configured.)
  • Using this information, the antifraud system makes the final decision on whether the transaction is the client's or fraudulent.

Note that no personal information about the bank's client is collected. ICFraud works only with data that the JS script obtains from the user's environment, for example: the list of plug-ins, time zone information, and additional information that makes it possible to determine the browser type from indirect signs.

ICFraud system capabilities

Generation of a unique user fingerprint

Generating a unique fingerprint of the user's environment makes it possible to distinguish one environment from another and to collect statistics on actions for each of them. It also lets the system run additional analytical checks, quickly detect changes, and "learn" what a "good" and a "bad" client environment look like.


Identification of cookie theft

Cookie theft, as a rule, gives the attacker authorized access to the victim's online banking without knowing the login and password. There are many methods of obtaining cookies, but the ultimate goal is the same. ICFraud is able to determine whether the current session is "stolen" or not.
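
An added example, not ICFraud code and not taken from the product: one way a server could build an environment fingerprint from the attributes named above (plug-ins, time zone, indirect browser hints) and notice that a session cookie is being presented from a different environment. Attribute names, sample values, the FNV-1a hash and the "drift"/"mismatch" thresholds are assumptions made for illustration.

```javascript
// Added example (not ICFraud code). Attribute names and sample values are
// constructed; the drift thresholds are illustrative assumptions.

// Normalise collected attributes so that enumeration order does not matter.
function canonicalise(env) {
  return {
    plugins: env.plugins.map(p => p.trim().toLowerCase()).sort().join("|"),
    timezoneOffset: String(env.timezoneOffset),
    browserHints: Object.keys(env.browserHints).sort()
      .map(k => k + "=" + env.browserHints[k]).join("|"),
  };
}

// FNV-1a (32-bit): a compact lookup key for an environment, not a
// cryptographic hash.
function fnv1a(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

function fingerprint(env) {
  return fnv1a(JSON.stringify(canonicalise(env)));
}

// Compare the environment recorded at login with the one now presenting
// the same session cookie.
function checkSession(loginEnv, currentEnv) {
  const a = canonicalise(loginEnv), b = canonicalise(currentEnv);
  const changed = Object.keys(a).filter(k => a[k] !== b[k]);
  const verdict = changed.length === 0 ? "match"
    : changed.length === 1 ? "drift" : "mismatch";
  return { verdict, changed };
}

// Constructed sample environments.
const atLogin = { plugins: ["PDF Viewer", "Widevine"], timezoneOffset: -180,
  browserHints: { touch: false, webgl: "ANGLE" } };
const sameUser = { plugins: ["widevine ", "PDF Viewer"], timezoneOffset: -180,
  browserHints: { webgl: "ANGLE", touch: false } };
const otherHost = { plugins: [], timezoneOffset: 0,
  browserHints: { touch: false, webgl: "ANGLE" } };
```

Returning the list of changed attributes alongside the verdict lets the consuming antifraud system weigh, for instance, a lone time zone change differently from a wholesale change of environment.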

Identification of remote control

Statistically, remote connection is one of the favourite methods of carrying out fraudulent activity on victims' computers. Such a connection can be made either under the pretext of "helping" a trusting victim solve some problem, or by Trojan programs that include remote control tools in their arsenal. In such an attack there are no significant changes in the user's environment, and it can seem that the actions are performed by the client. ICFraud is able to detect such connections and inform the bank about them.

Identification of use of anonymizers

Use of anonymizers can, as a rule, indicate fraudulent intent on the part of the user. With such behavior there is a probability that the login and password were obtained by an attacker who is trying to hide their true location. It can also mean that someone is carrying out reconnaissance to remotely detect vulnerabilities in the system. Such behavior is suspicious when working with RBS, and ICFraud is able to detect such connections.

Identification of bots

As a rule, bots are used both to automate the search for vulnerabilities and to guess combinations of login and password. In any case, bot activity against an online banking system is inadmissible.

Identification of foreign code injected into the client's page

Injection of foreign code into the page can be the consequence of a successful XSS attack, of code injected into traffic, or of a virus running on the user's computer. A widespread effect of such injection is the display of an additional form for entering personal user information, including the login and password. Additional <script> or <iframe> tags that load malicious code from attackers' servers may also be added. The system is able to detect such anomalies.

Identification of third-party requests from the page of the user

Such requests can also indicate successfully injected third-party code that tries to interact with attackers' servers, for example to transfer user data or to load malicious code.

Detection of any spoofing

Often, in order to outwardly resemble the real user, fraudsters try to match and use the same software as the victim. An attempt to forge the user's environment can indicate fraudulent or virus activity on the client side, and the ICFraud system performs analysis to identify such actions.
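
An added example, not ICFraud code: a check covering both of the preceding capabilities, flagging <script>/<iframe> elements and outgoing requests whose origin is not on the list the bank page is expected to use. The allowlist approach, all origins and URLs, and the element snapshot are assumptions constructed for illustration.

```javascript
// Added example (not ICFraud code). Origins, URLs and the snapshot below are
// constructed; the allowlist approach itself is an assumption.
const PAGE_URL = "https://bank.example/ibank/payments";
const ALLOWED_ORIGINS = new Set([
  "https://bank.example",
  "https://static.bank.example",
]);

// Resolve relative and protocol-relative URLs against the page. Unparsable
// values return null; data: and javascript: URLs yield the opaque origin "null".
function originOf(url, base) {
  try { return new URL(url, base).origin; } catch (e) { return null; }
}

// elements: snapshot of the page's tags, as a client script could take with
// document.querySelectorAll("script, iframe"). requests: URLs seen leaving the page.
function auditPage(elements, requests, base = PAGE_URL, allowed = ALLOWED_ORIGINS) {
  const findings = [];
  const check = (kind, url) => {
    const origin = originOf(url, base);
    if (origin === null || !allowed.has(origin)) findings.push({ kind, url, origin });
  };
  for (const el of elements) {
    const tag = el.tag.toLowerCase();
    // Inline elements (no src) need a content check, outside this origin audit.
    if ((tag === "script" || tag === "iframe") && el.src) check("foreign-" + tag, el.src);
  }
  for (const url of requests) check("third-party-request", url);
  return findings;
}

// Constructed snapshot: two expected scripts, three injected elements, an image.
const sampleElements = [
  { tag: "script", src: "/js/app.js" },
  { tag: "SCRIPT", src: "https://static.bank.example/vendor.js" },
  { tag: "script", src: "//cdn.injected.example/form.js" },
  { tag: "iframe", src: "https://login.injected.example/overlay.html" },
  { tag: "iframe", src: "data:text/html,<form>" },
  { tag: "img", src: "https://other.example/a.png" },
];
const sampleRequests = [
  "https://bank.example/api/balance",
  "https://collect.injected.example/p",
];
```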