13 Oct 2006
IT Week: As head of security and risk at IT security consultancy Detica, can you explain what trends you are seeing?
David Porter: Basic security measures such as firewalls are now pretty bog-standard and commoditised. Government organisations are now championing information assurance and more of our work is focused on this.
Organisations often have certain people who are worried about data security, while other people are worried about the quality of the data, and then a third group is more interested in business relevance. Information assurance is about grasping all three nettles, because data needs to be secure, good quality and relevant.
What problems do you encounter when helping companies to prevent fraud?
So many fraud-prevention systems are created by techies, and often they aren't maintainable. If you build a fraud-prevention system you must ensure it's maintainable and adaptable, because criminals change their behaviour. It doesn't surprise me that chip and PIN has proved fallible because in many cases implementation has been pretty sloppy.
Where does the major fraud threat come from today?
Most of our fraud work deals with an internal threat – even people who have worked at firms for a long time can be up to no good. They could be angry at their employer, or have got into financial difficulty and are susceptible to bribery, or they may have been put there by organised criminals.
How do firms overcome this kind of threat?
In a range of ways, including the soft approach of appealing to organisations not to turn a blind eye to security; it's about persuading people to play their part. The harder approach involves implementing systems that analyse the behaviour of employees, like credit card firms do with their customers.
What other trends in security threats have you noticed?
There is more collusion with people on the outside. Most card fraud detection tools are based on behavioural analysis and transaction monitoring, but these systems are limited because many aren't built in a structured manner and aren't amenable to enhancements. They are based on known security violations, which means they're modelled on the behaviour of stupid criminals who got caught – we want to know about the activity of the smart ones. Also, fraudsters have become wary. The systems are looking for obvious behavioural traits, so instead of one person pulling off a job, criminals will take a fragmented approach, dividing activities between employees into discrete tasks that sneak under the radar of conventional detection systems.
How can firms combat this?
They need to use a fragmented detection system like our Net Reveal product. Rather than profiling someone down to their shoe size, it is more interested in entities and the relationship between people. The idea is to link little bits together to make a big picture.
About David Porter
Porter started his career as an artificial intelligence researcher at The Knowledge-Based Systems Centre.
He developed his security and anti-fraud expertise working at Deloitte Consulting and Unisys.