Closing the Retail Cybersecurity Gap Between Breaches and Fraud

While retailers are getting better at combatting cybersecurity threats to customer data, few are prepared to combat the fraud that happens after a hack. A new cooperative effort announced today between LexisNexis Risk Solutions and the Retail Cyber Intelligence Sharing Center (R-CISC) will give retailers new resources for bridging the gap between cyber theft and fraud prevention.

The R-CISC is the retail industry’s cybersecurity consortium for sharing intelligence, alerts and solutions to fight cyber threats. LexisNexis Risk Solutions will join the consortium as a Premier Associate Member, and make available to R-CISC members the many fraud-fighting services available within its LexisNexis® Fraud Defense Network.

In turn, LexisNexis Risk Solutions will leverage the alerts and threat intelligence in R-CISC’s arsenal to enhance its products and services for its retail customers. The R-CISC will also make available its analysts and capabilities to help LexisNexis Risk Solutions assess its own cyber alerts.

The collaboration is one of the first to combine the substantial resources of identity theft and fraud prevention organizations to offer retailers an end-to-end solution for mitigating their cyber risks. We recently sat down with Vikram Dhawan, Sr. Director Product Management of LexisNexis Risk Solutions; Kimberly Sutherland, Senior Director, Fraud Management of LexisNexis Risk Solutions along with Brian Engle, Executive Director of R-CISC to discuss the ramifications of the announcement.

LexisNexis Risk Solutions: What is the need for retailers that is driving this announcement?

Dhawan: Retailers don’t have broad visibility into identity fraud and lack critical knowledge around how to mitigate it. By working together, we give them a comprehensive set of resources and expertise for fighting cyber risks from the initial theft of identities and personal information to fraud attempts using those stolen identities. This is a first-of-its-kind effort covering the full lifecycle of retail cyber threats.

Sutherland: Fraud is a costly problem for retailers that is only getting worse. Our 2016 LexisNexis True Cost of Fraud℠ report found that every dollar of fraud cost merchants $2.40, up from $2.23 from the previous year. We also discovered that the volume of fraud rose sharply—from a monthly average of 156 to 206 successful fraudulent transactions, and from 177 to 236 prevented fraudulent transactions. Greater visibility into fraud is needed to help retailers reverse this trend.  

Engle:Cyber-criminals are persistent and their methods are increasingly sophisticated. No industry, institution or government agency is immune from attack. The retail industry is a target for cyber criminals that seek to steal customer information and payment details in data breaches and point of sale attacks. After a breach occurs, the number of retailers attacked by criminals using the information to commit fraud increases exponentially. In the past, retailers have had limited means to combat the potential fraud from stolen personal information. The LexisNexis Fraud Defense Network complements the R-CISC’s cybersecurity resources by filling in these gaps.

LexisNexis: What roles do the R-CISC and the Fraud Defense Network currently play in the market?

Sutherland: The Fraud Defense Network is an initiative that gives insights into fraudulent or suspicious activity by connecting organizations across different industries with resources, experts and powerful data analytics.

Dhawan: LexisNexis Risk Solutions established the Fraud Defense Network because fraudsters have become more sophisticated and often cross industry boundaries to commit crimes on multiple fronts. The tried and true fraud mitigation methods of the past had become less effective. Members can benefit greatly from a cross-industry view to attack the problem more effectively and proactively.

Engle:The R–CISC is proud to serve as the conduit for collaboration, intelligence sharing and cooperation as the trusted cybersecurity community for retailers worldwide. We do this by building and sustaining valuable programs, partnerships, products and opportunities that enable our members to grow in their trust–based relationships, strategic knowledge and tactical capabilities. 

Through the R-CISC, retailers of all sizes share cybersecurity intelligence on incidents, threats, vulnerabilities, and associated threat remediation; as a community, we understand that we are stronger together

LexisNexis: How can R-CISC member retailers benefit from the LexisNexis Fraud Defense Network? Conversely, how is the Fraud Defense Network enhanced with R-CISC resources?

Dhawan: Managing retail fraud can be challenging. The Fraud Defense Network provides both resources and technology for fraud mitigation. Our retail customers in the R-CISC membership can leverage our comprehensive data and analytics to quickly and confidently recognize good customers and good transactions while stopping bad ones, from their eCommerce sites to brick-and-mortar stores to mobile transactions.

Sutherland: I agree. Because the Fraud Defense Network is a cross-industry initiative, retailers can gain from both the data already gleaned from other industries like financial services, insurance and government, as well as from insights and intelligence for fraud prevention already refined in these industries. For example, retailers can take advantage of data available from financial services when vetting a newly opened customer account.

The value-add that R-CISC brings to the Fraud Defense Network are the early threat alerts. In other words, early awareness. The earlier retailers can be aware of the potential fraud, the more able they will be to stop it at their door.

Engle:Warning signs and indications of criminal activity come in many stages: prior to a data breach as attackers launch campaigns of attacks with phishing and the exploitation of vulnerabilities; during the dropping of malware intended to exfiltrate data; in the underground markets where the information is sold after a breach occurs; and during the fraud activities that monetize the theft of the data. Using the trust-based exchange of information occurring within the R-CISC membership, combined with the detection and threat intelligence that identifies the criminal underground activity along with the fraud alerts that the Fraud Defense Network can provide, R-CISC member retailers can be highly disruptive to criminals making it much more difficult for them to be successful.

LexisNexis: Will there be any new resources or services created through this collaboration?

Dhawan: Threats and alerts from the R-CISC will be integrated into the products and services offered through the Fraud Defense Network. LexisNexis will also offer its products and services to R-CISC members. We are also working to develop new services integrating our respective expertise.

Engle:Adding fraud-related detection information and mitigation techniques to the arsenal of cybersecurity tools available to R-CISC members will initially be very valuable to retailers. Our strengths of collaboration through bringing together formidable experts within the cybersecurity and fraud related fields will help to develop more in the future as we combine forces. We look forward to the potential of new services and resources that will come as the result of our teams working together.

LexisNexis: How does this collaborative effort specifically create an end-to-end solution for retailers? What are all the parts of the puzzle?

Engle:Cybersecurity efforts have largely been focused on everything leading up to a breach event. Strategies have included shoring up the payment transaction with end-to-end encryption, bolstering extensive layers of protection and defensive measures, and developing improved detection and monitoring capabilities to thwart cybersecurity breaches of payment card and customer information. The R-CISC serves this part of the threat cycle with threat intelligence and cybersecurity information sharing throughout our members to get ahead of any breaches. The resulting fraud that occurs after the breach of payment card information and customer account credentials necessitates the convergence of cybersecurity strategies with fraud detection and mitigation, and the R-CISC/LexisNexis collaboration pulls both ends of the cybercrime spectrum together to enable retailers to more quickly detect and defend against costly fraud activities.

Dhawan: That’s where the Fraud Defense Network kicks in. It brings to retailers the fraud fighting  capabilities and intelligence derived from sharing across different industries – like finance, retail, telecommunications, insurance, government, law enforcement and health care – because fraudsters don’t always have a particular bias for a given industry. They tend to ‘follow the money,’ deliberately exploiting gaps in systems to perpetrate fraud and hide their tracks.

Sutherland: In addition, the Fraud Defense Network builds on the R-CISC’s great work to give retailers a dedicated platform to share best practices and contribute to the body of knowledge of fraud. They gain access to our data, analytics and linking technology. They also can tap into our ongoing stream of research and other information on fraud prevention. And they can help contribute to a larger cross-industry fraud mitigation effort by sharing information through our contributory database.

About the R-CISC
The Retail Cyber Intelligence Sharing Center (R-CISC) is the trusted cybersecurity community for retailers, consumer services retailers, and cyber security industry partners worldwide. Created in 2014 in response to the increased number and sophistication of attacks against our industries, the R-CISC supports traditional retailers, online commerce, wholesalers, restaurants and the food service industry, entertainment, lodging, professional sports leagues and organizations providing other consumer services.
https://r-cisc.org

About LexisNexis Risk Solutions
LexisNexis Risk Solutions is a leader in providing essential information that helps customers across industries and government predict, assess and manage risk. Combining cutting-edge technology, unique data and advanced analytics, LexisNexis Risk Solutions provides products and services that address evolving client needs in the risk sector while upholding the highest standards of security and privacy. LexisNexis Risk is part of RELX Group, a world-leading provider of information and analytics for professional and business customers across industries.
http://www.lexisnexis.com/risk/