While enterprises try to determine how to boost their cybersecurity, adding independent security blocks, fraudsters are developing their next steps to stay ahead of detection. CARTA, an approach introduced by Gartner and offered by Mastercard under its Connected Intelligence umbrella, is the proactive approach to keep security tools connected and detect cybercriminals.
Protecting your organization against hackers and fraudsters is an arms race, where bad actors react quickly to new security tools. Not only are they effectively bypassing security systems, but they are also doing so with great innovation and skill.
Meanwhile, security experts have to re-examine their methods to understand who their good users are to offer them a better experience and detect fraud at its different stages. However, as we know, there is no such thing as a one-size-fits-all solution to protect your evolving digital platform. Many platforms increase friction for customers in an attempt to increase security. Unfortunately, too often, the bad guys get whitelisted and go unchecked in future activities. This only increases the problem as fraud continues while the good users’ experience worsens.
“We really have to have a level of distrust in everything all the time,” says Neil MacDonald, VP analyst at Gartner Inc. MacDonald says this research led Gartner to recommend continuously assessing and monitoring every entity and its behaviours for relative levels of risk and trust, or CARTA (Continuous and Adaptive Risk and Trust Assessment).
Be Reactive and Proactive
Trust and security are not static states. As we know, fraudsters often evolve more quickly than security. While you still need to invest in platforms that block and react to security breaches, you also need to predict and prevent the future risk that stems from the exposed user records. Gartner recommends incorporating tools that are connected to each other to get the deepest insights possible, focusing on malware detection, bot detection, behavioural analysis, event monitoring, and more (Akif Khan, Gartner, Take a CARTA Approach to Building a Successful Payment Fraud Detection Strategy for Digital B2C Channels, August 2019).
A single, integrated solution that accepts data from across all platforms to avoid a siloed effect, where bad guys can slip through, is what’s needed, says Gartner analyst Akif Khan. With this, he suggests, enterprises need to adopt a continuous and adaptive risk and trust assessment (CARTA) approach. He writes that “rather than looking at individual security tools, this approach leverages multi-layered security connected through thousands of data-based decision points that mitigate fraud at every step throughout the customer journey.”
How is cybersecurity like a video game?
No, it’s not about action heroes or your favorite avatar. In 2D games, users experience a flat world. Assets are standard renderings, like text, pictures, videos, and a simple gaming interface. Now think about what happens when you strap on VR goggles and enter the virtual reality world. Video is captured with two 360-degree cameras that allow playback on two different screens – one in each lens of your headset. The Connected Intelligence or CARTA approach is like putting your VR goggles on and combining the different tools that give you color, texture, dimension, and vibration, giving you a real-life experience with events happening simultaneously all around you.
Gartner’s premise is much the same. In traditional security platforms, you have very limited views of transactions as they are not connected to each other. For example, a purchase request from an account may look normal, but that account could have had 20 failed logins from different IPs and only one successful login attempt over 24 hours. As the data from those failed logins is not connected to the checkout, the purchase will go through seamlessly. When the chargeback comes in – because it will – the merchant would only look at the purchase-related information, see no anomalies, and be unable to adapt its security to prevent similar future attacks.
But in a CARTA approach, which is another name for Mastercard’s Connected Intelligence approach that it has been promoting for the last two years, all assessments are combined and happen in parallel, supported by machine learning that follows your organization’s policies and rules to process risk. Most importantly, this assessment doesn’t happen at checkout only, but behind the scenes and in real time at every step where the user interacts with the platform. This approach to security allows the platform to block the event, flag it for manual intervention, or elevate the trust of the user. It will assess every event, from every channel, preferably for every form of online fraud.
With this approach, data comes from multiple channels and stages of the user interaction, making anomalies evident before it is too late. A verified user who is suddenly exhibiting different behavioral biometrics will be flagged, and an attempted account takeover from multiple devices will be caught in real time.
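The failed-login scenario above can be made concrete with a short added example (not code from Gartner or Mastercard) that joins login history to each checkout and returns one of the three outcomes the text names. The event tuples, account names, IP addresses and thresholds are all constructed assumptions for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)      # look-back window, as in the 24-hour scenario above
BLOCK_FAILS, BLOCK_IPS = 10, 5    # assumed thresholds, not Gartner or Mastercard values
FLAG_FAILS = 3                    # assumed threshold for manual review

def sample_events():
    """Constructed events as (account, type, ip, timestamp); IPs are documentation ranges."""
    t0 = datetime(2024, 1, 1)
    ev = [("acct-1", "login_failed", f"198.51.100.{i}", t0 + timedelta(minutes=30 * i))
          for i in range(1, 21)]                       # 20 failures, 20 distinct IPs
    ev += [("acct-1", "login_ok", "198.51.100.21", t0 + timedelta(hours=11)),
           ("acct-1", "checkout", "198.51.100.21", t0 + timedelta(hours=11, minutes=5))]
    ev += [("acct-2", "login_failed", "203.0.113.7", t0 + timedelta(hours=9, minutes=m))
           for m in range(4)]                          # one IP: likely a forgotten password
    ev += [("acct-2", "login_ok", "203.0.113.7", t0 + timedelta(hours=9, minutes=5)),
           ("acct-2", "checkout", "203.0.113.7", t0 + timedelta(hours=9, minutes=10))]
    ev += [("acct-3", "login_ok", "192.0.2.44", t0 + timedelta(hours=8)),
           ("acct-3", "checkout", "192.0.2.44", t0 + timedelta(hours=8, minutes=3))]
    return ev

def assess_checkout(events, checkout):
    """Score a checkout against the account's login history in the look-back window."""
    account, _, _, when = checkout
    fails = [e for e in events
             if e[0] == account and e[1] == "login_failed"
             and when - WINDOW <= e[3] <= when]
    distinct_ips = {e[2] for e in fails}
    if len(fails) >= BLOCK_FAILS and len(distinct_ips) >= BLOCK_IPS:
        return "block"            # many failures spread over many IPs
    if len(fails) >= FLAG_FAILS:
        return "flag"             # route to manual intervention
    return "elevate_trust"        # clean history: lower friction for this user

def decisions(events):
    """Return {account: decision} for every checkout event in the stream."""
    return {e[0]: assess_checkout(events, e) for e in events if e[1] == "checkout"}

if __name__ == "__main__":
    for account, decision in decisions(sample_events()).items():
        print(account, decision)
```

A checkout-only check would see three identical-looking purchases here; the difference between them exists only in the login events.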
This holistic approach, first brought up by Mastercard two years ago, is slowly being adopted by companies and analysts alike. While some organizations are still struggling to keep up with fraud using traditional methods, those using the CARTA method are making it the new black of cybersecurity frameworks.
For more information on the CARTA approach, Gartner’s report Take a CARTA Approach to Building a Successful Payment Fraud Detection Strategy for Digital B2C Channels provides a great background.
We’ll talk about how to make your organization ready for CARTA in our next post.