© 2007 ibm corporation threat and fraud intelligence ibm’s entity analytics solutions john...

© 2007 IBM Corporation

Threat and Fraud IntelligenceIBM’s Entity Analytics Solutions

John McBride, IBM Solutions Executive

© 2007 IBM Corporation2

Threat & Fraud IntelligenceA High Impact Business Opportunity Is Emerging

Heightened regulatory pressures and an intensifying threat environment demand a new level of Threat & Fraud Intelligence

AMLAML

$590bn to $590bn to $1.5tr, PY $1.5tr, PY 2%–5% of 2%–5% of

GGDPGGDP

Patriot Act Patriot Act

KYCKYC

$10.9 billion $10.9 billion

Health Health InsuranceInsurance

$100bn $100bn lost lost

annuallyannually

Telecom Telecom Fraud Fraud

$55bn $55bn lost lost

annuallyannually

Identity Identity TheftTheft

$8.0 bn $8.0 bn lost lost

annuallyannually

OFAC Hits OFAC Hits Criminal Criminal NetworksNetworks

Risk & Risk & ComplianceCompliance

EntitlementEntitlementFraudFraud

Account Account VerificationVerification

Law Law EnforcemenEnforcemen

tt

Home Home Land Land

SecuritySecurity

Safe Safe BordersBorders

National National SecuritySecurity

BankAtlantic committed ‘serious and systemic’ BSA violations April 27, 2006 - Moneylaundering.com. BankAtlantic provided clients something better than 7-day service – one branch manager opened its doors to drug traffickers and professional money launderers and helped commit their crimes. BankAtlantic Bancorp signed a deferred prosecution agreement and forfeited $10 million to the U.S. Department of Justice for criminally violating the Bank Secrecy Act (BSA)..


Today’s intensifying challenges mandate a fresh approach to managing threat information

Current Approaches have become obsolete.

Why Now?Threat & Fraud Pressures Are Intensifying

Information is compartmentalized – lack of full integration is obscuring visibility

Query State limits ability to address complexity of threats

Untimely – threats identified ex-post facto.

Inaccurate – Broadscale false positives and false negatives

Out of context – lack of decision support/guidance once threat is

identified

Multiplication of threat types, and frequency

Threats are increasingly asymmetrical

Explosion in complexity of threat identification

Frequency of transaction/interactionsTransparency is clouding

Regulatory pressures are increasing

Intensifying profit and business pressures

Information Must Become a

Strategic Asset


Threat & Fraud Challenges Are IntensifyingMultiplying Threat Types with Increased Frequency

FEMA Lost $1Billion to Fraud, ErrorsReport lists problems with hurricane reliefUSA Today, June 14, 2006

Sloppy mistakes and con artists cost FEMA at least $1Billion in disaster relief claims in the six months after last year’s devastating Gulf Coast hurricanes, according to a report by government investigators due out today. The government sent checks to thousands of people who registered with FEMA using information belonging to prison inmates, or who provided only a post office box for the their damaged home.

The investigation found that FEMA lacked basic mechanisms to detect and discourage rampant fraud. One person received 26 FEMA payments totaling $139,000, using 13 different social security numbers, and 13 addresses.

U.S. Government Plans to Overhaul Disaster AidThe New York Times, July 23 2006The Department of Homeland Security, responding to months of criticism and ridicule, is revamping several of its core disaster relief programs…Most important, officials said, emergency cash assistance will be granted only after FEMA officials have used computer records to ensure applicants are not repeatedly signing up for aid, or using false Social Security numbers or fabricated addresses.


Fraud &Threat Pressures Are IntensifyingThreats Are Increasingly Asymmetrical

Two Elderly Women Jailed In Deadly Insurance ScamWashington Post, Tuesday, May 23, 2006; Page A03 LOS ANGELES, May 22 -- Two elderly women devised a complex plot in which they befriended homeless men, took out life insurance policies on them, and then killed the men in hit-and-run accidents in alleys around Los Angeles to collect $2.2 million in payments, police said Monday.

California law allows an insurance company to contest a new policy for two years, Vernon said. "Between the first and second incident, there's a six-year span," Vernon said. "It's very naive to think there haven't been any victims in those six years, especially when you consider they're using these men as certificates of deposit, with a maturity date of two years."

2 Arrested in Homeless Life Insurance ScamLA Times Staff Writers, May 19, 2006 Two women in their 70s were arrested Thursday after they allegedly befriended two homeless men, took out 19 life insurance policies on them and filed claims worth more than $2.2 million after the transients mysteriously died in hit-and-run pedestrian accidents in Los Angeles.

Detectives said they connected the two cases several months ago during a chance meeting between two investigators in the LAPD's West Traffic Bureau squad room. A detective handling the death of Kenneth McDavid, 50, was talking about the peculiarity of the case when another detective interrupted him to say he had worked on a similar-sounding, unsolved hit-and-run six years ago.


Threat & Fraud Challenges Are IntensifyingMultiplying Threat Types with Increased Frequency

Mackenzie created new customer identification numbersA bank manager carried out a £21m fraud on his employers as they named him business manager of the year.

As a business manager at the Royal Bank of Scotland, Donald MacKenzie had the authority to open personal bridging loan accounts.His scam involved creating new customer identification numbers (CINs) using details of customers, sometimes by omitting just one letter from their name.

Last Updated: Tuesday, 6 June 2006, 17:01 GMT 18:01 UK

Mackenzie created new customer identification numbers

IBM’s Threat & Fraud Intelligence platform, utilizing the Name Recognition capability, would have detected the name variations, and helped prevent the fraud


Maiden Names, Deaths, Moves, New Accounts

Name / Address / DOB Deception

Intermediators, Introducers, Beneficiaries,

Pooled Accounts

NefariousUn-IdentifiedThird Parties

Data Islands/Silos/Transposition Errors

Online & Remote Clients

Data Degradation / Data Drift

Multiple Prefixes, Abdul, Fitz, O', De La,

Multiple Name Variants

Phonetic Transposition Errors, Lester - Leicester

Name Order, “Maria del Carmen Bustamante de la

Fuente”

Multiple Titles, Dr., Rev, Haj, Sri., Col

Nicknames, Hammed, Mogs

Ambiguous, Misrepresented, Blurry IdentityThe Challenges Go Beyond Date Silos

??


Full pattern & identity resolutionPattern linked to name, identity & relationship

Complete & Self ImprovingUtilizing all sources of information within the enterprise and beyond

Active & Dynamic Persistent & Autonomic Analysis

On-Line, On Demand & TimelyRespond to threats in real time

In ContextFull decision support and guidance

What’s Needed?Early adopters beginning to recognize requirements

The capability now exists.Integrated Software Platform Business Know

How

Current State Future State

Threat and FraudStatistics & Reporting

Limited Discovery& Analysis

Incomplete View

InformationOverload

Passive & Query Based

© 2007 IBM Corporation

Conquering Enterprise AmnesiaNext Generation Business Intelligence


Human Resources Department

CorporateSecurity

Department

ProspectDatabase

EmployeeDatabase

FraudDatabase

MarketingDepartment

Hiring employees who had previously been arrested for stealing from you!

Consequences of Enterprise Amnesia


ProspectDatabase

EmployeeDatabase

Human Resources Department

CorporateSecurity

Department

InvestigationsDatabase

Marketing department is mailing offers to a person currently in jail for stealing from you!

MarketingDepartment

Consequences of Enterprise Amnesia


Amnesia is Embarrassing

Amnesia is Expensive


Enterprise Intelligence

Requires Persistent Context

The Brain!


M. Randal SmithDOB: 06/07/74713 731 5577

Mark Randy SmithDOB: 06/07/74123 Main Street713 731 5577

Record #A-701

Record #B-9103

Observations

FEATURES:Mark Randal Smith

123 Main Street713 731 5577DOB 06/07/74

IdentitiesEvents

JobApplication

Arrest

Employee Database

Fraud Database

Sensors

Problem: Non-Observables and Isolated Perceptions

Non-Observable


Marc R Smith123 Main St713 730 5769


Mark Randy Smith123 Main StreetDOB: 06/07/74713 731 5577 Employee

Database

Fraud Database

Record #A-701The Query

Record #B-9103

SensorsObservations

Consequence of Perception Isolation




The Query Record #A-701

Record #B-9103

Employee Database

Fraud Database

SensorsObservations

Some Observations … are Discoverable

Mark Randy Smith123 Main StreetDOB: 06/07/74713 731 5577




The Query Record #A-701

Record #B-9103

Employee Database

Fraud Database

SensorsObservations

Some Observations … are Undiscoverable



M. Randal SmithDOB: 06/07/74713 731 5577FEATURES:

Mark Randy Smith, M. Randal Smith123 Main Street, 713 731 5577

DOB 06/07/74EVENTS:

Job ApplicationArrest

Constructed Context

SensorsObservations

Record #A-701

Record #B-9103

Employee Database

Fraud Database

First: Context is Pre-Constructed (Features and Events)



PersistentContext

Mark

FEATURES:Mark Randy Smith, M. Randal Smith

123 Main Street713 731 5577DOB 06/07/74

Context is Persisted


SensorsObservations

Record #A-701

Record #B-9103

Employee Database

Fraud Database





Record #A-701


Record #B-9103

Queries

Now the Un-discoverable …



Record #A-701


Record #B-9103


123 Main Street713 731 5577DOB 06/07/74

Persistent Context

Observations

Using Persistent Context


Queries




123 Main Street713 731 5577DOB 06/07/74


Record #A-701


Record #B-9103

Queries Persistent Context

Observations

Enterprise Discovery is Possible



The query could be: - A user with a question

Or, also could be data: - An account opening - A new watch list entry - A background check - An address change - A vendor application - A customer inquiry

Queries

New Think: Treat Data as a Query!


1st principle

If you do not process every new piece of key data (perception) first like a

query … then you will not know if it matters … until

someone asks.


Emile SwelterToronto12/03/72


Record #A-701


Record #B-9103

?

Queries PersistentContext

Observations

New Think: Treat Queries as Data



Record #A-701


Record #B-9103

PersistentContext

ObservationsQueries


In Which Case … Queries can Persist


PersistentContext

Notably, in the Same Data Space


Question answered when it becomes true!

Emilee Swelter321 Ovington PlaceToronto03/12/72

New ObservationPersistentContext


Queries

New Observations Answer Persistent Queries


2nd principle

Treat queries like data to avoid having to ask every

question every day.


New Think: Data and Query Equality

Queries find data

Data finds queries

Data finds data

TraditionalIntelligentSystems

Queries find queries!



Mark Randy SmithDOB: 06/07/74123 Main Street713 731 5577 Employee

Database

Fraud Database

Record #A-701

Record #B-9103

ObservationsPersistentContext

Mark


123 Main Street713 731 5577DOB 06/07/74

Sensors

This is Context Construction (Identity Resolution)



123 Main Street713 731 5577DOB 06/07/74

FEATURES:Mark Randy Smith, M. Randal Smith, Randy Smith

123 Main Street, Flat 6 20 Lennox Gardens713 731 5577, 796 064 03 04

DOB 06/07/74, Passport: 001003429002

2 Observations 6 Observations

More Observations More

More Observations (data) = Better Context



EmployeeDatabase

Fraud Database

Record #A-701

Record #B-9103


Mark


123 Main Street713 731 5577DOB 06/07/74

Sensors

!

The Ideal Moment for Enterprise Awareness



3rd principle

Enterprise awareness is computationally most

efficient when performed at the moment the

observation is perceived.


The “data finds the data” …

and “relevance finds the user.”

Towards Enterprise Intelligence

New Paradigm: Perpetual Analytics


Time

Gro

wth

of

Com

pu

ting

Pow

er New

Information

Sensemaking Algorithms

Growing Amnesia Index?

Faster Computing is Producing Greater Amnesia!


Technical Overview


IBM Entity AnalyticsTechnologies

Basic Architecture

Data Sources

Queries

Analytics Engine

Persistent Context

Database

Discovery

SQL DBMS

C++ Code

XML

XML


Enterprise Service Bus

Entity Analyti

cs

Service Oriented Architecture (SOA)

Vendors

EmployeesAnd

Applicants

Arrests

Credit Applications

Investigations

Transactional

Activity

Customer Acquisition


Real World Enterprise Amnesia


Detected Relationships

• 24 active players were known cheaters

• 23 players had relationships to prior arrests/incidents

• 12 employees were themselves

the player

• 192 employees had possible vendor relationships

• 7 employees were the vendor

Data Sources

• 20,000 plus employees

• All vendors

• All slot club & table

games-related players

• In-house arrests/incidents

• Known cheaters

Case Study: Las Vegas Casino



• 2 out of every 1000 employees had been arrested for shoplifting

• 8 out of every 1000 employees were related to known shoplifters

• 9 vendors on the internal security file

• 1 executive related to a vendor (a charity). Possible case of embezzlement.

Data Sources


• 10,000 plus vendors

• 26,000 international security/arrest records (shoplifters, etc.)

Case Study: Retail


Case Study: US Federal Agency


• 140 employee relationships to vendors

• 1451 potential vendor relationships to security risks

• 253 employee relationships to security risk entities

• 2 vendors were the security risk

• “n” employees were the security risk/vendor

Data Sources


• 75,000 plus vendors

• 200,000 plus Type 1 security risk entities

• 200,000 plus Type 2 security risk entities


Katrina Reunification Project Statistics

Total data sources 15

Usable identity records 1,570,000

Unique persons 36,815

Families Reunited >100


Responsible Innovation in Support of Privacy and Civil Liberties

Analytics in the Anonymized Data Space




Database

Fraud Database

Record #A-701

Record #B-9103



123 Main Street713 731 5577DOB 06/07/74

Sensors

Observations Are Anonymized


EmployeeDatabase

Fraud Database

Record #A-701

Record #B-9103



123 Main Street713 731 5577DOB 06/07/74

Sensors

Cd5dced41028cb …00c9782a552a2 …7f2b6e48ea7d0 ……

0d06b31faa7c…B5e341a4b0c…00c9782a552……



EmployeeDatabase

Fraud Database

Record #A-701

Record #B-9103



123 Main Street713 731 5577DOB 06/07/74

Sensors


0d06b31faa7c…B5e341a4b0c…00c9782a552……



EmployeeDatabase

Fraud Database

Record #A-701

Record #B-9103


FEATURES:Cd5dced41028cb7ea51…00c9782a552a2d09b1b…7f2b6e48ea7d042bbe8…

…

Sensors


0d06b31faa7c…B5e341a4b0c…00c9782a552……

Risk of Unintended Disclosure Vastly Reduced


EmployeeDatabase

Fraud Database

Record #A-701

Record #B-9103


FEATURES:Cd5dced41028cb7ea51…00c9782a552a2d09b1b…7f2b6e48ea7d042bbe8…

…

Sensors


0d06b31faa7c…B5e341a4b0c…00c9782a552……

!

Discovery Achieved Post Anonymization!


Record #A-701Matches

Record #B-9103

Discovery



Database

Fraud Database

Record #A-701

Record #B-9103

Observations Sensors

Policy Controls

Policy Controls

Maximizing Discovery - Minimizing Disclosure!


Different Missions – Different Measures

Information sharing with oneself

Information sharing with similar organizations (e.g., private-private or public-public)

Information sharing across organization types (e.g., private-public)

Information sharing across friendly governments

Information sharing across other entities with high levels of bilateral distrust


Technology Status


IBM

Info

. Ser

ver

- E

TL

W

eb S

ervi

ces

MQ

Threat and Fraud Intelligence – Reference Architecture

Acquisition AggregationResolution Analysis Action

Employee

Data

Data

Data

Transactions

Data

Watchlist

Customer

Structured Data

Sources (Inside

Enterprise)

Data

Unstructured

EA

S V

isu

aliz

erIn

vest

igat

ion

Po

rtal

Web

Ser

vice

sM

Q

IBM

-

Fed

era

tio

n S

erv

er

Cas

e M

anag

emen

t

Unstructured Images, Text, Audio, etc

Data

Entity Repository

Data

En

tity

An

alyt

icS

olu

tio

ns

GNR

ALERT!

ALERT!

ALERT!


Founded in 1984 as Language Analysis Solutions (LAS) a professional services firm– The Gold Standard in name recognition and matching

– The domain experts in multi-cultural name recognition

– Early penetration within federal govt, intelligence, border control, and defense

Established name recognition suite validated by our customers– More than 40 successful implementations

– Full name recognition/scoring suite

– Blue chip installations in banking, transportation, travel, homeland security

IBM acquires LAS, March 15 -LAS becomes “IBM Entity Analytic Solutions”– Strong penetration into Financial Services, Insurance,

Healthcare, Retail

Founded in 1983 as Systems Research & Development (SRD) a custom identity-based software consultancy

Technology developed in Las Vegas – Lab for finding bad guys –

First software products introduced in 2001– In-Q-Tel Funding

Strong heritage customer base in Federal Government, Gaming, Financial Services– Customers with extreme low tolerance for risk

IBM acquires SRD, January 2005 -SRD becomes “IBM Entity Analytic Solutions”– Strong penetration into Financial Services,

Insurance, Healthcare, Retail

EAS GNR

IBM EAS & GNRHistory – 47 Combined Years


Threat and Fraud Intelligence Core Capabilities

1. Automatic, non-obvious relationship detection (Social Networks/Syndicates)

2. Attribute-based Identity-resolution (Short Time to Value)

3. Perpetual, real-time analytics and alerting (Business Process Impact)

4. Proactive, insightful, enterprise search (Complete Enterprise View)

5. Multicultural Name Recognition“Ask Every Smart Question,Every Day - Automatically.”


Anonymization – Real (new) Technology

Productized in May 2005

Produces materially similar matching results

Example: Government Customers– To solve cross-compartment exploitation– To solve a complex identity-sharing mission

Example: Health Care Customers– University program in support of anonymous heritability

research (genealogy data correlated with adverse clinical outcome data)

– A life sciences group in support of Lupus research


Heritage Foundation and Center for Democracy and TechnologyTechnologies That Can Protect Privacy as Information Is Shared to Combat

Terrorismhttp://www.heritage.org/RESEARCH/homelanddefense/lm11.cfmhttp://www.cdt.org/security/usapatriot/20040526technologies.pdf

Research Report (Peter Swire)Application of IBM Anonymous Resolution to the Health Care Sector(Available upon request)

Steptoe & Johnson (Stewart Baker)Anonymization, Data-Matching and Privacy: A Case Studyhttp://www.steptoe.com/publications/279d.pdf

Emergent Information Technologies and Enabling Policies for Counter-Terrorism

Robert L. Popp (Editor), John Yen (Editor)June 2006, Wiley-IEEE Presshttp://www.wiley.com/WileyCDA/WileyTitle/productCd-0471776157.html

Markle Foundation – National Security in the Information Age Task ForceThird Report: Mobilizing Information to Prevent Terrorismhttp://www.markle.org/downloadable_assets/2006_nstf_report3.pdf

Reference Materials


Questions?

© 2007 ibm corporation threat and fraud intelligence ibm’s entity analytics solutions john...

Documents

threat fraud pressures

threat fraud challenges

ibm corporation threat

telecom fraud

rampant fraud

multiplying threat types

multiplication of threat

fema officials