The problem with fighting fraud — according to GIACT EVP of Product David Barnhardt in this week’s edition of the PYMNTS Topic TBD — is how much information fraudsters have at their fingertips about regular consumers. Between the Equifax hack last year, the Exactis hack last month and the thousands of other data breaches, big and small, that happened between them (not to mention before them), the average American consumer can rest assured that some or all of their personal data is floating around the dark web these days.
With consumer data now available in what Barnhardt called “wholesale” quantities, fraudsters have a real incentive to create synthetic identities — fraudulent consumer profiles, engineered to defeat traditional fraud detection solutions by using as much real consumer data as possible.
He said, “The situation we see all of the time with our customers is they experience a fraud where almost everything looked right. The ‘customer’ in question used all the right real data: real address, right name, right social security number, right password. The two things that were different is that they placed a different phone number in as their contact point and signed up for text notifications.”
Of course, in these cases, appearances were deceiving. The “customer” was really a fraudster who came into a verification process armed with all they knew would be necessary to fool the system. The dispositive data (the phone number and new contact method), Barnhardt noted, is crucial but easy to overlook, since it is only when one goes under the surface that the problem with the data sends up a red flag.
“The closer look says this is a prepaid phone, opened in another city 20 days ago,” he said, “which sends up a huge red flag. And those red flags can be found, but companies need to look at data in much greater detail to really see minute discrepancies. In this case, it is two pieces of secondary data that trigger the discovery that this is a fraud.”
The key, he said, is not to simply try to associate a customer with a data set, but to think about all the metadata that underlies the data set that a customer creates and leaves evidence of throughout all their interactions on the web. That metadata, he noted, is the customers’ digital DNA, and firms that want to fight the next evolutionary phase of fraud will need to whip out their microscopes, so to speak, to find it if they want to win the battle.
GIACT’s fraud-fight tool focuses on consumer metadata as “digital DNA,” Barnhardt noted, because... [it] is much harder for a fraudster to spoof.
The Brazen Fraudster
Fraudsters get a lot of credit for being inventive, creative and even for being diabolical geniuses, but Barnhardt noted that is probably giving the fraudsters of the world a bit more credit than they are owed. Fraudsters, he noted, are often a lot more brazen than they are brilliant. They are well-versed and studied in the weak points of traditional fraud-fighting methods, and even some AI approaches to the problem.
He said, “They understand probabilistic methods of fighting fraud with a scoring mechanism. They know that when the system scans the results, it will appear to be 85 to 95 percent correct and pass the transaction through. The devil here is literally in the details.”
Fraudsters also know that siloing is a weak point for even large organizations with advanced fraud-fighting tools, and that sometimes fooling the payments end of things starts with an attack further up the chain.
Understanding the entire customer lifecycle is important, Barnhardt said, because fraudsters will look to break into any part of the service chain where they can find an easy access point. That means, when companies start seeing a sudden spike in returns and charge-offs, it looks like a payments problem, but it’s really a bit more nuanced than that. When firms look closer, he explained, it’s not that there aren’t fraud detection tools in place on the payments end — quite the opposite, they usually have excellent tools for that. Every individual transaction they approve “make perfect sense, if one is only looking at transactions.”
The problem, according to Barnhardt, is that the fraud happened early in the customer lifecycle, during the enrollment process, when a fraudster using a synthetic identity managed to be issued an account or services to which they never should have had access.
“Companies have siloed enrollments away from payment and identification — they treat them as separate entities. But fraud operators are comprehensive in their attacks, which means the companies holding them off need to be as well,” he said.
Customers, Barnhardt noted, leave digital fingerprints all over the internet that give fraud fighters two important pieces of context to review transactions against: what a consumer normally does and how long that has been their normal behavior. Since fraud operators can intercede at any point in a consumer profile, service providers need to take an active look at the customer’s entire lifecycle and compare it against every new request that is thrown at them. And for a layer of additional challenge in payments, all of that matching and verification must happen in real time.
“Whether funds are being disbursed or debited, the customers on both ends of the transaction expect that funds requested will be sent on demand when requested. But, unless we want the advent of faster payments to also be the advent of faster fraud, companies need to really complete the picture of who their customer really is,” he said.
GIACT’s fraud-fight tool focuses on consumer metadata as “digital DNA,” Barnhardt noted, because the deeper look — not just on identity points (name, address, social security number, etc.) — at the specific individual connections and use patterns of those things creates something that is much harder for a fraudster to spoof.
He added, “How long has a customer been using an email address, how many phone lines do they use, who is their provider, how long has that been that customer’s provider, how often do they use a certain email address for commerce — these are a history of associations that fraudsters have a hard time replicating.”
The goal, he noted, is to spot even small discrepancies within that set for the entirety of a consumer lifecycle, basically to find things that are glaringly out of step: a customer who has used the same email address for all their eCommerce for 12 years, with one account set to send alerts and info to another much newer email address; a customer with a one-off, temporary phone number associated with a handful of accounts but absolutely nothing else; or a customer with very a controlled monthly spend, who routinely has zero balances, suddenly running up thousands in credit card bills. All those things might be happening for a legitimate reason, but those sorts of out-steps should at least alert providers that further data is needed.
“It can be a lot harder for fraudsters to do true-name fraud when that customer name is associated not just with data points, but a richly developed set of temporal connections between them,” Barnhardt said.
Fraud Proofing The Future
Thieves, Barnhardt added, are persistent and adaptable. It was only four years ago that the biggest concern in fraud protection was credit-card spoofing. With the rise of EMV, that line is becoming less lucrative, so fraudsters changed the nature of their game with strengthened online attacks and synthetic identity skills. Cybercriminals aren’t committed to a tactic, they are just looking for an outcome and will exploit whatever weakness they can find to make that outcome happen.
“Tech is going to change,” he said, “and we as [a] provider owe it to our customers to keep coming up with innovative solutions that can detect tomorrow’s crimes.”
And tomorrow’s crimes are coming, he noted, despite the most innovative solutions for locking out fraudsters. No matter how good the fraud-fighting technology gets (with AI and data analytics, with biometric authentication techniques, with sophisticated profiling), the reality is that there is no individual silver bullet that will put the fraudsters down.
H e said, “I look at biometrics and I think, when you are looking at a customer face, why not also scan the iris and ask for a voiceprint so you are using three biometrics at once. And even then, couple that data with traditional and non-traditional data sources to be sure that not just individual pieces match up, but everything that is happening makes sense at the same time.”
Then, Barnhardt noted, after doing all of that, understand that in the future of fighting fraud, with the most sophisticated technology available, losses are still going to happen and sometimes fraudsters will find a big loophole.
“When we’ve got enrollment fraud under control, fraudsters will move on to the next thing. Maybe it will be internet-connected devices or provisioning apps, or the payments process itself,” he said.
There is no fraud-proofing the future. However, he noted, there are better and faster ways to fight fraud, and the future of that is not just in looking at snapshots of transactions, but in understanding — in real time — the entire profile of the consumer making the request.
He added, “When you look at it holistically and consider the task as managing a customer lifecycle, at least you aren’t playing whack-a-mole with fraudsters, because you are more quickly able to find where to look for fraud.”