Bill Sallurday is a Sales Executive for Experian’s Fraud & Identity Solutions business. He has over 30 years of experience helping clients across numerous verticals to deploy innovative solutions to grow and protect their businesses. He came to Experian in October 2013 by way of the acquisition of a leading fraud detection company, The 41st Parameter. Most recently, Bill helps his clients to develop creative and covert strategies to detect fraud while limiting the impact on the client experience. It’s no wonder that, as the son of a police officer, he’s passionate about stopping fraud and thwarting crime.

-- Bill Sallurday

All posts by Bill Sallurday


Newest technology doesn’t mean best when it comes to stopping fraud

I recently attended the Merchant Risk Conference in Las Vegas, which brings together online merchants and industry vendors including payment service providers and fraud detection solution providers. The conference continues to grow year to year – similar to the fraud and risk challenges within the industry. In fact, we just released analysis that we’ve seen fraud rates spike to 33% in the past year. This year, the exhibit hall was full of new names on the scene – evidence that there is a growing market for controlling risk and fraud in the e-commerce space.

I heard from a few merchants at the conference that there were some “cool” new technologies out to help combat fraud. Things like machine learning, selfies and other two-factor authentication tools were all discussed as the latest in the fight against fraud. The problem is, many of these “cool” new technologies aren’t yet efficient enough at identifying and stopping fraud. Cool, yes. Effective, no.

Sure, you can ask your customer to take a selfie and send it to you for facial recognition scanning. But, can you imagine your mother-in-law trying to manage this process? Machine Learning, while very promising, still has some room to grow in truly identifying fraud while minimizing the false positives. Many of these “anomaly detection” systems look for just that – anomalies. The problem is, we’re fighting motivated and creative fraudsters who are experts at avoiding detection and can beat anomaly detection.

I do not doubt that you can stop fraud if you introduce some of these new technologies. The problem is, at what cost? The trick is stopping fraud with efficiency – to stop the fraud and not disrupt the customer experience. Companies, now more than ever, are competing based on customer experience. Adding any amount of friction to the buying process puts your revenue at risk.

Consider these tips when evaluating and deploying fraud detection solutions for your online business.

Evaluate solutions based on all metrics
What is the fraud detection rate? What impact will it have on approvals? What is the false positive rate and impact on investigations? Does the attack rate decline after implementing the solution? Is the process detectable by fraudsters? What friction is introduced to the process?

Use all available data at your disposal to make a decision
Does the consumer exist? Can we validate the person’s identity? Is the web-session and user-entered data consistent with this consumer?

Step up authentication but limit customer friction
Is the technology appropriate for your audience (i.e. a selfie, text-messaging, document verification, etc.)? Are you using jargon in your process?

In the end, any solution can stop 100% of the fraud – but at what cost? It’s a balance – a balance between detection and friction. Think about customer friction and the impact on customer satisfaction and revenue.

Published: March 29, 2017 by Bill Sallurday

Loyalty fraud and the customer experience

Criminals continue to amaze me. Not surprise me, but amaze me with their ingenuity. I previously wrote about fraudsters’ primary targets being those where they easily can convert credentials to cash. Since then, a large U.S. retailer’s rewards program was attacked – bilking money from the business and causing consumers confusion and extra work. This attack was a new spin on loyalty fraud. It is yet another example of the impact of not “thinking like a fraudster” when developing a program and process, which a fraudster can exploit.

As it embarks on new projects, every organization should consider how it can be exploited by criminals. Too often, the focus is on the customer experience (CX) alone, and many organizations will tolerate fraud losses to improve the CX. In fact, some organizations build fraud losses into their budgets and price products accordingly — effectively passing the cost of fraud onto the consumers.

Let’s look into how this type of loyalty fraud works. The criminal obtains your login credentials (either through breach, malware, phishing, brute force, etc.) and uses the existing customer profile to purchase goods using the payment method on file for the account. In this type of attack, the motivation isn’t to receive physical goods; instead, it’s to accumulate rewards points — which can then be used or sold. The points (or any other form of digital currency) are instant — on demand, if you will — and much easier to fence. Once the points are credited to the account, the criminal cashes them out either by selling them online to unsuspecting buyers or by walking into a store, purchasing goods and walking right out after paying with the digital currency.

A quick check of some underground forums validates the theory that fraudsters are selling retailer points online for a reduced rate — up to 70 percent off. Please don’t be tempted to buy these! The money you spend will no doubt end up doing harm, one way or another.

Now, back to the customer experience. Does having lax controls really represent a good customer experience? Is building fraud losses into the cost of your products fair to your customers? The people whose accounts have been hacked most likely are some of your best customers. They now have to deal with returning merchandise they didn’t purchase, making calls to rectify the situation, having their personally identifiable information further compromised and having to pay for the loss. All in all, not a great customer experience.

All businesses have a fiduciary responsibility to protect customer data with which they have been entrusted — even if the consumer is a victim of malware, phishing or password reuse. What are you doing to protect your customers? Simple authentication technologies, while nice for the CX, easily can fail if the criminal has access to the login credentials. And fraud is not a single event. There are patterns and surveillance activities that can help to detect fraud at every phase of your loyalty program — from new account opening to account logins and updates to transactions that involve the purchase of goods or the movement of currency.

As fraudsters continue to evolve and look for the least-protected targets, loyalty programs have come to the forefront of the battleground. Take the time to understand your vulnerability and how you can be attacked. Then take the necessary steps to protect your most profitable customers — your loyalty program members.

If you want to learn more, join us at MRC Vegas 16 for our session “Loyalty Fraud; It’s Brand Protection, Not Just Loss Prevention” and hear our industry experts discuss loyalty fraud, why it’s lucrative, and what organizations can do to protect their brand from this grey-area type of fraud.

Published: February 22, 2016 by Bill Sallurday

Looking at true fraud rate

I’ve talked with many companies over the years about their fraud problems. Most have a genuine desire to operate under the fraud prevention model and eliminate all possible fraud from their systems. The impact on profit is often the primary motivation for implementing solutions, but in reality most companies employ a fraud management schema, offsetting the cost of fraud with the cost of managing it.

There are numerous write-ups and studies on the true cost of fraud. What most people don’t realize is that, for each item lost to fraud, a business operating on 10 percent net profit margins will need to sell 10 times the amount of product in order to recover the expense associated with the loss. These hard costs don’t include the soft dollar costs, such as increased call center expenses to handle customer calls.

Recently, some organizations have started to add reputational risk into their cost-of-fraud equation. With the proliferation of social media, a few unhappy customers who have been victims of fraud easily can impact an organization’s reputation. This is an emerging fuzzy cost that eventually can be tied back to lost revenue or a drop in share price.

Most companies say with pride that their acceptable fraud rate is zero. But when it comes time to choose a partner in fraud detection, it almost always comes down to return on investment. How much fraud can be stopped — and at what price? More informed organizations take all operational expenses and metrics into consideration, but many look at vendor price as the only cost. It’s at this point that they start to increase their acceptable fraud rate. In other words, if — hypothetically — Vendor A can stop only 80 percent of the fraud compared with Vendor B, but Vendor A costs less than 80 percent of what Vendor B costs, they’ll choose Vendor A. All of a sudden, their acceptable fraud rate is no longer zero. This method of decision making is like saying we’ll turn off the security cameras for 20 percent of the day because we can save money on electricity.

On the surface, I understand. You have to be accountable to the shareholders. You have to spend and invest responsibly. Everyone is under pressure to perform financially. How many executives, however, take the time to see where those lost dollars end up? If they knew where the money went, would they change their view? We must be vigilant and keep our acceptable fraud rate at zero.

Published: January 11, 2016 by Bill Sallurday

Electronic signatures and their emerging presence in our Internet-connected world

I had the opportunity to represent Experian at the eSignRecords 2015 conference in New York City last week. The concept of electronic signature, while not new, certainly has an emerging presence in the Internet-connected world — as evidenced by the various attendee companies that were represented, everything from home mortgages to automobiles.

Much of the discussion focused on the legal aspects of accepting an electronic signature in lieu of an in-person physical signature. The implications of accepting this virtual stamp of approval were discussed, as well as the various cases that already have been tried in court. Of course, the outcome of those cases shapes the future of how to properly integrate this new form of authorization into existing business processes.

Attendees discussed the basic concept of simply accepting a signature on an electronic pad as opposed to one written on a piece of paper. That act alone has many legal challenges even though it provides the luxury of in-person authentication through a face-to-face meeting. The complexities and risk increase exponentially when these services are extended over the Internet.

The ability to sign documents virtually opens up a whole new world of business opportunities, and the concept certainly caters to the consumer’s need for convenience. However, the anonymity of the Internet presents the everyday challenge of balancing consumer expectations of greater ease of use with necessary fraud prevention measures. Ultimately, it always comes back to understanding who is actually signing that document.

All of this highlights the need for robust authentication and security measures. As more and more legal documents and contracts are passed around virtually, the opportunity to properly screen and verify who has access to the documents gets more critical. Many organizations still rely on the tried-and-true method of knowledge-based authentication (KBA), while many others have called for its end. KBA continues to soldier on as an effective way to ensure that people on the other end of the wire are who they say they are by asking questions that — presumably — only they know the answers to.

In most cases, KBA is viewed as a “check the box” step in the process to satisfy the lawyers. In certain cases, that’s all you need to do to ensure compliance with legal policy or regulatory requirements. Where it starts to get tricky is when there’s more on the line than just “check the box” actions. When the liability of first- or third-party fraud becomes greater than simple compliance, it’s time to implement tighter security, while at the same time limiting the amount of friction caused by the process.

Many in attendance discussed the need for layers of authentication based on the type of documents that are being processed and handled. This speaks directly to the point that one size does not fit all. As the industry matures and acceptance of e-signatures increases, so too does the need for more robust, flexible options in authentication.

Another topic — that was quite frankly foreign to everyone we talked to — was the need for security around the concept of account takeover. When discussing this type of fraud, most attendees did not even consider this to be a hole in their strategy.

Consider this fictional scenario. I’m responsible for mergers and acquisitions for my publicly traded company. I often share confidential information via electronic means, leveraging one of the many electronic signature solutions on the market. I become a victim of a phishing attack and unknowingly provide my login credentials to the fraudster. The fraudster now has access to every electronic document that I have shared with various organizations — most of which have been targets for mergers and acquisitions.

Fraudsters are creative. They exploit new technologies — not because they’re trendsetters, but because oftentimes these new technologies fail to consider how fraudsters can benefit from the system.

If you are considering adopting e-signature as a formal process, please consider implementing:

Flexible levels of authentication based on the risk and liability of the documents that are being presented and what they are protecting
FraudNet for Account Takeover, which enhances security around access to these critical documents to protect against data breaches
Not only the needs and experiences of your own business, but customer needs as well to enable the best possible customer interactions

If you haven’t considered implementing e-signature technology into your business process, you should — but be sure to have your fraud team present when considering the implementation.

Published: December 7, 2015 by Bill Sallurday

While walking through a toy store in search of the perfect gift for a nephew, I noticed the board game Risk, which touts itself as “The Game of Global Domination.” For those who are unaware, the game usually is won by players who focus on four key themes:

Strategy — Before you begin the game, you need a strategy to attack new territories while defending your own
Attack — While you have the option to sit back and defend your territory, it’s better to attack a weakened opponent
Fortify — When you are finished attacking, it’s often best to fortify your position
Alliances — While not an official part of the game, creating partnerships is necessary in order to win

These themes also are relevant to the world of real-life fraud risk prevention. The difference is that the stakes are real and much higher. Let’s look at how these themes play out in real-life fraud risk prevention:

Strategy — Like in the game, you need a strategy for fraud risk detection and prevention. That strategy must be flexible and adaptable since fraudsters (your enemies) also continuously adapt to changing environments, usually at a much quicker, less bureaucratic pace. For example, your competitors (other countries) may improve their defenses, so fraudsters will mount a more focused attack on you. Fraudsters also may build alliances to attack you from different vectors or channels, resulting in a more sophisticated, comprehensive strike.

Attack — As the game begins, all players have access to all competitors (countries). This means that fraudsters might have the upper hand in a certain area of the business. You can sit back and try to defend the territory you already “own,” where fraudsters have no traction, but it’s best to be aggressive and attack fraudsters by expanding your coverage across all channels. For example, you might have plenty of controls in place to manage your Web orders (occupied territory), but your call center operations (opponents’ territory) aren’t protected, i.e., the fraudsters “own” this space. You need to attack that channel to drive fraudsters out.

Fortify — In the game, you can fortify your position after a successful move — that is, move more troops to your newly conquered territories. In real life, you always have the option to fortify your position, and you should constantly look for ways to improve your controls. You can’t afford to maintain your current position, because fraudsters constantly are looking for weaknesses.

Alliances — In business, we often are hesitant to share information with our competitors. Fraudsters use this to their advantage. Just as fraudsters act in a coordinated fashion, so must we.

Use all available resources and partners to shore up your defenses
Leverage the power of consortium data
Learn new methods from traditional competitors
Always team up with internal and external partners to defend your territory

If you apply these themes, you will be positioned for global domination in the fight against fraud risk. You can read more about fraud-prevention strategies in our recent ebook, Protecting the Customer Experience.

As a side note, I’m always ready for a game of Risk, so contact me if you’re interested. But be forewarned — I’m competitive.

Published: November 6, 2015 by Bill Sallurday
