For the last several years, as the global economy flourished, the opportunities created by removing friction and driving growth guided business strategies governing identity and fraud. The amount of profitable business available in a low-friction environment simply outweighed the fraud that could be mitigated with more stringent verification methods. Now that we’re facing a global crisis, it’s time to reconsider the approach that drove the economic boom that defined that last decade. Recognizing how economic changes impact fraud At the highest level, we separate fraud into two types; third party fraud and first party fraud. In simple terms, third party fraud involves the misuse of a real customer’s identity or unauthorized access to a real customer’s accounts or assets. First party fraud involves the use of an identity that the fraudster controls—whether it’s their own identity, a manipulated version of their own identity, or a synthetic identity that they have created. The important difference in this case is that the methods of finding and stopping third party fraud remain constant even in the event of an economic downturn – establish contact with the owner of the identity and verify whether the events are legitimate. Fraud tactics will evolve, and volumes increase as perpetrators also face pressure to generate income, but at the end of the day, a real person is being impersonated, and a victim exists that will confirm when fraud is taking place. Changes in first party fraud during an economic downturn are dramatically different and much more problematic. The baseline level of first party fraud using synthetic, manipulated and the perpetrator’s own identity continue, but they are augmented by real people facing desperate circumstances and existing “good” customers who over-extend while awaiting a turn-around. The problem is that there is no “victim” to confirm fraud is occurring, and the line between fraud (which implies intent) and credit default (which does not) becomes very difficult to navigate. With limited resources and pressures of their own, at some point lenders must try to distinguish deliberate theft from good customers facing bad circumstances and manage cases accordingly. The new strategy When times are good, it’s easier to build up a solid book of business with good customers. Employment rates are high, incomes are stable, and the risks are manageable. Now, we’re experiencing rapidly changing conditions, entire industries are disrupted, unemployment claims have skyrocketed and customers will need assistance and support from their lenders to help them weather the storm. This is a reciprocal relationship – it behooves those same lenders to help their customers get through to the other side. Lenders will look to limit losses and strengthen relationships. At the same time, they’ll need to reassess their existing fraud and identity strategies (among others) as every interaction with a customer takes on new meaning. Unexpected losses We’ve all been bracing for a recession for a while. But no one expected it to show up quite like it did. Consumers who have been model customers are suddenly faced with a complete shift in their daily life. A job that seemed secure may be less so, investments are less lucrative in the short term, and small business owners are feeling the pressure of a change in day-to-day commerce. All of this can lead to unexpected losses from formerly low-risk customers. As this occurs, it becomes more critical than ever to identify and help good customers facing grim circumstances and find different ways to handle those that have malicious intent. Shifting priorities When the economy was strong, many businesses were able to accept higher losses because those losses were offset by immense growth. Unfortunately, the current crisis means that some of those policies could have unforeseen consequences. For instance – the loss of the ability to differentiate between a good customer who has fallen on hard times and someone who’s been a bad actor from the start. Additionally, businesses need to revise their risk management strategies to align with shifting customer needs. The demand for emergency loans and will likely rise, while loans for new purchases like cars and homes will fall as consumers look to keep their finances secure. As the need to assist customers in distress rises and internal resources are stressed, it’s critical that companies have the right tools in place to triage and help customers who are truly in need. The good news The tools businesses like yours need to screen first party fraud already exist. In fact, you may already have the necessary framework in place thanks to an existing partnership, and a relatively simple process could prepare your business to properly screen both new and existing customers at every touchpoint. This global crisis is nowhere near over, but with the right tools, your business can protect itself and your customers from increased fraud risks and losses of all sorts – first party, stolen identities, or synthetic identities, and come out on the other side even stronger. Contact Experian for a review of your current fraud strategy to help ensure you’re prepared to face upcoming challenges. Contact us
Originally posted by Experian Global News blog At Experian, we have an unwavering commitment to helping consumers and clients manage through this unprecedented period. We are actively working with consumers, lenders, lawmakers and regulators to help mitigate the potential impact on credit scores during times of financial hardship. In response to the urgent and rapid changes associated with COVID-19, we are accelerating and enhancing our financial education programming to help consumers maintain good credit and gain access to the financial services they need. This is in addition to processes and tools the industry has in place to help lenders accommodate situations where consumers are affected by circumstances beyond their control. These processes will be extended to those experiencing financial hardship as a result of COVID-19. As the Consumer’s Credit Bureau, our commitment at Experian is to inform, guide and protect our consumers and customers during uncertain times. With expected delays in bill payments, unprecedented layoffs, hiring freezes and related hardships, we are here to help consumers in understanding how the credit reporting system and personal finance overall will move forward in this landscape. One way we’re doing this is inviting everyone to join our special eight-week series of #CreditChat conversations surrounding COVID-19 on Wednesdays at 3 p.m. ET on Twitter. Our weekly #CreditChat program started in 2012 to help the community learn about credit and important personal finance topics (e.g. saving money, paying down debt, improving credit scores). The next several #CreditChats will be dedicated to discussing ways to manage finances and credit during the pandemic. Topics of these #CreditChats will include methods and strategies for bill repayment, paying down debt, emergency financial assistance and preparing for retirement during COVID-19. “As the consumer’s credit bureau, we are committed to working with consumers, lenders and the financial community during and following the impacts of COVID-19,” says Craig Boundy, Chief Executive Officer of Experian North America. “As part of our nation’s new reality, we are planning for options to help mitigate the potential impact on credit scores due to financial hardships seen nationwide. Our #CreditChat series and supporting resources serve as one of several informational touchpoints with consumers moving forward.” Being fully committed to helping consumers and lenders during this unprecedented period, we’ve created a dedicated blog page, “COVID-19 and Your Credit Report,” with ongoing and updated information on how COVID-19 may impact consumers’ creditworthiness and – ultimately – what people should do to preserve it. The blog will be updated with relevant news as we announce new solutions and tactics. Additionally, our “Ask Experian” blog invites consumers to explore immediate and evolving resources on our COVID-19 Updates page. In addition to this guidance, and with consumer confidence in the economy expected to decline, we will be listening closely to the expert voices in our Consumer Council, a group of leaders from organizations committed to helping consumers on their financial journey. We established a Consumer Council in 2009 to strengthen our relationships and to initiate a dialogue among Experian and consumer advocacy groups, industry experts, academics and other key stakeholders. This is in addition to ongoing collaboration with our regulators. Additionally, our Experian Education Ambassador program enables hundreds of employee volunteers to serve as ambassadors sharing helpful information with consumers, community groups and others. The goal is to help the communities we serve across North America, providing the knowledge consumers need to better manage their credit, protect themselves from fraud and identity theft and lead more successful, financially healthy lives. COVID-19 has impacted all industries and individuals from all walks of life. We want our community to know we are right there with you. Learn more about our weekly #CreditChat and upcoming schedule here. Learn more
Security. Convenience. Personalization. Finding the balance between these three priorities is key to creating a safe and low-friction customer experience. We surveyed more than 6,500 consumers and 650 businesses worldwide about these priorities for our 2020 Global Identity and Fraud Report: Most business are focusing on personalization, specifically in relation to upselling and cross-selling. This is frustrating customers who are looking for increases in both security and convenience. It’s possible to have all three. Read Full Report
If you’ve been on the dating scene in the last few years, you’re probably familiar with ghosting. For those of you who aren’t, I’ll save you the trip to Urban Dictionary. “Ghosting” is when the person you’re dating disappears. No calls. No texts. No DMs. They just vanish, never to be heard from again. As troublesome as this can be, there’s a much more nefarious type of ghosting to be wary of – credit ghosting. Wait, what’s credit ghosting? Credit ghosting refers to the theft of a deceased person’s identity. According to the IRS, 2.5 million deceased identities are stolen each year. The theft often occurs shortly after someone dies, before the death is widely reported to the necessary agencies and businesses. This is because it can take months after a person dies before the Social Security Administration (SSA) and IRS receive, share, or register death records. Additionally, credit ghosting thefts can go unnoticed for months or even years if the family of the deceased does not check their credit report for activity after death. Opportunistic fraudsters check obituaries and other publicly available death records for information on the deceased. Obituaries often include a person’s birthday, address or hometown, parents’ names, occupation, and other information regularly used in identity verification. With this information fraudsters can use the deceased person’s identity and take advantage of their credit rating rather than taking the time to build it up as they would have to with other types of fraud. Criminals will apply for credit cards, loans, lines of credit, or even sign up for a cell phone plan and rack up charges before disappearing. Where did this type of identity theft come from? Credit ghosting is the result of a few issues. One traces back to a discrepancy noted by the Social Security’s inspector general. In an audit, they found that 6.5 million Social Security numbers for people born before June 16, 1901, did not have a date of death on record in the administration’s Numident (numerical identification) system – an electronic database containing Social Security number records assigned to each citizen since 1936. Without a date of death properly noted in the database, government agencies and other entities inquiring won’t necessarily know an individual is deceased, making it possible for criminals to implement credit ghosting schemes. Additionally, unreported deaths leave further holes in the system, leading to opportunity for fraudsters. When financial institutions run checks on the identity information supplied by a fraudster, it can seem legitimate. If the deceased’s credit is in good standing, the fraudster now appears to be a good customer—much like a synthetic identity—but now with the added twist that all of the information is from the same person instead of stitched together from multiple sources. It can take months before the financial institution discovers that the account has been compromised, giving fraudsters ample time to bust out and make off with the funds they’ve stolen. How can you defend against credit ghosting? Luckily, unlike your dating pipeline, there are ways to guard against ghosting in your business’ pipeline. Frontline Defense: Start by educating your customers. It’s never pleasant to consider your own passing or that of a loved one, but it’s imperative to have a plan in place for both the short and long term. Remind your customers that they should contact lenders and other financial institutions in the event of a death and continue monitoring those accounts into the future. Relatives of the deceased don’t tend to check credit reports after an estate has been settled. If the proper steps aren’t taken by the family to notify the appropriate creditors of the death, the deceased flag may not be added to their credit report before the estate is closed, leaving the deceased’s information vulnerable to fraud. By offering your customers assistance and steps to take, you can help ensure that they’re not dealing with the fallout of credit ghosting—like dealing with calls from creditors following up after the fraudster’s bust-out—on top of grieving. Backend Defense: Ensure you have the correct tools in place to spot credit ghosts when they try to enter your pipeline. Experian’s Fraud Shield includes high risk indicators and provides a deceased indicator flag so you can easily weed them out. Additionally, you can track other risk indicators like previous uses of a particular Social Security number and identify potential credit-boosting schemes. Speak to an Experian associate today about how you can increase your defenses against credit ghosting. Let\'s talk
It’s Halloween time – time for trick or treating, costume parties and monsters lurking in the background. But this year, the monsters aren’t just in the background. They’re in your portfolio. This year, “Frankenstein” has another meaning. Much more ominous than the neighbor kid in the costume. “Frankenstein IDs” refer to synthetic identities — a type of fraud carried out by criminals that have created fictitious identities. Just as Dr. Frankenstein’s monster was stitched together from parts, synthetic IDs are stitched together pieces of mismatched identities — some fake, some real, some even deceased. It typically takes fraudsters 12 to 18 months to create and nurture a synthetic identity before it’s ready to \"bust out\" – the act of building a credit history with the intent of maxing out all available credit and eventually disappearing. That means fraudsters are investing money and time to build numerous tradelines, ensure these \"fake\" identities are in good credit standing, and ultimately steal the largest amount of money possible. “Wait Master, it might be dangerous . . . you go, first.” — Igor Synthetic identities are a notable challenge for many financial institutions and retail organizations. According to the recently released Federal Reserve Board White Paper, synthetic identity fraud accounts for roughly 20% of all credit losses, and cost U.S. businesses roughly $6 billion in 2016 with an estimated 41% growth over 2 years. 85-95% of applicants identified as potential synthetic are not even flagged by traditional fraud models. The Social Security Administration recently announced plans for the electronic Consent Based Social Security Number Verification service – pilot program scheduled for June 2020. This service is designed to bring efficiency to the process for verifying Social Security numbers directly with the government agency. Once available, this verification could be an important tool in the fight against the elusive “Frankenstein” identity monster. But with the Social Security Administration\'s pilot program not scheduled for launch until the middle of next year, how can financial institutions and other organizations bridge the gap and adequately prepare for a potential uptick in synthetic identity fraud attacks? It comes down to a multilayered approach that relies on advanced data, analytics, and technology — and focuses on identity. Any significant progress in making synthetic identities easier to detect could cost fraudsters significant time and money. Far too many financial institutions and other organizations depend solely on basic demographic information and snapshots in time to confirm the legitimacy of an identity. These organizations need to think beyond those capabilities. The real value of data in many cases lies between the data points. We have seen this with synthetic identity — where a seemingly legitimate identity only shows risk when we can analyze its connections and relationships to other individuals and characteristics. In addition to our High Risk Fraud Score, we now have a Synthetic Fraud Risk Level Indicator available on credit profiles. These advanced detection capabilities are delivered via the simplicity of a straightforward indicator returned on the credit profile which lenders can use to trigger additional identity verification processes. While there are programs and initiatives in the works to help financial institutions and other organizations combat synthetic identity fraud, it\'s important to keep in mind there\'s no silver bullet, or stake to the heart, to completely keep these Frankenstein IDs out. Oh, and don’t forget… “It’s pronounced ‘Fronkensteen.’ ” — Dr. Frankenstein
Experian is excited to have been chosen as one of the first data and analytics companies that will enable access to Social Security Administration (SSA) data for the purposes of verifying identity against the Federal Agency’s records. The agency’s involvement in the wake of Congressional interest and successful legislation will create a seismic shift in the landscape of identity verification. Ultimately, the ability to leverage SSA data will reduce the impact of identity fraud and synthetic identity and put real dollars back into the pockets of people and businesses that absorb the costs of fraud today. As this era of government and private sector collaboration begins, many of our clients and partners are breathing a sigh of relief. We see this in a common question our customers ask every day, “Do I still need an analytical solution for synthetic ID now that eCBSV is on the horizon?” The common assumption is that help is on the way and this long tempest of rising losses and identity uncertainty is about to leave us. Or is it? We don’t believe it’s the end of the synthetic ID storm. This is the eye. Rather than basking in the calm light of this moment, we should be thinking ahead and assessing our vulnerabilities because the second half of this storm will be worse than the first. Consider this: The people who develop and exploit synthetic IDs are playing a long game. It takes time, research, planning and careful execution to create an identity that facilitates fraud. The bigger the investment, the bigger the spoils will be. Synthetic ID are being used to purchase luxury automobiles. They’re passing lender marketing criteria and being offered credit. The criminals have made their investment, and it’s unlikely they will walk away from it. So, what does SSA’s pending involvement mean to them? How will they prepare? These aren’t hard questions. They’ll do what you would do in the eye of a storm — maximize the value of the preparations that are in place. Gather what you can quickly and brace yourself for the uncertainty that’s coming. In short, there’s a rush to monetize synthetic IDs on the horizon, and this is no time to declare ourselves safe. It’s doubtful that the eCBSV process will be the silver bullet that ends synthetic ID fraud — and certainly not on day one. It’s more likely that the physical demands of the data exchange, volume constraints, response times and the actionability of the results will take time to optimize. In the meantime, the criminals aren’t going to sit by and watch as their schemes unravel and lose value. We should take some comfort that we’ve made it through the first half of the storm, but recognize and prepare for what still needs to be faced.
What do movie actors Adam Sandler and Hugh Grant, jazz singer Michael Bublé, Russian literary giant Leo Tolstoy, and Colonel Sanders, the founder of KFC, have in common? Hint, it’s not a Nobel Prize for Literature, a Golden Globe, a Grammy Award, a trademark goatee, or a “finger-lickin’ good” bucket of chicken. Instead, they were all born on September 9, the most common birth date in the U.S. Baby Boom According to real birth data compiled from 20 years of American births, September is the most popular month to give birth to a child in America – and December, the most popular time to make one. With nine of the top 10 days to give birth falling between September 9 and September 20, one may wonder why the birth month is so common. Here are some theories: Those who get to choose their child’s birthday due to induced and elective births tend to stay away from the hospital during understaffed holiday periods and may plan their birth date around the start of the school year. Several of the most common birth dates in September correspond with average conception periods around the holidays, where couples likely have more time to spend together. Some studies within the scientific community suggest that our bodies may actually be biologically disposed to winter conceptions. While you may not be feeling that special if you were born in September, the actual differences in birth numbers between common and less common birthdays are often within just a few thousand babies. For example, September 10, the fifth most common birthday of the year, has an average birth rate of 12,143 babies. Meanwhile, April 20, the 328th most common birthday, has an average birth rate of 10,714 newborns. Surprisingly, the least common birthdays fall on Christmas Eve, Christmas Day and New Year’s Day, with Thanksgiving and Independence Day also ranking low on the list. Time to Celebrate – but Watch out! Statistically, there’s a pretty good chance that someone reading this article will soon be celebrating their birthday. And while you should be getting ready to party, you should also be on the lookout for fraudsters attempting to ruin your big day. It’s a well-known fact that cybercriminals can use your birth date as a piece of the puzzle to capture your identity and commit identity theft – which becomes a lot easier when it’s being advertised all over social media. It’s also important for employers to safeguard their organization from fraudsters who may use this information to break into corporate accounts. While sharing your birthday with a lot of people could be a good or bad thing depending on how much undivided attention you enjoy – you’re in great company! Not only can you plan a joint party with Michelle Williams, Afrojack, Cam from Modern Family, four people I went to high school with on Facebook and a handful of YouTube stars that I’m too old to know anything about, but there will be more people ringing in your birthday than any other day of the year! And that’s pretty cool.
If you’re a credit risk manager or a data scientist responsible for modeling consumer credit risk at a lender, a fintech, a telecommunications company or even a utility company you’re certainly exploring how machine learning (ML) will make you even more successful with predictive analytics. You know your competition is looking beyond the algorithms that have long been used to predict consumer payment behavior: algorithms with names like regression, decision trees and cluster analysis. Perhaps you’re experimenting with or even building a few models with artificial intelligence (AI) algorithms that may be less familiar to your business: neural networks, support vector machines, gradient boosting machines or random forests. One recent survey found that 25 percent of financial services companies are ahead of the industry; they’re already implementing or scaling up adoption of advanced analytics and ML. My alma mater, the Virginia Cavaliers, recently won the 2019 NCAA national championship in nail-biting overtime. With the utmost respect to Coach Tony Bennett, this victory got me thinking more about John Wooden, perhaps the greatest college coach ever. In his book Coach Wooden and Me, Kareem Abdul-Jabbar recalled starting at UCLA in 1965 with what was probably the greatest freshman team in the history of basketball. What was their new coach’s secret as he transformed UCLA into the best college basketball program in the country? I can only imagine their surprise at the first practice when the coach told them, “Today we are going to learn how to put on our sneakers and socks correctly. … Wrinkles cause blisters. Blisters force players to sit on the sideline. And players sitting on the sideline lose games.” What’s that got to do with machine learning? Simply put, the financial services companies ready to move beyond the exploration stage with AI are those that have mastered the tasks that come before and after modeling with the new algorithms. Any ML library — whether it’s TensorFlow, PyTorch, extreme gradient boosting or your company’s in-house library — simply enables a computer to spot patterns in training data that can be generalized for new customers. To win in the ML game, the team and the process are more important than the algorithm. If you’ve assembled the wrong stakeholders, if your project is poorly defined or if you’ve got the wrong training data, you may as well be sitting on the sideline. Consider these important best practices before modeling: Careful project planning is a prerequisite — Assemble all the key project stakeholders, and insist they reach a consensus on specific and measurable project objectives. When during the project life cycle will the model be used? A wealth of new data sources are available. Which data sources and attributes are appropriate candidates for use in the modeling project? Does the final model need to be explainable, or is a black box good enough? If the model will be used to make real-time decisions, what data will be available at runtime? Good ML consultants (like those at Experian) use their experience to help their clients carefully define the model development parameters. Data collection and data preparation are incredibly important — Explore the data to determine not only how important and appropriate each candidate attribute is for your project, but also how you’ll handle missing or corrupt data during training and implementation. Carefully select the training and validation data samples and the performance definition. Any biases in the training data will be reflected in the patterns the algorithm learns and therefore in your future business decisions. When ML is used to build a credit scoring model for loan originations, a common source of bias is the difference between the application population and the population of booked accounts. ML experts from outside the credit risk industry may need to work with specialists to appreciate the variety of reject inference techniques available. Segmentation analysis — In most cases, more than one ML model needs to be built, because different segments of your population perform differently. The segmentation needs to be done in a way that makes sense — both statistically and from a business perspective. Intriguingly, some credit modeling experts have had success using an AI library to inform segmentation and then a more tried-and-true method, such as regression, to develop the actual models. During modeling: With a good plan and well-designed data sets, the modeling project has a very good chance of succeeding. But no automated tool can make the tough decisions that can make or break whether the model is suitable for use in your business — such as trade-offs between the ML model’s accuracy and its simplicity and transparency. Engaged leadership is important. After modeling: Model validation — Your project team should be sure the analysts and consultants appreciate and mitigate the risk of over fitting the model parameters to the training data set. Validate that any ML model is stable. Test it with samples from a different group of customers — preferably a different time period from which the training sample was taken. Documentation — AI models can have important impacts on people’s lives. In our industry, they determine whether someone gets a loan, a credit line increase or an unpleasant loss mitigation experience. Good model governance practice insists that a lender won’t make decisions based on an unexplained black box. In a globally transparent model, good documentation thoroughly explains the data sources and attributes and how the model considers those inputs. With a locally transparent model, you can further explain how a decision is reached for any specific individual — for example, by providing FCRA-compliant adverse action reasons. Model implementation — Plan ahead. How will your ML model be put into production? Will it be recoded into a new computer language, or can it be imported into one of your systems using a format such as the Predictive Model Markup Language (PMML)? How will you test that it works as designed? Post-implementation — Just as with an old-fashioned regression model, it’s important to monitor both the usage and the performance of the ML model. Your governance team should check periodically that the model is being used as it was intended. Audit the model periodically to know whether changing internal and external factors — which might range from a change in data definition to a new customer population to a shift in the economic environment — might impact the model’s strength and predictive power. Coach Wooden used to say, “It isn’t what you do. It’s how you do it.” Just like his players, the most successful ML practitioners understand that a process based on best practices is as important as the “game” itself.
Be warned. I’m a Philadelphia sports fan, and even after 13 months, I still relish in the only Super Bowl victory I’ve ever known as a fan. Having spent more than two decades in fraud prevention, I find that Super Bowl LII is coalescing in my mind with fraud prevention and lessons in defense more and more. Let me explain: It’s fourth-down-and-goal from the one-yard line. With less than a minute on the clock in the first half, the Eagles lead, 15 to 12. The easy option is to kick the field goal, take the three points and come back with a six-point advantage. Instead of sending out the kicking squad, the Eagles offense stays on the field to go for a touchdown. Broadcaster Cris Collingsworth memorably says, “Are they really going to go for this? You have to take the three!” On the other side are the New England Patriots, winners of two of the last three Super Bowls. Love them or hate them, the Patriots under coach Bill Belichick are more likely than any team in league history to prevent the Eagles from scoring at this moment. After the offense sets up, quarterback Nick Foles walks away from his position in the backfield to shout instructions to his offensive line. The Patriots are licking their chops. The play starts, and the ball is snapped — not to Foles as everyone expects, but to running back Corey Clement. Clement takes two steps to his left and tosses the ball the tight end Trey Burton, who’s running in the opposite direction. Meanwhile, Foles pauses as if he’s not part of the play, then trots lazily toward the end zone. Burton lobs a pass over pursuing defenders into Foles’ outstretched hands. This is the “Philly Special” — touchdown! Let me break this down: A third-string rookie running back takes the snap, makes a perfect toss — on the run — to an undrafted tight end. The tight end, who hasn’t thrown a pass in a game since college, then throws a touchdown pass to a backup quarterback who hasn’t caught a ball in any athletic event since he played basketball in high school. A play that has never been run by the Eagles, led by a coach who was criticized as the worst in pro football just a year before, is perfectly executed under the biggest spotlight against the most dominant team in NFL history. So what does this have to do with fraud? There’s currently an outbreak of breach-fueled credential stuffing. In the past couple of months, billions of usernames and passwords stolen in various high-profile data breaches have been compiled and made available to criminals in data sets described as “Collections 1 through 5.” Criminals acquire credentials in large numbers and attack websites by attempting to login with each set — effectively “stuffing” the server with login requests. Based on consumer propensity to reuse login credentials, the criminals succeed and get access to a customer account between 1 in 1,000 and 1 in 50 attempts. Using readily available tools, basic information like IP address and browser version are easy enough to alter/conceal making the attack harder to detect. Credential stuffing is like the Philly Special: Credential stuffing doesn’t require a group of elite all-stars. Like the Eagles’ players with relatively little experience executing their roles in the Philly Special, criminals with some computer skills, some initiative and the guts to try credential stuffing can score. The best-prepared defense isn’t always enough. The Patriots surely did their homework. They set up their defense to stop what they expected the Eagles to do based on extensive research. They knew the threats posed by every Eagle on the field. They knew what the Eagles’ coaches had done in similar circumstances throughout their careers. The defense wasn’t guessing. They were as prepared as they could have been. It’s the second point that worries me when I think of credential stuffing. Consumers reuse online credentials with alarming frequency, so a stolen set of credentials is likely to work across multiple organizations, possibly even yours. On top of that, traditional device recognition like cookies can’t identify and stop today’s sophisticated fraudsters. The best-prepared organizations feel great about their ability to stop the threats they’re aware of. Once they’ve seen a scheme, they make investments, improve their defenses, and position their players to recognize a risk and stop it. Sometimes past expertise won’t stop the play you can’t see coming.
It’s the holiday season — time for jingle bells, lighting candles, shopping sprees and credit card fraud. But we’re prepared. Our risk analyst team constantly monitors our FraudNet solution performance to identify anomalies our clients experience as millions of transactions occur this month. At its core, FraudNet analyzes incoming events to determine the risk level and to allow legitimate events to process without causing frustrating friction for legitimate customers. That ensures our clients can recognize good customers across digital devices and channels while reducing fraud attacks and the need for internal manual reviews. But what happens when things don’t go as planned? Here’s a recent example. One of our banking clients noticed an abnormally high investigation queue after a routine risk engine tuning. Our risk analyst team looked further into the attacks to determine the cause and assess whether it was a tuning issue or a true fraud attack. After an initial analysis, the team learned that the events shared many of the same characteristics: Came from the same geo location that has been seen in previous attacks on clients Showed suspicious device and browser characteristics that were recognized by Experian’s device identification technology Identified suspicious patterns that have been observed in other recent attacks on banks The conclusion was that it wasn’t a mistake. FraudNet had correctly identified these transactions as suspicious. Experian® then worked with our client and recommended a strategy to ensure this attack was appropriately managed. This example highlights the power of device identification technology as a mechanism to detect emerging fraud threats, as well as link analysis tools and the expertise of a highly trained fraud analyst to uncover suspicious events that might otherwise go unnoticed. In addition to proprietary device intelligence capabilities, our clients take advantage of a suite of capabilities that can further enhance a seamless authentication experience for legitimate customers while increasing fraud detection for bad actors. Using advanced analytics, we can detect patterns and anomalies that may indicate a fraudulent identity is being used. Additionally, through our CrossCore® platform businesses can leverage advanced innovation, such as physical and behavioral biometrics (facial recognition, how a person holds a phone, mouse movements, data entry style), email verification (email tenure, reported fraud on email identities), document verification (autofill, liveliness detection) and digital behavior risk indicators (transaction behavior, transaction velocity), to further advance their existing risk mitigation strategies and efficacy. With expanding partnerships and capabilities offered via Experian’s CrossCore platform, in conjunction with consultative industry expertise, businesses can be more confident during the authentication process to ensure a superb, frictionless customer experience without compromising security.
Your model is only as good as your data, right? Actually, there are many considerations in developing a sound model, one of which is data. Yet if your data is bad or dirty or doesn’t represent the full population, can it be used? This is where sampling can help. When done right, sampling can lower your cost to obtain data needed for model development. When done well, sampling can turn a tainted and underrepresented data set into a sound and viable model development sample. First, define the population to which the model will be applied once it’s finalized and implemented. Determine what data is available and what population segments must be represented within the sampled data. The more variability in internal factors — such as changes in marketing campaigns, risk strategies and product launches — and external factors — such as economic conditions or competitor presence in the marketplace — the larger the sample size needed. A model developer often will need to sample over time to incorporate seasonal fluctuations in the development sample. The most robust samples are pulled from data that best represents the full population to which the model will be applied. It’s important to ensure your data sample includes customers or prospects declined by the prior model and strategy, as well as approved but nonactivated accounts. This ensures full representation of the population to which your model will be applied. Also, consider the number of predictors or independent variables that will be evaluated during model development, and increase your sample size accordingly. When it comes to spotting dirty or unacceptable data, the golden rule is know your data and know your target population. Spend time evaluating your intended population and group profiles across several important business metrics. Don’t underestimate the time needed to complete a thorough evaluation. Next, select the data from the population to aptly represent the population within the sampled data. Determine the best sampling methodology that will support the model development and business objectives. Sampling generates a smaller data set for use in model development, allowing the developer to build models more quickly. Reducing the data set’s size decreases the time needed for model computation and saves storage space without losing predictive performance. Once the data is selected, weights are applied so that each record appropriately represents the full population to which the model will be applied. Several traditional techniques can be used to sample data: Simple random sampling — Each record is chosen by chance, and each record in the population has an equal chance of being selected. Random sampling with replacement — Each record chosen by chance is included in the subsequent selection. Random sampling without replacement — Each record chosen by chance is removed from subsequent selections. Cluster sampling — Records from the population are sampled in groups, such as region, over different time periods. Stratified random sampling — This technique allows you to sample different segments of the population at different proportions. In some situations, stratified random sampling is helpful in selecting segments of the population that aren’t as prevalent as other segments but are equally vital within the model development sample. Learn more about how Experian Decision Analytics can help you with your custom model development needs.
As our society becomes ever more dependent on everything mobile, criminals are continually searching for and exploiting weaknesses in the digital ecosystem, causing significant harm to consumers, businesses and the economy. In fact, according to our 2018 Global Fraud & Identity Report, 72 percent of business executives are more concerned than ever about the impact of fraud. Yet, despite the awareness and concern, 54 percent of businesses are only “somewhat confident” in their ability to detect fraud. That needs to change, and it needs to change right away. Our industry has thrived by providing products and services that root out bad transactions and detect fraud with minimal consumer friction. We continue to innovate new ways to authenticate consumers, apply new cloud technologies, machine learning, self-service portals and biometrics. Yet, the fraud issue still exists. It hasn’t gone away. How do we provide effective means to prevent fraud without inconveniencing everyone in the process? That’s the conundrum. Unfortunately, a silver bullet doesn’t exist. As much as we would like to build a system that can detect all fraud, eliminate all consumer friction, we can’t. We’re not there yet. As long as money has changed hands, as long as there are opportunities to steal, criminals will find the weak points – the soft spots. That said, we are making significant progress. Advances in technology and innovation help us bring new solutions to market more quickly, with more predictive power than ever, and the ability to help clients to turn these services on in days and weeks. So, what is Experian doing? We’ve been in the business of fraud detection and identity verification for more than 30 years. We’ve seen fraud patterns evolve over time, and our product portfolio evolves in lock-step to counter the newest fraud vectors. Synthetic identity fraud, loan stacking, counterfeit, identity theft; the specific fraud attacks may change but our solution stack counters each of those threats. We are on a continuous innovation path, and we need to be. Our consumer and small business databases are unmatched in the industry for quality and coverage, and that is an invaluable asset in the fight against fraud. It used to be that knowing something about a person was the same as authenticating that same person. That’s just not the case today. But, just because I may not be the only person who knows where I live, doesn’t mean that identity information is obsolete. It is incredibly valuable, just in different ways today. And that’s where our scientists come into their own, providing complex predictive solutions that utilize a plethora of data and insight to create the ultimate in predictive performance. We go beyond traditional fraud detection methods, such as knowledge-based authentication, to offer a custom mix of passive and active authentication solutions that improve security and the customer experience. You want the latest deep learning techniques? We have them. You want custom models scored in milliseconds alongside your existing data requests. We can do that. You want a mix of cloud deployment, dedicated hosted services and on-premise? We can do that too. We have more than 20 partners across the globe, creating the most comprehensive identity management network anywhere. We also have teams of experts across the world with the know how to combine Experian and partner expertise to craft a bespoke solution that is unrivaled in detection performance. The results speak for themselves: Experian analyzes more than a billion credit applications per year for fraud and identity, and we’ve helped our clients save more than $2 billion in annual fraud losses globally. CrossCore™, our fraud prevention and identity management platform, leverages the full breadth of Experian data as well as the data assets of our partners. We execute machine learning models on every decision to help improve the accuracy and speed with which decisions are made. We’ve seen CrossCore machine learning result in a more than 40 percent improvement in fraud detection compared to rules-based systems. Our certified partner community for CrossCore includes only the most reputable leaders in the fraud industry. We also understand the need to expand our data to cover those who may not be credit active. We have the largest and most unique sets of alternative credit data among the credit bureaus, that includes our Clarity Services and RentBureau divisions. This rich data helps our clients verify an individual’s identity, even if they have a thin credit file. The data also helps us determine a credit applicant’s ability to pay, so that consumers are empowered to pursue the opportunities that are right for them. And in the background, our models are constantly checking for signs of fraud, so that consumers and clients feel protected. Fraud prevention and identity management are built upon a foundation of trust, innovation and keeping the consumer at the heart of every decision. This is where I’m proud to say that Experian stands apart. We realize that criminals will continue to look for new ways to commit fraud, and we are continually striving to stay one step ahead of them. Through our unparalleled scale of data, partnerships and commitment to innovation, we will help businesses become more confident in their ability to recognize good people and transactions, provide great experiences, and protect against fraud.
Synthetic identities come from accounts held not by actual individuals, but by fabricated identities created to perpetrate fraud. It often starts with stealing a child’s Social Security number (SSN) and then blending fictitious and factual data, such as a name, a mailing address and a telephone number. What’s interesting is the increase in consumer awareness about synthetic identities. Previously, synthetic identity was a lender concern, often showing itself in delinquent accounts since the individual was fabricated. Consumers are becoming aware of synthetic ID fraud because of who the victims are — children. Based on findings from a recent Experian survey, the average age of child victims is only 12 years old. Children are attractive victims since fraud that uses their personal identifying information can go for years before being detected. I recently was interviewed by Forbes about the increase of synthetic identities being used to open auto loans and how your child’s SSN could be used to get a phony auto loan. The article provides a good overview of this growing concern for parents and lenders. A recent Javelin study found that more than 1 million children were victims of fraud. Most upsetting is that children are often betrayed by people close to them -- while only 7 percent of adults are victimized by someone they know, 60 percent of victims under 18 know the fraudster. Unfortunately, when families are in a tight spot financially they often resort to using their child’s SSN to create a clean credit record. Fraud is an issue we all must deal with — lenders, consumers and even minors — and the best course of action is to protect ourselves and our organizations.
Consumer confidence is nearing an 18-year high. Unemployment figures are at record lows. Retail spend is healthy, and expected to stay that way through the back-to-school and holiday shopping booms. Translation for credit card issuers? The swiping and spending continue. In fact, credit card openings were up 4% in the first quarter of 2018 compared to the same time last year, and card utilization is hovering around 20.5%. Even with the Fed’s gradual 2018 rate hikes, consumers are shopping. In a new Mintel report, outstanding credit card debt is now $1.03 trillion (as of the end of Q1, 2018), and the number of consumers with credit cards is growing fastest among people aged 18 to 34. In the retail card arena specifically, boomers and Gen X’ers are leading the charge, opening 45% and 27% of new retails cards, respectively. “A stronger economy always bodes well for credit cards,” said Kelley Motley, director of analytics for Experian. “Now is the time for card issuers to zero in on their most loyal consumers and ensure they are treating them with the right offers, rewards and premium benefits.” Consumer data reveals the top incentives when selecting a rewards-based card includes cash back, gas rewards and retail cards (including travel rewards and airfare). In fact, for younger consumers, offering rewards has proven to be the most effective way to get them to switch from debit to credit cards. Cash back was the most preferred reward for consumers aged 18 to 44 when asked about their motivation to apply for a new card. For individuals 45 and older, 0% interest was the top motivator. Of course, beyond credit card opens, the ideal is to engage with the consumers who are utilizing the card the most. From a segmentation standpoint, the loyal retail cardholder has an average VantageScore® of 671 with an average total balance of $1,633. They use the card regularly and consistently make payments. Finding more loyalists is the goal and can be achieved with informed segmentation insights and targeted prescreen campaigns. On the flip side, insights can inform card issuers with data, helping them to avoid wasting marketing dollars on consumers who merely want to game a quick credit card offer and then close an account. A batch and blast marketing approach no longer works in the credit card marketing game. “Consumers expect you to know them and their financial needs,” said Paul DeSaulniers, senior director of Experian’s segmentation solutions. “The data exists and tells you exactly who to target and how to structure the offer – you just need to execute.”
Consumers and businesses alike have been hyper-focused on all things data over the past several months. From the headlines surrounding social media privacy, to the flurry of spring emails we’ve all received from numerous brands due to the recent General Data Protection Regulation (GDPR) going into effect in Europe, many are trying to assess the data “sweet spot.” In the financial services space, lenders and businesses are increasingly seeking to leverage enhanced digital marketing channels and methods to deliver offers and invitations to apply. But again, many want to know, what are the data rules and how can they ensure they are playing it safe in such a highly regulated environment. In an Experian-hosted webinar, Credit Marketing in the Digital Age, the company recently featured a team of attorneys from Venable LLP’s award-winning privacy and advertising practice. There’s no question today’s consumers expect hyper-targeted messages and user experiences, but with the number of data breaches on the rise, there is also the concern around data access. Who has my data? Is it safe? Are companies using it in the appropriate way? As financial services companies wrestle with the laws and consumer expectations, the Venable legal team provided a few insights to consider. While the digital delivery channels may be new, the underlying credit product remains the same. A prescreened offer is a prescreened offer, and an application for credit is still an application for credit. The marketing of these and other credit products is governed by an array of pre-existing laws, regulations, and self-regulatory principles that combine to form a unique compliance framework for each of the marketing channels. Adhere to credit regulations, but build in enhanced policies and technological protocols with digital delivery. With digital delivery of the offer, lenders should be thinking about the additional compliance aspects attached to those varying formats. For example, in the case of digital display advertising, you should pay close attention to ensuring delivery of the ad to the correct consumer, with suitable protections in place for sharing data with vendors. Lenders and service providers also should think about using authentication measures to match the correct consumer with a landing page containing the firm offer along with the appropriate disclosures and opt-outs. Strong compliance policies are important for all participants in this process. Working with a trusted vendor that has a commitment to data security, compliance by design, and one that maintains an integrated system of decisioning and delivery, with the ability to scrub for FCRA opt-outs, is essential. Consult your legal, risk and compliance teams. The digital channels raise questions that can and must be addressed by these expert audiences. It is so important to partner with service providers that have thought this through and can demonstrate a compliance framework. Embrace the multitude of delivery methods. Yes, there are additional considerations to think about to ensure compliance, but businesses should seek opportunities to reach their consumers via email, text, digital display and beyond. Also, digital credit offers need not replace mail and phone and traditional channels. Rather, emerging digital channels can supplement a campaign to drive the response rates higher. In Mary Meeker’s annual tech industry report, she touched on a phenomenon called the “privacy paradox” in which companies must balance the need to personalize their products and services, but at the same time remain in good favor with consumers, watchdog groups and regulators. So, while financial services players have much to consider in the regulatory space, the expectation is they embrace the latest technology advancements to interact with their consumers. It can be done and the delivery methods exist today. Just ensure you are working with the right partners to respect the data and consumer privacy laws.
