Tag: fraud prevention
While marketers typically spend vast amounts of money to increase customer acquisitions, fraud prevention can undercut those efforts. According to a recent 41st Parameter® study, average card-not-present declines represent 15 percent of all transactions; however, one to three percent of those declined transactions turn out to be false positives, equating to 1.2 billion dollars in lost revenue annually. Marketers can avoid unnecessary declines and create a seamless customer experience by communicating campaign plans to the fraud-risk team early on and coordinating marketing and fraud-prevention efforts. Download Experian’s latest fraud prevention report. Report: Holiday Marketing & Fraud
By: Maria Moynihan Cybersecurity, identity management and fraud are common and prevalent challenges across both the public sector and private sector. Industries as diverse as credit card issuers, retail banking, telecom service providers and eCommerce merchants are faced with fraud threats ranging from first party fraud, commercial fraud to identity theft. If you think that the problem isn\'t as bad as it seems, the statistics speak for themselves: Fraud accounts for 19% of the $600 billion to $800 billion in waste in the U.S. healthcare system annually Medical identity theft makes up about 3% of 8.3 million overall victims of identity theft In 2011, there were 431 million adult victims of cybercrime in 24 countries In fiscal year 2012, the IRS’ specialized identity theft unit saw a 78% spike from last year in the number of ID theft cases submitted The public sector can easily apply the same best practices found in the private sector for ID verification, fraud detection and risk mitigation. Here are four sure fire ways to get ahead of the problem: Implement a risk-based authentication process in citizen enrollment and account management programs Include the right depth and breadth of data through public and private sources to best identity proof businesses or citizens Offer real-time identity verification while ensuring security and privacy of information Provide a Knowledge Based Authentication (KBA) software solution that asks applicants approved random questions based on “out-of-wallet” data What fraud protection tactics has your organization implemented? See what industry experts suggest as best practices for fraud protection and stay tuned as I share more on this topic in future posts. You can view past Public Sector blog posts here.
By: Kennis Wong When we think about fraud prevention, naturally we think about mininizing fraud at application. We want to ensure that the identities used in the application truly belong to the person who applies for credit, and not identity theft. But the reality is that some fraudsters do successfully get through the defense at application. In fact, according to Javelin’s 2011 Identity Fraud Survey Report, 2.5 million accounts were opened fraudulently using stolen identities in 2010, costing lenders and consumers $17 billion. And these numbers do not even include other existing account fraud like account takeover and impersonation (limited misusing of account like credit/debit card and balance transfer, etc.). This type of existing account fraud affected 5.5 million accounts in 2010, costing another $20 billion. So although it may seem like a no brainer, it’s worth emphasizing that we need to have fraud account management system and continue to detect fraud for new and established accounts. Existing account fraud is unlikely to go away any time soon. Lending activities have changed significantly in the last couple of years. Origination rate in 2010 is still less than half of the volume in 2008, and booked accounts become riskier. In this type of environment, when regular consumers are having hard time getting new credits, fraudsters are also having hard time getting credit. So they will switch their focus to something more profitable like account takeover. In addition to application fraud, does your organization have appropriate tools and decisioning strategy to minimize fraud loss from existing account fraud?
By: Kristan Frend Small business owners appear to be lucrative targets for identity fraud perpetrators, alarming banking institutions, payment processors, and B2B service providers. According to Javelin’s 2011 Small Business Owners (SMBO) Identity Fraud report, the cost of fraud and identity theft “hit SMBO constituents particularly hard. Javelin research uncovered what was previously an undocumented cost to the industry of $5 billion as a direct result of this fraud. In addition, financial institutions (FIs) lost over $590 million in clients and revenue opportunities over a five‐year period.” Additionally, the report indicated that small business owners mean fraud amount is about 5% higher than that for all consumers ($4,851 vs. $4,607). Even more alarming was the fact that the SMBO’s mean victim cost is 150% higher than consumer costs ($1,574 vs. $631). So what does all of this mean? If you’re a small business lender or service provider, having a robust multi-layered SMBO fraud prevention program in place is essential for client retention and avoiding reputational risk. You can take control of the situation with more proactive fraud prevention strategies which will improve your relationships with SMBO customers and save them (and you) money in the long run.
Let’s face it – not all knowledge based authentication (KBA) is created equal. I, too, have read horror stories of consumers forced to answer questions about a deceased relative or ex-spouse, or KBA sessions that went on far too long for anyone’s benefit. I have to attribute this to vendor inexperience and a lack of consulting with clients. An experienced vendor will use a fraud best practice such as a fraud analytics model to determine that some consumers do not even need questions and then a “Progressive Question” feature, which uses consumer performance on an initial question set to determine if it is necessary for the consumer to answer additional questions. This way, the true consumer completes the process quickly, improving the customer experience. The product of choice should also use a question mix that balances three factors: · how easily the true consumer can answer the question; · the fraud separation of the question (effectively the measured delta over time between how well true consumers answer the question vs. how well fraudsters do); · how many consumers overall the question can be generated. A list of hundreds of possible questions doesn’t mean much if the questions can only be generated for one quarter of one percent of the population, as is the case for something like airplane ownership or pilot’s license. Ultimately, out of wallet questions should be generated for a large part of the population, easily answered by the true consumer but difficult for a fraudster; and not offensive or what a consumer would consider “creepy” (such as their child’s birthday or name). Well designed questions will be personal but not intrusive and mindful of personal relationships that may have changed. The purpose of a knowledge based authentication session is risk management and/or consumer authentication for fraud prevention and compliance purposes – not to cause the loss of business because the fraud tool crossed the line in the mind of your customer.
When we think about fraud prevention, naturally we think about mininizing fraud at application. We want to ensure that the identities used in the application truly belong to the person who applies for credit, and not from some stolen identities. But the reality is that some fraudsters do successfully get through the defense at application. In fact, according to Javelin’s 2011 Identity Fraud Survey Report, 2.5 million accounts were opened fraudulently using stolen identities in 2010, costing lenders and consumers $17 billion. And these numbers do not even include other existing account fraud like account takeover and impersonation (limited misusing of account like credit/debit card and balance transfer, etc.). This type of existing account fraud affected 5.5 million accounts in 2010, costing another $20 billion. So although it may seem like a no brainer, it’s worth emphasizing that we need to continue to detect fraud for new and established accounts. Existing account fraud is unlikely to go away any time soon. Lending activities have changed significantly in the last couple of years. Origination rate in 2010 is still less than half of the volume in 2008, and booked accounts become riskier. In this type of environment, when regular consumers are having hard time getting new credits, fraudsters are also having hard time getting credit. So naturally they will switch their focus to something more profitable like account takeover. Does your organization have appropriate tools and decisioning strategy to fight against existing account fraud?
By: Kennis Wong In the last entry, I mentioned that consumers’ participation in protecting their own identity information is an important aspect of an identity theft prevention program to minimize fraud loss. Large financial institutions are starting to take charge in educating their customers, but others are having a hard time investing in such initiatives. I do understand that it is difficult to establish a direct linkage of revenue and positive return on investment for this type of activities. Business may view customer education of identity protection as a public service but not a necessity. After all, if my customer loses his identity information, it doesn’t necessarily mean that identity fraud will happen to my very own organization. But educating customers about identity protection and fraud trends can be a marketing tool and can increase customer loyalty, in additions to actual fraud prevention. Although consumers may not be aware of all the precautions they can take to protect their identity, undoubtedly identity theft is a hot topic in the media today. If there are two banks providing about the same service, but one of them goes an extra mile to provide me education on preventing identity theft, I would go with that bank. Also, as a financial institution, if my customers understand identity protection more, they would understand why I am putting some procedure in place and would be glad to comply with them. For example, they would be more patient when spending another minute in answering knowledge-based authentication questions, so that for their own protection, the bank can assure they are the true identity owners. Consumers can also actively monitor their credit report, whether through the bank or through other third party vendors. When consumers receive fraud alert from activities that could be a result of identity theft, they can actively contact the financial institutions about the situation. The sooner the identity fraud is discovered, the better off for both the consumers and the businesses.
By: Kennis Wong As a fraud management professional, naturally I am surrounded by fraud prevention topics and other professionals in the field all the time. Financial, ecommerce, retail, telecommunication, government and other organizations are used to talking about performance, scoring models, ROI, false-positives, operational efficiency, customer satisfaction trade-off, loss provisioning, decisioning strategy or any other sophisticated measures when it comes to fraud management. But when I bring up the topic of fraud outside of this circle, I am always surprised to see how little educated the general public is about an issue that is so critical to their financial health. I met a woman in an event several weeks ago. After learning about my occupation, she told me her story about someone from XYZ credit card company calling her and asking for her Social Security number, date of birth and other personal identifying information. Only days after she gave out the information that she realized things didn’t seem right. She called the credit card company and got her credit card re-issued. But at the time I talked to her, she still didn’t know enough to realize that the fraudster could now use her identity to start any new financial relationship under her name. As long as consumers are ignorant about protecting their identity information, businesses’ identity theft prevention program will not be complete and identity fraud will occur as a result of this weak link. To address this vulnerability and minimize fraud, consumers need to be educated.
We\'ve blogged about fraud alerts, fraud analytics, fraud models and fraud best practices. Sometimes, though, we delude ourselves into thinking that fraud prevention strategies we put into place today will be equally effective over time. Unfortunately, when a rat finds a dead-end in a previously-learned maze, it just keeps hunting for an exit. Fraudsters are no different. Ideally we want to seal off all the exits, and teach the rats to go and do something productive with their lives, but sadly that is not always the case. We also don\'t want to let too many good consumers get stuck either, so we cannot get too trigger-happy with our fraud best practices. Fraud behavior is dynamic, not static. Fraudsters learn and adapt to the feedback they receive through trial and error. That means when you plug a hole in your system today, there will be an increased push to seek out other holes tomorrow. This underscores the importance of keeping a close eye on your fraudsters\' behavior trends. But there must be some theoretical breaking point where the fraudsters simply give up trying--at least with your company. This behavioral extinction may be idealistic in the general sense, but is nonetheless a worthy goal as related to your business. One of the best things you can do to prevent fraud is to gain a reputation amongst the fraudsters of, \"Don\'t even try, it\'s not even worth it.\" And even if you don\'t succeed in getting them to stop trying altogether, it\'s still satisfying to know you are lowering their ROI while improving yours
Meat and potatoes Data are the meat and potatoes of fraud detection. You can have the brightest and most capable statistical modeling team in the world. But if they have crappy data, they will build crappy models. Fraud prevention models, predictive scores, and decisioning strategies in general are only as good as the data upon which they are built. How do you measure data performance? If a key part of my fraud risk strategy deals with the ability to match a name with an address, for example, then I am going to be interested in overall coverage and match rate statistics. I will want to know basic metrics like how many records I have in my database with name and address populated. And how many addresses do I typically have for consumers? Just one, or many? I will want to know how often, on average, we are able to match a name with an address. It doesn’t do much good to tell you your name and address don’t match when, in reality, they do. With any fraud product, I will definitely want to know how often we can locate the consumer in the first place. If you send me a name, address, and social security number, what is the likelihood that I will be able to find that particular consumer in my database? This process of finding a consumer based on certain input data (such as name and address) is called pinning. If you have incomplete or stale data, your pin rate will undoubtedly suffer. And my fraud tool isn’t much good if I don’t recognize many of the people you are sending me. Data need to be fresh. Old and out-of-date information will hurt your strategies, often punishing good consumers. Let’s say I moved one year ago, but your address data are two-years old, what are the chances that you are going to be able to match my name and address? Stale data are yucky. Quality Data = WIN It is all too easy to focus on the more sexy aspects of fraud detection (such as predictive scoring, out of wallet questions, red flag rules, etc.) while ignoring the foundation upon which all of these strategies are built.
The definition of account management authentication is: Keep your customers happy, but don’t lose sight of fraud risks and effective tools to combat those risks. In my previous posting, I discussed some unique fraud risks facing institutions during the account management phase of their customer lifecycles. As a follow up, I want to review a couple of effective tools that allow you to efficiently minimize fraud losses during post-application: Knowledge Based Authentication (KBA) — this process involves the use of challenge/response questions beyond \"secret\" or \"traditional\" internally derived questions (such as mother\'s maiden name or last transaction amount). This tool allows for measurably effective use of questions based on more broad-reaching data (credit and noncredit) and consistent delivery of those questions without subjective question creation and grading by call center agents. KBA questions sourced from information not easily accessible by call center agents or fraudsters provide an additional layer of security that is more impenetrable by social engineering. From a process efficiency standpoint, the use of automated KBA also can reduce online sessions for consumers, and call times as agents spend less time self-selecting questions, self-grading responses and subjectively determining next steps. Delivery of KBA questions via consumer-facing online platforms or via interactive voice response (IVR) systems can further reduce operational costs since the entire KBA process can be accommodated without call center agent involvement. Negative file and fraud database – performing checks against known fraudulent and abuse records affords institutions an opportunity to, in batch or real time, check elements such as address, phone, and SSN for prior fraudulent use or victimization. These checks are a critical element in supplementing traditional consumer authentication processes, particularly in an account management procedure in which consumer and/or account information may have been compromised. Transaction requests such as address or phone changes to an account are particularly low-hanging fruit as far as running negative file checks are concerned.
--by Andrew Gulledge Intelligent use of features Question ordering: You want some degree of randomization in the questions that are included for each session. If a fraudster (posing as you) comes through Knowledge Based Authentication, for two or three sessions, wouldn’t you want them to answer new questions each time? At the same time, you want to try to use those questions that perform better more often. One way to achieve both is to group the questions into categories, and use a fixed category ordering (with the better-performing categories being higher up in the batting line up)—then, within each category, the question selection is randomized. This way, you can generally use the better questions more, but at the same time, make it difficult to come through Knowledge Based Authentication twice and get the same questions presented back to you. (You can also force all new questions in subsequent sessions, with a question exclusion strategy, but this can be restrictive and make the “failure to generate questions” rate spike.) Question weighting: Since we know some questions outperform others, both in terms of percentage correct and in terms of fraud separation, it is generally a good idea to weight the questions with points based on these performance metrics. Weighting can help to squeeze out some additional fraud detection from your Knowledge Based Authentication tool. It also provides considerable flexibility in your decisioning (since it is no longer just “how many questions were answered correctly” but it is “what percentage of points were obtained”). Usage Limits: You should only allow a consumer to come through the Knowledge Based Authentication process a certain number of times before getting an auto-fail decision. This can take the form of x number of uses allowable within y number of hours/days/etc. Time out Limit: You should not allow fraudsters to research the questions in the middle of a Knowledge Based Authentication session. The real consumer should know the answers off the top of their heads. In a web environment, five minutes should be plenty of time to answer three to five questions. A call center environment should allow for more time since some people can be a bit chatty on the phone.
--by Andrew Gulledge General configuration issues Question selection- In addition to choosing questions that generally have a high percentage correct and fraud separation, consider any questions that would clearly not be a fit to your consumer population. Don’t get too trigger-happy, however, or you’ll have a spike in your “failure to generate questions” rate. Number of questions- Many people use three or four out-of-wallet questions in a Knowledge Based Authentication session, but some use more or less than that, based on their business needs. In general, more questions will provide a stricter authentication session, but might detract from the customer experience. They may also create longer handling times in a call center environment. Furthermore, it is harder to generate a lot of questions for some consumers, including thin-file types. Fewer Knowledge Based Authentication questions can be less invasive for the consumer, but limits the fraud detection value of the KBA process. Multiple choice- One advantage of this answer format is that it relies on recognition memory rather than recall memory, which is easier for the consumer. Another advantage is that it generally prevents complications associated with minor numerical errors, typos, date formatting errors and text scrubbing requirements. A disadvantage of multiple-choice, however, is that it can make educated guessing (and potentially gaming) easier for fraudsters. Fill in the blank- This is a good fit for some KBA questions, but less so with others. A simple numeric answer works well with fill in the blank (some small variance can be allowed where appropriate), but longer text strings can present complications. While undoubtedly difficult for a fraudster to guess, for example, most consumers would not know the full, official and (correct spelling) of the name to which they pay their monthly auto payment. Numeric fill in the blank questions are also good candidates for KBA in an IVR environment, where consumers can use their phone’s keypad to enter the answers.
--by Andrew Gulledge Where does Knowledge Based Authentication fit into my decisioning strategy? Knowledge Based Authentication can fit into various parts of your authentication process. Some folks choose to put every consumer through KBA, while others only send their riskier transactions through the out-of-wallet questions. Some people use Knowledge Based Authentication to feed a manual review process, while others use a KBA failure as a hard-decline. Uses for KBA are as sundry and varied as the questions themselves. Decision Matrix- As discussed by prior bloggers, a well-engineered fraud score can provide considerable lift to any fraud risk strategy. When possible, it is a good idea to combine both score and questions into the decisioning process. This can be done with a matrixed approach—where you are more lenient on the questions if the applicant has a good fraud score, and more lenient on the score if the applicant did well on the questions. In a decision matrix, a set decision code is placed within various cells, based on fraud risk. Decision Overrides- These provide a nice complement to your standard fraud decisioning strategy. Different fraud solution vendors provide different indicators or flags with which decisioning rules can be created. For example, you might decide to fail a consumer who provides a social security number that is recorded as deceased. These rules can help to provide additional lift to the standard decisioning strategy, whether it is in addition to Knowledge Based Authentication questions alone, questions and score, etc. The overrides can be along the lines of both auto-pass and auto-fail.
--by Andrew Gulledge Definition and examples Knowledge Based Authentication (KBA) is when you ask a consumer questions to which only they should know the answer. It is designed to prevent identity theft and other kinds of third-party fraud. Examples of Knowledge Based Authentication (also known as out-of-wallet) questions include “What is your monthly car payment?:" or “What are the last four digits of your cell number?” KBA -- and associated fraud analytics -- are an important part of your fraud best practices strategies. What makes a good KBA question? High percentage correct A good Knowledge Based Authentication question will be easy to answer for the real consumer. Thus we tend to shy away from questions for which a high percentage of consumers give the wrong answer. Using too many of these questions will contribute to false positives in your authentication process (i.e., failing a good consumer). False positives can be costly to a business, either by losing a good customer outright or by overloading your manual review queue (putting pressure on call centers, mailers, etc.). High fraud separation It is appropriate to make an exception, however, if a question with a low percentage correct tends to show good fraud detection. (After all, most people use a handful of KBA questions during an authentication session, so you can leave a little room for error.) Look at the fraudsters who successfully get through your authentication process and see which questions they got right and which they got wrong. The Knowledge Based Authentication questions that are your best fraud detectors will have a lower percentage correct in your fraud population, compared to the overall population. This difference is called fraud separation, and is a measure of the question’s capacity to catch the bad guys. High question generability A good Knowledge Based Authentication question will also be generable for a high percentage of consumers. It’s admirable to beat your chest and say your KBA tool offers 150 different questions. But it’s a much better idea to generate a full (and diverse) question set for over 99 percent of your consumers. Some KBA vendors tout a high number of questions, but some of these can only be generated for one or two percent of the population (if that). And, while it’s nice to be able to ask for a consumer’s SCUBA certification number, this kind of question is not likely to have much effect on your overall production.
Learn More Image
