Tag: fraud
Part 3 in our series on Insights from the Vision 2016 fraud and identity track Our Vision 2016 fraud track session titled “Deployment Made Easy — solving new fraud problems by Adapting Legacy Solutions” offered insights into the future of analytics and the mechanisms for delivering them. The session included two case studies, the first of which highlighted a recently completed project in which an Experian client struggling with rising application fraud losses had to find a way to deploy advanced analytics without any IT resources. To assist the customer, data passing through an existing customer interface was reformatted and redirected to our Precise ID® platform. Upon arrival in Precise ID, a custom-built fraud scoring model was invoked. The results were then translated back into the format used by the legacy interface so that they could be ingested by the customer’s systems. This case study illustrates the key value proposition of Experian’s new CrossCoreTM fraud and identity platform. CrossCore features a similar “translation layer” for inquiries coming into Experian’s fraud and identity tools that will allow customers to define fraud-screening workflows that call a variety of services. The IT burden for connecting the inquiry to various Experian and non-Experian services will fall on Experian — sparing the customer from the challenge of financing and prioritizing IT resources. Similarly, the output from CrossCore will provide a ready-to-consume response that integrates directly with our customers’ host systems. The audience showed keen interest in the “here and now” illustration of what CrossCore will enable. Our second case study was provided by Eric Heikkila at Amazon Web Services™ and focused on the future of analytics. For an audience accustomed to the constraints of developing advanced analytics in a rigid data-structure, Amazon’s description of a “data lake” was a fascinating picture of what’s possible. The data lake offers the simultaneous ability to accommodate existing structured customer data along with new unstructured data in an infinitely scalable data set. Equally important is the data lake’s ability to accommodate an unlimited array of data mining and analytical tools. Amazon’s message was clear and simple — the fraud industry’s trepidation around the use of big data is misplaced. The fear of making the wrong choice of data storage and analytical tools is unnecessary. To illustrate this point, Eric shared an Amazon Web Services case study that used FINRA (Financial Industry Regulatory Authority). FINRA is responsible for overseeing U.S. securities markets to ensure that rules are followed and integrity is maintained. Amid a bewildering set of ever-changing regulations and peak volumes of 35 trillion per day — yes, trillion — Amazon’s data lake supports both the scale and analytical demands of a complex industry. As the delivery and access to fraud products is made easy by CrossCore, the data and analytics will expand through the use of services like Amazon’s data lake. As the participants will agree, the future of fraud technology is closer than you think!
Part 2 in our series on Insights from the Vision 2016 fraud and identity track With the growing number of data breach incidents taking place the stolen data from those attacks is being used to carry out social engineering attacks used to commit call center fraud. A recent study stated that global call center fraud has increased more than 45% in the last three years as fraudsters use social engineering to steal data and turn profits. The same report found that criminals might make up to 5 calls to a center, pretending to be the victim, before completing a fraudulent transaction. The importance of strong call center authentication procedures is greater than ever. At the 35th annual Vision Conference, Bobbie Paul from Experian’s Global Consulting Practice, Stefan Schubert from JPMorgan Chase and I led a session about call center authentication. After introductions and a discussion about existing call center identity authentication techniques, Stefan took the podium and provided an excellent overview of how his company approaches call center authentication. He made an interesting point — despite introducing friction into his process, he was not of the opinion that knowledge-based authentication (KBA) was going away any time soon because of how deeply it is embedded into their processes and its applicability to most consumers. He also called out the importance of reviewing KBA configurations regularly to adjust which questions are being asked and the positive implication to deterring fraudsters. Bobbie followed Stefan to discuss emerging call center authentication technologies, including a new take on an old tool — document imaging. She also discussed the notion of phone printing, which does not specifically evaluate the voice on the phone, but looks at the characteristics of the call itself, including the type of phone being used and the environment from which the call is being made. One of the highlights of the session was the interaction with the audience — including a demonstration of how, with a little distraction, it was easy to walk away with an audience member’s phone, how a fraudster could access and compromise a phone and how a gummy bear could be used to defeat fingerprint biometrics. What I, and many others, took away from this is that even with newer fraud detection tools available, incorporating tried-and-true methods like KBA is still an important step into a holistic fraud detection strategy.
Industry’s first smart plug-and-play fraud platform allows companies to connect their own solutions, Experian products and third-party vendors in one place to better protect their customers from fraud threats Experian unveiled the fraud and identity industry’s first open platform designed to catch fraud faster, improve compliance and enhance the customer experience. Experian’s CrossCore™ gives companies an easier way to connect any new or existing tools and systems in one place, whether they are Experian, internal or third-party partner solutions. This “plug-and-play” capability allows companies to rapidly adapt to changing conditions and risks. “Our clients have expressed frustration over the lack of a truly holistic industry solution that delivers the level of confidence and control they need without requiring a massive multiyear project to replace everything they have,” said Steve Platt, global executive vice president, Fraud and Identity, Experian. “New fraud threats, updates to regulatory requirements and customer expectations for a hassle-free experience are making it challenging for fraud and compliance teams to keep up. CrossCore will give them the flexibility they need to balance customer protection with customer experience.” The CrossCore open platform enables organizations to manage services through a common access point that supports a layered approach to managing risks across providers. CrossCore includes powerful workflow and strategy design capabilities that allow fraud and compliance teams to create and adapt strategies based on evolving threats and business needs. This helps them to respond more quickly and reduces the burden on IT. Fraud and compliance teams must constantly respond to new fraud threats and changing regulatory requirements by implementing new tools on top of existing solutions. “A layered approach is imperative, because fraudsters can break through each layer individually, but they will face greater barriers with each additional layer imposed,” said Avivah Litan, vice president and distinguished analyst, Security and Privacy, of Gartner.[1] Over time, as layers have been added and fortified, systems have become increasingly complex, expensive to integrate and difficult to manage, often increasing customer friction. A key feature of the CrossCore fraud platform is the ease of integration with third-party partner solutions. At launch, CrossCore will support fraud and identity services provided by third-party partners, including Acxiom® (Identity Solutions), TeleSign and many others already integrated with Experian solutions, with more being added to the platform. Previously, integrating third-party solutions required tremendous time and effort, which often challenged in-house teams to execute in a timely, efficient manner. Through CrossCore, the responsibility of integrating additional tools and systems moves away from those teams to the platform itself, enabling clients to select best-in-class solutions from multiple providers without creating a strain on resources. Al Pascual, senior vice president, research director and head of fraud & security for Javelin, said, “There are so many great niche solutions to work with, and new ones come out almost every day. To really have a world-class approach, the client has to put all those little things together, because there never will be one vendor who does it all. The market challenge is about how to make it faster and easier to bring things together to enable a more dynamic and fluid approach to managing risk.” CrossCore features Common access through a flexible API connects disparate systems to improve risk controls while reducing integration cost and complexity An open approach enables clients to connect and optimize a portfolio of best-in-class solutions across Experian, third-party services and existing systems Powerful strategy design and workflow decisioning functions enable fraud and compliance teams to apply services in any combination to get the level of confidence required A modern Software as a Service (SaaS) architecture provides scalability and the ability to make strategy changes dynamically with no down time Experian, which offers fraud and identity services in more than 44 countries, developed CrossCore to address the widespread market need consistently expressed by its clients for a faster, easier way to get more out of their existing systems and add new tools to improve their customers’ experience while minimizing risk. Companies can begin accessing CrossCore immediately, with the ability to turn on Experian services through a single integration, connect their own fraud and identity capabilities with a common API and turn on new services as they are added. The initial release includes key Experian products: FraudNet for Account Opening; Hunter®, for application fraud detection; Prove-ID, for international identity verification; and Precise ID®, for U.S. identity verification, including knowledge-based authentication. (KBA). Third-party fraud and identity service providers can engage with CrossCore to connect their services. “Now, companies can implement a new approach to managing fraud and identity services — one that will give them greater control over their risk exposure and enable them to provide a safer and more enjoyable experience for their customers,” added Platt. Learn more about CrossCore at https://www.experian.com/crosscore [1]Gartner, Identity Proofing Revisited as Data Confidentiality Dies, Avivah Litan, Dec. 12, 2013; last reviewed on April 28, 2015
Last week we had the pleasure of joining more than 400 clients at the 35th annual Vision Conference — connecting business leaders to ideas and solutions. Over the next few weeks, we’ll be sharing some insights from our fraud and identity dedicated session track. I had the pleasure of presenting alongside the U.S. Secret Service, and we had a packed session to discuss the Dark Web — what it is, how it’s accessed, how criminals are exploiting it to commit fraud and the human impact of the massive global cybercrime problem. According to McAfee®, cybercrime represents a $500 billion cost to the global economy — and that’s projected to rise to $600 billion this year, outpacing any other form of crime. With the Internet economy generating between $2 trillion and $3 trillion annually, that means cybercrime is extracting roughly 15 to 20 percent of the entire value created by the Internet. This is a massive problem, and it’s not going away. Unfortunately, there are countless tools and services to commit fraud available on the Web, providing attackers with the cloak of anonymity they need to compromise accounts, mimic legitimate users and submit fraudulent transactions. Device intelligence helps unmask these activities. It is a critical component to defend against the threat, and it provides insight into every interaction throughout a typical customer journey (from account setup to login and account maintenance to transactions). Without this visibility into users’ historical behavior and typical population patterns, organizations often have limited options to target attackers and identify anomalous behaviors. This is key to a successful cybercrime detection and mitigation strategy. Another important point in the session regarded recent law enforcement and private industry successes in identifying, tracking, apprehending and prosecuting online attackers. We thankfully have made significant strides in this area, as evidenced by the work of the Secret Service and other law enforcement organizations, but the collaboration must continue — and intensify. As mentioned in a CNBC story published on the same day as our presentation, the Dark Web is an increasingly mainstream source for everything from financial crime to drug trade and human trafficking. Unfortunately, most businesses are in the dark about the growing criminal underground, but Experian can help. With proper fraud expertise and innovative tools to defend against these ever-evolving threats, organizations can uncloak the attackers and safeguard the business.
False declines are often unwarranted and occur due to lack of customer information Have you ever been shopping online, excited to get your hands on the latest tech gadget, only to be hit with the all-too-common disappointment of a credit card decline? Whom did you blame? The merchant? The issuer? The card associations? The answer is probably all of the above. False declines like the situation described above provoke an onslaught of consumer emotions ranging from shock and dismay to frustration and anger. Of course, consumers aren’t the only ones negatively impacted by false declines. Many times card issuers lose their coveted “top of wallet” position and/or retailers lose revenue when customers abandon the purchase altogether. False declines are unpleasant for everyone, yet consumers struggle with this problem every day — and fraud controls are only getting tighter. How does the industry mutually resolve this growing issue? The first step is to understand why it occurs. Most false declines happen when the merchant or issuer mistakenly declines a legitimate transaction due to perceived high risk. This misperception is usually the result of the merchant or issuer not having enough information to verify the authenticity of the cardholder confidently. For example, the consumer may be a first-time customer or the purchase may be a departure from the card holder’s normal pattern of transaction activity. Research shows that lack of a holistic view and no cross-industry transaction visibility result in approximately $40 billion of e-commerce declines annually. Think about this for a minute — $40 billion in preventable lost revenue due to lack of information. Merchants’ customer information is often limited to their first-hand information and experience with consumers. To solve this growing problem, Experian® developed TrustInsight™, a real-time engine to establish trusted online relationships over time among consumers, merchants and issuers. It works by anonymously leveraging transactional information that merchants and financial institutions already have about consumers to create a crowd-sourced TrustScore™. This score allows first-time online customers to get a VIP experience rather than a brand-damaging decline. Another common challenge for merchants is measuring the scope of the false declines problem. Proactively contacting consumers, directly capturing feedback and quickly verifying transaction details to recoup potential lost sales are best practices, but merchants are often in the dark as to how many good customers are being turned away. The solution — often involving substantial operational expense — is to hold higher-risk orders for manual review rather than outright declining them. With average industry review rates nearing 30 percent of all online orders (according to the latest CyberSource Annual Fraud Benchmark Report: A Balancing Act), this growing level of review is not sustainable. This is where industry collaboration via TrustInsight™ offers such compelling value. TrustInsight can reduce the review population significantly by leveraging consumers’ transactions across the network to establish trust between individuals and their devices to automate more approvals. Thankfully, the industry is taking note. There is a groundswell of focus on the issue of false declines and their impact on good customers. Traditional, operations-heavy approaches are no longer sufficient. A trust-based industry-consortium approach is essential to enhance visibility, recognize consumers and their devices holistically, and ensure that consumers are impacted only when a real threat is present.
This article first appeared in Baseline Magazine Since it is possible for cyber-criminals to create a synthetic person, businesses must be able to differentiate between synthetic and true-party identities. Children often make up imaginary friends and have a way of making them come to life. They may come over to play, go on vacation with you and have sleepover parties. As a parent, you know they don’t really exist, but you play along anyway. Think of synthetic identities like imaginary friends. Unfortunately, some criminals create imaginary identities for nefarious reasons, so the innocence associated with imaginary friends is quickly lost. Fraudsters combine and manipulate real consumer data with fictitious demographic information to create a “new” or “synthetic” individual. Once the synthetic person is “born,” fraudsters create a financial life and social history that mirrors true-party behaviors. The similarities in financial activities make it difficult to detect good from bad and real from synthetic. There really is no difference in the world of automated transaction processing between you and a synthetic identity. Often the synthetic “person” is viewed as a thin or shallow file consumer— perhaps a millennial. I have a hard time remembering all of my own passwords, so how do organized “synthetic schemes” keep all the information usable and together across hundreds of accounts? Our data scientists have found that information is often shared from identity to identity and account to account. For instance, perhaps synthetic criminals are using the same or similar passwords or email addresses across products and accounts in your portfolio. Or, perhaps physical address and phone records have cross-functional similarities. The algorithms and sciences are much more complex, but this simplifies how we are able to link data, analytics, strategies and scores. Identifying the Business Impact of Synthetic-Identity Fraud Most industry professionals look at synthetic-identity fraud as a relatively new fraud threat. The real risk runs much deeper in an organization than just operational expense and fraud loss dollars. Does your fraud strategy include looking at all types of risk, compliance reporting, and how processes affect the customer experience? To identify the overall impact synthetic identities can have on your institution, you should start asking: Are you truly complying with \"Know Your Customer\" (KYC) regulations when a synthetic account exists in your active portfolio? Does your written \"Customer Identification Program\" (CIP) include or exclude synthetic identities? Should you be reporting this suspicious activity to the compliance officer (or department) and submitting a suspicious activity report (SAR)? Should you charge off synthetic accounts as credit or fraud losses? Which department should be the owner of suspected synthetic accounts: Credit Risk, Collections or Fraud? Do you have run any anti-money laundering (AML) risk when participating in money movements and transfers? Depending on your answers to the above questions, you may be incurring potential risks in the policies and procedures of synthetic identity treatment, operational readiness and training practices. Since it is possible to create a synthetic person, businesses must be able to differentiate between synthetic and true-party identities, just as parents need to differentiate between their child\'s real and imaginary friends.
Device emulators — wolves in sheep’s clothing Despite all the fraud prevention systems and resources in the public and private sectors, online fraud continues to grow at an alarming rate, offering a low-risk, high-reward proposition for fraudsters. Unfortunately, the Web houses a number of easily accessible tools that criminals can use to perpetrate fraud and avoid detection. The device emulator is one of these tools. Simply put, a device emulator is one device that pretends to be another. What began as innovative technology to enable easy site testing for Web developers quickly evolved into a universally available tool that attackers can exploit to wreak havoc across all industry verticals. While it’s not new technology, there has been a significant increase in its use by criminals to deceive simple device identification and automated risk-management solutions to carry out fraudulent activities. Suspected device emulation (or spoofing) traffic historically has been difficult to identify because fraud solutions rely heavily on reputation databases or negative lists. Detecting and defeating these criminals in sheep’s clothing is possible, however. Leveraging Experian’s collective fraud intelligence and data modeling expertise, our fraud research team has isolated several device attributes that can identify the presence of an emulator being used to submit multiple transactions. Thanks to these latest FraudNet rule sets, financial institutions, ecommerce merchants, airlines, insurers and government entities alike now can uncloak and protect against many of these cybercriminals. Unfortunately, device emulators are just one of many tools available to criminals on the Dark Web. Join me at Vision 2016, where U.S. Secret Service and I will share more tales from the Dark Web. We will explore the scale of the global cybercrime problem, walk through the anatomy of a typical hack, explain how hackers exploit browser plug-ins, and describe how enhanced device intelligence and visibility across all channels can stop fraudsters in their tracks. Listen to Mike Gross as he shares a short overview of his Vision 2016 breakout session in this short video. Don’t miss this innovative Vision 2016 session! See you there.
Top states for billing and shipping e-commerce fraud With more than 13 million fraud victims in 2015, assessing where fraud occurs is an important layer of verification for e-commerce. Experian® analyzed millions of e-commerce transactions from 2015 to identify fraud attack rates across the United States. With the switch to chip-enabled credit card transactions and possible growth of card-not-present fraud, online businesses should utilize advanced fraud solutions to monitor their riskiest locations and prevent losses. >> View the Experian map to see 2015 e-commerce attack rates for all states
Proven identity and device authentication to minimize identity tax return fraud Identity fraud places an enormous burden on its victims and presents a challenge to businesses, organizations and government agencies, including the IRS and all state revenue authorities. Tax return fraud occurs when an attacker uses a consumer’s stolen Social Security number and other personal information to file a tax return, often claiming a significant refund. The IRS is challenged by innovative fraudsters continually trying to outsmart its current risk strategies around prevention, detection, recovery and victim assistance. And with the ever-increasing number of identity data compromised and tax return fraud victims, it’s necessary to question whether tax preparation companies are doing all they can to keep personally identifiable information (PII) secure and screen for fraud before forms are submitted. “ID theft isn’t just credit card fraud,” said Rod Griffin, Director of Public Education for Experian. A recent Experian online survey indicated that nearly 76 percent of consumers are familiar with ID theft and tax fraud — up significantly from the past two years. And 28 percent of those surveyed have been a victim or know a victim of tax fraud. To protect all parties’ interests, tax preparation agencies are challenged by today’s savvy fraudsters who have reaped the benefits of recent breaches. In order to protect consumers, organizations need to apply comprehensive, data-driven intelligence to help thwart identity fraud and the use of stolen identity data via fraudulent returns. The key to securing transactions, reducing friction and providing a consistently satisfying customer experience, online and offline, is authenticating consumers in a clear and frictionless environment. As a result, it’s necessary to have reliable customer intelligence based on both high-quality contextual identity and device attributes alongside other authentication performance data. Comprehensive customer intelligence means having a holistic, bound-together view of devices and identities that equips companies and agencies with the tools to balance cost and risk without increasing transactional friction. Businesses and agencies must not rely on a singular point of customer intelligence gathering and decisioning, but must move to more complex device identification and out-of-wallet verification procedures. Effective solutions typically involve a layered approach with several of the following: Identity transaction link analysis and risk attribute derivation Device intelligence and risk assessment Credit and noncredit data and risk attributes Multifactor authentication, using one-time passcodes via SMS messaging Identity risk scores Dynamic knowledge-based authentication questions Traditional PII validation and verification Biometrics and remote document verification Out-of-band alerts, communications and confirmations Contextual account, transaction and channel purview Additionally, government agencies must adhere to recognized standards, such as those prescribed by the National Institute of Standards and Technology to establish compliance. The persistent threat of tax fraud highlights the urgent need for businesses and agencies to continue educating consumers and more importantly, to improve the strategic effectiveness of their current solutions processes. Learn more about Experian Fraud and Identity Solutions, including government-specific treatments, and how the most effective fraud prevention and identity authentication strategy leverages multiple detection capabilities to highlight attackers while enabling a seamless, positive experience for legitimate consumers.
According to a recent Experian Marketing Services study, 36% of companies interact with customers in five or more channels.
Ensure you’re protecting consumer data privacy Data Privacy Day is a good reminder for consumers to take steps to protect their privacy online — and an ideal time for organizations to ensure that they are remaining vigilant in their fight against fraud. According to a new study from Experian Consumer Services, 93 percent of survey respondents feel identity theft is a growing problem, while 91 percent believe that people should be more concerned about the issue. Online activities that generate the most concern include making an online purchase (73 percent), using public Wi-Fi (69 percent) and accessing online accounts (69 percent). Consumers are vigilant while online Most respondents are concerned they will fall victim to identity theft in the future (71 percent), resulting in a generally proactive approach to protecting personal information. In fact, almost 50 percent of respondents say they are taking more precautions compared with last year. Ninety-one percent take steps to secure physical information, such as shredding documents, while also securing digital information (using passwords and antivirus software). Many consumers also make sure to check their credit report (33 percent) and bank account statements (76 percent) at least once per month. There’s still room for consumers to be safer Though many consumers are practicing good security habits, some aren’t: More than 50 percent do not check to see if a Website is secure Fifty percent do not have all their Web-enabled devices password-protected because it is a hassle to enter a password (30 percent) or they do not feel it is necessary (25 percent) Fifty-five percent do not close the Web browser when they are finished using an online account Additionally, 15 percent keep a written record of passwords and PINs in their purse or wallet or on a mobile device or computer Businesses need to be responsible when it comes data privacy Customer-facing businesses must continue efforts to educate consumers about their role in breach and fraud prevention. They also need to be responsible and apply comprehensive, data-driven intelligence that helps thwart both breaches and the malicious use of breached information and protect all parties’ interests. Nearly 70 percent of those polled in a 2015 Experian–Ponemon Institute study said that the increased visibility and media reporting of breaches, including payment-related incidents, have caused their organizations to step up data security efforts. Experian Fraud & ID is uniquely positioned to provide true customer intelligence by combining identity authentication with device assessment and monitoring from a single integrated provider. This combination provides the only true holistic view of the customer and allows organizations to both know and recognize customers and to provide them with the best possible experience. By associating the identities and the devices used to access services, the true identity can be seen across the customer journey. This unique and integrated view of identity and device delivers proven superior performance in authentication, fraud risk segmentation and decisioning. For more insights into how businesses are responding to breach activities, download our recent white paper, Data confidence realized: Leveraging customer intelligence in the age of mass data compromise. For more findings from the study, view the results here.
Customer Experience during the holiday shopping season During the holidays, consumers transact at a much greater rate than any other time of the year. Many risk-management departments respond by loosening the reins on their decision engines to improve the customer experience — and to ensure that this spike does not trigger a response that would impede a holiday shopper’s desire to grab one more stocking stuffer or a gift for a last-minute guest. As a result, it also is the busy season for fraudsters, and they use this act of goodwill toward your customers to improve their criminal enterprise. Ultimately, you are tasked with providing a great customer experience to your real customers while eliminating any synthetic ones. Recent data breaches resulted in large quantities of personally identifiable information that thieves can use to create synthetic identities being published on the Dark Web. As this data is related to real consumers, it can be difficult for your identity-authentication solution to determine that these identities have been compromised or fabricated, enabling fraudsters to open accounts with your organization. Experian’s Identity Element Network™ can help you determine when synthetic identities are at work within your business. It evaluates nearly 300 data-element combinations to determine if certain elements appear in cyberspace frequently or are being used in combination with data not consistent with your customer’s identity. This proven resource helps you manage fraud across the Customer Life Cycle and hinder the damage that identity thieves cause. Identity Element Network examines a vast attribute repository that grows by more than 2 million transactions each day, revealing up-to-date fraud threats associated with inconsistent or high-risk use of personal identity elements. Our goal is to provide the comfort of knowing that you are transacting with your real customers. Don’t get left in the cold this holiday season — fraudsters are looking for opportunities to take advantage of you and your customers. Contact your Experian account executive to learn how Identity Element Network can help make sure you are not letting fraudsters exploit the customer experience intended for your real customers. Learn more about the delicate balance between customer and criminal by viewing our fraud e-book.
Electronic signatures and their emerging presence in our Internet-connected world I had the opportunity to represent Experian at the eSignRecords 2015 conference in New York City last week. The concept of electronic signature, while not new, certainly has an emerging presence in the Internet-connected world — as evidenced by the various attendee companies that were represented, everything from home mortgages to automobiles. Much of the discussion focused on the legal aspects of accepting an electronic signature in lieu of an in-person physical signature. The implications of accepting this virtual stamp of approval were discussed, as well as the various cases that already have been tried in court. Of course, the outcome of those cases shapes the future of how to properly integrate this new form of authorization into existing business processes. Attendees discussed the basic concept of simply accepting a signature on an electronic pad as opposed to one written on a piece of paper. That act alone has many legal challenges even though it provides the luxury of in-person authentication through a face-to-face meeting. The complexities and risk increase exponentially when these services are extended over the Internet. The ability to sign documents virtually opens up a whole new world of business opportunities, and the concept certainly caters to the consumer’s need for convenience. However, the anonymity of the Internet presents the everyday challenge of balancing consumer expectations of greater ease of use with necessary fraud prevention measures. Ultimately, it always comes back to understanding who is actually signing that document. All of this highlights the need for robust authentication and security measures. As more and more legal documents and contracts are passed around virtually, the opportunity to properly screen and verify who has access to the documents gets more critical. Many organizations still rely on the tried-and-true method of knowledge-based authentication (KBA), while many others have called for its end. KBA continues to soldier on as an effective way to ensure that people on the other end of the wire are who they say they are by asking questions that — presumably — only they know the answers to. In most cases, KBA is viewed as a “check the box” step in the process to satisfy the lawyers. In certain cases, that’s all you need to do to ensure compliance with legal policy or regulatory requirements. It starts to get tricky is when there’s more on the line than just “check the box” actions. When the liability of first- or third-party fraud, becomes greater than simple compliance, it’s time to implement tighter security, while at the same time limiting the amount of friction caused by the process. Many in attendance discussed the need for layers of authentication based on the type of documents that are being processed and handled. This speaks directly to the point that one size does not fit all. As the industry matures and acceptance of e-signatures increases, so too does the need for more robust, flexible options in authentication. Another topic — that was quite frankly foreign to everyone we talked to — was the need for security around the concept of account takeover. When discussing this type of fraud, most attendees did not even consider this to be a hole in their strategy. Consider this fictional scenario. I’m responsible for mergers and acquisitions for my publicly traded company. I often share confidential information via electronic means, leveraging one of the many electronic signature solutions on the market. I become a victim of a phishing attack and unknowingly provide my login credentials to the fraudster. The fraudster now has access to every electronic document that I have shared with various organizations — most of which have been targets for mergers and acquisitions. Fraudsters are creative. They exploit new technologies — not because they’re trendsetters, but because oftentimes these new technologies fail to consider how fraudsters can benefit from the system. If you are considering adopting e-signature as a formal process, please consider implementing: Flexible levels of authentication based on the risk and liability of the documents that are being presented and what they are protecting FraudNet for Account Takeover, which enhances security around access to these critical documents to protect against data breaches Not only the needs and experiences of your own business, but customer needs as well to enable to the best possible customer interactions If you haven’t considered implementing e-signature technology into your business process, you should — but be sure to have your fraud team present when considering the implementation.
We all know that first party fraud is a problem. No one can seem to agree on the definitions of first party fraud and who is on the hook to find it, absorb the losses and mitigate the risk going forward. More often than not, first-party fraud cases and associated losses are simply combined with the relatively big “bucket” of credit losses. More importantly, the means of quickly detecting potential first-party fraud, properly segmenting it (as either true credit risk or malicious behavior) and mitigating losses associated with it usually lies within more general credit policies instead of with unique, targeted strategies designed to combat this type of fraud. In order to create a frame of reference, it’s helpful to have some quick — and yes, arguable — definitions: Synthetic identity: the fabrication of an identity with the intention of perpetrating fraudulent applications for, and access to, credit or other financial services Bust-out: the substantive building of positive credit history, followed by the intentional, high-velocity opening of several new accounts with subsequent line utilization and “never payment” Default payment: intentionally allowing credit lines to default to avoid payments Straight-roller: an account opened with immediate utilization followed by default without any attempt to make a payment Never pay: a form of straight-roller that becomes delinquent within the first few months of opening the account So what’s a risk manager to do? In my opinion, the best methods to consider in the fight against first-party fraud include analytical solutions that take multiple data points into consideration and focus on a risk-based approach. For my money, the four most important are: Models and scores developed with the proper set of identity and credit risk attributes derived from current and historic identity and account usage patterns (in other words, ANALYTICS) — Used at both the account opening and account management phases of the Customer Life Cycle, such analytics can be customized for each addressable market and specific first-party fraud threat The monitoring of individual identity elements at a portfolio level and beyond — This type of monitoring and LINK ANALYSIS allows organizations to detect the creation of synthetic identities Reasonable (e.g., one-to-one) identity and device associations over time versus a cluster of devices or coordinated attacks stemming from a single device — Knowing a customer’s device profile and behavioral usage with DEVICE INTELLIGENCE provides assurance that applications and account access are conducted legitimately Leveraging industry experts who have worked with other institutions to design and implement effective first-party fraud detection and loss-mitigation strategies — This kind of OPERATIONAL CONSULTING can save time and money in the long run and afford an opportunity to avoid mistakes By active use of these methods, you are applying a risk-based approach that will allow you to realize substantial savings in the forms of loss reduction and operational efficiencies associated with non-acquisition of high-risk first-party fraud applications, more effective credit line management of potentially high-risk accounts, better segmentation of treatment strategies and associated spend against high-risk identities, and removal of first-party fraud accounts from traditional collections processes that will prove futile. Download our recent White Paper, Data confidence realized: Leveraging customer intelligence in the age of mass data compromise, to understand how data and technology are needed to strengthen fraud risk strategies through comprehensive customer intelligence.
Profile of an online fraudster I recently read a study about the profile of a cybercriminal. While I appreciate the study itself, one thing it lacks perspective on is an understanding of how identity data is being used to perpetrate fraud in the online channel. One may jump to conclusions about what is a good indicator for catching fraudsters. These very broad-brush observations may result in an overwhelming number of false positives without digging in deeper. Purchase value A single approach for understanding the correlation between purchase value and fraud does not work to best protect all businesses. Back in 2005, we saw that orders under $5 were great indicators of subsequent large-ticket fraud. For merchants that sell large-ticket items, such as electronics, those same rules may not be effective. To simply believe that the low dollar amount is the extent of the crime and not just a precursor to the real, bigger crime indicates a lack of understanding of how fraudsters work to manipulate a system. For some merchants, where fraudsters know they can go to do card testing against their business, low-dollar-amount rules may apply. However, for other businesses a different set of rules must be put into place. Time of day We have been tracking fraud time of day as a rule since 2004, but the critical point is a clear definition of which time of day. For the merchant, 3 a.m. is very different than 3 a.m. for a fraudster who is in Asia or Eastern Europe, where 3 a.m. merchant time is actually the middle of the online fraudster’s day. FraudNet is designed to identify the time from the user’s device and runs its rules from the user’s time. We find that every individual business will have a very specific threat profile. Businesses need to build their individual fraud strategy around their overall attack rate taking into account the strength of the defense and the ability to be flexible to accommodate the nuances for individual consumers. A general approach to fraud mitigation inevitably results in a system that begins to chase broad averages, which leads to excessive false positives and mediocre detection. That’s what drives us to do the job better. The proof of every fraud solution should lie in its ability to catch the most fraud without negatively impacting good customers.
Learn More Image
