This interview was first published in our Web Fraud Prevention and Online Authentication Market Guide 2017/2018. The Guide is a complete overview of the fraud management, digital identity verification and authentication ecosystem provided by thought leaders in the industry from leading solution providers (both established and new players) to associations and experts.
What’s the relationship between fraud prevention and data breaches?
The two come together when fraud prevention is required to deal with the consequences of a data breach. Take, for example, the Equifax breach, one of the biggest data breach stories in 2017, which saw 140+ million credit records from US citizens placed in the hands of criminal organisations.
Fraudsters learn to exploit the weaknesses of traditional fraud prevention tools over time. It is crucial for businesses to combine human expertise and machine elements to prevent fraud.
Fraudsters have, no doubt, already been using those details and will continue to use the stolen info in the months ahead, targeting online merchants with well-resourced account takeover (ATO) attempts.
How does account takeover (ATO) fraud work?
ATO occurs when a fraudulent entity gains access to a legitimate account – with an online retailer, for example – then uses the account holder’s details and stored payment information in order to pay for goods. The fraudster effectively hides behind the customer’s good history, causing undetected havoc. By the time the customer, the retailer or the bank have raised the alarm, the damage is often already done, the goods are shipped and the transaction charged to the account.
Unfortunately for larger businesses, the bigger the company (merchants, mobile network operators, banks), the more likely fraudsters will find overlaps within their stolen data. Get inside the mind of a fraudster: if you obtain stolen user credentials (which include e-mails and passwords) from the likes of Dropbox or LinkedIn, you’re going to try out those credentials first at Amazon or Best Buy, not at a small online retailer.
How can customers play a more active role in fraud prevention?
Since fraud moved almost exclusively online, fraudsters have been able to play an enormous game of ‘trial and error’ that was never possible in the physical world. Once they have one set of online credentials, they test them across dozens of different online merchants in a matter of minutes.
It’s therefore critical that consumers keep a varied range of passwords and security questions so that if one account is compromised, the rest will not fall like dominoes. However, the inconvenient truth is that customers have always been the weakest links in online security. A recent survey found that 80% of consumers reuse the same password across multiple accounts. With data leakages now reaching ‘epidemic levels’, it’s clear that the industry needs far stronger communication on how to stay safe online.
For concerned consumers worried about security, there are software vendors out there that will manage your entire spectrum of passwords, like 1Password or KeePass. If that is too technical for you, our advice is to keep a notebook of all your online passwords at your desk. Sure, the book could be stolen but it’s far safer than limiting yourself to only one or two different passwords.
What can businesses do when they’re struggling against weak password security?
ATOs aren’t purely down to poor password discipline by end-consumers; passwords themselves are a flawed form of authentication. Two-factor authentication, asking users to provide an additional piece of information known only by them, in addition to passwords, is an important step forward in reducing the chances of ATO fraud. Merchants should also look at sealing leaks caused by outdated payment methods such as open invoicing. However, the most important step forward is to ensure that modern fraud is met by modern fraud prevention.
How is Artificial Intelligence (AI) used to prevent fraud?
Hackers and fraudsters are a constantly moving target; the moment you frame them, they adapt to the surroundings, devising an even more creative and menacing means of attack. For years, fraud prevention was conducted using large sets of rules that would make decisions based on basket value, location of delivery, customer account age, etc. For modern fraudsters, this is far too easy to work around. The ‘trial and error’ principle means that if they hit a wall, they can just change the parameters and try it again. Large merchants are subsequently hit with thousands of fraudulent transactions from different accounts and different identities every few minutes, 24/7.
Machine learning works on a rule-basis as well, but the difference is that the machine defines these rules and can change them instantly, responding to new threats without human interaction. The technology recognises patterns and regularities in datasets, and is then able to learn from each transaction and a wealth of historical data. In this way, it can continually create new models and constantly evolving algorithms that find patterns, calculate risks and halt illicit activities – in real-time.
However, machine learning doesn’t mark the death of human interaction. Experienced fraud managers are still critical in the training process, constantly feeding their knowledge on the context and causes of fraud into the machine, allowing the system to evolve continually. Businesses that combine these human and machine elements can scale their fraud protection system, allowing it to grow, evolve and adapt to changing threats.
About Roberto Valerio
Roberto Valerio is one of the foremost experts on the rise of AI in combating fraud, and founder of Risk Ident, Europe’s leading provider of new intelligent anti-fraud software. Roberto sits on the European Advisory Board of the Merchant Risk Council and is a regular speaker on Europe’s anti-fraud conference circuit.
About Risk Ident
Risk Ident is an anti-fraud software development company based in the US and Europe that protects companies within the ecommerce, telecommunication and financial sectors. Our machine-learning software uses sophisticated data analytics to block payment fraud and account takeovers, all with human-friendly alerts that simplify a fraud prevention team’s decision-making process.