Fighting fraud with data enrichment – exclusive interview with SecuredTouch

Thursday 23 September 2021 10:11 CET | Editor: Simona Negru | Interview

The Paypers sat down with Ran Wasserman, Former CTO at SecuredTouch and now Principal Architect at Ping Identity, to discuss data enrichment and its role in fighting fraud.

Can you explain to our readers the basic tenets of what data enrichment means?

Data enrichment is the process of merging multiple sources of data (internal with external) to improve conclusions that can be drawn from the analysis of these combined data sets – a basic example will be getting geo-location/-city from an IP address.

What is the connection between this and fraud prevention? 

Data is used by merchants to approve/decline transaction payments. It’s often the case, however, that merchants have access to a limited amount of data and therefore any conclusion drawn from analysing this particular data set is unreliable and will result in friction for their customers. 

Thus, having more relevant data points at the time of transaction can lead to better decision making in real time. This is quite similar to the previously mentioned example: resolving geo-location from IP addresses is commonly used for fraud detection heuristics. In addition, data can also serve for fraud analysis reasons, more specifically, analysing users'/fraudsters' activity for the purpose of manual review of specific transactions or getting a high-level analytical view of the users'/fraudsters' behavioural patterns in order to better understand the threats.

How does SecuredTouch contribute to help your clients use data enrichment efficiently? 

SecuredTouch collects and processes unique data points to detect different types of fraudulent activities.

Many of our customers already have built-in risk engines for making decisions in real time, as well as data lakes for analysis and analytics. Besides using SecuredTouch risk modules to detect fraudulent activity, customers often want to enrich their existing systems with SecuredTouch unique data points in order to improve the visibility and effectiveness of their existing risk engines.

SecuredTouch exposes the processed data layer (called ‘indicators’ on the SecuredTouch platform) to our customers on the standard API calls, which means that they can enrich their existing risk engines and data lake with SecuredTouch’s indicators in order to achieve better detection and visibility into their fraud.

The exposed indicators include the following categories:

  • Behavioural – e.g. mouse movements, typing dynamics, sensors etc.

  • Usage – e.g. the user journey, device usage history, usage history etc.

  • Device – e.g. OS attributes, browser attributes, hardware attributes etc.

  • Network – e.g. IP reputation, ASN, user agent based attributes etc.

Going back to your ‘unique data points’ reference, please emphasise a bit more on what exactly you mean by this and how it can be used for data enrichment and improve fraud detection.

Let’s say a merchant is trying to assess the risk of a payment transaction online. The basic data that they have is something like: the buyer's email, credit card information, and the product. There's a limited number of heuristics we can think of based on these data points alone.

But we can make smarter decisions if we add some more relevant data, such as:

  • Behavioural data: How were the credit card details filled in – Autofill? Using copy/paste?; How fast did he fill the form? Does the behaviour match human behaviour or does it look like automation (a bot)?

  • Usage data: the user journey that led to this transaction; Did we see this user/device in the past? When? Where from?

  • Device data: the type of device (desktop/mobile, OS version etc.), timezone, languages; Any anomalies in device attributes? Is that a real device even? (or is it an emulator?)

  • Network data: geo-location of the IP, owner of the IP (Is it private? Data centre? Mobile carrier? etc.); Does this IP have former bad reputation?

These additional data points provide a new point of view into the transaction that allows fraud fighters and their risk engines to better identify fraudulent activity in real time and also to get better visibility into the users' activity, both legit and fraudsters, which allows them to further improve the detection over time.

In which circumstances did SecuredTouch put this method into practice and what were the results (Any advantages/disadvantages)? Why should other companies use it?

SecuredTouch applies this method both on our own internal detection modules and with our customers that are using SecuredTouch data indicators to enrich their internal risk engines.

Based on our internal models, we can tell that the combination of behavioural data alongside device attributes creates a dramatic increase in both accuracy and coverage of our models – take bot detection for example: using behavioural data allows SecuredTouch to detect new attack tools in the wild even if we’ve never seen/researched them before.

Several of our customers in the ecommerce space are already using SecuredTouch indicators to enrich their risk engines for several use cases, including account takeover, new account fraud, and payment fraud, and showed great improvement in their accuracy.

The additional visibility allows merchants to better understand the nature of the fraudulent activity they are facing and so to better protect against it (e.g. identified emulators traffic, automations etc.). The visibility into the user journey also exposed built-in vulnerabilities in some user journeys and sometimes even exposes a whole business model to be too fraud friendly (e.g. referral abuse). 

A disadvantage is that adding more data points adds complexity, and it makes understanding the risk detection logic very complex. For this reason exactly, it is really important to have good visibility and analytical capabilities built in.

About Ran Wasserman

Ran brings 15+ years of experience in software development and cybersecurity, from IAF’s elite computing unit as a developer and team leader, to IMPERVA where he held several development and management positions, focusing on web security and the WAF product. As SecuredTouch CTO, he leads the research and delivery of SecuredTouch’s cutting-edge fraud solutions. With the SecuredTouch acquisition, Ran is now a Principal Architect in Ping’s product architecture group. Based in Tel Aviv, Israel, Ran holds a B.Sc. in computer science from the Academic College of Tel Aviv and an MBA from Tel Aviv University.

About SecuredTouch

SecuredTouch, a Ping Identity company, provides real-time, adaptive fraud detection throughout the customer journey to detect fraud early, with proven ROI from day 1. The company’s solutions ensure accurate risk-based prevention for multiple use cases including account takeover, bots, credit card fraud, and no-transaction fraud such as loyalty programme and referral fraud. SecuredTouch’s customers benefit from reduced overall fraud losses while maintaining a smooth customer experience.


Keywords: data, fraud prevention, behavioural biometrics, payment fraud, bot attacks
Categories: Fraud & Financial Crime
Countries: World