Randal Cox, Rippleshot: "The payments industry is in an arms race with fraudsters and it will likely never be over"

Friday 15 May 2015 08:22 CET | Author Melisande Mual | Interview

We will see an ecosystem of security and detection products that grow and evolve in response to fraudsters’ behaviour

This year, your company has won the METAward at the MRC annual conference in Las Vegas. Could you elaborate a bit on the degree of innovation Rippleshot brings within the ecommerce payments and fraud community?

We have found that the tools and solutions available to date rely on being reactive - to card network alerts, notifications from processors, or customers who call with fraudulent charges. This is a problem, because they are often coming long after the damage has already been done. That costs both issuers and merchants a ton of money and the loss of consumers’ confidence.

Unfortunately, these old approaches are faring worse and worse. Hackers have learned to scale their approaches to steal payment cards. If we keep relying on old methods, we wont be able to keep up.

Rippleshot was designed from the ground up to scale. We start watching potential breach locations from the first hints of anomalies. That means we spot the big breaches much faster and the little breaches that no one else has the time to spot. This intelligence lets our clients react faster and more strategically. Issuers can have the time to reissue cards or craft real-time decline rules. Merchants can learn about their breach while its still small enough to put out.

What are the main products and services that Rippleshot offers?

We offer three products, targeted at issuers, merchants and merchant acquirers.

The issuer product assists fraud analysts in detecting breaches, prioritizing card reissuance, and crafting the decline rules that you need in place until you can get new cards in consumers’ hands.

The merchant product is a first-alert fire alarm. By slashing the number of cards exposed, a merchant breach can go from a disaster of public relations and regulatory penalties to a brush fire that you can recover from.

Our acquirer product monitors networks of merchants proactively. When a breach occurs, fraud spends happen somewhere else in the network. Acquirers get alerted to breached merchants quickly so they can protect the other merchants in their network from expensive chargebacks.

With October 2015 as the deadline for EMV implementation in the US, do you believe that Chip and PIN will be the end of credit card fraud in the region?

It wasnt for Europe and it wont be for the US. In Europe, EMV shifted losses to online fraud and, to a lesser extent, ATM fraud. Its like squeezing a balloon: when you pinch one end, the other end just gets bigger. Dont get me wrong: EMV definitely decreased the volume of fraud, but it didnt extinguish it. The payments industry is in an arms race with fraudsters that will likely never be over.

That arms race will likely get very interesting as the US transitions to EMV. The fraudsters already know some of our weaknesses. For example, they know that automated fuel dispensers dont have to be EMV-compliant for an additional two years. Our own breach data sh ows that these dispensers are in the top three worst industry types for breaches. Past October, I expect them to spike hard. Fraudsters also have a good idea about which issuers are EMV-ready and which are behind. Community issuers will become preferred targets until they fully transition.

What is your view on wallets such as Apple Pay, who replace the plastic credit card completely? Are they a solution to fraud, or are consumers as exposed as with card present transactions?

Apple Pay and Google Wallet are potentially extremely important, but they cant stop everything. Fraudsters are formidable opponents. Weve already seen the first wave of fraud on Apple Pay, where the fraudsters take advantage of the initial approval process to get a stolen payment card hooked up to Apple Pay. Banks have been too eager to approve cards for use in Apple Pay, allowing stolen cards into the fold. Apple and Google and issuers will all work hard on this problem in the next months, but you should expect to see more clever schemes in response to security gains.

In general, I think we will see an ecosystem of security and detection products that grow and evolve in response to fraudster behaviours.

In which directions do you see the ecosystem of security and detection products grow and evolve?

There is already a great deal of specialization in the growing payments ecosystem. EMV and Apple Pay work for card present. There are dozens of CNP players. Our own solution catches whole cohorts of cards online or swiped, but we need to see some fraud first.

Hackers will recognize security holes in all of these solutions over time. Weve seen holes in EMV, Apple Pay and CurrentC. But a hackers job becomes MUCH harder if they need to subvert two or more security systems simultaneously. Its not doubly hard: its more like squared harder, because hackers have to find two security holes that line up with one another.

So far the payments industry has been slowly and unconsciously moving toward this stacked approach of card security. I think it is time that we started looking at this consciously. Ecosystem should be at the front of our thinking, not an accident we blunder into.

About Randal Cox

Randal Cox is the Chief Scientist and co-Founder of Rippleshot. Randal’s PhD is in bioinformatics, and he has wielded those big data genomics approaches to payment card fraud for more than a decade. 


About Rippleshot

Rippleshot detects data breaches faster, allowing card issuers, processors and merchants to proactively monitor suspicious activities and implement smarter fraud risk management strategies when breaches do occur. Rippleshot knows that what you can’t see can hurt you, which is why we sweat the small stuff – the ripples before the tsunami, the tiny anomalies that signal a looming data breach – and let you know earlier, so you can play a pivotal role in reducing fraud loss, improving cardholder security and reducing the severity of breaches.

Free Headlines in your E-mail

Every day we send out a free e-mail with the most important headlines of the last 24 hours.

Subscribe now

Keywords: Ripppleshot, payments industry, fraudsters, EMV, online fraud, security, fraud detection, MRC, card fraud
Countries: World