When card-not-present payments attract card-not-present fraud

Thursday 22 March 2018 09:36 CET | Editor: Melisande Mual | Interview

Scott Adams, keynote speaker at CNP Expo 2018, reveals the fraud challenges met by the card-not-present community and key strategies to level up the fight against smart fraudsters

You have supported Riot Games with your risk management expertise for almost five years. From your experience, what are the best strategies for securing transactions and the consumers’ data in the gaming industry?

The gaming industry is a tricky one in that it seems to attract many smart people on both the good and the bad side. In most verticals, the main motivation behind fraud is making money, but in the gaming environment, there is a large element of fraudsters that see beating the system as a game in itself. That type of fraud is much harder to detect. What I have learned is that in most cases, getting back to the basics works best. First, I would suggest locking down against the fundamentals like card running and things as simple as preventing duplicate transactions and mismatched card/country transactions. Second, I would look at account security since fraudsters who have full consumer data and/or trust now commit a lot of fraud, because they steal game accounts and then use those trusted accounts for malicious purposes.

Have you identified any emerging trends for CNP fraud that merchants should pay attention to in 2018?

Like I said above, account security is a huge area to focus on. What I have been seeing so far, and expect to see a lot of going forward, is fraud being perpetrated from trusted sources, or at least from what one thinks is a trusted source. I am seeing fraudsters hacking or stealing accounts, using them “legitimately” for as much as a year and then using them for fraud. Therefore, they look real and normal and then all of a sudden they turn on you.

In the same vein, I think we will see increasing trends in transactions that look good based on looking at core personal data (PII) - which includes information like name, address, email and phone number - but that are not in fact legitimate transactions. In many cases, the fraudsters not only have the PII data, but they even hold data normally associated with security questions. We as merchants and fraud fighters can no longer rely on this information as an identity verification method, largely due to the unprecedented number of data breaches that have occurred so far. Most people should just accept that all their personal info is out there on the web, so as merchants, we cannot trust that only the real cardholder would know basic PII info.

There is a lot of talk about sophistication and fraud at so many levels; however, we do not have a definition of what sophisticated techniques mean after all. So what do sophisticated fraud techniques stand for in the digital landscape that you operate in?

Sophisticated methods vary drastically by industry, but when it comes to video games, I think a great example is what I stated above on account security. The fraudsters gain access to a game account via hacking, stealing or any other illicit method, but afterwards, they don’t use it right away for fraud. Instead, they sit on the account for a year. But they don’t just let it sit; they play on it by using high tech methods like creating a bot that is as good as a human player and plays like a human. Eventually, maybe a year later, the fraudster uses this account to commit some fraud, often doing so in a purchase pattern that fits a normal gamer. This makes it incredibly hard to detect and prevent. So back to my comment above, one has to take account security very seriously and we as fraud professionals need to work hard to both prevent via technology, but also to prevent via educating our players and consumers to stop account takeovers in the first place.

Another common practice currently employed among fraud fighters is to use IP address and device ID mismatches to detect fraud. However, this does work to an extent. IP only works in the USA and device ID, and although it’s a good practice, it’s not a silver bullet. Sophisticated fraudsters can easily bypass IP address checks by using proxies or VPN, and in non-USA countries, IP addresses are very dynamic which renders them useless. Device ID, again, is a great tool, but lesser versions are easily defeated by virtual machines and other mechanisms and even the best ones can sometimes be beaten.

The best way is to have a layered approach, considering that there is not one tool to beat fraud but many different tools. Additionally, I’d never fully automate. AI and Machine learning are amazing tools, but well trained human eyes tend to find patterns faster, at least for now. Just because you seem to win the war today, it doesn’t mean there won’t be either a new attempt or a totally new enemy tomorrow. We must constantly strive for a better way to beat fraud. 

You will be attending the CNP Expo 2018 as a keynote speaker. What motivates you to join this conference and what are your expectations from an educational perspective?

Now that I am a keynote speaker, I’m looking forward to sharing my knowledge from the bleeding edge of video games with the rest of the payments community. During my keynote I’ll be sharing some stories from the trenches of the gaming fraud world, including the mechanism we used to shut down a worldwide, multi-million-dollar fraud business, one of my best lessons learned about international payments, some tips and tricks for stopping account takeover (ATO), and much more. I’ll also be there during most of the event, and I look forward to discussing these topics and hearing other professionals’ opinions on the newest fraud techniques, trends and the metrics they use to monitor and fight fraud.

About Scott Adams

Scott Adams is a respected thought leader in the online business, the card-not-present community, and the affiliate marketing community. In one position, Scott grew a failing USD 5 mln eBook company into one with revenue of USD 25 mln annually and a healthy chargeback rate. While there, Scott built one of the earliest affiliate metrics tracking systems and developed proprietary anti-fraud software. Most recently, Scott was Director of Fraud and Risk at Riot Games. He took them from being fined by Visa/MasterCard and near TMF to good standing in months.
