The changing face of fraud
Cybercrime perpetrated worldwide in 2016 cost the global economy more than $450 billion and added 2 billion personal records stolen to an already extensive tab, based on statistics from small business insurance provider Hiscox Inc.
Visible gains in online commerce have also contributed to card-not-present (CNP) fraud as many predicted would happen when the U.S. transitioned to less fraud-friendly EMV (Europay, Mastercard and Visa) chip cards for card-present transactions. Javelin Strategy & Research estimated that year-over-year CNP fraud spiked 40 percent in 2016, and the incidence of identity, new account and account takeover fraud inched upward as well.
Conversely, POS malware attacks declined by 93 percent from 2014 to 2016, according to SonicWall Inc.'s 2017 Annual Threat Report, which measures data collected from daily feeds from more than 1 million security sensors in nearly 200 countries. Over the same period, Secure Sockets Layer/Transport Layer Security (SSL/TLS) encrypted traffic grew by 38 percent as cloud-based application usage spread across global networks.
"While this trend toward SSL/TLS encryption is overall a positive one, it also merits a word of caution," wrote SonicWall. "SSL/TLS encryption makes it more difficult for cyber thieves to intercept payment information from consumers, but it also provides an uninspected and trusted backdoor into the network that cyber criminals can exploit to sneak in malware" and thus create attack vectors only deep packet inspections can detect.
But a number of security-focused companies are working vigorously to deflect fraud with technologies that detect malware, spot transaction laundering, gather merchant intelligence, assess consumer behavioral patterns and monitor for illicit web content, all part of a growing arsenal of defenses to stop fraud at the outset in real time.
Trustwave Holdings Inc., for example, developed a web-risk monitoring portfolio that ISOs can leverage to identify, prevent and remediate illegal ecommerce activity in merchant portfolios. It also helps with compliance obligations and delivers value-added protections beyond what merchants can normally manage on their own.
"From the time the merchant becomes a customer of the ISO and throughout that customer engagement, our service can be used to ensure compliance with card and industry standards," said Michael Petitti, Senior Vice President of Global Alliances at Trustwave. "If I can tell my merchants that I'm scanning their websites for malware, that's valuable to the merchant." And like other companies in the fraud prevention space, Trustwave can customize monitoring services to meet ISOs' merchant-specific requirements.
Institutional targets responsive
In an age when heightened government and institutional oversight seeks to cut off financial sources to potential terrorists, any entity that processes payments internationally, or even locally, must remain vigilant about monitoring data transiting networks. Implementing detailed reporting standards helps ensure that legitimate legal business practices are being enforced.
Flywire, whose platform supports international consumer payments, has seen an increase in fraud attempts directed at individuals who transact overseas for such things as healthcare and higher education. Both are lucrative markets. The education market processes $53 billion annually for international students, and medical care takes in about $40 billion per year from patients seeking care outside of countries in which they reside.
"Some scammers represent themselves as government agencies and demand payment of an 'international student tariff,'" said Peter Butterfield, General Counsel and Chief Compliance Officer at Flywire. "Others claim to be agents endorsed by schools and offer discounts for processing the tuition payment through their firm."
After obtaining student login information, imposter agents proceed to make tuition payments using stolen credit card credentials, which are then rejected and reversed, while the discounted tuition amount paid to fraudsters, typically by wire, vanishes without a trace. Phishing scams offering fake tuition grants represent another growing problem, he noted.
"While there are a number of new technology approaches to fraud, we are encouraging our clients to also take a manual commonsense approach by designating preferred payment channels for their students that they know are secure and convenient," Butterfield said. He urges institutions to communicate with payors and to work closely with processors to develop risk profiles and behavior patterns to detect fraud early on. Another emergent trend entails online money laundering involving fraudsters that steal and resell loyalty rewards points or goods. To address this issue, credit union services provider PSCU recently introduced technology that applies advanced authentication processes to validate all parties engaged in the redemption loop as an extra layer of protection for its CURewards program credit union members.
"This is a new criminal angle our members are not sensitized to, so we found they appreciated knowing that we were monitoring redemption activity for them and holding all suspicious redemptions for confirmation of legitimacy before allowing them to be fulfilled," said Liz Fee, Vice President of Payments and Deposits at Citadel Federal Credit Union in Exton, Pa.
Collaboration plays central role
Two companies long recognized for advancing the science of fraud detection and prevention are Brigherion Inc., which counts as clients Mastercard, banks, governments and other global entities; and CardinalCommerce, which serves a number of major retailers and now operates as a wholly owned subsidiary of Visa Inc. following its acquisition by Visa in December 2016.
While each delivers unique technologies to combat fraud, both agree a collaborative approach to cybersecurity is most effective. CardinalCommerce developed its core technologies to support authenticated payments, secure transactions and alternative payment brands. Brighterion evolved artificial intelligence to support real-time applications in payments, healthcare, homeland security and other security-sensitive markets.
"The big danger in fraud today is acting in a silo and not sharing and leveraging enhanced enriched data across the network, so together the card issuer and the merchant can make the best decision not only to catch fraud and stop fraud, but also to allow good orders to get through and not stop good people from buying and transacting," said Tim Sherwin, co-founder and Chief Executive Officer at CardinalCommerce.
Not only can lack of sharing be detrimental to cash flow, but it can also endanger brand reputation. "We have an interface sitting on the merchant side, and we collect data from the merchant and get it over to the card issuer in real time so that the card issuer can authenticate the transaction, or say, no, this is fraud, and provide that response or knowledge back to the merchant before you've even run it through the authorization network," Sherwin said.
Because this type of risk-based authentication performs silently in the background, it delivers seamless commerce experiences in often-complex environments. "You need to have the infrastructure monitoring in place and the network of merchants driving the scale and the volume through so you can stay on top of this very chaotic and very distributed payments system where there are tens of thousands of issuers with hundreds of BINs running authentication in all different ways," Sherwin stated.
To further complicate matters, U.S. merchants have an extensive catalog of online shopping cart options, which potentially connect to over 30 major gateways, and within both components multiple versions exist. Online marketplaces offer abundant possibilities. In the past, shopping cart providers built integration for payment into gateways, but more recently many have decided it's easier for third parties to build modules that connect the shopping carts to gateways, Sherwin noted.
AI digs into fraud behaviors
Artificial intelligence (AI) in its many forms has gained prominence as a dynamic security protocol. Dr. Akli Adjaoute, founder, President and Chief Executive Officer at Brighterion, is a former university professor who holds a Ph D in AI. He is one of the pioneers behind Brighterion's patented Smart Agent technology.
"When we started, we were purely in the payments industry, working with issuers and acquirers like Worldpay, Mastercard, BNP, Deutsche Bank, JCB, Bank of America and many others," Adjaoute said. "Then we moved to cyber and homeland security." The European Commission selected Brighterion to support the Passenger Names Records project to thwart terrorist networks.
Smart Agent technology can link data for one-to-one behavioral profiling. "We create a Smart Agent for each customer," he said. "A Smart Agent is a virtual representation of a customer. Because we do that for a customer, or it can be a merchant or cardholder or family, every transaction related to you goes through your Smart Agent as an incremental use that will be added to your Smart Agent, so that we have a 360-degree view."
For cybersecurity clients, some agencies send up to 62 types of social data through Brighterion's AI system. All totaled, 10 artificial intelligence technologies, including case-based reasoning and fuzzy logic, work in combination to adaptively learn behavior and share intelligence to stop previously unknown fraud schemes in real-time.
Operating behind the scenes, Brighterion's technology is also fast. "We currently do 12,000 transactions per second with less than 3 millisecond response time," Adjaoute noted. "We're the only company that guarantees by contract 100 percent vulnerability" when companies agree to use accepted Linux boxes, which are not considered expensive.
Because its technology works with any data in any format and doesn't use predefined rules, the average customer can go live in a few weeks in most cases. "We do not use predefined rules, because they have poor detection rates; it's old technology," Adjaoute said He also pointed out that database systems are not necessarily a good choice because they don't scale well in adaptive learning situations and tend to be more expensive.
He believes the key to fraud prevention is to learn from every transaction in real time and through sequence analysis to determine that customers buying airline tickets would also be expected to purchase hotel rooms or rental cars without triggering false positives in payment systems.
With fuzzy logic, merchants are able to add more risk, which can reduce false positives by as much as 20 percent, he said. That's because it creates an allowance to look for data for smoother decisioning. For example, a purchase above $100 that would normally trigger a flag with fuzzy logic would be grouped with items priced within the same range, say $99.99, which is less abrupt when monitoring for potential fraud activity.
Another effective AI tool, constraint programming creates constraints over time associated with individual profiles, such as increased spending when a new school year begins, or on paydays or when vacationing, developing greater precision as profiles build.
Adjaoute advises clients in the market for fraud prevention technologies to try products before buying them and to test more than one product since the product they select will eventually touch a company's risk, brand, bottom line and reputation.
Insurance rises to the challenge
Faced with the persistent barrage of fraud threats, many companies are turning to cyber insurance, a budding segment for insurers. Insurance provider Lloyd's of London saw a 50 percent increase in such policies written in 2016. And the AGCS Cyber Risk Guide estimated that 90 percent of cyber policies being written today are for U.S.-based companies.
In January, Frates Insurance & Risk Management introduced a Payment Card Industry (PCI) Data Security Standard (DSS) insurance program for members of the Electronic Transactions Association. In describing its new breach insurance policy, Frates said it "indemnifies a portfolio of merchants for the PCI liability they face as a result of a breach." The company also provides protection against chargebacks, CNP fraud and other related coverage valued by the payments industry.
As fraudsters continue to develop new schemes to defraud legitimate businesses and their customers, the counteroffensive surges forward. Although complete protection may never be fully realized, fraud detection and response times are being accomplished at record speed. This should offer some relief to online merchants, since 1 of every 97 online transactions during the 2016 holiday season was a fraudulent attempt, according to ACI Worldwide.