Stopping $6.4 Billion Worth of Post-EMV Fraud
By 2018, card fraud is expected to more than double, reaching $6.4 billion. As the U.S. migrates to EMV, card-not-present (CNP) fraud in particular is expected to spike, unsurprisingly, as fraudsters turn to new channels. Tackling CNP fraud, however, is particularly tricky: the underlying secret, says Dr. Thomas Rand-Nash, Director of Operations at Brighterion, is to acknowledge that it will always occur and simply shifts and evolves. MPD CEO Karen Webster recently sat down with Rand-Nash in a live digital discussion to find out how behavioral analytics can mitigate fraud damage, predict and prevent fraud in real time, and act as a crucial part of a multilayered CNP fraud approach.
The discussion kicked off with a brief intro by Julie Conroy, Aite Group Research Director, who provided industry context on the U.S. migration to EMV and the subsequent rise of CNP fraud. Conroy indicated that many merchants and consumers still don’t know about EMV, which has stirred up a lot of chaos and confusion – something that fraudsters thrive on.
Over the course of this year, as the U.S. is the last G-20 country to enable the EMV standard, the largest U.S. credit card issuers will upgrade their credit cards. By the end of the year, said Conroy, 70 percent of credit and 41 percent of debit cards will be EMV chip enabled.
The majority of credit card issuers are going to market with chip and signature, not chip and PIN, as a method of verification. Issuers say there are two driving factors. The first is that, globally, it’s split: sixty percent have gone PIN, 40 percent signature.
Second, the U.S. has the most competitive card environment on the planet – consumers have an average of 3.5 cards in their wallets. Issuers say there is risk associated with having a more difficult consumer experience, said Conroy.
The only thing that PIN addresses is lost and stolen fraud, which represents a very small portion of U.S. issuers’ fraud problem now.
One of the good things about being the last to migrate, however, is that the U.S. has learned a lot of lessons from other countries. In Canada, as migration progressed, counterfeit fraud came down, explained Conroy; this is the dark blue line on the graph below.
“EMV is very effective against counterfeit card fraud, but there is also a dollar for dollar displacement into CNP fraud,” said Conroy. “The pressure will be even more intense in the U.S. market with that CNP fraud.”
In addition, as the U.S. migrates to EMV, cross-border fraud will displace to CNP fraud. That’s because there is no other card market like the U.S. of a similar size and scope to serve as an outlet for cross-border fraud. So that will introduce additional pressure on the CNP channel, said Conroy.
Overall, card fraud will double from about $3.1 billion to over $6.4 billion in 2018. It will therefore be increasingly important for merchants and issuers alike to turn to advanced analytics to help them better assess the risk of each transaction, so they won’t be part of the $6.4 billion problem and so they can ensure customers a safe and easy user experience.
It was at this point in the discussion that Dr. Thomas Rand-Nash, Director of Operations at Brighterion, took over to jump into the complexity of CNP fraud and how to go about solving the problem.
REDUCING CNP FRAUD
CNP fraud, he said, is “not your parent’s fraud.” It is much more complex and technical in nature, given the recent and rapid introduction of novel payment methods and mechanisms, and it is organized and involves continuously evolving fraud schemes.
And because it is more technical in nature, the technologies used for CNP fraud make for a more sophisticated, tech-savvy type of criminal.
As we know, said Rand-Nash, there’s no single silver bullet for a problem like CNP fraud. It requires a comprehensive, layered approach.
That prompted MPD CEO Karen Webster to ask, how do tokenization, 3-D Secure and behavioral analytics all work together?
Tokenization, said Rand-Nash, makes stolen data useless. But it has shortcomings of its own.
“As we saw with Apple Pay, while tokenization wasn’t compromised, it was about social engineering to gain credentials to put real cards on fake phones to use those to make purchases. Tokenization worked as planned, but fraud happened somewhere else,” he said.
Next, 3-D Secure adds an extra layer of security, like a password or PIN. But one of the downsides is that it adds complexity and inconvenience in terms of the customer experience.
Finally, behavioral analytics makes and assists authorization decisions. It starts from the premise that fraud will always occur in one place or another.
“For example, if you have a balloon and fill it with water, and you grab the balloon anywhere, you cannot grab the water inside – it just moves around to different locations. Behavioral analytics mitigates damage and predicts fraud where possible, but overall it operates with the understanding that fraud is always occurring.”
Webster then asked, are things like device forensics bundled under behavioral analytics?
Somewhat, responded Rand-Nash, specifically with regards to device identification.
“There’s something we call behavioral device ID, which is focused on verifying, validation and authentication of devices based on a number of parameters to create profiles for devices.”
“How would you address multi-factor authentication?” asked Webster.
That, said Rand-Nash, seems like something more for the 3-D Secure methodology, with things like one-time passwords for banks. While sometimes that’s good, he said, for customers, that can really detract from the seamless experience of purchasing.
Next, Rand-Nash pulled up a poll question for the audience, asking viewers to indicate the effectiveness of each of the following technologies at reducing card fraud and data security issues: tokenization, 3-D Secure, and behavioral analytics.
The results showed that 47 percent of audience members who voted thought tokenization to be most effective, 32 percent voted behavioral analytics and 18 percent voted 3-D Secure.
That was surprising to Rand-Nash. When he asked merchants the same question, results (shown above) were slightly different. Most saw the value in behavioral analytics first, then tokenization, then 3-D Secure.
BEHAVIORAL ANALYTICS LEGACY APPROACHES
In the past, behavioral analytics solutions in the marketplace involved the following:
Business Rules: Experts write rules based on past experiences with fraud to identify risk.
Data mining & neural networks: Looking at past sets of training data to identify fraud using mathematical models.
But in the context of CNP, explained Rand-Nash, the applicability for each of these breaks down.
“While these approaches are good at identifying past elements of fraudulent behavior, they tend to apply the same logic to all cards, merchants and devices, and that starts to devise things like false-positives,” he said.
In addition, they are built on past fraudulent behavior. Because they are pattern recognition models, they may be able to recognize past behavior when it recurs, but they are not good at identifying behavior that changes.
“With CNP fraud, fraudsters’ methods are continuously evolving. By the time you identify a new pattern and have a set of experts write up rules to test it, the fraudsters have moved on and are looking for new methods,” noted Rand-Nash.
These legacy approaches also require a lot of resources, both in the time spent implementing them (a 12-15 month process) and in the cost of the equipment or databases they require. They also deliver poor results, with an average of 18 percent CNP fraud decline rate and 5 percent CP fraud decline rate.
“Existing approaches in the marketplace alone are not enough.”
Enter: Brighterion’s solutions. The company, explained Rand-Nash, takes a comprehensive approach to fraud protection and prevention. First, it uses unsupervised learning. By contrast, supervised learning is when one can identify or label the type of behavior one is trying to recognize (like past instances of fraud). Once the behavior is labeled, artificial intelligence models are trained to spot this behavior in the future. Most of the AI methods mentioned earlier – neural networks, data mining – fall into the supervised learning category.
With unsupervised learning, models need to automatically identify key features of data that could be indicative of CNP fraud behavior. No transaction is labeled in advance. For example, models automatically cluster similar types of merchants with certain behaviors.
Brighterion uses this method to enrich its incoming transactional data – and to identify frequent and infrequent behavior through techniques like clustering. This approach is good for automatic data enrichment and feature identification.
Brighterion also uses an optimized, multi-dimensional profiling engine. The company performs real-time and long-term profiling of every entity in the system.
“As people, we think of an entity as a credit card or merchant, but with our solution, entities are any characteristic of the data that gives us insight into fraudulent behavior. That goes beyond cards and merchants to geographic regions and periods of time,” said Rand-Nash. “Once we create the entity, we create virtual smart agents that track their behavior over time, all in real-time.”
With behavioral profiling, Brighterion also uses adaptive learning – its solutions learn the behavior of every entity in the system over time. Brighterion can monitor behavior in real time, and detect and stop previously unknown fraud schemes as they occur. The model, said Rand-Nash, has the longest lifespan of those on the market.
Finally, a real-time behavioral device ID helps monitor and profile mobile devices and computers over time, as the world of online and offline shopping blurs. That, said Rand-Nash, will become more important as mobile payments become more widely used.
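An added illustration of the contrast drawn above between a legacy rule that applies the same logic to all cards and per-entity behavioral profiling with adaptive learning; it is not Brighterion's code or method. The exponentially weighted profile, the thresholds, the card names and the amounts are all assumptions constructed for this example.

```python
import math
from collections import defaultdict

GLOBAL_LIMIT = 500.0  # assumed legacy rule: flag any amount above this, for every card
ALPHA = 0.2           # assumed weight given to the newest observation
Z_THRESHOLD = 4.0     # assumed deviation (in std devs) that counts as anomalous
WARMUP = 5            # assumed number of observations before a profile is trusted

class EntityProfile:
    """Running mean/variance of amounts for one entity (card, merchant, ...)."""
    def __init__(self):
        self.n, self.mean, self.var = 0, 0.0, 0.0

    def score(self, amount):
        """Deviation of amount from this entity's own history, in std devs."""
        if self.n < WARMUP:
            return 0.0
        # Floor the spread (assumed: 5% of mean, min 1.0) so steady spenders don't over-trigger.
        std = max(math.sqrt(self.var), 0.05 * abs(self.mean), 1.0)
        return abs(amount - self.mean) / std

    def update(self, amount):
        """Adapt the profile; exponential weighting lets behaviour drift."""
        self.n += 1
        if self.n == 1:
            self.mean = float(amount)
            return
        delta = amount - self.mean
        self.mean += ALPHA * delta
        self.var = (1 - ALPHA) * (self.var + ALPHA * delta * delta)

def evaluate(transactions):
    """Return (ids flagged by the global rule, ids flagged by per-entity profiles)."""
    profiles = defaultdict(EntityProfile)
    by_rule, by_profile = [], []
    for txn_id, card, amount in transactions:
        if amount > GLOBAL_LIMIT:
            by_rule.append(txn_id)
        profile = profiles[card]
        if profile.score(amount) > Z_THRESHOLD:
            by_profile.append(txn_id)  # anomalous: do not learn from it
        else:
            profile.update(amount)
    return by_rule, by_profile

# Constructed sample data: card A usually spends ~$20, card B usually spends ~$900.
SAMPLE = [(f"A{i}", "A", a) for i, a in enumerate([18, 22, 20, 25, 19, 21, 300])]
SAMPLE += [(f"B{i}", "B", a) for i, a in enumerate([900, 950, 880, 920, 940, 910, 960])]

if __name__ == "__main__":
    print(evaluate(SAMPLE))
```

On this sample the global rule flags every one of card B's routine purchases and misses the $300 charge on card A, while the per-card profile flags only that charge.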
BRIGHTERION CNP IN ACTION
A question that came in from the audience asked about how Brighterion’s CNP fraud solutions work with ACH transactions, stored value cards, and things other than credit and debit cards.
“For the merchants and banks that used these solutions, the intelligence that’s gathered is spread and shared across channels. With the single tools we’ve developed, we can secure CNP, SP, ACH, wired, etc. because of that shared intelligence,” said Rand-Nash. For example, for one business customer now, Brighterion started off providing them with money laundering solutions, but has since moved into offering credit risk solutions, chargeback prevention and more.
Brighterion has supported clients in Germany, Brazil and Canada while those markets adopted and rolled out EMV. According to Rand-Nash, it currently scores billions of transactions in real time for hundreds of millions of cardholders worldwide, and has seen 75-95 percent CNP fraud detection improvements.
Webster then asked, how are Brighterion’s solutions implemented in just 6-8 weeks?
Brighterion is able to implement its solutions in such a short time partly due to its experience, but overall, the secret sauce comes down to the automation of these processes, Rand-Nash said.
“In our case, we have the technologies and algorithms that enable us to automatically identify and start tracking and building features.”
“So how does all of this work together, if you think about the portfolio of solutions that issuers and merchants are currently contemplating or investing in? When you have conversations with them about the prioritization of something like this versus tokenization in particular, how do you help them understand where this fits?” asked Webster.
Brighterion’s solution is complementary to a more holistic, layered solution, said Rand-Nash. It’s not built to replace one or the other, but it recognizes that some of these methods are not ready for “prime time,” as in the case of tokenization, for example.
“Our solution is fitting for merchants and issuers that want a seamless and invisible solution. It recognizes that fraud will occur no matter what, and we need to identify it as quickly and as much as possible, while also reducing instances of false positives,” he said.
“It’s an integral part of that multilayered approach – but no matter what we do, there will always be fraud.”