News about recent cyber attacks, especially on some of the biggest FIs boasting “rock-solid” security, has been nothing short of unsettling. Revathi Subramanian, Senior Vice President, Data Science at CA Technologies, recently sat down with MPD CEO Karen Webster to talk about why these attacks continue to happen and what measures must be taken to detect them more effectively, all while preserving a seamless process for consumers.
KW: We’re here to talk about the news that is being made with respect to the cyber attacks on many FIs that are household names. It’s a little scary and unsettling to hear that gigantic banks like JP Morgan Chase have been penetrated by the cyber criminals. How is that even possible?
RS: We probably can’t prevent these attacks 100 percent of the time, but we can certainly do a lot better than what we’re doing now. The reason I say this is that all of the information and technologies available are not necessarily being put to use when it comes to authentication systems.
When you look at two-factor authentication, not many people use it. It’s kind of annoying – customers don’t like it and as a result, financial institutions don’t always use it. That’s because it has become an all-or-nothing solution. However, if it’s used sparingly, it will be a more effective solution.
For example, when someone tries to break into an iCloud account or get into a system, businesses gather information on how they’re trying to break in, and if it looks very suspicious based on advanced analytics, following up with two-factor authentication is likely to be much more effective than if it’s all-or-nothing where businesses try it and customers get annoyed, so they turn it off. That’s where a breach situation occurs.
All of the information that flows through in terms of cyber-security is not being used intelligently to determine the problematic break-ins. And in gray areas where there is high suspicion that something is going wrong, potential fraudsters should be put through an additional hoop so data is harder for them to get to. Those techniques will really have a huge impact in the security space.
KW: What I find ironic is that at a point in time when we’re focused on making the experience more seamless, consumers may welcome the friction in order to feel like they’re being protected. How do you use analytics in a way that creates that necessary balance?
RS: I think it can be done very effectively using analytics. The reason for that is that analytics has the ability to take a gate that you have for all of the customers and make it a harder thing for them to pass for a very small percentage. What I mean by that is, let’s say that you have a password-based entry, and based on what you observe, you decide either to use two-factor authentication or you shut them out. If it is used sparingly, I think customers won’t find it annoying but rather a means to create a more secure environment.
Way back 20 or so years ago when analytics-based systems were introduced for detecting fraud, instead of the consumer getting a call after the fraud occurred, the fraud departments would call immediately and ask if the consumer made that charge. That really had a huge impact on fraud overall with respect to payments. If you look at authentication now, at least based on what I’ve seen, it’s kind of a one-size-fits-all. If businesses put into effect a more granular type of decision making, I think the customer experience or friction won’t be that high, and at the same time the customer will be protected.
Again, we’re not talking about a solution that completely prevents risk, but rather drastically reduces it. And that can be done very effectively. My pet peeve is that all of the information that’s available is not being used effectively in the most intelligent fashion.
KW: So why isn’t the data used effectively?
RS: That’s a question for which I’ve been seeking an answer for some time. There’s tremendous opportunity here, but for some reason it’s being viewed as a software solution. We just come up with better authentication methods that put the power in the hands of the consumer in terms of what they want to do – so if the consumer turns out to be a fraudster, the result isn’t a good one. We don’t necessarily use data in an intelligent way, instead putting brute force to it first, and when it doesn’t work, that’s when we use the data intelligently. That’s been my observation after being in the industry for the last 20 years or so.
I think there’s a real need for this here and now, and I hope that we can make solutions that are better for the consumer.
KW: So what tools are available for FIs to protect themselves and cardholders against fraud? I imagine the toolbox you would give them a decade ago is much different than the one you’d give them today.
RS: Specifically talking about cards, I would say that a really good authorization and fraud detection system is needed, and on the internet side of things, really making sure to gather a lot of information while the transaction is happening. 3D-Secure provides a way for merchants to do that very effectively.
This all also depends on the merchants – they must sign up for it in order for issuers to be able to do this with the transaction. But to the extent that merchants are allowing this, it’s important to intervene and gather as many attributes as possible for each transaction. On the authorization side, there are probably a dozen or so tiers that can be collected, and on the authentication side, there could be 4-5 dozen characteristics. Having the solution to examine all of this is key, and the combination of knowing what time the purchase was made, what the device ID was, and what sort of purchase it was is a must.
Then, for any other online transaction, it’s important to collect all of that information and combine it to reveal a complete picture of what is happening with respect to the consumer.
KW: It would seem to be a lot easier to commit fraud today because there are so many ways to approach the problem set. Is that an accurate statement?
RS: I certainly think so. If you look at how fraud has progressed in the last 20 years, that seems to be the case. Early on, a lot of it was opportunistic – a consumer left their card somewhere and a fraudster takes it and decides to make a few transactions. Now, all the fraudsters need is the PIN number and an expiration date. It’s easier to commit and to never be found. Institutions are now less focused on finding the fraudster and more focused on making sure they don’t get hit by fraud. I really question how many fraud episodes actually result in the fraudster getting caught – there are fewer repercussions nowadays.
KW: We now read about data breaches daily – consumers that I talk to seem numb to it all. They actually almost expect to read about it every day and the shock value has worn off. Do you find that to be the case?
RS: Absolutely. We’ve also started looking at fraud as just part of the cost of running a business. The institutions have a lot of data and business coming their way, so they’re focused on making sure their door is shut properly so fraudsters don’t have access to their data instead of making sure the fraudster is caught and put behind bars when a breach does occur.
KW: Cybercrime is truly a business – it’s very decentralized and has a complicated supply chain. It isn’t a couple of guys stealing cards out of people’s pocketbooks and wallets. It really creates a lot of challenges in identifying the perpetrator.
RS: That’s absolutely correct.
Senior Vice President, Data Science, CA Technologies
Revathi Subramanian is Senior Vice President, Data Science at CA Technologies. She is the founding member of a team of high caliber data scientists that are uncovering business value and operational intelligence from the chaos of Big Data in areas like eCommerce, application performance management, infrastructure management, service virtualization and project management. Her team is at the forefront of using analytics to combat card not present fraud and has developed patent-pending technology in this area. She is the author of the book “Bank Fraud: Using Technology to Combat Losses” which describes fraud detection and prevention strategies from a technological perspective, helping users define their data and analysis environments correctly from the beginning, so that the best possible results can be achieved by their fraud management systems.
Before joining CA, Revathi was the co-founder of the SAS Advanced Analytics Solutions Division in 2002. She led the development of a new enterprise real-time fraud decisioning platform utilizing advanced analytics. Over the next ten years, she and her team added the name of SAS Institute to the world of real-time analytics solutions. Revathi is credited with multiple patents and some groundbreaking and innovative real-time scoring technology in fraud and risk management. Prior to joining SAS, Revathi held various leadership roles in HNC Software, acquired by FICO in 2002, and built highly innovative transaction-based credit risk, attrition risk, and revenue/profit forecasting systems.
Revathi has a Master’s degree in Statistics from the Ohio State University and a Bachelor’s degree in Mathematics from Ethiraj College, Chennai, India.