It’s October 1. Everyone who’s anyone in payments knows that the EMV liability shift is upon us, unless they’ve been living under a rock.
Michael Reitblat, CEO & Co-Founder of Forter, and his team sort of have been living under a rock — but with a purpose. His company — with its roots in Israeli military intelligence — has spent years exploring the darkest corners of the Internet, learning all there is to know about how fraudsters operate. Reitblat’s philosophy is as simple as it is effective: If you want to catch the fraudsters, better go where they hang out. That philosophy and process means that Forter has both the insight and the knowledge base to predict criminal activity in the payments space that – with the shift to EMV – will now move online.
Reitblat emerged from the shadows to share with MPD CEO Karen Webster all that his company has learned while “undercover” among the cybercriminals, and why Forter is able to offer a “fraud-free” payments environment that makes the consumer experience even better than it is today, as this new era of fraud begins.
KW: With the EMV liability shift upon us, everyone is now focused less on securing the physical point of sale, and more on what to do about online fraud. What’s your perspective on why online fraud will increase now that EMV is here in the U.S.? Isn’t fraud online low today and doesn’t that imply that we aren’t as smart as your average cybercriminal?
MR: The answer to that really comes down to who are the perpetrators of the crime. The fact is that a majority of the people perpetrating fraud are professional criminals. They make their living entirely from fraudulent activity.
Because of chip and PIN, or whatever chip implementation there is in the card, they now will have difficulty copying the physical card. So if they want to continue their criminal enterprises, they have to move somewhere else — to online, where it is easier for them to get money. We’ve seen that in every market that has introduced any kind of EMV standard: Europe, Australia, Canada, and so on.
I’m not sure that fraud online is manageable today. I think a lot of people underestimate the damage that it causes to their business, because they only focus on how much money they’re losing from fraudulent chargebacks and not its effect on the entirety of their business. I agree that after EMV implementation fraud will get worse, but I don’t think that we should accept the online fraud levels today as sufficient — I think it’s far from it.
When we look deeper into the industry numbers regarding retailers we’ve already worked with, we see dramatic losses incurred due to fraudulent activities leading to customers being served with very bad experiences as they try to tighten up security and/or turning away from businesses entirely.
KW: How do you help change that direction?
MR: The first thing we want to do is restore the balance. We think that retailers should be retailers, and fraud professionals should be fraud professionals. Everyone needs to focus on their strength, which can eliminate the internal tension born of engaging in business activities that are riskier – by simply “outsourcing” it to someone whose strength it is.
We can’t eliminate fraud altogether, but we can create a completely fraud-free environment for the retailer through which they can make decisions solely based on what’s good for their business. This can be achieved by shifting all of the fraud-related liabilities, damages and operations to us. We handle all of their online transactions and give them real-time yes/no answers. For everything we say “yes” to, if anything goes wrong, we take the hit financially.
KW: So you better be pretty darn good at detecting suspicious activity. How do you get to that place?
MR: We’ve been dealing with the problem in various incarnations for more than 15 years. We started in military intelligence, catching not fraudsters but terrorists or criminal organizations moving money for weapons deals and the like.
We got very good at tracing malicious intent within activities that otherwise appear legitimate, and we adopted that practice to online fraud prevention in a different company called Fraud Sciences, which was acquired by PayPal. Through PayPal, we gained another level of education.
In the last three years we’ve been working on Forter, which we believe is the best fraud prevention product we’ve ever created. It’s all been built on learning how fraudsters act and being able to predict their behavior.
There’s a common belief that if something is suspicious in a transaction, it must be fraud. We want to shift the thinking back towards “innocent until proven guilty.” The world is changing, and while some consumer behavior might look strange to someone who’s got a perspective rooted in the past, we are able to apply a more contemporary understanding that can recognize it as actually legitimate.
KW: One of the things that is very unique about your approach is your view that there isn’t a single profile of the fraudster — that there are many different types, some more dangerous than others.
What do retailers underestimate the most about cybercriminals and their activities? Is there something that most people miss that you, because of your experience, know for certain is dangerous?
MR: There are two things they tend to miss.
First, retailers underestimate how easy it is for some professional fraudsters to create a complete identity. There’s a misperception that if it’s a domestic transaction, and the shipping, billing and IP address are all within close proximity, then it’s legitimate. But it’s so easy now to get an IP address or a proxy server close to the location of the credit card using a self-selected ZIP code, creating a complete fake identity with a physical location and a digital footprint is simple.
The second thing retailers tend to underestimate is how quickly fraudsters can exploit a newly discovered weakness. We saw several examples in different places where everything appeared fine; the fraud levels were at an acceptable rate for the particular retailer. All of a sudden, a group of fraudsters found a way to penetrate, and they attacked for several days, using an array of different identities to create a massive hit on that business…and then they disappeared.
KW: You obviously glean a lot of insights by putting yourselves in the shoes of the fraudsters, to understand them and anticipate their behavior. Are there particular areas where you anticipate problems occurring as we move to a world where the incidence of online fraud is likely to spike?
MR: The first thing that will happen — which people probably underestimate — is that there will be far more domestically originated fraud than before.
There are a lot of people in the U.S. that make a living copying cards. With the chip implementation, that’s going to almost disappear entirely — so those same people will now start trying their luck online.
Previously, most of the successful attempts in online fraud in the U.S. were based outside of the country — Eastern Europe, Africa, Southeast Asia and places like that. Now, however, there will be more domestic attempts. We saw the same pattern after Western Europe, Australia and Canada implemented EMV. We need to challenge the popular opinion that less online fraud occurs in domestic transactions.
The dominant approach to fraud prevention today still relies heavily on rules derived from common knowledge. That keeps it focused on international transactions, or digital goods transactions, or past instances of fraud. It’s interesting for us to see, as we start working with a new customer, all the rules in their system that are based on what happened to them in the last two to three years. The biggest impact of relying on such an outdated rule set is on good buyers that are turned away.
KW: In addition to expecting more domestically originated online fraud in the U.S., what are some other insights and observations that you can share?
MR: A lot of aberrant things that are happening are not necessarily EMV related, but retailers will need to adjust to them at the same time.
Firstly, we see a greater desire on the part of retailers to move to quick fulfillment. Following the Amazon model in that regard is great for the consumer but, for the retailer, quick fulfillment cannot be effective if it relies on manual authentication or is held up by regarding large swaths of customers as suspicious. That negatively impacts buyer satisfaction.
Secondly, as mobile transactions continue to increase, retailers will encounter the problem of old tools no longer working in the mobile space. They need to adapt. Additionally, they can’t ask buyers to type in the same amount of details that they do on Web-based browsers. It needs to be condensed and made a faster process for mobile.
KW: Authenticating the consumer is widely perceived as the silver bullet, but there are many theories as to how to do that effectively. What have you learned in that respect from the testing you’ve conducted?
MR: Our perspective is that there actually is no silver bullet in fraud prevention, because fraudsters are so adaptive. Authenticating the consumer is a necessary part of the solution, but it cannot be relied upon solely.
There’s no catch-all solution that I can recommend for retailers in general, because effectively protecting against fraud is dependent on the specifics of the retailer’s business — what products are being sold, how their fulfillment works, how their customer service works, and what they’re trying to achieve.
If the marketing and product arms of a company — particularly a smaller one with limited resources — decide that what’s best for business is to focus on the customer experience first and worry about risk later, then that’s what they should do. That’s where a company like Forter can help: no matter what might happen down the line, they’re covered.
I would suggest that payment innovation in the retail space needs to be shifted into the hands of the product and marketing and conversion people, not left up to payments and risk people specifically. More ideas being offered can lead to more effective solutions.