Transaction Monitoring: Bracing For The Aftermath Of The Equifax Breach


Fraudsters’ methods are always changing. That means, try as they might, banks and financial institutions will never be able to keep all of them at bay. However, Dan McKenzie, Fiserv’s North America director of business development, says keeping fraudsters out isn’t the most important part of protecting customers — it’s catching the bad guys once they’re in, before they make off with customers’ money or sensitive data.

In fact, McKenzie feels transaction monitoring is so critical it should be the cornerstone of any good fraud strategy. That is especially true, he said, in light of the recent data breach at Equifax, which compromised sensitive data belonging to 143 million of the credit scoring company’s customers earlier this month. McKenzie dug into the whys and hows of it with Karen Webster during a recent interview.

“You know the most about a transaction just before those funds are about to leave the organization,” McKenzie explained, adding if there’s a right time to make a risk determination, that’s it.

But, as Webster noted, the determination has to be made quickly. Authenticating should not interfere with a good customer’s transaction, although there is some comfort to be had when one’s bank requires further authentication to send an unusual amount or transact on a different device than usual, she noted.

As faster payments become less of a luxury and more of an expectation, banks are being put in the position of needing a real-time system to evaluate and deliver a risk score, McKenzie said, something much faster than a manual review process. At the same time, human discretion will be needed at some points when the automated system throws up a flag on certain transactions.

As such, institutions must educate both the artificial and organic intelligences in their ranks to put up a good fight against fraudsters, he concluded.

How Good Are The Stolen Goods?

“My motto is ‘Don’t send money to known fraudsters,’” said McKenzie. “It sounds easy, but sometimes it’s very, very difficult to do if you’ve got wire rooms all over the country and all over the world.”

That’s because fraud is a business now. On the dark web — a section of the internet which can only be accessed through special software and is used by criminals to conduct illicit activities — there is a whole marketplace dealing in stolen credentials, and you better believe the data stolen in the Equifax breach will show up there sooner or later.

Not only are many, many fraudsters buying and selling many, many points of customer data, but they are also recycling many of those points, sometimes for as long as a decade, McKenzie said.

The most valuable items are static identifiers like driver’s license and Social Security numbers, which can’t be easily changed. Unfortunately, the Equifax hackers gathered quite a lot of this type of information. McKenzie noted the industry will be feeling the effects of this breach for a very, very long time, with some of these shelf-stable credentials not even appearing on the market for another two years. Banks need to brace themselves today for when that inevitably happens, he said, because when it does, there’s going to be a spike in social engineering attacks.

Other identifying information can be changed quickly and easily, meaning credentials like phone numbers and addresses go stale pretty quickly in the market. Anything the Equifax hackers gained in this category, they’ll probably want to sell pretty quickly, McKenzie predicted, since the value of those credentials will only depreciate with time.

Banks’ First Line Of Defense

McKenzie explained that data is the key to keeping customers and their assets safe. There are several types to look for, and tracking as many of these as possible is just “good hygiene,” he said.

Known bad data has been used by fraudsters in the past, either against the organization directly or against others who have reported the incident to third parties. More data is better, according to McKenzie, and leveraging data from external parties such as investigators, credit bureaus and the National Cyber-Forensics and Training Alliance (NCFTA) lets banks learn from each other’s mistakes.

Device data is gathered each time a legitimate customer conducts a transaction. If a fraudster tries to pose as that customer, it may be possible to detect the fraudulent activity by noting it is not coming from the customer’s usual device, or that the IP address looks right but the location is wrong.

Finally, customer data includes the length of the customer’s relationship with the institution and whether they have made any recent changes to their account — data that could be collected from a call center, McKenzie said. Getting 20 phone calls in a week from a customer who has never called support before can be a red flag by itself, but if those 20 calls were followed by an account change — such as changing the ACH beneficiary account information — then it is definitely a good idea to take a closer look.

This is one of the consequences McKenzie expects to see from the Equifax breach. With a Social Security number, driver’s license number, phone, email and home address on file, it would not be very hard for a fraudster to pose as a legitimate customer and gain access to someone’s finances, he explained. This would be done in the same way fraudsters’ predecessors would have pretended to have moved and asked to be mailed a new credit card.

To Webster — and probably anyone with a bank account — the new threat is a lot scarier than the old one.

“Compromising a credit card is one thing, but draining your bank account?” Webster said. “That’s something different.”

Alternative And Organic Intelligence Required

McKenzie believes banks need two lines of defense: the automated, artificial intelligence (AI) line, which should let through around 90 percent of transactions without introducing any additional friction or authentication, and the manual, human intelligence line, whose job it is to review any transactions that raised the AI’s alerts.

The important thing here, McKenzie believes, is not which brand of AI the bank uses, but how much data they feed it.

“All vendors say their AI engine is the best, but it almost doesn’t matter,” he said. “If you can get more data into it, then you’ll get a better outcome than with a fancier algorithm. It all depends on the data and the problem you want to solve to determine which model will work best.”

When building the AI model, banks will want to include not just two or three dimensions of rules, but thousands — to the point that mapping on any kind of physical chart would not make sense to the human eye, McKenzie said. As the machine works through the data, it will group people who exhibit like behavior. This is called “segmentation” and it helps the system identify outliers, which are more likely to be fraudulent.

The automatic system should also engage in predictive modeling, projecting the future based on historical data. This is how the AI learns. Predictive modeling pushes key factors to the front — including qualities such as income and age, for example, if those were determining factors of a certain behavior — and determines a mathematical value for those factors. That’s the “score.”

Then, when passing along manual cases to the human intelligence team, it is critical to give investigators all the information they need. That includes not just the AI-generated score, but also risk factors and rules that contributed to that score and historical data from the customer to help point them in the right direction.
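The call-center red flag described earlier (a burst of support calls followed by an account change) and the advice to hand investigators the contributing factors along with the history can be combined in one rule. The sketch below is an added example, not Fiserv's or any vendor's code; the event layout, field names and sample records are constructed assumptions, and only the 20-calls-in-a-week figure comes from the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(days=7)  # "in a week"
MIN_CALLS = 20              # call volume used in the article's example

def build_cases(events, window=WINDOW, min_calls=MIN_CALLS):
    """events: (customer_id, iso_timestamp, kind, detail) tuples, where kind is
    'call' or 'account_change' (hypothetical layout). Returns one review case
    per account change that follows a burst of support calls."""
    calls, changes = defaultdict(list), defaultdict(list)
    for cust, ts, kind, detail in events:
        bucket = {"call": calls, "account_change": changes}.get(kind)
        if bucket is not None:
            bucket[cust].append((datetime.fromisoformat(ts), detail))
    cases = []
    for cust, cust_changes in changes.items():
        for when, detail in sorted(cust_changes):
            prior = [t for t, _ in calls.get(cust, []) if t <= when]
            burst = [t for t in prior if t > when - window]
            if len(burst) < min_calls:
                continue
            earlier = len(prior) - len(burst)  # call history before the burst
            # Reasons travel with the case so the investigator sees why it fired.
            reasons = [f"{len(burst)} support calls in the {window.days} days before the change",
                       f"account change: {detail}"]
            if earlier == 0:
                reasons.append("no support calls on record before the burst")
            cases.append({"customer": cust, "changed_at": when.isoformat(),
                          "prior_calls": earlier, "reasons": reasons})
    return cases

def sample_events():
    """Constructed sample data, not real records."""
    start = datetime(2017, 9, 18, 9, 0)
    ev = [("cust-A", (start + timedelta(hours=6 * i)).isoformat(), "call", "support")
          for i in range(20)]
    ev.append(("cust-A", (start + timedelta(days=6)).isoformat(),
               "account_change", "ACH beneficiary account updated"))
    # cust-B calls occasionally and then changes an address: below the threshold.
    ev += [("cust-B", "2017-09-01T10:00:00", "call", "support"),
           ("cust-B", "2017-09-20T10:00:00", "call", "support"),
           ("cust-B", "2017-09-21T10:00:00", "account_change", "mailing address updated")]
    return ev

if __name__ == "__main__":
    for case in build_cases(sample_events()):
        print(case["customer"], case["changed_at"], case["reasons"])
```

In practice the thresholds would be tuned per institution, and the case record would sit beside the model score rather than replace it.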

Words Of Caution

The top risks McKenzie says to look out for in the days ahead are social engineering and credit card applications. He predicted fraudsters will assign bots to go through the stolen Equifax data and pump it into online credit card applications. He urged banks to pay attention to the sources of their applications and to be on the lookout for the same credentials applying for a hundred thousand cards or similar anomalies.

Invest in a data strategy, McKenzie says. Data is where budget dollars should be going — and again, having the shiniest robot to process it is secondary. In particular, do make the effort to collect data from call centers so unusual contact and activity requests can be used to back up decisions around fraud, he said.

Finally, McKenzie recommended watching demographic data closely. A fraudster may change information weeks or months in advance so the money will go to a different location when the transaction is finally completed.