Real-time data. Online social networks. Real-time payments. For the fraudsters, it’s all a match made in heaven.
Once fraudsters understand a payment system’s vulnerabilities and loopholes, they share it in their networks (even on social media), and coordinated large-scale attacks ensue. The bad actors can siphon away huge sums of money, cashing out before anyone can stop them.
“It’s surprising how fast things can propagate,” Xie said.
The traditional fraud-fighting approaches, governed by predetermined rules — even manual review — are too slow and don’t give enough granularity into what’s really going on. Xie noted that within financial services, fraud analysts look at past attack patterns and test static rules designed to differentiate attackers from legitimate users — and then code it all into a system. Privacy rules governing data sharing between providers and financial institutions (FIs) can (unintentionally) hobble banks’ ability to share information about threats.
The result of all this is a piecemeal approach to battling the fraudsters. Financial services firms, all too often, make the mistake of launching a new product or service, and once those offerings are attacked, they “pull” the service, patch up the vulnerabilities, and then go to market again.
“This is hugely damaging to the reputation of the firm, and to any momentum of a launch,” said Xie.
The holiday season looms as a particularly challenging period, she said, as many financial services providers will be busy launching new promotions and products to keep consumers engaged and spending.
Education helps, where staff within the FI and end users need to be reminded time and again to double check before sending payments. Business email compromise (BEC) scams are on the rise, for example, and so are social engineering attacks. Two-factor authentication is no longer adequate when so many of us are duped by sophisticated phishing schemes.
“From a service provider perspective, we all have to work together to stop these attacks from happening,” Xie said. “And we have to leverage technology solutions to support that.”
The Mindset Shift
The move to a real-time, tech-driven approach to fraud prevention demands a mindset shift, said Xie. FIs must assume they’ll always be under attack, and they must expect they’ll be the victims of fraud. That level of hyper-vigilance can help improve the actual design and development of new product features.
“Fraud should not be an afterthought,” she said.
In a world that’s moving toward real-time payments — where instant settlement means instant monetization for the criminals — real-time defense mechanisms, powered by artificial intelligence (AI) and machine learning, are critical. Xie said those fraud-fighting systems are not constrained by pre-determined rules, and are, by nature, flexible.
Unsupervised machine learning gives rise to a proactive approach to fraud fighting and adapts as fraud attacks evolve, she said. There are only milliseconds in which to react, and FIs need to quickly make decisions by looking at a broad range of different attributes and data and come to a decision. Solutions such as DataVisor’s dEdge generate unique device IDs and compute fraud scores.
That data can, and should, include device-level and consumer-level information, said Xie, leveraging thousands of data points to form a portrait of what “typical” behavior is, even as fraudsters launch large-scale attacks before they become devastatingly effective.
“If we put the technology in place that can look across all of these transactions, across the different user profiles,” she said, “as we see new fraud rings, we can put a stop to it.”