Presented as a session at the NRF Protect 2015 conference.
With EMV migration coming up, many retailers mistakenly think that they should no longer worry about fraud. But the reality is that while solving many crucial weaknesses at the point of sale, EMV does not assist with Card Not Present transactions. In fact, since fraudsters will still try to make a living somehow, EMV migration might make things worse for online retailers. The good news is that while fraudsters are fast, so is technology. This presentation provides knowledge about the changing behavior patterns of fraudsters and a practical guide on how to be prepared for the upcoming post-EMV fraud tsunami, while balancing between loss prevention and user experience, without letting the fear of fraud create a spike in false positives or result in an over-conservative policy.
5. NOT REALLY.
1 Being a fraudster is a profession. EMV won’t make them disappear
2 Fraudsters look for the weakest link; EMV doesn’t protect Card Not Present transactions
3 EMV migration will cause organizations to be slower and less efficient than before
4 E-commerce will continue to grow
5 Crime as a service: even fraudsters with low technical abilities can commit fraud online, lower barriers to entry
6. FRAUD TO SPIKE 40-50%
In the 2 years following EMV migration
Research
14. FRAUD IS CHANGING
So should your fraud prevention
1 Crime as a Service: Dark-net marketplaces enable a sophisticated fraud ecosystem
2 Abundance of Stolen Data: 2014’s massive data breaches flooded the market with high quality cards
3 Traditional Practices Are No Longer Enough: Fraudsters are quick and agile; methods that used to be the holy grail of fraud prevention can no longer get the job done
4 Fraudsters Are Paranoid: After Silk Road’s demise, fraudsters have become vigilant about operation security
5 Fraud is Global: Wherever there’s internet, there’s the opportunity for CNP fraud
6 Hardware is Commoditized: Hardware is cheaper than ever, so fraudsters can burn through it & never look back
16. MANUAL REVIEWS
81% of merchants review orders manually
52% of fraud budget is used for manual reviews
20+ MIN per manual review, for over 20% of merchants
Source: Cybersource Online Fraud Report
17. BEHAVIORAL ANALYSIS
Automating manual reviews
Predicting people is not like predicting the weather
Nuances and patterns extracted from a user’s online behavior enable comparing and benchmarking against expected behaviors, adding a whole new dimension of knowledge.
19. FALSE POSITIVES | Definition
A "false positive,"... arises when fraud detection software blocks your card because the card has been identified as the vehicle of potentially fraudulent activity when it isn’t
~ Tech Republic
20. FALSE POSITIVES
$40 BILLION
lost every year due to unnecessary red flags
and transaction blocks
Source: Trust Insight, Measuring Consumer Attitude on CNP Credit Card Declines Report
21. FALSE POSITIVES
OVER 70% of merchants believe that UP TO 10% of rejected orders are actually valid
BUT THE ACTUAL RATE IS ESTIMATED AT ABOVE 40%!
Source: Cybersource Online Fraud Management Benchmark Study (N. American edition, published 2015), Ethoca research 2015
22. FALSE POSITIVES
NEARLY 20%
of consumers who experienced a fraud-related decline
had no future spend 6 months after the decline event
Source: Trust Insight, Measuring Consumer Attitude on CNP Credit Card Declines Report
23. FALSE POSITIVES - CAUSES
Processor rules and red flags
Tools that require hard coding
Outdated rules
Manual reviews: bias
30. EXPERT KNOWLEDGE
Interdependencies: What do the data points tell us?
Credit Card Type: Platinum+
Billing Neighborhood: San Jose, US
Shipping Neighborhood: Mexico (very low income)
Past Purchase Amounts: $200, $90, $80
Current Purchase Amount: $10,000
Browsing Language: Spanish
IP Type: Wireless Network
31. EXPERT KNOWLEDGE
Credit Card Type: Platinum+
Billing Neighborhood: San Jose, US
Shipping Neighborhood: Mexico (very low income)
Past Purchase Amounts: $200, $90, $80
Current Purchase Amount: $10,000
Browsing Language: Spanish
IP Type: Wireless Network
Stories Model: Mexican National Holiday Sale
Immigrant shipping to family
33. UNCOVER THE FRAUDSTER SOCIAL GRAPH
Verification and authentication of a single transaction and blacklists that are based on IP match and email match provide a very narrow view
Similarities and proximities reveal beyond the transaction
35. RECAP: WHAT TO DO
1. KNOW YOUR FRAUDSTER
2. AUTOMATE
3. DON’T PANIC
4. HUMAN BASED MACHINE LEARNING
5. SMART LINKING
37. Nominate an attendee or speaker
from this session as a PROTECT MVP.
#PROTECTMVP
THANK YOU!
Editor's notes
Quantity and quality: a rise in the fraud rate and variance in quality, with different levels of expertise. Kids who “play” with fraud and Facebook groups that distribute card numbers on the clearnet burden the system; in analyst-based systems this takes a lot of resources. Above that are high levels of sophistication: uber-sophisticated fraud.
1. Crime as a service: While POS fraud is based on networks and many people who do the dirty work, CNP fraudsters no longer need to be part of an organized crime organization; they have a full suite of services available for affordable prices.
Remote desktops: an IP wherever they want, $30 a month, unlimited IPs, screening abilities. They can buy bundles of credit cards, sort them according to banks and zip codes, and focus on geographies. Huge masses of data are available for sale, along with the ability to call the bank and commit full account takeover, so the card owner loses control of the address.
Shipping address as a service: to send something close to the billing address.
Knowledge-based economy: how-to guides for $5, how to spam PayPal accounts… how to disguise…
Stolen data – anything is available on the darknet, depends on what you’re willing to pay. The fraud rate among elite cards is twice as high as standard corporate cards. Fraudsters tend to think that these cards have better credit lines, better acceptance, so they would pay more for these on the darknet.
AVS and CVV are the most common and trusted methods for fraud prevention among large merchants. Relying on these methods in 2015 won’t get the job done. When a fraudster purchases card numbers in the darknet, in most cases he will purchase the CVV along with it. So that becomes irrelevant.
AVS manipulation:
Change details at the bank: if you pay $5 per card you get the mother's maiden name and you can change details at the bank.
AVS takes the zip digits and address digits; the fraudster puts in the billing AVS and ships to a different address even though the zip is incorrect.
Buy a “drop” address 2 miles from billing: abandoned buildings, people who got scammed, etc.
Travelers, reshippers
If you want to sell to travelers, reshippers, students, you need to be much better and more precise; traditionally merchants view it as high risk and flag it because of AVS mismatch.
Fraudsters are aware of the improvements in the field and are constantly watching their back. Behavioral awareness: they are aware of how anti-fraud systems work, let website accounts get old, and sell the knowledge, so the systems have to be adaptive and constantly change.
The fraud rates between 2-6 am are twice as high as between 2-6 pm. One of the reasons is that some of them have a “day job” and operate by night, but the main reason for this is that many fraudsters are located outside of the US, in opposite time zones.
Hardware has become a commodity, fraudsters can buy a mobile device for $100 to commit their fraud from and replace it so they won’t get tracked – in high ticket transactions the ROI makes sense. However the fraud rate from Android devices is twice as high as from iOS – Android is considered to be easier to manipulate
We want to do fraud prevention but we are here to protect our assets – brand, consumer engagement, growth opportunities
Automation and technology enable us to leverage models to link multiple data points and hop dynamically between them in real time; a human can never create that depth and complexity of analysis.
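
Slide 33's contrast between IP/email blacklists and linking, together with the note above about hopping between data points, shown as an added Python example that is not part of the original deck. Orders that share any attribute are clustered, so an order two hops away from a confirmed-fraud order is surfaced even though its IP and email are new. The order records, field names and values are constructed for illustration.

```python
# Constructed sample orders; every field name and value here is hypothetical.
ORDERS = [
    {"id": "A", "email": "j.doe@example.com", "ip": "198.51.100.7", "device": "dev-1", "ship": "12 Oak St. Apt 4"},
    {"id": "B", "email": "kim88@example.net", "ip": "203.0.113.20", "device": "dev-1", "ship": "9 Elm Rd"},
    {"id": "C", "email": "rsmith@example.org", "ip": "192.0.2.55", "device": "dev-2", "ship": "9 elm rd."},
    {"id": "D", "email": "ann@example.com", "ip": "192.0.2.90", "device": "dev-3", "ship": "77 Pine Ave"},
]
CONFIRMED_FRAUD = {"A"}  # order A came back as a chargeback


def norm(value):
    """Lowercase and drop punctuation/spacing so near-identical addresses compare equal."""
    return "".join(ch for ch in value.lower() if ch.isalnum())


def blacklist_hits(orders, fraud_ids):
    """Baseline from the slide: exact IP or email match against known-fraud orders."""
    bad = {(k, o[k]) for o in orders if o["id"] in fraud_ids for k in ("email", "ip")}
    return {o["id"] for o in orders
            if o["id"] not in fraud_ids and any((k, o[k]) in bad for k in ("email", "ip"))}


def linked_to_fraud(orders, fraud_ids, keys=("email", "ip", "device", "ship")):
    """Union orders sharing any attribute (union-find), then return the
    non-fraud orders that sit in a cluster with a confirmed-fraud order."""
    parent = {o["id"]: o["id"] for o in orders}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen = {}  # (field, value) -> first order id carrying it
    for o in orders:
        for k in keys:
            value = norm(o[k]) if k == "ship" else o[k].strip().lower()
            if (k, value) in first_seen:
                parent[find(o["id"])] = find(first_seen[(k, value)])
            else:
                first_seen[(k, value)] = o["id"]
    fraud_roots = {find(f) for f in fraud_ids}
    return {o["id"] for o in orders if o["id"] not in fraud_ids and find(o["id"]) in fraud_roots}


if __name__ == "__main__":
    print("blacklist:", sorted(blacklist_hits(ORDERS, CONFIRMED_FRAUD)))
    print("linked:   ", sorted(linked_to_fraud(ORDERS, CONFIRMED_FRAUD)))
```

A link is a signal to weigh in scoring rather than a decline on its own, since shared attributes such as a campus or carrier IP also connect legitimate customers.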