Tag: fraud risk

Part four in our series on Insights from Vision 2016 fraud and identity track It was a true honor to present alongside Experian fraud consultant Chris Danese and Barbara Simcox of Turnkey Risk Solutions in the synthetic and first-party fraud session at Vision 2016. Chris and Barbara, two individuals who have been fighting fraud for more than 25 years, kicked off the session with their definition of first-party versus third-party fraud trends and shared an actual case study of a first-party fraud scheme. The combination of the qualitative case study overlaid with quantitative data mining and link analysis debunked many myths surrounding the identification of first-party fraud and emphasized best practices for confidently differentiating first-party, first-pay-default and synthetic fraud schemes. Following these two passionate fraud fighters was a bit intimidating, but I was excited to discuss the different attributes included in first-party fraud models and how they can be impacted by the types of data going into the specific model. There were two big “takeaways” from this session for me and many others in the room. First, it is essential to use the correct analytical tools to find and manage true first-party fraud risk successfully. Using a credit score to identify true fraud risk categorically underperforms. BustOut ScoreSM or other fraud risk scores have a much higher ability to assess true fraud risk. Second is the need to for a uniform first-party fraud bust-out definition so information can be better shared. By the end of the session, I was struck by how much diversity there is among institutions and their approach to combating fraud. From capturing losses to working cases, the approaches were as unique as the individuals in attendance This session was both educational and inspirational. I am optimistic about the future and look forward to seeing how our clients continue to fight first-party fraud.

What the EMV Shift means for you I recently facilitated a Webinar looking at myths and truths in the market regarding the EMV liability shift and what it means for both merchants and issuers. I found it to be a very beneficial discussion and wanted to take some time to share some highlights from our panel with all of you. Of course, if you prefer to hear it firsthand, you can download the archive recording here. Myth #1: Oct. 1 will change everything Similar to the hype we heard prior to Y2K, Oct. 1, 2015, came and went without too much fanfare. The date was only the first step in our long and gradual path to EMV adoption. This complex, fragmented U.S. migration includes: More than 1 billion payment cards More than 12 million POS terminals Four credit card networks Eighteen debit networks More than 12,000 financial institutions Unlike the shift in the United Kingdom, the U.S. migration does not have government backing and support. This causes additional fragmentation and complexity that we, as the payments industry, are forced to navigate ourselves. Aite Group predicts that by the end of 2015, 70 percent of U.S. credit cards will have EMV capabilities and 40 percent of debit cards will be upgraded. So while Oct. 1 may not have changed everything, it was the start of a long and gradual migration. Myth #2: Subscription revenues will plummet due to reissuances According to Aite, EMV reissuance is less impactful to merchant revenues than database breaches, since many EMV cards are being reissued with the same pan. The impact of EMV on reoccurring transactions is exaggerated in the market, especially when you look at the Update Issuer provided by the transaction networks. There still will be an impact on merchants, coming right at the start of the holiday shopping season. The need for consumer education will fall primarily on merchants, given longer lines at checkout and unfamiliar processes for consumers. Merchants should be prepared for charge-back amounts on their statements, which they aren’t used to seeing. Lastly, with a disparate credit and debit user experience, training is needed not just for consumers, but also for frontline cashiers. We do expect to see some merchants decide to wait until after the first of the year to avoid impacting the customer experience during the critical holiday shopping season, preferring to absorb the fraud in the interest of maximizing consumer throughout. Myth #3: Card fraud will decline dramatically We can look to countries that already have migrated to see that card fraud will not, as a whole, decline dramatically. While EMV is very effective at bringing down counterfeit card fraud, organized crime rings will not sit idly by while their $3 billion business disappears. With the Canadian shift, we saw a decrease in counterfeit card loss but a substantial increase in Card Not Present (CNP) fraud. In Canada and Australia, we also saw a dramatic, threefold increase in fraudulent applications. When criminals can no longer get counterfeit cards, they use synthetic and stolen identities to gain access to new, legitimate cards. In the United States, we should plan for increased account-takeover attacks, i.e., criminals using compromised credentials for fraudulent CNP purchases. For merchants that don’t require CVV2, compromised data from recent breaches can be used easily in an online environment. According to Aite, issuers already are reporting an increase in CNP fraud. Fraudsters did not wait until the Oct. 1 shift to adjust their practices. Myth #4: All liability moves to the issuer EMV won’t help online merchants at all. Fraud will shift to the CNP channel, and merchants will be completely responsible for the fraud that occurs there. We put together a matrix to illustrate where actual liability shifts and where it does not. Payments liability matrix Note: Because of the cost and complexity of replacing POS machines, gas stations are not liable until October 2017. For more information, or if you’d like to hear the full discussion, click here to view the archive recording, which includes a great panel question-and-answer session.

While walking through a toy store in search of the perfect gift for a nephew, I noticed the board game Risk, which touts itself as “The Game of Global Domination.” For those who are unaware, the game usually is won by players who focus on four key themes: Strategy — Before you begin the game, you need a strategy to attack new territories while defending your own Attack — While you have the option to sit back and defend your territory, it’s better to attack a weakened opponent Fortify — When you are finished attacking, it’s often best to fortify your position Alliances — While not an official part of the game, creating partnerships is necessary in order to win These themes also are relevant to the world of real-life fraud risk prevention. The difference is that the stakes are real and much higher. Let’s look at how these themes play out in real-life fraud risk prevention:  Strategy — Like in the game, you need a strategy for fraud risk detection and prevention. That strategy must be flexible and adaptable since fraudsters (your enemies) also continuously adapt to changing environments, usually at a much quicker, less bureaucratic pace. For example, your competitors (other countries) may improve their defenses, so fraudsters will mount a more focused attack on you. Fraudsters also may build alliances to attack you from different vectors or channels, resulting in a more sophisticated, comprehensive strike.  Attack — As the game begins, all players have access to all competitors (countries). This means that fraudsters might have the upper hand in a certain area of the business. You can sit back and try to defend the territory you already “own,” where fraudsters have no traction, but it’s best to be aggressive and attack fraudsters by expanding your coverage across all channels. For example, you might have plenty of controls in place to manage your Web orders (occupied territory), but your call center operations (opponents’ territory) aren’t protected, i.e., the fraudsters “own” this space. You need to attack that channel to drive fraudsters out.  Fortify — In the game, you can fortify your position after a successful move — that is, move more troops to your newly conquered territories. In real life, you always have the option to fortify your position, and you should constantly look for ways to improve your controls. You can’t afford to maintain on your current position, because fraudsters constantly are looking for weaknesses.  Alliances — In business, we often are hesitant to share information with our competitors. Fraudsters use this to their advantage. Just as fraudsters act in a coordinated fashion, so must we. Use all available resources and partners to shore up your defenses Leverage the power of consortium data Learn new methods from traditional competitors Always team up with internal and external partners to defend your territory If you apply these themes, you will be positioned for global domination in the fight against fraud risk. You can read more about fraud-prevention strategies in our recent ebook, Protecting the Customer Experience. As a side note, I’m always ready for a game of Risk, so contact me if you’re interested. But be forewarned — I’m competitive.

I often provide fraud analyses to clients, whereby they identify fraudsters that have somehow gotten through the system.  We then go in and see what kinds of conditions exist in the fraudulent population that exist to a much lesser degree in the overall population.  We typically do this with indicators, flags, match codes, and other conditions that we have available on the Experian end of things. But that is not to say there aren't things on your side of the fence that could be effective indicators of fraud risk as well! One simple example could be geography.  If 50% of your known frauds are coming from a state that only sees 5% of your overall population, then that state sounds like a great indicator of fraud risk!  What action you take based on this knowledge is up to you (and, I suppose, government regulation).  One option would be to route the risky customers through a more onerous authentication procedure.  For example, they might have to come into a branch in person to validate their identity. Geography is certainly not the only potential indicator of fraud risk.  Be creative!  There might be previously untapped indicators of fraud risk lurking in your customer databases.   Do not limit yourself to intuition either.  Oftentimes the best indicators of fraud risk that I find are counterintuitive.  Just compare the percentage of time a condition occurs in your fraud population to the percentage of time it occurs in the overall population.  It might be that you have a fraud ring that is leaving some telltale fingerprint on their behavior--one that is actionable in ways that will jumpstart your fraud prevention practices and minimize fraud losses!