Fighting Fraud: An interview with Roberto Valerio
Financial IT: What are the major fraud threats hitting online businesses in 2017?
Roberto Valerio: Fraud is continually strengthening and evolving. Even though it suffers repeated blows, it’s clear that the threat to online businesses has never been greater. Significantly, as fraud rises, so does consumer knowledge of the issue, with headlines like: “You are now 20 times more likely to be robbed while at your computer than held up in the street”. So if a business does not have sufficient fraud prevention strategies in place to protect consumer data, then not only are revenues on the line, but so is the business’ reputation.
At Risk Ident, we keep a constant watch on all of the latest trends and tactics that fraudsters are using to bend the law in return for a pay day. In 2017, we’ve seen huge spikes in identity theft which has triggered a sharp spike in account takeover fraud attempts. The continued rise of mCommerce has also seen smartphones targeted more than ever, while the ticketing industry is becoming ever more blighted by bots.
Financial IT: Who are the fraudsters and why do they do it?
Roberto Valerio: There are three general categories of fraudsters within e-commerce and telecoms that you should separate:
• People with a bad credit history or no money: They want to buy a premium product that they cannot afford; leather jackets, handbags, electronics, Apple products etc.
• Petty criminals: They use stolen cre- dentials and payment information to obtain goods. These goods are being resold at eBay etc.
• Organized criminals: These people do it for a living. Some of them use their proceeds to finance other high-margin crimes, e.g. selling drugs or even weapons. They are responsible for high losses, sometimes adding up to hundreds of thousands of pounds in a single case (including hundreds of orders). The criminal gangs are sometimes quite structured and they can work cross-border (cases end up being handled by Europol.)
So, their intentions are quite different. The first two cases are mainly driven by greed and opportunism. The latter case is based on real and dangerous criminal motives.
Financial IT: Should consumers be worried about having their identity stolen online?
Roberto Valerio: Essentially, yes. Cifas (the UK’s leading fraud prevention organization) recently reported that identity theft is reaching “epidemic levels”, with a record number of cases reported in this first half of the year alone. It’s no longer enough to just shred letters from the bank before binning them; more than four in five cases are now committed online. Fraudsters will gather information on social media, the dark web and remotely hacked computers. Consumers should also be vigilant against fraudsters calling them directly to extract vital information or phishing attacks via email.
There’s also a tendency to think that fraud is something that only happens to the wealthy or vulnerable. People in their 30s and 40s are now more likely to be targeted than pensioners, as there tends to be more personal information about them stored online. The age group 21 to 30 saw the sharpest rise in H1 2017, according to Cifas.
Financial IT: What’s the danger of ID theft to online businesses?
Roberto Valerio: Once identity data has been stolen, fraudsters can create new accounts on ecommerce sites and begin ordering merchandise, often to be sold- off at a profit. However, the real danger comes when the fraudster uses the personal information to hijack existing accounts, masquerading as a legitimate user.
Poor password security (such as repeating passwords across accounts, or using simple words like ‘password’) plays a significant role here, but fraudsters can also use personal information to break security questions.
Another tactic is to target the victim’s email account, which often acts as the anchor to their entire online life, and from there break into multiple accounts across a vast range of online businesses. Existing accounts contain everything from addresses to birthdays to saved payment information. These details alone constitute everything one would need for online fraud. But the key here is that a genuine account which has been hijacked also offers fraudsters a significant advantage; trustworthiness.
Online businesses typically place much more trust in existing customers with years of good experience behind them, than they do with new customer accounts. This gives fraudsters space in which to hide.
Financial IT: Are there any suspicious signs of a hijacked account that online businesses can keep an eye out for?
Roberto Valerio: Fraudsters work hard to stay invisible for as long as possible, but it is possible to spot them early and prevent irreparable damage. Indicators of account takeover can include: an unusual numbers of failed login attempts, a password change followed by unusual customer behaviour, purchasing an unusually expensive item or a high volume of goods, login attempts from different devices and places or switching to an older browser / operating system.
However, many of these indicators can also be innocent customer behaviours and here online businesses must be careful of false alarms. False positives not only harm immediate revenues, but also damage customer relationships and subsequently, brand reputations.
Financial IT: What’s the threat-level for mCommerce? And what can be done to counter it?
Roberto Valerio: mCommerce is important opportunity for online businesses, set to be worth $250bn by 2020, but a new channel for us is also a new channel for fraudsters. I spoke on this topic recently at the Fraud Management for Banks event in Germany. Today, fraudsters will take over portable devices in attempts to avoid detection or triggering fraud alerts. Fortunately, by combining device fingerprinting with a local security SDK added to the targeted smartphone App it is possible to track and halt their activities.
Financial IT: What is the precise role of Machine Learning and Artificial Intelligence in fighting fraud?
Roberto Valerio: Machine learning technology, based on developing computer programs, recognises patterns and regularities in datasets, and is then able to learn from each transaction and a wealth of historical data. In this way, it can continually create new models and constantly evolve algorithms that help ecommerce businesses stay a step ahead of the fraudsters.
While fraudsters seek to conceal their locations, mask their identities and make their fraudulent transactions look unsuspicious, machine learning technology finds patterns, calculates risks and halts illicit activities – in real-time.
However, AI alone is not enough; fraud managers are indispensable in the process. Domain experts, with years of experience fighting fraud, know their fraud problems best and can never be replaced by a machine. Only by combining the two entities will businesses see the best results. Fraud managers constantly feed their knowledge on the context
and causes of fraud into the machine, allowing the system to evolve continually. Businesses can therefore scale their fraud protection system, allowing it to grow and evolve exponentially.
Download the original article published in Financial IT, Special Sibos & Money 20/20 Issue • 2017 (PDF)