Online payment fraud stops here

How one of the world’s largest financial institutions is fighting mobile and online payment fraud – and winning

By Diana Rothfuss, Senior Global Marketing Manager, SAS Fraud and Security Intelligence Practice

Like a high-stakes game of truth or dare, the credit card transaction request comes in – a $4,500 purchase for a high-end, flat-screen HDTV purchased via online payment. You have one second to make the decision: Approve it or reject it as potentially fraudulent.

If you reject a legitimate purchase, you lose the fee from the purchase, anger a loyal customer and risk account churn. But by accepting payment for a fraudulent purchase, you've allowed your customer to become a crime victim, and your bank is out $4,500 from online payment fraud.

How to decide – approve, flag or block?

Before deciding how to handle, it’s important to take a broad view of each request. As online and traditional payment channels converge, there are more types of fraud and more transactions that may look innocuous at face value but will look quite different when seen in full context. To avoid fraudulent transactions, it’s more important than ever to know the customer's digital identity.

Globally, the question of whether to approve online transactions is asked at least 1 billion times a day (according to – and that number will only increase. For one, we’re relying on mobile channels more each day. More than 50% of the world is connected, and by 2030 that number is forecasted to be 90%. And we’re shopping online more than ever. It's estimated that by the year 2040, 95% of all purchases will be through e-commerce. For years to come, the preference for online payments via mobile devices is only expected to grow.  

SAS has been able to identify individual fraudulent transactions much more effectively than any other solution we’ve deployed. The proof is in our fraud numbers – our detection rates and our false positives – which continue to meet our aggressive goals. Head of security and fraud risk A large banking and financial services organization

Online payment fraud losses keep climbing

According to a report by eMarketer, by 2023, more than 42% of people worldwide will be using mobile payments. Only around 6% will use cash. That sounds like good news for banks and merchants offering goods and services, but there’s a dark side. If present trends continue, Juniper Research says online payment fraud losses are likely to climb as high as $48 billion by 2023.

Digital channels are innately vulnerable. The openness that makes digital banking and online payment so convenient also makes it inviting for fraudsters – and high risk for customers. It would be great if passwords and PINs kept out the bad guys, but they don’t. Fraudsters can get around authentication systems, make off with stolen credit or money, and be undetected until after the fact.

Hindsight analysis of questionable transactions might stop the next day’s fraud, but what about today’s? Before accepting online payment, all details related to transactions must be monitored in real time.

But how do you tune a fraud detection system for the high volume of online payment fraud? Tune it too loosely, and fraudulent payments slip through. Tune it too tightly, and you block legitimate transactions.

Not many merchants can track precisely how well they do this, and some believe that a significant number of rejected orders were actually valid. Such missteps lead to lost sales, diminished reputation and aggravated customers.

Win with fraud prevention by fighting smarter, not harder

With a greater breadth and depth of data – plus the high-performance computing to crunch it – you can fully understand an account holder’s behavior across products and channels. Financial institutions, payment gateways (e.g., PayPal, Apple Pay and Amazon Pay) and payment processors are bringing some powerful fraud prevention tools to the task, such as machine learning and hybrid analytics approaches.

Machine learning

Unlike rules-based systems, which are easy for fraudsters to test and circumvent, machine learning adapts to changing behaviors in a population through automated model building. With every iteration, the algorithms get smarter and deliver more accurate results. This ability to quickly learn and adapt is why machine learning is so adept at keeping pace with evolving online payment fraud tactics.

Suppose certain IP addresses seem to point to emerging vulnerabilities. In the past, it would have required extensive research – starting with drafting a business requirements document – before IT could add a new scenario to the system. Today, fraud systems can evaluate in real time how many customers are using a particular IP address, the countries from which they originate, and which are associated with known fraud incidents. The results can be almost instantaneous, with fraud models quickly updated. What might have taken months in the past is now done in minutes.

Hybrid analytics

Analytics based on historical information can spot suspicious behavior that mimics previous patterns of known fraud, but the fraud environment is dynamic. You need more than good hindsight. You can find more fraud more accurately – and identify emerging online payment fraud tactics – by using multiple analytics methods.

For example, anomaly detection and predictive analytics can uncover new areas of potential fraud by examining what’s happening right now. Social network analytics can establish links among money mules and groups of fraudsters. A strong fraud system captures behavioral data from multiple entities and analyzes patterns in multiple ways every time a transaction is scored.

Analytics in action

Combating all forms of fraud – payment cards, online transactions, friendly fraud and even first-party (customer) fraud – has vaulted to the top of the corporate agenda.

One of the world's largest banking and financial services organizations, serving millions of customers around the globe, is putting analytics to work in its attack on online payment fraud.

“It’s an incredibly important focus for us,” said the bank’s head of security and fraud risk. “Like most institutions, we’ve implemented policies to segregate duties, create dual controls and establish strong audit trails to spot anomalies. But what sets our anti-fraud strategies apart is our commitment to technology to monitor and score the millions of transactions we process every day.”

The bank first deployed SAS® Fraud Management, the engine behind the SAS payment fraud solution, in the US. It then expanded to using this solution in Europe and Asia as the foundation for global, real-time fraud detection and ongoing online payment fraud management. The solution protects credit and debit card transactions in real time and is being expanded to include more sales channels and lines of business.

With this proactive approach to online payment fraud detection, the bank has significantly reduced the incidence of fraud across tens of millions of debit and credit card accounts.

“We're very pleased with the results,” said the security and fraud risk executive. “SAS has been able to identify individual fraudulent transactions much more effectively than any other solution we’ve deployed. We believe we have the best anti-fraud models that the marketplace can offer right now. The proof is in our fraud numbers – our detection rates and our false positives – which continue to meet our aggressive goals.”

Of course, as soon as you close one loophole, clever fraudsters create another. “Because of the nature of this battle, it's critical to constantly monitor fraud detection performance. The SAS solution provides a wealth of up-to-date information about the performance of our fraud defenses and allows us to adapt, as needed, to battle changing threats in different regions of the world.”

Everyone wins by stopping online payment fraud – except the bad guys

The savings from cutting online payment fraud losses should make any financial institution take note. In fact, the effort pays for itself. Forrester estimates that an enterprise fraud management platform will provide 150% to 200% ROI over five years.

In the process, the fraud detection program evolves from a cost center to a savings center – while improving customer relations. It’s a win-win for customers, fraud managers and financial institutions alike – everyone, that is, except for the fraudsters.

Read More