The online payment fraud stops here

How one of the world’s largest financial institutions is fighting mobile and online payment fraud – and winning

By Ellen Joyner Roberson, CFE, Global Marketing Principal, SAS Security Intelligence Practice

A high-stakes game of truth or dare

The credit card transaction request comes in – a $4,500 purchase for a high-end, flat-screen HDTV purchased via online payment. You have one second to make a high-stakes decision: Approve it or reject it as potentially fraudulent.

If you reject a legitimate purchase, you lose the fee from the purchase, anger a loyal customer and risk account churn. But if you approve a fraudulent purchase, you've allowed your customer to become a crime victim, and your bank is out $4,500 from online payment fraud.

So, quick: Which is it – approve, flag or block?

A broad view is critical, because transactions that might look innocuous at face value can look quite different when seen in full context.

This question is asked about 300 million times a day in the US alone, and will only increase. For one, we’re relying on mobile channels more each day. According to a US Federal Reserve System survey, 43 percent of mobile phone users and 53 percent of smartphone users with bank accounts used mobile banking in the previous 12 months. One-quarter of mobile phone users (28 percent of smartphone users) made a mobile payment in the 12 months before the survey, either to pay bills, pay for something in a store or shop online.

And we’re shopping online more than ever. Forrester Research forecasts a 9.5 percent compound annual growth rate in e-commerce in the US from 2013 to 2018, representing about $414 billion in online sales by 2018 – about 11 percent of total retail sales.

That sounds like good news for banks and merchants, but there’s a dark side. If present trends continue, by 2018 $3.6 billion of that could be lost each year to online payment fraud (based on Forrester research.)

Digital channels are innately vulnerable. The openness that makes mobile banking and mobile payment so convenient for customers also makes it inviting for fraudsters. It would be great if passwords and PINs kept out the bad guys, but they don’t. Fraudsters can get around authentication systems, make off with the money, and be undetected until after the fact.

Hindsight analysis of questionable transactions might stop the next day’s fraud, but what about today’s? Online payments – all of them – must be monitored in real time.

And how do you tune a fraud detection system for the high volume of online payment fraud? Tune it too loosely, and fraud slips through. Tune it too tightly, and you block legitimate transactions. According to CyberSource’s 2016 Annual Fraud Benchmark Report, about half of merchants track how well they do this, and more than 70 percent of them believe that up to 10 percent of rejected orders are actually valid. These missteps lead to lost sales, diminished reputation and aggravated customers.

Fight smarter, not harder

With a greater breadth and depth of data – plus the high-performance computing to crunch it – you can fully understand the behavior of an account holder across products and channels. This broad view is critical, because transactions that might look innocuous at face value can look quite different when seen in full context.

Financial institutions are bringing some powerful tools to the task, such as machine learning and hybrid analytics approaches.

  • Machine learning. Unlike rules-based systems, which are fairly easy for fraudsters to test and circumvent, machine learning adapts to changing behaviors in a population through automated model building. With every iteration, the algorithms get smarter and deliver more accurate results. It’s easy to see the value of machine learning to keep pace with evolving online payment fraud tactics.

Suppose certain IP addresses seem to point to emerging vulnerabilities. In the past, this would have led to extensive research before drafting a business requirements document for IT to put a new scenario into the system. Today, fraud systems can evaluate in real time how many customers are using a particular IP address, from what countries, associated with what known fraud incidents. The results can be almost instantaneous, with fraud models quickly updated. What previously might have taken months can now be done in minutes.

  • Hybrid analytics. Analytics based on historical information can spot suspicious behavior that mimics previous patterns of known fraud, but the fraud environment is dynamic. You need more than good hindsight. You can find more fraud more accurately and identify emerging online payment fraud tactics by triangulating among multiple analytics methods.

For example, anomaly detection and predictive analytics can uncover new areas of potential fraud by examining what’s happening right now. Social network analytics can establish links among money mules and groups of fraudsters. A strong fraud system captures behavioral data from multiple entities and analyzes patterns in multiple ways every time a transaction is scored.

Analytics in action

Combating all forms of fraud – payment cards, online transactions and even first-party (customer) fraud – has vaulted to the top of the corporate agenda. One of the world's largest banking and financial services organizations, serving millions of customers around the globe, is putting analytics to work in its attack on online payment fraud.

“It’s an incredibly important focus for us,” said the bank’s head of security and fraud risk. “Like most institutions, we’ve implemented policies to segregate duties, create dual controls and establish strong audit trails to spot anomalies. But what sets our anti-fraud strategies apart is our commitment to technology to monitor and score the millions of transactions we process every day.”

The bank deployed SAS® Fraud Management first in the US, and then expanded to Europe and Asia as the foundation for global, real-time fraud detection and ongoing online payment fraud management. The solution protects credit and debit card transactions in real time, and is being expanded to include more sales channels and lines of business.

With this proactive approach to online payment fraud detection, the bank has significantly reduced the incidence of fraud across tens of millions of debit and credit card accounts.

“We're very pleased with the results,” said the security and fraud risk executive. “SAS has been able to identify individual fraudulent transactions much more effectively than any other solution we’ve deployed. We believe we have the best anti-fraud models that the marketplace can offer right now. The proof is in our fraud numbers – our detection rates and our false-positives – which continue to meet our aggressive goals.”

Of course, as soon as you close one loophole, clever fraudsters create another. “Because of the nature of this battle, it's critical to constantly monitor fraud detection performance. The SAS solution provides a wealth of up-to-date information about the performance of our fraud defenses and allows us to adapt, as needed, to battle changing threats in different regions of the world.”

The savings from cutting online payment fraud losses should make any financial institution take note. The effort pays for itself. Forrester estimates that an enterprise fraud management platform will provide 150 to 200 percent ROI over five years.

In the process, the fraud detection program evolves from a cost center to a savings center – while improving customer relations. It’s a win-win – except for the fraudsters.


Read More