I will explore some tactics that help reduce fraud to 0% (when rounding down, of course). Fraud defense is quite the game, with many similarities to traditional security protection. The internet has been the perfect breeding ground for these malicious activities in digital transactions. It is up to companies to stay ahead of adversaries looking to harm them. Too few countermeasures and you will become an ever-increasing target among criminals; too many protections and you will hermitize your company, hurting profits. Now that I think of it, it is even similar to how people are reacting to the coronavirus.
Fraud can be a massive topic, so I will restrict the content to readers who are more advanced and already know the basics. If you are looking to learn more, a lot of lessons happen in real scenarios, but there are some great online resources too. This article will cover real types of fraud committed by unknown actors.
I have always been against required registrations, in pursuit of the least friction on the path to a sale/signup. However, in recent years I have seen the trend move to almost everyone having an identity at every place online. The ability to track users through your own identity system is really the basis on which I would start building my fraud prevention platform. Once you have your registration process, it’s time to start analyzing each user. Most people don’t understand the hundreds of data points they provide when signing in to a site. Some important factors to consider: IP geolocation, browser, email age, IP info (e.g. VPNs), domain name, disposable emails, time of day, and actions. Pretty much everything an identity does factors into the fraud likelihood score. Enterprise identity systems typically have the luxury of not dealing with much ID proofing, but it is a trend I see changing with more people turning to the gig economy and the creation of CIAMs.
At this point it is necessary to bring in a fraud tool to ingest all the data and start identifying patterns of fraud. Building a machine learning platform yourself is not worth the hassle, and you likely can’t scale to the data requirements of making it effective globally. You don’t want to stop all fraudsters at your sign-up point. You can maybe block disposable emails, but wait to add more friction until you have gathered more information on them. The best way to maximize protection while also keeping revenue is to gradually apply friction to users. Too much at once and you lose conversions; too little and you let the scammers through your defenses. I have noticed this approach at Google and other top tech firms when managing fraud on their platforms.
Most fraudsters know companies have systems in place to detect the simple patterns like IP, AVS or even ID/selfie verifications. I was listening to an interesting podcast that stated how much these fraudsters work together online to come up with ways to hack and steal from companies. They even build their own businesses out of providing these services. It interested me enough to investigate the validity of the statements. Interestingly, the content I could find was mostly outdated, simple guides on how to brazenly defraud people. Fortunately, I didn’t conclude that fraudsters are collaborating by the thousands on how to commit fraud and hack companies. I believe that age is over, and they understand that companies are monitoring many internet channels to do opposition research, just as fraudsters do to the companies they commit fraud against. The problem now is that fraudsters are just as secretive as companies about the tactics that give them a competitive edge in their market. I believe the battle will continue, with fraudsters and companies ever increasing the line they are willing to cross to either attack or defend.
Back to ways to reduce fraud. As stated earlier, allowing some fraud is good. Kind of like a checkup on your immune system, it lets you see the various ways your security system is functioning. Eliminating fraud at the start will just allow fraudsters to pinpoint what you are doing to prevent them. Wasting a fraudster’s resources and time is probably one of the best ways to frustrate them. An advanced fraudster might spend around $100 to get to the point where they believe they can commit their fraud. They need a lot of things in place, and it can’t be automated. They might have to buy a good stolen card, IP, identity and many other things to get past your initial security checks. Fortunately, with some established rules and machine learning you can hopefully capture them as an outlier. At this point they have acted on your system, and you can start applying friction to see if they really are who they say they are.
Unfortunately, this is the part where there really isn’t a solution in the market to do ID auth/proofing at scale. Workflows are critical to determine which path the user will take to pass their identity verification. Sending the user for 3D Secure authentication is a simple move that usually shifts your fraud liability to the bank, since the bank is stating that the purchase was made by the cardholder. Unfortunately, 3D Secure is still improving with 3DS2, and I haven’t seen high adoption in the USA. Instead, you can start with a simple reverse lookup on the phone number to get another source to verify their identity. A VoIP number is a warning sign, and make sure the user can actually use the number. Next you can do some kind of social binding or account ID sync with other systems. Luckily we have Facebook, LinkedIn, PayPal and countless other sources where users store their identity. Just connecting a user’s ID from your own service to a trusted third party can increase the likelihood that the user is who they say they are. Each of these services will provide even more data that you can correlate in your fraud system. Privacy laws should be considered, as you may only be allowed to use data for certain functions. Data brokers become even more important for these fraud prevention tactics, as more sources increase trustworthiness. It will be interesting to see if consumers one day finally realize how much data is being held about them and have a backlash against these companies. Consumers are wising up, though, and are not so keen on providing all their information to anyone in the age of leaks. That is why it is so important to have an adaptive ID proofing system in place. If a user refuses to provide their passport, don’t make it a lost sale. See what you can do to get the user to a point where you trust them. Trust goes both ways, and companies need to stop thinking they hold all the keys.
Next we go into more extreme friction processes that may involve people. Calling the user and asking questions might work. So might a video call, or requiring a photo ID of themselves. Lastly, there has been a boom in ID verification services that automate the selfie and ID matching process. At this point it is pretty invasive, and many customers might even be insulted by all these steps. It’s important to apply the right friction for the right users, which requires some finesse. Some fraudsters are impatient and won’t think a target is worth it if their reward is small. Allowing massive purchase velocity without thorough due diligence opens you up to fraud. All these actions are making it harder for fraudsters to stay ahead, which has left the field to the more professional actors. In the past, high schoolers and college players got the chance to play against an NBA team; now we have enough security systems to outright reject their request and not waste our resources on them.
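The gradual-friction workflow described in the last few paragraphs can be sketched as a small decision function. This is an added example, not code from any fraud product; the signal weights, the allow threshold and the step names are constructed assumptions chosen only to show the mechanics.

```python
from dataclasses import dataclass, field

# Constructed weights for signals the article lists; not tuned values.
WEIGHTS = {"vpn_or_proxy": 15, "geo_mismatch": 20, "new_email": 10,
           "odd_hour": 5, "high_velocity": 25, "voip_phone": 10}

# Friction ladder, least to most invasive: (step, risk credit when passed).
LADDER = [("phone_lookup", 15), ("social_binding", 20),
          ("id_selfie", 35), ("manual_call", 50)]

ALLOW_BELOW = 20  # residual risk under this needs no further friction


@dataclass
class Session:
    signals: set
    passed: set = field(default_factory=set)   # steps the user completed
    refused: set = field(default_factory=set)  # steps the user declined


def risk_score(signals):
    """Sum the weights of the observed signals, capped at 100."""
    return min(100, sum(WEIGHTS.get(s, 0) for s in signals))


def residual_risk(session):
    """Risk left after crediting every verification step the user passed."""
    credit = sum(c for step, c in LADDER if step in session.passed)
    return max(0, risk_score(session.signals) - credit)


def next_action(session):
    """Return 'block', 'allow', 'reject' or the next friction step to ask for."""
    if "disposable_email" in session.signals:
        return "block"  # the one check applied at sign-up
    if residual_risk(session) < ALLOW_BELOW:
        return "allow"
    for step, _ in LADDER:
        # A refusal is not a lost sale: offer the next step instead.
        if step not in session.passed and step not in session.refused:
            return step
    return "reject"  # ladder exhausted and the user is still not trusted
```

Each call returns only the next step, so friction is added one rung at a time and only while the residual risk stays above the threshold.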
The game has changed in 2020 and will continue to evolve with more advanced solutions in the market. A tool that can start to provide all these services will dominate the market as businesses are always looking for simpler solutions to their problems. A bridge linking security detection systems to one that can adaptively authenticate users will be the next step forward in building robust trust and safety platforms.