July 19, 2018
Managing Risk in the Payments Industry
Posted March 8, 2018
In this episode Armen is joined by Demitrious Baird, Director of Risk at North American Bancard. They explore the types of fraud currently affecting the payments industry.
Armen: Hi, this is Armen Najarian host of Digital Identity 360 and for today’s episode I’m here with Demitrious Baird, who is Director of Risk with North American Bancard. Demitrious, welcome to the show today.
Demitrious: Thanks, Armen. How are you?
Armen: I’m doing very well, thanks so much. And, Demitrious, now you hold a really unique position. We’ve had a lot of guests on this episode or this program and really no one with the focus that you bring to the payment space. And, so, we’d really love to dive into some issues as an industry practitioner and talk about the intersection between payments and digital identity. But, as a starting point, I really would like to hear from your point of view, as you think about the payments industry at large, not necessarily for your company, but the payments industry at large, what are some of the bigger pain points when you think about managing risk within the context of payments?
Demitrious: So, there’s a couple of different areas. But, I think the main item is account takeover. So, when you have a merchant’s perspective, and they’re taken over through social engineering. Whatever the case may be, and they begin processing payments on behalf of that merchant. That’s really, I think, the biggest area we see our fraud come from. The other one that’s kind of unique, and I’m sure every processor out there sees it, is where somebody also does like a social engineering type thing, and they get the terminal IDs and they clone the terminal, and they start processing and the merchant typically doesn’t understand what’s happening. And, so, they’ll change the bank account and they start collecting the funding.
Armen: Yeah. That puts companies like North American Bancard in a very interesting situation, where you’re executing and facilitating the payment through a merchant, in many cases, or maybe even another third party and then the question around, okay, who’s ultimately liable? You know, what could the consumer maybe have done differently? If the consumer was party to this. What could the merchant do differently? There’s a lot of different stakeholders in these relationships, so that puts, I would imagine that puts companies like North American Bancard in a very interesting situation, as far as managing and preemptively managing risk.
Demitrious: Right. I mean, so you have to be really aware of what’s going on. And, you know, it’s critically important. I wouldn’t say it’s more important in the payment processing realm, but you know, if we’re not always paying attention, we can take a significant loss. I don’t know how else to express the importance of it. But, when you have these things happen they usually come quick, and the fraudsters, when they find out that we’ve not caught on to them, they hit us really hard. And really quick. And, so we can take a pretty significant loss quickly.
Armen: I can imagine so. So, you mentioned phishing as just one example earlier and just a minute ago.
Armen: Any interesting, you know, for lack of better word, innovative approaches that you’ve seen in recent months on phishing specifically?
Demitrious: The funny thing is that what we tend to see is old school, old fashioned kind of phishing. So, you know, one of the things that comes to mind is we had folks, fraudsters, calling our merchants saying they were from North American Bancard and saying that they need the numbers on the terminal in order to link up, because there was a disconnect.
Demitrious: And merchants give that information to them, and the moment they do that, they’re gonna clone that terminal and they’re gonna take it over. And they’re gonna start processing stolen credit cards. You know, there’s a lot of different things that they can do. And, then usually what they’ll do is they’ll also change the bank account information, and then they start getting the funding for that.
Armen: That’s remarkable. These are, what you’re describing, are well thought out schemes, if you will, where opportunities exist to exploit and once they’re in, right, they’re gonna make hay while the sun still shines and until they’re shut down. Right?
Demitrious: Yeah. And you know, it’s funny because more and more I see kind of like old school fraud ideas that you’ve always seen. You know, like social engineering. I mean that’s really something that we saw the most of 10-15 years ago. You would think in this day and age you would see a lot more like computer type hacks or you know, computer systems that are going through and trying to get into our systems. And, that’s really not what I see from my perspective.
Armen: Interesting. For whatever it’s worth, even on our end as a technology provider, we deal with our fair share of inbound attacks, including social engineering, CEO fraud, you might have heard of that. We deal with that at least on a weekly basis, if not a daily basis where a cryptic message or sometimes a very well constructed message from our CFO appears to make its way to our CEO asking for a wire transfer to be made. Fortunately, we’re smart enough to know what looks like something suspect and immediately shut it down. But, I can imagine, right? When you’re dealing with high volumes of transactions as many merchants might be, right? Something can slip through from some of these artful schemers.
Demitrious: Right. I mean, especially if you consider a merchant that is processing millions of dollars a month. If a hacker or if a fraudster gets in and they get the terminal ID and they’re able to take some of that money from them, they may not notice it. You know. So, I mean I’ve seen a lot of different things. I’ve seen inside jobs where they were taking cents on the dollar and it took a long time for us to figure that out.
Armen: So let’s talk about, you know, there’s different techniques and strategies to either mitigate or potentially even eliminate these fraudulent schemes from where we sit at ThreatMetrix, this whole concept of digital identity and peeling the layer back, you know, the concept of risk based authentication. Providing some really important context in the moment to really ascertain whether someone is to be trusted or not. I mean these are capabilities that now exist. Obviously, companies like North American Bancard have embraced capabilities like this. Would like to hear just a little bit more about, you know, what you see the role of risk based authentication playing to mitigate or potentially even eliminate some of these schemes that you’ve been dealing with for many, many years.
Demitrious: So, I will say that the primary use that we have for ThreatMetrix right now is pre-underwriting. So, you know, I’m not over underwriting, I don’t really have any involvement with the underwriting process. But, we do have Threat hooked in so that as an application is submitted, we are able to take a look at it in the risk department, and really understand if you know, that device has shown up before and we’re able to black list, and that’s really how we’re using Threat the heaviest. And, that’s been a very successful positioning for us. You know, because we cut all of that out before they even get approved. Now, I will say that I’m focusing now on really extending that to some of our other merchant facing portals. So that as they update information we can catch the same sort of circumstances that we would on the front end. And, that’s really kind of the approach that I’m taking is that you know, every touch point from the merchant to us, I want to make sure that it’s secure.
Armen: You know, I think you’ve laid it out really well. What you’re describing is generally a progression we see with you know, a lot of different use cases, a lot of different customers across sectors. You know, to your point, catching the fraud at the front door is the most logical starting point, but to your point, there still might be ways around that. Right? We’ve got very sophisticated criminals and fraudsters out there and so should they find a way around the front door, right, sort of the login experience, if you will, to prevent account takeover or to your point on gaining information, injecting that same level of intelligence in the moment, at all touch points is the name of the game.
Demitrious: Right. Yeah.
Armen: Good. So, you know when you look forward, when you look to the future, again, just from the position that you’re in, you’re looking broadly across the payment processing space, what do you see some of the potential future threats or future approaches from a fraud perspective. Is there anything on the horizon that you’re starting to see signals on that might change the game, if you will, for people like us trying to stop this?
Demitrious: You know, so, it’s interesting. And, I keep going back to kind of the old school strategies because that’s really what I’ve seen. So, you know, I’ll give you an example where we took some losses last year in December. And, when I spoke to the FBI and when I spoke to the local PD, and they reached out to some of the account holders, or the supposed merchants, and the bank account owners, it was all social engineering. So, you know there was an example of, a woman owned the bank account that our funding went into, and the gentleman that she was supposedly dating online was the fraudster. And, the thing that really concerned me, or kind of frightened me a little bit is that with many of the examples that we looked into, they had some sort of online relationship for six months or more. So this wasn’t a quick in and out, I’m gonna defraud and I’m gonna use this person’s bank account. I mean, this was like a long six months, I mean to have a relationship or supposed relationship. To really fool them, that’s a lot of energy and a lot of work to do that.
Armen: So almost like a grooming process, what you’re describing.
Demitrious: Right. And we looked at probably ten accounts where the same situation happened. The fraudsters, what they did is, they used their bank account to apply the funds to, and then they had that person that they were dating go to the bank account, withdraw the funds, and then deposit it into their bank account.
Armen: And then they disappear.
Armen: Yeah. I’ve heard these stories. These long term relationships that seem genuine, right? Especially for someone who might be vulnerable.
Armen: And then all of a sudden, the switch flips. Right. The conversation dramatically changes. One thing that we’ve seen, you might be aware Demitrious, that ThreatMetrix publishes a quarterly Cybercrime Report. We look broadly across our network of the 110 million or so daily transactions that we see, and really developed some patterns for really understanding, aware of the patterns from a threat perspective, different types of fraudulent behavior. One thing that we’ve noticed, especially in recent quarters, is really, the true global nature of fraud. It’s certainly not relegated to any one country as far as where fraud originates, and also is certainly not relegated to one country as far as where the fraud is directed. It’s truly global to global. As global as you can imagine and even some surprising places where we’re seeing fraud originate. Does this generally match, so what you’re saying, from your point of view, just around the global-ness if you will of these schemes?
Demitrious: Yeah. It absolutely is. The benefit that we have is that we block any type of application from outside of the US. So, we’re only dealing with the continental US, and then you all help us with that tremendously. Right.
Demitrious: Making sure that somebody is not masking their VPN or not masking their location. So, that does help but you know, again, it goes back to we had a stint about two years ago where it was in Africa, they were calling merchants in the US, and they were trying to get them to ship goods to Africa. And, they were using stolen credit cards. So, you know, the difficult piece is that because we are in the middle, if a merchant is unable to fulfill paying for a chargeback or a loss so to speak, I’m really on the hook for that. So, you know, my team tends to be a little bit jaded, I would say, because they assume that everybody is trying to defraud us. And, that’s been a real difficulty that I’ve tried to overcome, coming from the bank side. So, you know I used to be at J.P. Morgan, and it’s a different perspective. But, you know, on the payment side, if there’s a loss, I have to take it if the merchant can’t pay for that.
Armen: So, we have a saying here in Silicon Valley, popularized by Andy Grove, former CEO of Intel, that only the paranoid survive. So, I’m hearing a little bit of that, I am sure you have a cool head, of course. But, you get paid to be somewhat paranoid.
Demitrious: And you know the difficult part is that I try to have that balance between friction with the merchant, and saving enough money. I mean, it’s unreasonable to think that we’re not gonna have any losses. That just doesn’t make sense. But, I’ve tried really diligently over the last couple years to really bring in that frictionless touch point, I guess, as much as we possibly can. And, I think it’s gonna be an ongoing job for the rest of my career is trying to get people to understand that not everybody is a fraudster.
Armen: That’s right. And, to drill into that point further, removing friction, while stopping fraud, absolutely, right, to every extent possible we want to do that. We have a shared interest in that. But, on the flip side, where there’s a known good actor, removing all friction, making that experience as pleasant as possible will help the merchant, will help the consumer, will help your organization. And, so it’s really balancing both sides of the coin. I think that’s the mission that we’re all on together.
Demitrious: Right. And, it’s funny because with a lot of our merchants, they do things knowingly or unknowingly that we perceive as being a fraudster. So that’s really that kind of fine point where I’m trying to get my team to understand, you know, you really have to understand what they’re doing, and dig into it because you don’t want to assume just because there’s a couple of key indicators there.
Armen: That’s a really good point. Nuances and behavior, right, that are certainly not fraudulent when you peel back the onion. But, the signals can be confusing, right? But, that’s where, you know, tools like ThreatMetrix and others, with maybe deeper layers of policies to account for some of these behaviors that you know, might exist. And, then knowing when to examine other types of behavior. So, you’re not making a false positive claim frankly is really what we’re talking about here. You know, one other interesting thing that we’ve seen, I don’t know if you’ve seen this, or if you serve a community of non-profits. But we’ve seen certainly in non-profits as a sector, as a point of fraud testing if you will, you know credit cards being sort of, fraudsters testing credit card credentials within a non-profit environment, you know making a small transaction and then if that’s successful sort of going elsewhere for bigger prey. Have you seen that type of behavior sort of in the non-profit space?
Demitrious: Yeah. Absolutely. I don’t know that it’s that heavy. I think what we typically see is that any eCommerce merchant, they will use some sort of algorithm on a computer, and they just test cards. But, it’s hundreds of thousands of cards.
Armen: Sure is.
Demitrious: In a matter of an hour.
Demitrious: So, you know. That, because we have a very diverse merchant portfolio, you know we have storefront merchants, we’ve got huge big box merchants, we have a mobile platform where you can get one of our mobile fobs in a local store, and you can literally apply for an account and be able to process payments in a matter of 10-15 minutes. So, you know, because of that we have the whole gamut of the merchants out there. Even, you know, somebody’s garage sale. I pretty much have seen everything you can imagine.
Armen: Sounds like it. Yeah. Good. Good. Well, any parting thoughts, Demitrious? This has been, by the way, very interesting, again, a different perspective than we’ve had to date on this show. Any final thoughts as you think about your role, and your intersection with the digital identity in risk based authentication space?
Demitrious: I mean the only thing I’ll say is that, you know, to be successful really in any risk role, you have to be open to understanding new ideas, new thoughts, new processes. I rely heavily on every level of my team to really help me understand where I need to look for the future. Absolutely, I see from a higher level some of the things that I need to do, and really approaches that I need to take. But, I’ll tell you that a lot of folks that I know that have been unsuccessful, it’s because they didn’t listen to every level of their organization.
Armen: That’s great. Yeah. And, if I were to sort of play back one of the key learnings I have taken away from our conversation, it is that sometimes it doesn’t need to be sophisticated for it to exist, right? Some of these old school, tried and true techniques that you’re seeing out there are tried and true for a reason. They work. So listening to those signals, and having the right controls in place to know what’s legitimate and what’s not is really the name of the game.
Demitrious: Right. Absolutely.
Armen: Great. So, with that, Demitrious, thank you very much for joining us on this program. Very, very interesting insights. Thanks for doing this remote, I think it worked out pretty well and I will virtually shake your hand and say thanks for joining us.
Demitrious: Yeah. Absolutely. Thank you very much, I appreciate it.
Armen: All right. Great. Have a great day then. Thanks so much.
Demitrious: You do the same.