December 5, 2018
Data Sharing for Fraud Detection: How Do We Get Ahead of the Fraudsters?
Posted November 27, 2018
If there is anything upon which we can all agree on in the fraud-fighting community, it is the imperative to band together in order to share data to beat the bad guys. We hear this sentiment time and time again at events and trade shows and at industry associations, from both vendors and end-user organizations alike.
However, is this where consensus on the topic ends? In many minds the questions of WHAT kind of data to share and HOW to actually go about this, still loom large. Well, as this is a topic that is very close to our hearts here at ThreatMetrix, I’d like to spend a couple of blog posts delving into this.
The Two Approaches to Shared Intelligence
Typically, when talking data sharing we mean exchanging data on known fraudulent activity which has been identified at one organization in order to help our peers detect similar fraud patterns, identify the same bad actors and protect themselves against organized cybercrime rings.
The benefits of this approach are obvious. For example, if a device has been connected to known incidents of fraud at one organization, subsequent transactions from that device have a very high likelihood of also being fraudulent. Organizations sharing data on fraud activity can develop blacklists or watch lists that help inform fraud decisions.
This is particularly useful in peak periods of fraudulent activity, enabling organizations to react more quickly to emerging threats. A key risk period tends to be directly after a major data breach, when fresh identity and financial information is available to fraudsters on the dark web- but before the breach has been disclosed publicly. It is only by accessing shared intelligence that these peak periods of attack are discernible.
However, the catch here is that often when organizations are focused solely on data sharing of known fraudulent behavior, they are already a few steps behind the bad guys. The fraud has already happened, and the chances are multiple organizations are being attacked simultaneously, with the fresh swathes of stolen data. Real time sharing of this data (which we will cover in the next blog) will help organizations act quickly, but you are still essentially in reactive mode.
A more ambitious approach is one that uses shared data not only to share intel on known fraud events, but uses it as a vital tool to proactively identify fraud that would be extremely difficult for one organization working in silo to detect.
This depends on a shared intelligence model that expands the type of data that is accessible shared from fraud data to include trust data and attributes from legitimate transactions.
The Benefits of this Approach
Let’s walk through an example that clearly demonstrates the advantages of a broader approach to data sharing in order to proactively pinpoint fraud and achieve advanced behavioral analytics that can transform your approach to fraud and identity management.
The online lending industry is a great case in point, due to is position at the forefront of digital transformation. Consumers are increasingly coming to expect instant decisions on loan applications and there has been a wave of digital-born companies which have risen up to challenge traditional financial institutions as a result.
However, naturally online lenders have become a prime target for fraudsters, due to the potential for instant access to cash.
By accessing shared intelligence that goes beyond known fraud events, online lenders can grow their businesses securely and rapidly.
For example, when an online lender receives an application for a new loan when it is the first time that company is dealing with that person, they do not have any historical data from their own systems. Yes, there are the traditional routes for verifying identity which are open to them, however these typically slow the process down dramatically.
The acquisition of new customers is the primary commercial target for growing organizations, so the last thing they want to do is to make a brand new customer jump through hoops to prove who they are and risk alienating them and driving their business elsewhere. They need a way to verify identity in a risk-based manner that is invisible to the customer, however very accurate due to the high risk of abuse.
What if that organization had the ability to query a shared data repository to see if the attributes shown at the time of application fit in with what is typically seen for that individual? They will be able to answer questions such as:
- Has the device they are coming from been historically associated with the user’s identity credentials?
- Have they completed trusted transactions from that device on other websites and apps?
- Does the location they are appearing to be transacting from fit in with where we typically see that person?
When you understand the baseline of normal user behavior and identifying attributes, anomalies that indicate fraud will be infinitely easier to spot. For example, using shared intelligence organizations can spot geo-velocity anomalies in a way that would be impossible using internal data only.
- If another organization has seen a trusted login into a bank account from a mobile device tied to a digital identity, should an online lending organization accept a new loan application from San Francisco 2 hours later?
Additionally, by being able to query external data other red flags can emerge. For example, where a fraudster has bought full stolen identity details for a person and has applied for a new loan at an online lending organization, the chances are that they are not limiting this to just one organization. By being able to access shared data with other organizations in the same industry it would be revealed if one user’s identity data has been used across multiple online lending sites in one morning – indicating the threat of a bust out scam working across several sites.
By accessing historical data for a particular user, from their activity across multiple websites and apps, this opens up new possibilities in what can be assessed to spot fraud. We have looked at the example of online lending, as the monetary value of a successful fraud attack can be very high, but the same can be said of lower value but higher frequency transactions – such as eCommerce websites that need an accurate, but friction-free way to assess transactions at speed and scale; or high volume actions such as logging into online banking which can happen daily for a lot of digital banking customers – but when accounts are breached can potentially have very grave consequences.
Advanced Behavioral Analytics Provide a Competitive Advantage
What this all essentially boils down to, is the ability to perform advanced behavioral analytics to assess not only what is normal behavior for a typical customer at one organization – but what is normal behavior for a specific individual- based on their historical transactions and identity attributes.
In order to assess this in any meaningful way, shared intelligence across multiple organizations is essential – otherwise fraud teams are working with an incredibly narrow view.
To move from being reactive to proactive – and therefore staying ahead of the fraudsters and refusing to accept that we will always be playing catch-up – we need to start thinking about data sharing as not something to do after the fact once fraud has happened (although the need for this will never go away) but look towards a strategy that uses data sharing in order to proactively detect fraud in the first instance.
And once we’ve accepted this more ambitious approach to data sharing, the big question then is HOW we go about doing this – while protecting privacy, and operating in a real-time decisioning environment. Watch out for the second blog in this two part series which will discuss the key principles of data sharing for fraud prevention.
In the meantime, please check out our video on how ThreatMetrix approaches this.