November 14, 2017
Across the globe, organized Identity fraud continues to grow as fraud syndicates exploit the lack of effectiveness of traditional personally identifiable information (PII). These fraudsters use money transfer and payment companies to move funds from legitimate customer accounts to their offshore accounts.
A leading provider of money transfer services was using ThreatMetrix for its customer logins and payment transactions. It wanted to expand the engagement to solve for identity assessment attacks from an organized fraud syndicate.
The operator identified multiple instances where seemingly legitimate accounts were being created using stolen and harvested credentials.
The established methods of identity assessment and verifications were not able to catch these requests and the fraudsters cleared all KYC protocols. There was no mismatch around customer PII data including age, gender, accent and phone numbers. Unbeknownst to the legitimate individuals these fraudsters had created a parallel persona including bank accounts to set the stage for the ensuing tax fraud at a later date, sometimes over a year later.
The operator realized that the static data it were using has been compromised through credit bureaus and the traditional methods of identity verifications had been shrinking. It needed a better way to differentiate the legitimate customers from these fraudsters without impacting user experience.
“Static data from the credit bureaus has been compromised through the recent breaches and identity leakage. Using this information for customer verification will result in fraudsters exploiting the verification methods easily. With the help of the technology that ThreatMetrix has provided us, we have been able to detect, deter and prevent the activity going through our platform.”
– Fraud and Risk Manager
Using Dynamic Non-PII Data to Enhance Identity Assessment
Upon receiving the first customer complaint, the operator worked with ThreatMetrix to conduct a retrospective review of the transaction. By using the link analysis based on the devices, IP and identities, it was able to identify patterns and also pinpoint additional instances of fraud.
Exposing the Fraud Syndicate
The operator worked with law enforcement agencies to identify a previously known fraud syndicate that had laid dormant for the over three years, building the fake identity for customers. This syndicate was setting up online bank accounts with the stolen credentials that were then used to collect the tax refunds. By leveraging ThreatMetrix, the company was able to help the government agency identify and return approximately $2 million to over 60 customers.
Enhanced Identity Assessment
Leveraging information related to the customers’ true digital identities gave them a much clearer view of the requests that belonged to the syndicate. This allowed them to track the associated devices and other attributes efficiently, regardless of channel, use case, location, presented credentials, or PII. By collecting and maintaining nearly 250 user-specific pieces of information, the operator could identify the fraudsters with a much greater degree of accuracy. This allowed it to use dynamic information to take an extremely proactive approach to preventing known syndicate members from opening a new account or taking over legitimate accounts.
Multi-Channel Customer Protection
With the enhancements to the account registration process, the syndicate modified its behavior to use the stolen credentials to takeover user accounts. By leveraging information around links and associations, from the world’s largest Digital Identity Network built on shared intelligence from over a billion transactions per month, it was able to identify transactions coming from the fraud syndicates.
Since implementation, ThreatMetrix has helped the operator prevent fraud and continue to lead in the growing online lending industry by leveraging the following key capabilities:
- ThreatMetrix Smart ID helped the operator recognize a returning device even when cookies are deleted/disabled. Derived from the analysis of many browser, plug-in, and TCP/IP connection attributes, Smart ID generates a confidence score that detects multiple fraudulent account applications from a single device.
- ThreatMetrix Trust Tags enabled the operator differentiate between fraudsters and legitimate customers. Trust can be associated dynamically with any combination of online attributes such as devices, email addresses, card numbers or any other attributes involved in accepting, rejecting or reviewing a loan application.
- The Digital Identity Network, part of the ThreatMetrix SaaS solution that analyzes billions of transactions, allows the operator to access identifying attributes, characteristics, and behaviors associated with new accounts. Data shared by organizations, along with information available from ThreatMetrix device profiling, establishes a unique Digital Identity for each borrower. Digital Identities enable the lender to create policies for deciding which loan requests to approve with higher levels of accuracy and confidence.
- Deep connection analysis technologies from ThreatMetrix gave the operator a clearer view of suspicious transactions. Fraudsters often attempt to hide behind location and identity cloaking services such as hidden proxies, VPNs and the TOR browser. ThreatMetrix accurately detects the use of these technologies and, in the case of proxies and VPNs, allows the lender to see the true IP address, geolocation and other attributes of each transaction.