Online Accounts: The New Risk Paradigm - Feedzai

Banking, Payments and Machine Learning

September 2016

Table Of Contents

Introduction
Know the Risks
... New Account Fraud
... Account Takeover Fraud
... Multi-Channel Payment Fraud
... Data Breaches
An Omnichannel Risk Prevention Strategy
... Data Needed
... An Omnichannel Machine Learning System
Conclusion
Our Other eBook: A Primer To Machine Learning For Fraud Management
References

Online Accounts: The New Risk Paradigm – Banking, Payments and Machine Learning

Introduction

Businesses of all kinds increasingly rely on the ability to serve their customers online and through mobile applications. Online sales accounted for more than a third of total retail sales growth in 2015, according to data released from the U.S. Department of Commerce. Mobile as a channel is showing rapid growth; IDC predicts that mobile payments will account for $1 trillion USD in 2017, a massive 124 percent jump from less than $500 billion in 2015. Additionally, 53 percent of smartphone owners with a bank account used mobile banking in 2015.

However, online and mobile banking and commerce also come with serious risks, and those dangers are only mounting. According to Juniper Research, losses from fraudulent online transactions are expected to reach $25.6 billion by 2020, more than double from $10.7 billion last year. Moreover, tougher security measures at points of sale, including the adoption of the EMV chip standard for credit and debit cards, are expected to drive a further spike in online fraud.

In the current landscape of online banking and commerce, the advantage belongs to organizations that take a proactive stance on securing accounts and minimizing risk with a machine learning-based omnichannel solution. By preparing today for what is coming next in online fraud, you can secure your business’s future.

Know the Risks

Online banking and commerce come with many of the same problems as point-of-sale transactions, such as the possibility that a customer will use a stolen credit card or falsified identification. However, online accounts and mobile applications also have risks unique to those channels; these include difficulty in verifying the customer’s identity and the possibility of information being stolen or a legitimate online account being taken over. The dangers are exacerbated by the fact that criminals’ methods, motives and targets are varied and shifting. Whether fraudsters are opportunistic, striking at whatever vulnerability they detect, or systematically working to compromise a particular network’s security, they remain a constant threat.

The first step in guarding against the dangers to online accounts is demystifying the potential risks. When stakeholders understand how an online presence can be compromised through fraud or data breaches, they can institute smart precautions and continuously manage risk.

In the next few pages we go deeper into four key types of risks in online accounts:

- New Account Fraud
- Account Takeover Fraud
- Multi-Channel Payment Fraud
- Data Breaches

New Account Fraud

New account fraud takes place when criminals create accounts under false pretenses. This type of fraud generally takes one of two forms: true name fraud or synthetic identity fraud. True name fraud means opening an account with another person’s name and other information. In some cases it can take months, if not years, for true name fraud to be detected. Synthetic identity fraud, on the other hand, occurs when the fraudster invents a new identity, often attached to a genuine social security number.

In October 2015, the U.S. began a switch to EMV standards for payments. The biggest visible change is the move from magnetic-swipe to chip-based cards designed to reduce in-person and counterfeit card fraud. This has shifted the attention of fraudsters to the next weakest point of attack. According to Javelin Research, EMV spurred a 113 percent increase in incidence of new account fraud, which now accounts for 20 percent of all fraud losses.

Types of New Account Fraud

1. Synthetic Identity Fraud
2. True Name Fraud

Account Takeover Fraud

Criminals may not need to open up new accounts if they can gain access to existing ones. They commit account takeover fraud by using another person’s account without authorization for purposes such as withdrawing funds, applying for loans or credit cards, making a purchase or gathering protected information. With login credentials in hand, criminals can easily take advantage of the payment methods attached to a user profile or other personal information.

Account takeovers can be a major problem for banks, retailers and online marketplaces alike, and a resurgence of this type of activity is now causing major concerns in those sectors. Experian reported that, in December 2015, 156 out of 10,000 applications for online access to existing accounts were fraudulent. That means existing accounts are now the most frequent financial targets, but criminals will continue to alter their modes of operation to evade security measures.

Multi-Channel Payment Fraud

Payment fraud includes a range of illegal transactions, such as unauthorized purchases or falsified refund requests. While fraud has always been a concern for retailers and other businesses, criminals today are driven to commit fraud online or even across multiple channels due to fortified point-of-sale security.

Already, criminals have adopted hybrid approaches, preying on retailers that do not have unified security measures across all channels. A new kind of ‘Buy Online/Pickup In-Store’ fraud has taken hold. In particular, these individuals take advantage of the option to pay for an item online before picking it up in the store.

Per an article by the National Retail Federation, the computer and electronics retailer Micro Center ran a special promotion to bring traffic into stores last year. With this promotion, customers could make purchases online and then pick up their items at a store in as little as 18 minutes!

The new orders included a pattern of several orders for expensive Apple products such as MacPro notebooks and iPads, the costs of these running into the thousands of dollars. What happened was that a single individual took advantage of the new lapse in multi-channel fraud to commit synthetic fraud and order these products with stolen credit card numbers.

Data Breaches

Sensitive information, such as credit card numbers, passwords, social security numbers and health care records, is at constant risk of exposure by fraudsters and hackers. The Gemalto Breach Level Index shows that 707 million data records were compromised in the course of 1,673 data breaches in 2015. Once obtained, this personal information can be used in identity theft, to open accounts or take over existing ones, or in other forms of fraud.

Criminals seek out vulnerabilities in both the systems used to store vital data and the people who have access to it. Black hat hackers are dedicated to finding and exploiting zero-day vulnerabilities, the security weaknesses in software or operating systems that go undetected upon release. In March 2016, a group embarked on a campaign to steal credit card information based on a flaw in Windows operating systems. Employing the social engineering tactic called spear-phishing, the attackers sent emails with attachments carrying malicious code to targets in the hospitality, retail and restaurant industries. The FBI charged 18 people in the case, but not before financial institutions and businesses lost over $200 million.

An Omnichannel Risk Prevention Strategy

Organizations in all sectors are striving to unify the ways they engage customers through various channels, reworking mobile applications, online sales and in-store interactions to create a seamless experience. Risk and fraud prevention must also be viewed through an omnichannel lens. Purely end-point centric or channel-specific solutions will not offer the protection required in this new world.

What’s needed is an omnichannel solution that combines customer, network, transaction, social and other relevant data to intelligently detect fraud and risk across the business. New technologies like Feedzai take this one step further by using machine learning models to automatically process this data to detect fraud and prevent risk.

In the next two pages we describe the data needed and building blocks for such an omnichannel and machine learning-based system.

Data Needed

For a system to locate and ameliorate potential threats across multiple channels, it must be supplied with the right data streams.

Feedzai can draw vital information about customers, online accounts and payment transactions from multiple channels to create a unique, “segment-of-one” behavioral profile for customers and accounts. This profile can then be processed by an advanced machine learning model while also considering the real-time interactions of the customer. Feedzai catches anomalies on an ongoing basis to determine the likelihood of identity fraud, account takeover fraud, payment fraud and data breaches.

Segment-of-one profiling

Online Session Data
- Is user behind a proxy or a Tor node?
- Length of stay at a particular page
- Where user landed from
- Path to shopping cart or checkout

Point of Sale Data
- POS Device ID
- Terminal Location
- Merchant ID

Transactional Data
- Historical transaction history
- Location where past transactions were made
- Frequency of transactions or checkout

User Device Data
- Network history
- Geo-location
- Device motion data — rotation, acceleration
- Device ID
- Whether jailbroken or rooted

Customer Data
- Email Address
- Reputation Information
- Mobile Phone Contract Validity
- Social Security Number

Third Party Data
- Email authenticity and age check
- Know Your Customer Data
- OFAC Flags

An Omnichannel Machine Learning System

Powered by the data streams mentioned above, an omnichannel machine learning system creates a real-time profile for each customer and applies a combination of machine learning models and manually configured rules to produce a risk assessment per account, customer and/or transaction.

Risk assessments above specified thresholds trigger either automated escalations, such as “out-of-wallet” questions, or manual review processes. Finally, real-time operational dashboards allow fraud and risk teams to monitor the system’s end-to-end performance.

Data inputs: Point of Sale Data, Transactional Data, Online Session Data, Customer Data, User Device Data, Third Party Data

- Machine Learning: Machine learning models score risk in real-time based on trained models.
- Rules: Clear rules account for known patterns such as black lists, etc.
- Dashboards & Analytics: Operational dashboards help monitor real-time KPIs and help monitor risk.
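The scoring flow described above, as an added example that is not Feedzai's code: a segment-of-one profile feeds a stand-in model score and manually configured rules, and thresholds map the result to out-of-wallet questions or manual review. All names, weights, thresholds and sample data are constructed assumptions, and the per-customer deviation heuristic stands in for a trained model.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Added illustration: weights, thresholds, field names and data are constructed assumptions.
BLACKLISTED_DEVICES = {"dev-bad-01"}
STEP_UP, REVIEW = 0.5, 0.8

@dataclass
class Profile:
    """Segment-of-one profile: one customer's own history across channels."""
    amounts: list = field(default_factory=list)
    devices: set = field(default_factory=set)
    geos: set = field(default_factory=set)

    def update(self, ev):
        """Fold an accepted event from any channel into the baseline."""
        self.amounts.append(ev["amount"])
        self.devices.add(ev["device_id"])
        self.geos.add(ev["geo"])

def model_score(p, ev):
    """Stand-in for a trained model: deviation from this customer's baseline, 0..1."""
    if len(p.amounts) < 3:
        return STEP_UP  # too little history to judge: ask for a step-up
    sigma = pstdev(p.amounts) or 1.0
    score = min(abs(ev["amount"] - mean(p.amounts)) / sigma / 6.0, 0.6)
    score += 0.2 * (ev["device_id"] not in p.devices)  # unseen device
    score += 0.2 * (ev["geo"] not in p.geos)           # unseen location
    return min(score, 1.0)

def rule_hits(ev):
    """Manually configured rules for known patterns (blacklist, Tor/proxy, rooted)."""
    checks = {"blacklisted_device": ev["device_id"] in BLACKLISTED_DEVICES,
              "tor_or_proxy": ev.get("tor_or_proxy", False),
              "rooted_device": ev.get("rooted", False)}
    return [name for name, hit in checks.items() if hit]

def assess(p, ev):
    """Combine rules and model score, then map the risk to an escalation."""
    hits = rule_hits(ev)
    score = (1.0 if "blacklisted_device" in hits  # known-bad match overrides the model
             else min(model_score(p, ev) + 0.15 * len(hits), 1.0))
    action = ("manual_review" if score >= REVIEW
              else "out_of_wallet_questions" if score >= STEP_UP else "allow")
    return {"score": round(score, 2), "rules": hits, "action": action}

LOW = Profile([40, 55, 35, 50], {"laptop-a"}, {"Lisbon"})           # constructed everyday spender
HIGH = Profile([1700, 2100, 1850, 1950], {"laptop-b"}, {"Lisbon"})  # constructed high spender
ORDER = {"amount": 1900, "geo": "Lisbon"}  # constructed: the same order for both customers

if __name__ == "__main__":
    for prof, dev in ((LOW, "laptop-a"), (HIGH, "laptop-b")):
        print(dev, assess(prof, {**ORDER, "device_id": dev}))
```

The same 1,900 order triggers out-of-wallet questions for the everyday spender and is allowed for the high spender, which is what a per-customer baseline buys over a single global amount threshold.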

Conclusion

No business, whether conducted online or in brick-and-mortar locations, will ever be entirely without risk. However, in today’s world of omnichannel transactions and ever-changing fraud tactics, organizations owe it to their shareholders and customers to make every business interaction through every channel part of the same secure customer experience.

The best way to accomplish this goal is with a unified machine learning-based solution that closely monitors every channel where customers do business. Multiple data elements help construct each customer or account’s individual segment-of-one profile. Machine learning algorithms then process these profiles in real time to assess risk and catch fraudsters quickly, causing minimal inconvenience to legitimate customers.

Feedzai’s unified platform brings the power of big data and machine learning to risk and fraud management. By implementing an omnichannel solution, financial institutions, online retailers and marketplaces can stop playing catch-up with hackers, heading off fraudulent accounts and securing data.

Our Other eBook

Download our eBook on Machine Learning

References

www.census.gov/retail/index.html
www.idc.com/getdoc.jsp?containerId=prSG25845515
www.federalreserve.gov/econresdata/consumers-and-mobile-financial-services-report-201603.pdf
www.juniperresearch.com/press/press-releases/online-transaction-fraud-to-more-than-double-to-$2
www.javelinstrategy.com/coverage-area/2016-identity-fraud-fraud-hits-inflection-point
abcnews.go.com/Business/synthetic-identity-fraud-kind-costly-id-theft-youve/story?id=32596029
www.experian.co.uk/blogs/latest-thinking/renewed-surge-current-account-fraud/
nrf.com/news/new-way-steal
www.gemalto.com/press/Pages/Gemalto-releases-findings-of-2015-Breach-Level-Index.aspx
www.zdnet.com/article/microsoft-windows-zero-day-exposes-companies-to-crippling-cyberattacks/
census.gov/retail/mrts/www/data/pdf/ec_current.pdf
reuters.com/article/us-retail-fraud-idUSKCN0T611T20151117
emc.com/collateral/white-papers/card-not-present-fraud-post-emv-env-wp.pdf
acfe.com/uploadedFiles/Shared_Content/Products/Self-Study_CPE/Financial%20Institution%20Fraud%202013_Chapter%20Excerpt.pdf
equifax.com/pdfs/corp/Account_Opening_White%20Paper_EFS1004_0.pdf
csoonline.com/article/2975333/cyber-attacks-espionage/fraud-rate-doubles-as-cybercriminals-create-new-accounts-in-users-name.html
ft.com/cms/s/0/ff2b9782-45c0-11e5-b3b2-1672f710807b.html#axzz4BDoqdpRg