The Post-EMV Card not Present Fraud Tsunami: 101 Guide for Online Retailers
MRC Vegas 2015
Noam Inbar, VP Business Development, Forter
The countdown to EMV migration - Soon all our worries will be over
Really?
Actually, not really.
1. Being a fraudster is a profession; hurdles at the POS arena won’t make them look for a different profession.
2. Fraudsters look for the weakest link. There is no such word as “safe”, there can only be “safer”. There is always a loophole and there are enough savvy fraudsters and fraud communities that will find it.
3. EMV migration is taking its toll in terms of organizational resources and is slowing the organization down. Usually the same functions that are in charge of the migration are also in charge of CNP fraud, and fraudsters will take advantage of the fact that they will be preoccupied with a huge technological and organizational change. Unlike retailers and large companies, which are subject to regulations, law, internal approval and “chain of command”, fraudsters are agile and quick and can act on their ideas as they wish.
4. There’s great ROI in CNP fraud for fraudsters: e-commerce and mobile will continue to grow, at a much higher rate than the POS. Fraudsters will be able to make a high profit with less effort.
5. The evolving Crime as a Service ecosystem makes it easy for amateurs and individuals to become fraudsters – with very low barriers to entry almost anyone can become a fraudster, making it a matter of quantity over quality and creating a huge variance in the level of skills and experience of the fraudsters.
Here is what most of us do today in terms of fraud prevention practices: the mechanism is based on rule engines of different kinds which eventually generate a score. Some of them are based on newer technologies, some of them combine behavioral aspects, enhanced data sources and other things, but at the end of the day they all do the same thing – provide a score. If anything goes wrong and the merchant gets a chargeback, the provider isn’t accountable for that score; it’s basically a decision-support tool or a recommendation. The CNP liability shift creates a situation where merchants have to carry the burden and they have a lot to lose, so after getting the score they add more and more layers to ensure that they’re making the right call – 3D Secure, more rules, and most of all – manual reviews. This can be very inefficient and result in a conservative policy which will compromise consumer experience and generate many false positives, which unfortunately, as we know, are one of the biggest pains in the industry. There’s nothing fundamentally wrong with that – that’s how most companies have been working for years now and they’re still here.
But that was OK as a 1.0 fraud prevention practice
We’re approaching the post-EMV era, accompanied by an ongoing transformation in the fraud landscape; fraud today isn’t what it used to be 3 years ago. We’re facing 2.0 fraudsters which we can’t fight efficiently with processes that are so deeply based on manual work and outdated practices; we need new ammunition.
Machine learning, big data, algorithms, scores, rule engines, behavioral, fingerprinting, blacklisting – we’ve all heard these buzzwords a hundred times during this conference and in general, but what’s actually behind the buzzwords?
101 Guide: Here are five actionable things you can do to prepare for the post EMV Fraud Tsunami
KYF: Know Your Fraudster. Just like we do KYB and KYC, before we even think of solutions, we need to get a better understanding of our enemy.
Fraud is changing. It isn’t what it used to be 10 or 5 or 2 years ago.
1. Rise of Crime as a Service economy – everything is available for sale in the dark-net, making it easy and affordable for anyone to operate independently. Starting from any type of stolen data – credit card numbers, CVV, full personal details that enable account takeovers – the more you pay the more you get. Fraudsters can set up remote desktop services for a fee as low as $30 a month; they can access from IPs anywhere they want, from an unlimited number of IPs with screening features and more. Shipping address “for sale” close to the billing address – using addresses of elderly people who got scammed into providing their address as a mailing destination, addresses in abandoned buildings and other creative solutions, all within a few miles from the billing address of the stolen card so it would enable AVS manipulation.
2. Abundance of stolen data – the link between cyber attacks and fraud: the ongoing breaches flood the market with quality data that includes CVVs and many sensitive personal details. Many companies aren’t PCI compliant and don’t protect the data properly; that gives fraudsters an edge, they wait a few months and attack.
3. No expertise necessary – There’s a huge knowledge base available that can take a complete newbie and teach him how to become a fraudster from scratch, with “how to” guides available for several dollars. How to hack PayPal accounts, how to perform account takeover, how to hide your IP – Knowledge is power? Everything they need to know is available for sale and for cheap. The result is the huge increase in the quantity of fraudsters, and the variance in the quality – we see many amateur fraudsters, teenagers that do fraud for a hobby and post the card numbers that they got on the clear-net, on Facebook, and on the other hand uber-fraudsters with sophisticated MOs that are very difficult to track. That creates a lot of noise in the system – people who are doing manual reviews, and have been doing that for a while, have usually operated in a much more predictable space; now it’s almost impossible to manually decide who’s an amateur and who’s a threat worth pursuing, and how to manage resources on that.
4. Fraudsters are paranoid – After Silk Road’s demise, fraudsters (the successful ones) constantly watch their back. They know that they are being tracked. They have awareness of how anti-fraud systems work and they are constantly taking additional measures and hiding between several layers of protections in order to try and confuse us.
5. Technology moves fast – Just like we leverage technology innovations, so do fraudsters. Fraudsters are their own CTO and the sophisticated ones come up with creative ways to leverage technology. Geo location, IPs, cookies – those are old school tactics for today’s world.
6. Hardware is commoditized – Hardware keeps getting cheaper. With new Chinese players offering smartphones for under $100, a fraudster can use them as disposable phones for high ticket transactions and be more evasive than ever.
Fraudsters still have their own communities and social spaces in which they share knowledge and information – here is a special Black Friday promotion for stolen credit cards posted in a dark net forum
Challenge what you know – while some of it might be valid, open your mind and never take anything for granted or consider something as secure.
These are some of the most popular technologies among merchants for tracking and preventing fraud – most of them are very problematic.
1. Cookies – most users use Private Browsing / Incognito mode or block cookies so cookie info is hardly reliable
2. CVV – CVV and AVS are the most popular methods for fraud prevention according to MRC merchants. Any fraudster who respects himself gets a database which includes the CVV, so the CVV check is meaningless most of the time.
3. AVS (Address Verification System) – Even though processors encourage merchants to automatically use AVS rules for fraud detection, there are many ways to manipulate AVS checks: since AVS only checks numeric values in the address, fraudsters often “buy” a shipping address that is close to the billing address of the stolen card and thus has the same zip code. Sophisticated fraudsters buy quality data and perform a full account takeover in which they change the customer’s billing address in the bank records, making the AVS check irrelevant. In addition, using AVS usually makes you turn away a lot of good business. Most countries outside of the US don’t support the AVS method, so automatic rules create false positives and processor declines for consumers whose cards were issued in a country that doesn’t support AVS. Re-shippers – services that ship to a destination shipping address – have a lot of revenue there and are a growing market. Re-shippers, travelers, students – all are automatically and wrongfully flagged as high risk by the AVS rules, since they ship to addresses that are not their home address as it’s registered in the bank. In order to successfully serve those audiences and enjoy their revenue you need to be much better and more precise.
4. IP – in a mobile era IPs aren’t a valid verification system; moreover, dynamic IP allocation is very common, and public wi-fi networks make the IP irrelevant
Apple Pay is just an example of why we should ask questions. Apple Pay is great, it offers a seamless payment experience and all of the merchants that I’ve talked to that have implemented it are really happy with the results. But a few months back some of us met in a different conference which was focused pretty much on how secure Apple Pay is and why we would never have to worry about it. And then someone found a weak link, with never-used devices, and never-used stolen cards, that had no history and were sent to the banks for further decision. So even though it wasn’t inside the Apple system, this is just another example of why we should never assume that something is secure - always be on your toes
Smart linking
Uncover the fraudster social graph – this is what we refer to as the “social graph” of fraud prevention, and not in terms of social media connections. In fraud, people typically look at a transaction as a single entry – they verify, authenticate, check email match, IP match. If the transaction is flagged as fraud, the “user” is blacklisted – or what is defined as the user from the information bytes that you have on him.
But it’s actually not that simple – because we know that fraudsters are evasive and they aren’t the “user” that they want you to think they are.
Try to take your linking capabilities to the next level – use similarities and proximities to see what attributes link between bad transactions and other transactions. A blacklist is a simplistic rule; use a more complex structure to get inside the head of your fraudsters.
A visualization of what was explained in the previous slide – Think of it as “Six Degrees of Separation”: looking inside the transaction and exploring how it’s linked to other transactions, in what attributes, are they good or bad? What does that mean – all of that is information that should be part of an automated decision making algorithm
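The linking idea above, as an added example that is not part of the original talk or any vendor's implementation: transactions that share an attribute value are connected, and risk spreads outward from a known-fraud transaction, weakening with each hop and with weaker attributes. The field names, sample transactions and link strengths are all constructed assumptions; the result is compared with a plain exact-match blacklist.

```python
import heapq
from collections import defaultdict

# Assumed link strengths per shared attribute (illustrative values, not from the talk).
# IP is weighted low because the talk describes IP matching as unreliable.
LINK_STRENGTH = {"device": 0.9, "email": 0.9, "ship_to": 0.7, "ip": 0.2}

# Constructed sample transactions; field names and values are made up for this example.
TRANSACTIONS = [
    {"id": "t1", "email": "a@example.com", "device": "dev-1",
     "ship_to": "12 Oak St 89101", "ip": "203.0.113.5", "label": "fraud"},
    {"id": "t2", "email": "b@example.com", "device": "dev-1",
     "ship_to": "77 Pine Ave 89102", "ip": "198.51.100.7", "label": None},
    {"id": "t3", "email": "c@example.com", "device": "dev-2",
     "ship_to": "77 Pine Ave 89102", "ip": "198.51.100.9", "label": None},
    {"id": "t4", "email": "d@example.com", "device": "dev-3",
     "ship_to": "5 Elm Rd 10001", "ip": "192.0.2.44", "label": None},
    {"id": "t5", "email": "e@example.com", "device": "dev-4",
     "ship_to": "9 Lake Dr 60601", "ip": "203.0.113.5", "label": None},
]


def blacklist_hits(transactions):
    """The simplistic rule: flag anything sharing an exact value with a fraud record."""
    bad = {(a, tx[a]) for tx in transactions
           if tx["label"] == "fraud" for a in LINK_STRENGTH}
    return {tx["id"] for tx in transactions
            if tx["label"] != "fraud" and any((a, tx[a]) in bad for a in LINK_STRENGTH)}


def build_graph(transactions):
    """Connect transactions sharing an attribute value; keep the strongest link per pair."""
    by_value = defaultdict(list)
    for tx in transactions:
        for attr in LINK_STRENGTH:
            if tx.get(attr):
                by_value[(attr, tx[attr])].append(tx["id"])
    graph = defaultdict(dict)
    for (attr, _value), ids in by_value.items():
        for a in ids:
            for b in ids:
                if a != b and LINK_STRENGTH[attr] > graph[a].get(b, (0.0, None))[0]:
                    graph[a][b] = (LINK_STRENGTH[attr], attr)
    return graph


def propagate_risk(transactions, graph):
    """Best (max-product) path from any known-fraud transaction to every other one.

    Returns {tx_id: (risk, hops, [linking attributes along the path])}.
    Strengths are <= 1, so a Dijkstra-style search on the product is valid.
    """
    best = {tx["id"]: (0.0, None, []) for tx in transactions}
    heap = []
    for tx in transactions:
        if tx["label"] == "fraud":
            best[tx["id"]] = (1.0, 0, [])
            heapq.heappush(heap, (-1.0, tx["id"]))
    while heap:
        neg_risk, node = heapq.heappop(heap)
        risk = -neg_risk
        if risk < best[node][0]:
            continue  # stale queue entry
        for nxt, (strength, attr) in graph[node].items():
            candidate = risk * strength
            if candidate > best[nxt][0]:
                best[nxt] = (candidate, best[node][1] + 1, best[node][2] + [attr])
                heapq.heappush(heap, (-candidate, nxt))
    return best


def run_example():
    graph = build_graph(TRANSACTIONS)
    return blacklist_hits(TRANSACTIONS), propagate_risk(TRANSACTIONS, graph)


if __name__ == "__main__":
    hits, risk = run_example()
    print("exact blacklist hits:", sorted(hits))
    for tx_id, (score, hops, via) in sorted(risk.items()):
        print(tx_id, round(score, 2), hops, " -> ".join(via))
```

On this sample the blacklist treats the shared-IP order (t5) the same as the shared-device order (t2) and misses t3 entirely, while the linked score ranks t3, two hops away through a reused shipping address, above t5.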
Automate: in order to scale and handle the upcoming changes we should aim to have an automated practice
Almost everybody was doing manual reviews at some point! 73% of online merchants conduct manual reviews, 20% of merchants spend over 20 minutes per reviewed transaction, 52% of fraud management budget is spent on review costs according to the latest Cybersource report. As inefficient as it is, there’s something good about manual reviews: it gives you a sense of control. You really follow someone, try to understand his behavior, see what’s going on inside his head – and the two biggest problems with it are that it damages the user experience of the majority of your legitimate buyers (delayed fulfillment, uncertainty etc.) and that it doesn’t scale
We look at Behavioral Analysis as the automation of manual reviews! And it has a lot of added value.
Predicting people isn’t like predicting the weather – unlike the weather, people’s behavior changes between cultures and over time; they know when you’re following, they know what you’re looking for and they can change their behavior accordingly. Regular machine learning and big data practices won’t help – those need to be powered by adaptive human modelling that finds the story behind the transaction.
Don’t panic – the biggest threat is giving in to the fear of fraud and deploying an over-conservative policy that rejects good customers and automatically blocks global markets.
When you rely on statistics, averages and rule engines, you are most likely generating false positives. Here is an example of a transaction that according to its attributes will surely be declined by a rule engine.
When you look for the story behind the transaction, you see a Mexican immigrant sending a package to his family on a national Mexican holiday – a legitimate, $10,000 transaction.
I personally got 3 false positives on United with 3D Secure! 3D Secure is hated by most consumers as well as many of the merchants that we’ve talked to. In return for a liability shift, merchants need to take a major hit in user experience and conversion rates, yet some merchants need that peace of mind
The networks are talking about a new version of 3D Secure which is planned some time in 2016. We tried to analyze that new product but there isn’t any available info. I assume it will be less invasive and require a more friendly password flow. On the other hand, it still remains something that the user needs to do on the frontend and interrupts the transaction. Regarding the technology aspect, there isn’t any information on the product that we can conclude from.
To sum up:
1. Know your Fraudster
2. Challenge everything you know
3. Smart Linking
4. Automate
5. Don’t panic
Feel free to reach out for more information
noam@forter.com
www.forter.com
@ForterFraudFree

The Post-EMV Card not Present Fraud Tsunami: 101 Guide for Online Retailers - MRC 2015

  • 1. The Post-EMV Card not Present Fraud Tsunami: 101 Guide for Online Retailers MRC Vegas 2015 Noam Inbar, VP Business Development, Forter
  • 2. The countdown to EMV migration - Soon all our worries will be over
  • 4. Actually, not really. 1. Being a fraudster is a profession, hurdles at the POS arena won’t make them look for a different profession 2. Fraudsters look for the weakest link, there is no such word as “safe”, there can only be “safer”.There is always a loophole and there are enough savvy fraudsters and fraud communities that will find it. 3. EMV migration is taking its toll in terms of organizational resources and is slowing the organization down. Ususally the samefunctions that are in chargeof the migration arealso in chargeof CNP fraud and fraudsters will take advantage of the factthat they will be preoccupied with a huge technological and organizational change. Unlike retailers and largecompanies which are subject to regulations, law, internal approval and “chain of command”, fraudsters areagileand quick and can act on their ideas as they wish. 4. There’s greatROI in CNP fraud for fraudsters: Ecommerceand mobile will continue to grow,at a much higher rate than the POS. Fraudsters will be able to make a high profit in less effort. 5. The evolving Crime as a Service ecosystem makes it easy for amateurs and individuals to become fraudsters – with very low barriers to entry almost anyone can become a fraudster,making it a matter of quantity over quality and creating a huge variancein the level of skills and experience of the fraudsters.
  • 5.
  • 6. Here is what most of us do today in terms of fraud prevention practices: the mechanism is based on rule engines of different kinds which eventually generate a score. Some of them are based on newer technologies, some of them combine behavioral aspects, enhanced data sources and other things but in the end of the day they all do the same thing – provide a score. If anything goes wrong and the merchant gets a chargeback, the provider isn’t accountable for that score, its basically a decision supporting tool or a recommendation. The CNP Liabilityshift creates a situation where merchants have to carry the burden and they have a lot to lose, so after getting the score they add more and more layers to ensure that they’re making the right call – 3D Secure, more rules, and most of all – manual reviews. This can be very inefficient and result in a conservative policy which will compromise consumer experience and generate many false positives which unfortunately as we know are one of the biggest pains in the industry. There’s nothing fundamentally wrong with that – that’s how most companies have been working for years now and they’re still here.
  • 7. But that was OK as a 1.0 fraud prevention practice
  • 8. We’re approaching the post-EMV era, accompanied by ongoing transformation in the fraud landscape, fraud today isn’t what it used to be 3 years ago. We’re facing 2.0 fraudsters which we can’t fight efficiently with processes that are so deeply based on manual work and outdated practices, we need to ammunition.
  • 9. Machine learning, big data, algorithms, scores, rule engines, behavioral, fingerprinting, blacklisting – we’ve all heard these buzzwords a hundred times during this conference and in general, but what’s actually behind the buzzwords?
  • 10. 101 Guide: Here are five actionable things you can do to prepare for the post EMV Fraud Tsunami
  • 11. KYF: Know Your Fraudster. Just like we do KYB and KYC, before we even think of solutions, we need to get a better understanding of our enemy.
  • 12. Fraud is changing. It isn’t what it used to be 10 or 5 or 2 years ago.
      1. Rise of Crime as a Service economy – everything is available for sale in the dark-net, making it easy and affordable for anyone to operate independently. Starting from any type of stolen data – credit card numbers, CVV, full personal details that enable account takeovers – the more you pay the more you get. Fraudsters can set up remote desktop services for a fee as low as $30 a month, they can access from IPs anywhere they want, from an unlimited number of IPs with screening features and more. Shipping address “for sale” close to the billing address – using addresses of elderly people who got scammed into providing their address as a mailing destination, addresses in abandoned buildings and other creative solutions, all within a few miles from the billing address of the stolen card so it would enable AVS manipulation.
      2. Abundance of stolen data – the link between cyber attacks and fraud: the ongoing breaches flood the market with quality data that includes CVVs and many sensitive personal details. Many companies aren’t PCI compliant and don’t protect the data properly; that gives fraudsters an edge, they wait a few months and attack.
      3. No expertise necessary – There’s a huge knowledge base available that can take a complete newbie and teach him how to become a fraudster from scratch, with “how to” guides available for several dollars. How to hack PayPal accounts, how to perform account takeover, how to hide your IP – Knowledge is power? Everything they need to know is available for sale and for cheap. The result is the huge increase in the quantity of fraudsters, and the variance in the quality – we see many amateur fraudsters, teenagers that do fraud for a hobby and post the card numbers that they got on the clear-net, on Facebook, and on the other hand uber-fraudsters with sophisticated MOs that are very difficult to track. That creates a lot of noise in the system – people who are doing manual reviews, and have been doing that for a while, have usually operated in a much more predictable space; now it’s almost impossible to manually decide who’s an amateur and who’s a threat worth pursuing, and how to manage resources on that.
      4. Fraudsters are paranoid – After Silk Road’s demise, fraudsters (the successful ones) constantly watch their back. They know that they are being tracked. They have awareness of how anti-fraud systems work and they are constantly taking additional measures and hiding between several layers of protections in order to try and confuse us.
      5. Technology moves fast – Just like we leverage technology innovations, so do fraudsters. Fraudsters are their own CTO and the sophisticated ones come up with creative ways to leverage technology. Geo location, IPs, Cookies – those are old school tactics for today’s world.
      6. Hardware is commoditized – Hardware keeps getting cheaper; with new Chinese players offering smartphones for under $100, a fraudster can use them as disposable phones for high ticket transactions and be more evasive than ever.
  • 13. Fraudsters still have their own communities and social spaces in which they share knowledge and information – here is a special Black Friday promotion for stolen credit cards posted in a dark net forum
  • 14. Challenge what you know – while some of it might be valid, open your mind and never take anything for granted or consider something as secure.
  • 15. These are some of the most popular technologies among merchants for tracking and preventing fraud – most of them are very problematic.
      1. Cookies – most users use Private Browsing / Incognito mode or block cookies, so cookie info is hardly reliable.
      2. CVV – CVV and AVS are the most popular methods for fraud prevention according to MRC merchants. Any fraudster who respects himself gets a database which includes the CVV, so the CVV check is meaningless most of the time.
      3. AVS (Address Verification System) – Even though processors encourage merchants to automatically use AVS rules for fraud detection, there are many ways to manipulate AVS checks: since AVS only checks numeric values in the address, fraudsters often “buy” a shipping address that is close to the billing address of the stolen card and thus has the same zip code. Sophisticated fraudsters buy quality data and perform a full account takeover in which they change the customer’s billing address in the bank records, making the AVS check irrelevant. In addition, using AVS usually makes you turn away a lot of good business. Most countries outside of the US don’t support the AVS method, so automatic rules create false positives and processor declines for consumers whose cards were issued in a country that doesn’t support AVS. Re-shippers – services that ship to a destination shipping address – have a lot of revenue there and are a growing market. Re-shippers, travelers, students – all are automatically and wrongfully flagged as high risk by the AVS rules since they ship to addresses that are not their home address as it’s registered in the bank. In order to successfully serve those audiences and enjoy their revenue you need to be much better and more precise.
      4. IP – in a mobile era IPs aren’t a valid verification system; moreover, dynamic IP allocation is very common, and public wi-fi networks make the IP irrelevant.
  • 16. Apple Pay is just an example of why we should ask questions. Apple Pay is great, it offers a seamless payment experience and all of the merchants that I’ve talked to that have implemented it are really happy with the results. But a few months back some of us met at a different conference which was focused pretty much on how secure Apple Pay is and why we would never have to worry about it. And then someone found a weak link, with never-used devices, and never-used stolen cards, that had no history and were sent to the banks for further decision. So even though it wasn’t inside the Apple system, this is just another example of why we should never assume that something is secure – always be on your toes.
  • 17. Smart linking
  • 18. Uncover the fraudster social graph – this is what we refer to as the “social graph” of fraud prevention, and not in terms of social media connections. In fraud, people typically look at a transaction as a single entry – they verify, authenticate, check email match, IP match. If the transaction is flagged as fraud, the “user” is blacklisted – or what is defined as the user from the information bytes that you have on him. But it’s actually not that simple – because we know that fraudsters are evasive and they aren’t the “user” that they want you to think they are. Try to take your linking capabilities to the next level – using similarities and proximities to see what attributes link between bad transactions and other transactions. A blacklist is a simplistic rule; use a more complex structure to get inside the head of your fraudsters.
  • 19. A visualization of what was explained in the previous slide – Think of it as “Six Degrees of Separation”: looking inside the transaction and exploring how it’s linked to other transactions, in what attributes, are they good or bad? What does that mean – all of that is information that should be part of an automated decision making algorithm.
  • 20. Automate: in order to scale and handle the upcoming changes we should aim to have an automated practice
  • 21. Almost everybody was doing manual reviews at some point! 73% of online merchants conduct manual reviews, 20% of merchants spend over 20 minutes per reviewed transaction, 52% of fraud management budget is spent on review costs according to the latest Cybersource report. As inefficient as it is, there’s something good about manual reviews: it gives you a sense of control. You really follow someone, try to understand his behavior, see what’s going on inside his head – and the two biggest problems with it are that it damages the user experience of the majority of your legitimate buyers (delayed fulfillment, uncertainty etc.) and that it doesn’t scale.
  • 22. We look at Behavioral Analysis as the automation of manual reviews! And it has a lot of added values. Predicting people isn’t like predicting the weather – unlike the weather, people’s behavior changes between cultures and over time, they know when you’re following, they know what you’re looking for and they can change their behavior accordingly. Regular machine learning and big data practices won’t help – those need to be powered by adaptive human modelling that finds the story behind the transaction.
  • 23. Don’t panic – the biggest threat is giving in to the fear of fraud and deploying an over-conservative policy that rejects good customers and automatically blocks global markets.
  • 24. When you rely on statistics, averages and rule engines, you are most likely generating false positives. Here is an example of a transaction that according to its attributes will surely be declined by a rule engine.
  • 25. When you look for the story behind the transaction, you see a Mexican Immigrant sending a package to his family on a national Mexican holiday – a legitimate, $10,000 transaction.
  • 26. I personally got 3 false positives on united with 3D Secure! 3D Secure is hated by most consumers as well as many of the merchants that we’ve talked to. In return for a liability shift, merchants need to take a major hit in user experience and conversion rates, yet some merchants need that peace of mind.
  • 27. The networks are talking about a new version of 3D Secure which is planned some time in 2016. We tried to analyze that new product but there isn’t any available info. I assume it will be less invasive and require a more friendly password flow. On the other hand, it still remains something that the user needs to do on the frontend and interrupts the transaction. Regarding the technology aspect, there isn’t any information on the product that we can conclude from.
  • 28. To sum up:
      1. Know your Fraudster
      2. Challenge everything you Know
      3. Smart Linking
      4. Automate
      5. Don’t panic
  • 29. Feel free to reach out for more information noam@forter.com www.forter.com @ForterFraudFree
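
The linking idea from slides 18 and 19, as an added example that is not part of the original deck or any vendor's product: transactions are connected whenever they share a normalised attribute, and each one gets a hop count and attribute chain back to confirmed fraud, next to what a plain blacklist would catch. The field names, the normalisation rules and all sample values are assumptions constructed for the illustration.

```python
from collections import defaultdict, deque

# Attributes used to link transactions (assumed field names for this example).
LINK_ATTRIBUTES = ("email", "device", "ship_to", "ip")

# Constructed sample data: every value here is made up.
TRANSACTIONS = [
    {"id": "t1", "email": "mule1@example.com", "device": "dev-A",
     "ship_to": "12 Oak St Apt 4", "ip": "198.51.100.7"},
    {"id": "t2", "email": "j.doe@example.org", "device": "dev-B",
     "ship_to": "12 oak st  apt 4", "ip": "203.0.113.9"},
    {"id": "t3", "email": "k.lee@example.net", "device": "dev-B",
     "ship_to": "77 Pine Rd", "ip": "203.0.113.50"},
    {"id": "t4", "email": "K.Lee+promo@example.net", "device": "dev-C",
     "ship_to": "5 Elm Ct", "ip": "192.0.2.1"},
    {"id": "t5", "email": "sam@example.com", "device": "dev-D",
     "ship_to": "900 Lake Dr", "ip": "192.0.2.44"},
]
CONFIRMED_FRAUD = {"t1"}  # e.g. transactions that came back as chargebacks


def normalise(attr, value):
    """Fold trivial variations so near-identical values link together."""
    value = " ".join(value.lower().split())
    if attr == "email":
        # Assumption: "+tag" suffixes alias the same mailbox (not true everywhere).
        local, _, domain = value.partition("@")
        value = local.split("+", 1)[0] + "@" + domain
    return value


def keys_of(tx):
    """(attribute, normalised value) pairs present on a transaction."""
    return [(a, normalise(a, tx[a])) for a in LINK_ATTRIBUTES if tx.get(a)]


def blacklist_hits(transactions, fraud_ids):
    """Baseline: flag only transactions sharing a value with confirmed fraud."""
    bad = {k for tx in transactions if tx["id"] in fraud_ids for k in keys_of(tx)}
    return {tx["id"] for tx in transactions
            if tx["id"] not in fraud_ids and bad.intersection(keys_of(tx))}


def link_paths(transactions, fraud_ids):
    """Breadth-first search outward from confirmed fraud over shared attributes.

    Returns {tx_id: [(attribute, neighbour_id), ...]}, the shortest chain of
    shared attributes leading from that transaction back to confirmed fraud.
    """
    by_id = {tx["id"]: tx for tx in transactions}
    index = defaultdict(set)
    for tx in transactions:
        for key in keys_of(tx):
            index[key].add(tx["id"])
    paths = {f: [] for f in fraud_ids}
    queue = deque(sorted(fraud_ids))
    while queue:
        current = queue.popleft()
        for key in keys_of(by_id[current]):
            for other in sorted(index[key]):
                if other not in paths:
                    paths[other] = [(key[0], current)] + paths[current]
                    queue.append(other)
    return paths


def link_features(transactions, fraud_ids):
    """Per-transaction features an automated decision could consume."""
    paths = link_paths(transactions, fraud_ids)
    features = {}
    for tx in transactions:
        path = paths.get(tx["id"])
        features[tx["id"]] = {
            "hops": None if path is None else len(path),
            "via": [] if path is None else [attr for attr, _ in path],
        }
    return features


if __name__ == "__main__":
    print("blacklist:", sorted(blacklist_hits(TRANSACTIONS, CONFIRMED_FRAUD)))
    for tx_id, feat in link_features(TRANSACTIONS, CONFIRMED_FRAUD).items():
        print(tx_id, feat)
```

The hop count and attribute chain are inputs to a decision, not a verdict: a link through an attribute slide 15 calls unreliable, such as IP, deserves less weight than one through a shared device or email.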
