A session from the 2015 MRC conference presented by Noam Inbar, Forter's Vice President of Business Development, discussing the expected transformation in the fraud landscape and trends as a result of the EMV migration, and suggesting recommended actions for online retailers who want to prepare for the e-commerce "Post-EMV Fraud Tsunami".
Are you prepared for the spike in fraud rates that the industry will face after EMV adoption?
The US will officially adopt EMV standards in October 2015. While that's good news for preventing fraud in card present transactions, it means trouble ahead for CNP (card not present) transactions and merchants. Other markets saw a sharp rise in CNP fraud after adopting EMV, so will the same thing happen in the US? Probably.
While card-present fraud is based on networks and many people who have to do “dirty work” in order to get the job done, the card-not-present space marks the rise of the independent fraudster: a fraudster doesn't have to belong to a crime organization – a computer and an internet connection will provide everything he needs to commit e-commerce fraud. A thriving Crime as a Service ecosystem gives fraudsters numerous options in a wide price range to get the technical tools, the data and the knowledge that they need, making it much more challenging than in the past to fight them with manual reviews, scores and rule engines.
This presentation offers five guidelines that will help online retailers prepare for the day after the EMV migration while balancing loss prevention against user experience, so that fear of fraud neither creates a spike in false positives nor results in an over-conservative policy.
1. The Post-EMV Card not Present Fraud Tsunami: 101 Guide for Online Retailers. MRC Vegas 2015. Noam Inbar, VP Business Development, Forter
2. The countdown to EMV migration - soon all our worries will be over
3. Really?
4. Actually, not really.
   1. Being a fraudster is a profession; hurdles in the POS arena won't make fraudsters look for a different profession.
   2. Fraudsters look for the weakest link. There is no such word as “safe”, there can only be “safer”. There is always a loophole, and there are enough savvy fraudsters and fraud communities that will find it.
   3. EMV migration is taking its toll in terms of organizational resources and is slowing the organization down. Usually the same functions that are in charge of the migration are also in charge of CNP fraud, and fraudsters will take advantage of the fact that they will be preoccupied with a huge technological and organizational change. Unlike retailers and large companies, which are subject to regulations, law, internal approval and “chain of command”, fraudsters are agile and quick and can act on their ideas as they wish.
   4. There's great ROI in CNP fraud for fraudsters: e-commerce and mobile will continue to grow at a much higher rate than the POS. Fraudsters will be able to make a high profit with less effort.
   5. The evolving Crime as a Service ecosystem makes it easy for amateurs and individuals to become fraudsters – with very low barriers to entry almost anyone can become a fraudster, making it a matter of quantity over quality and creating a huge variance in the level of skills and experience of the fraudsters.
5. Welcome to the post-EMV Card not Present Fraud Tsunami
6. Here is what most of us do today in terms of fraud prevention practices: the mechanism is based on rule engines of different kinds which eventually generate a score. Some of them are based on newer technologies, some combine behavioral aspects, enhanced data sources and other things, but at the end of the day they all do the same thing – provide a score. If anything goes wrong and the merchant gets a chargeback, the provider isn't accountable for that score; it's basically a decision-support tool or a recommendation. The CNP liability shift creates a situation where merchants have to carry the burden and they have a lot to lose, so after getting the score they add more and more layers to ensure that they're making the right call – 3D Secure, more rules, and most of all manual reviews. This can be very inefficient and result in a conservative policy which compromises consumer experience and generates many false positives, which unfortunately, as we know, are one of the biggest pains in the industry. There's nothing fundamentally wrong with that – that's how most companies have been working for years now, and they're still here.
7. But that was OK as a 1.0 fraud prevention practice
8. We're approaching the post-EMV era, accompanied by an ongoing transformation in the fraud landscape; fraud today isn't what it used to be 3 years ago. We're facing 2.0 fraudsters whom we can't fight efficiently with processes that are so deeply based on manual work and outdated practices – we need new ammunition.
9. Machine learning, big data, algorithms, scores, rule engines, behavioral analysis, fingerprinting, blacklisting – we've all heard these buzzwords a hundred times during this conference and in general, but what's actually behind the buzzwords?
10. 101 Guide: Here are five actionable things you can do to prepare for the post-EMV Fraud Tsunami
11. KYF: Know Your Fraudster. Just like we do KYB and KYC, before we even think of solutions, we need to get a better understanding of our enemy.
12. Fraud is changing. It isn't what it used to be 10 or 5 or 2 years ago.
   1. Rise of the Crime as a Service economy – everything is available for sale on the dark net, making it easy and affordable for anyone to operate independently. Starting from any type of stolen data – credit card numbers, CVVs, full personal details that enable account takeovers – the more you pay, the more you get. Fraudsters can set up remote desktop services for a fee as low as $30 a month; they can access from IPs anywhere they want, from an unlimited number of IPs, with screening features and more. Shipping addresses “for sale” close to the billing address – using addresses of elderly people who got scammed into providing their address as a mailing destination, addresses in abandoned buildings and other creative solutions, all within a few miles of the billing address of the stolen card so that it enables AVS manipulation.
   2. Abundance of stolen data – the link between cyber attacks and fraud: the ongoing breaches flood the market with quality data that includes CVVs and many sensitive personal details. Many companies aren't PCI compliant and don't protect the data properly; that gives fraudsters an edge – they wait a few months and attack.
   3. No expertise necessary – there's a huge knowledge base available that can take a complete newbie and teach him how to become a fraudster from scratch, with “how to” guides available for several dollars. How to hack PayPal accounts, how to perform account takeover, how to hide your IP – knowledge is power? Everything they need to know is available for sale, and for cheap. The result is the huge increase in the quantity of fraudsters, and the variance in their quality – we see many amateur fraudsters, teenagers who do fraud for a hobby and post the card numbers they got on the clear net, on Facebook, and on the other hand uber-fraudsters with sophisticated MOs that are very difficult to track. That creates a lot of noise in the system – people who are doing manual reviews, and have been doing that for a while, have usually operated in a much more predictable space; now it's almost impossible to manually decide who's an amateur and who's a threat worth pursuing, and how to manage resources accordingly.
   4. Fraudsters are paranoid – after Silk Road's demise, fraudsters (the successful ones) constantly watch their back. They know that they are being tracked. They are aware of how anti-fraud systems work and are constantly taking additional measures and hiding behind several layers of protection in order to try and confuse us.
   5. Technology moves fast – just like we leverage technology innovations, so do fraudsters. Fraudsters are their own CTO, and the sophisticated ones come up with creative ways to leverage technology. Geolocation, IPs, cookies – those are old-school tactics for today's world.
   6. Hardware is commoditized – hardware keeps getting cheaper; with new Chinese players offering smartphones for under $100, a fraudster can use them as disposable phones for high-ticket transactions and be more evasive than ever.
13. Fraudsters still have their own communities and social spaces in which they share knowledge and information – here is a special Black Friday promotion for stolen credit cards posted in a dark net forum.
14. Challenge what you know – while some of it might be valid, open your mind and never take anything for granted or consider something as secure.
15. These are some of the most popular technologies among merchants for tracking and preventing fraud – most of them are very problematic.
   1. Cookies – most users use Private Browsing / Incognito mode or block cookies, so cookie info is hardly reliable.
   2. CVV – CVV and AVS are the most popular methods for fraud prevention according to MRC merchants. Any fraudster who respects himself gets a database which includes the CVV, so the CVV check is meaningless most of the time.
   3. AVS (Address Verification System) – even though processors encourage merchants to automatically use AVS rules for fraud detection, there are many ways to manipulate AVS checks: since AVS only checks the numeric values in the address, fraudsters often “buy” a shipping address that is close to the billing address of the stolen card and thus has the same zip code. Sophisticated fraudsters buy quality data and perform a full account takeover in which they change the customer's billing address in the bank records, making the AVS check irrelevant. In addition, using AVS usually makes you turn away a lot of good business: most countries outside of the US don't support AVS, so automatic rules create false positives and processor declines for consumers whose cards were issued in a country that doesn't support it. Re-shippers – services that forward packages to a destination shipping address – are a growing market with a lot of revenue in it. Re-shippers, travelers, students – all are automatically and wrongfully flagged as high risk by the AVS rules, since they ship to addresses that are not their home address as registered with the bank. In order to successfully serve those audiences and enjoy their revenue you need to be much better and more precise.
   4. IP – in a mobile era, IPs aren't a valid verification system; moreover, dynamic IP allocation is very common, and public Wi-Fi networks make the IP irrelevant.
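The two AVS failure modes on this slide (a full match is weak evidence, because only the numbers are compared; a hard-decline rule rejects good customers whose bank never answers AVS or who ship away from home) are easier to see against a small simulation. The code below is an added illustration, not from the talk or from Forter or any processor: the issuer-support table, the risk weights, the thresholds and the sample orders are all constructed, and the result letters follow the common AVS convention (Y/A/Z/N/U) in simplified form.

```python
"""Simulate an AVS check and compare two decision policies layered on it.

Added example, not Forter's or any processor's code. The issuer-support table,
risk weights, thresholds and sample orders are constructed for illustration;
the result letters follow the common AVS convention (Y/A/Z/N/U), simplified.
"""
import re

# Constructed: issuing countries whose banks answer AVS queries in this model.
AVS_SUPPORTED_COUNTRIES = {"US", "CA", "GB"}


def numeric_part(text):
    """AVS compares only the digits of the street line, not the words."""
    return "".join(re.findall(r"\d+", text))


def avs_check(order):
    """Return a simplified AVS result letter for the order's billing data.

    Y = street numbers and zip match, Z = zip only, A = street numbers only,
    N = neither, U = issuer does not support AVS (result unavailable).
    """
    if order["issuer_country"] not in AVS_SUPPORTED_COUNTRIES:
        return "U"
    bank = order["bank_record"]  # what the issuer holds for the cardholder
    street_ok = numeric_part(order["billing_street"]) == numeric_part(bank["street"])
    zip_ok = order["billing_zip"] == bank["zip"]
    if street_ok and zip_ok:
        return "Y"
    if zip_ok:
        return "Z"
    if street_ok:
        return "A"
    return "N"


def naive_policy(order):
    """Hard rules of the kind the slide warns about: anything short of a full
    AVS match, or shipping to a zip other than billing, is an automatic decline."""
    if avs_check(order) != "Y":
        return "decline"
    if order["ship_zip"] != order["billing_zip"]:
        return "decline"
    return "approve"


def weighted_policy(order):
    """AVS as one signal among several (weights are constructed).

    'U' is treated as unknown rather than as a mismatch, so cards from countries
    without AVS are not declined for a check that could never succeed; a
    ship/bill difference adds risk instead of deciding on its own."""
    risk = 0
    result = avs_check(order)
    if result == "N":
        risk += 60
    elif result in ("A", "Z"):
        risk += 25
    if order["ship_zip"] != order["billing_zip"]:
        risk += 20
    if order["amount"] > 500:
        risk += 15
    if risk >= 60:
        return "decline"
    if risk >= 35:
        return "review"
    return "approve"


# Constructed orders covering the cases discussed on the slide.
SAMPLE_ORDERS = [
    # Plain US cardholder shipping home: both policies approve.
    {"id": "us_exact", "issuer_country": "US", "amount": 120,
     "billing_street": "12 Elm St", "billing_zip": "90210", "ship_zip": "90210",
     "bank_record": {"street": "12 Elm St", "zip": "90210"}},
    # Different street, same house number and zip: AVS still returns Y, so a
    # full match is not proof that the buyer lives at the cardholder's address.
    {"id": "same_numbers_other_street", "issuer_country": "US", "amount": 100,
     "billing_street": "12 Oak Ave", "billing_zip": "90210", "ship_zip": "90210",
     "bank_record": {"street": "12 Elm St", "zip": "90210"}},
    # German-issued card: no AVS result exists, so the naive rule declines it.
    {"id": "de_card", "issuer_country": "DE", "amount": 80,
     "billing_street": "Hauptstrasse 4", "billing_zip": "10115", "ship_zip": "10115",
     "bank_record": {"street": "Hauptstrasse 4", "zip": "10115"}},
    # Student shipping to a dorm in another zip: legitimate, declined by the naive rule.
    {"id": "us_student", "issuer_country": "US", "amount": 90,
     "billing_street": "5 Pine Rd", "billing_zip": "10001", "ship_zip": "02139",
     "bank_record": {"street": "5 Pine Rd", "zip": "10001"}},
    # Zip-only match, remote shipping, high ticket: both policies decline.
    {"id": "zip_only_high", "issuer_country": "US", "amount": 900,
     "billing_street": "44 Main St", "billing_zip": "30301", "ship_zip": "33101",
     "bank_record": {"street": "9 Main St", "zip": "30301"}},
]


def compare_policies(orders=SAMPLE_ORDERS):
    """Map order id -> (AVS result, naive decision, weighted decision)."""
    return {o["id"]: (avs_check(o), naive_policy(o), weighted_policy(o)) for o in orders}


if __name__ == "__main__":
    for oid, (avs, naive, weighted) in compare_policies().items():
        print(f"{oid:28s} AVS={avs} naive={naive:8s} weighted={weighted}")
```

Running it shows the de_card and us_student rows declined by the naive rule and approved by the weighted one, which is the false-positive cost the slide describes, while same_numbers_other_street returns Y for both policies, which is why a clean AVS result should carry little weight on its own.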
16. Apple Pay is just an example of why we should ask questions. Apple Pay is great: it offers a seamless payment experience, and all of the merchants that I've talked to that have implemented it are really happy with the results. But a few months back some of us met at a different conference which focused pretty much on how secure Apple Pay is and why we would never have to worry about it. And then someone found a weak link, with never-used devices and never-used stolen cards that had no history and were sent to the banks for further decision. So even though it wasn't inside the Apple system, this is just another example of why we should never assume that something is secure - always be on your toes.
17. Smart linking
18. Uncover the fraudster social graph – this is what we refer to as the “social graph” of fraud prevention, and not in terms of social media connections. In fraud, people typically look at a transaction as a single entry – they verify, authenticate, check email match, IP match. If the transaction is flagged as fraud, the “user” is blacklisted – or rather what is defined as the user from the information bytes that you have on him.
But it's actually not that simple, because we know that fraudsters are evasive and they aren't the “user” they want you to think they are.
Try to take your linking capabilities to the next level – use similarities and proximities to see which attributes link bad transactions to other transactions. A blacklist is a simplistic rule; use a more complex structure to get inside the head of your fraudsters.
19. A visualization of what was explained in the previous slide – think of it as “Six Degrees of Separation”: looking inside the transaction and exploring how it's linked to other transactions, through which attributes, and whether those are good or bad. What does that mean? All of that is information that should be part of an automated decision-making algorithm.
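The linking idea from slides 18 and 19 in code, as an added illustration that is not part of the talk and not Forter's implementation: transactions become nodes, two transactions are joined when they share an attribute value, and a breadth-first walk from confirmed fraud gives each transaction its “degrees of separation”. The attribute list, the hub threshold (a value shared by too many transactions, such as a public Wi-Fi IP, is not used as a link, since it would chain unrelated shoppers together) and the six sample transactions are constructed.

```python
"""Link transactions through shared attributes and walk outward from confirmed fraud.

Added example, not Forter's implementation. The attribute list, the hub
threshold and the sample transactions are constructed for illustration.
"""
from collections import defaultdict, deque

# Attributes worth linking on, each with the maximum number of transactions
# that may share one value before the value is treated as a "hub" (a carrier
# NAT address, a public Wi-Fi IP) and ignored: linking through a hub would
# chain unrelated shoppers together.
LINK_ATTRIBUTES = {"email": 50, "device_id": 50, "ship_addr": 50, "ip": 3}

# Constructed transactions. t1 is confirmed fraud. The same actor places t2
# with a fresh email and IP but the same device, and t3 from another device
# but to the same drop address. t4-t6 are unrelated shoppers who happen to
# share t1's IP (a shared public network), so the IP must not link them.
TRANSACTIONS = [
    {"id": "t1", "email": "bad@example.com",   "device_id": "dev-A", "ship_addr": "12 Elm St 90210",  "ip": "203.0.113.7"},
    {"id": "t2", "email": "new1@example.com",  "device_id": "dev-A", "ship_addr": "77 Oak Ave 90210", "ip": "198.51.100.9"},
    {"id": "t3", "email": "new2@example.com",  "device_id": "dev-B", "ship_addr": "77 Oak Ave 90210", "ip": "198.51.100.10"},
    {"id": "t4", "email": "alice@example.com", "device_id": "dev-C", "ship_addr": "5 Pine Rd 10001",  "ip": "203.0.113.7"},
    {"id": "t5", "email": "bob@example.com",   "device_id": "dev-D", "ship_addr": "9 Main St 10002",  "ip": "203.0.113.7"},
    {"id": "t6", "email": "carol@example.com", "device_id": "dev-E", "ship_addr": "1 Lake Dr 10003",  "ip": "203.0.113.7"},
]
CONFIRMED_FRAUD = {"t1"}


def blacklist_hits(transactions, confirmed_fraud):
    """The single-entry view: the 'user' is the email, so block repeats of it."""
    bad_emails = {t["email"] for t in transactions if t["id"] in confirmed_fraud}
    return {t["id"] for t in transactions if t["email"] in bad_emails}


def build_links(transactions, link_attributes=LINK_ATTRIBUTES):
    """Adjacency map: txn id -> {neighbour id: attribute that links them}."""
    by_value = defaultdict(list)
    for txn in transactions:
        for attr in link_attributes:
            value = txn.get(attr)
            if value:
                by_value[(attr, value)].append(txn["id"])
    links = defaultdict(dict)
    for (attr, _value), ids in by_value.items():
        if len(ids) > link_attributes[attr]:
            continue  # hub value: shared too widely to mean "same actor"
        for a in ids:
            for b in ids:
                if a != b:
                    links[a].setdefault(b, attr)
    return links


def degrees_of_separation(links, seeds):
    """Breadth-first walk from confirmed-fraud transactions; hop count per node."""
    hops = {seed: 0 for seed in seeds}
    queue = deque(seeds)
    while queue:
        current = queue.popleft()
        for neighbour in links.get(current, {}):
            if neighbour not in hops:
                hops[neighbour] = hops[current] + 1
                queue.append(neighbour)
    return hops


def suspicious_within(transactions, confirmed_fraud, max_hops=2):
    """Transactions within max_hops of confirmed fraud, with their distance."""
    hops = degrees_of_separation(build_links(transactions), confirmed_fraud)
    return {tid: h for tid, h in hops.items() if h <= max_hops}


if __name__ == "__main__":
    print("blacklist catches:", sorted(blacklist_hits(TRANSACTIONS, CONFIRMED_FRAUD)))
    print("linked within 2 hops:", suspicious_within(TRANSACTIONS, CONFIRMED_FRAUD))
```

The blacklist stops at t1, because the fraudster never reuses the email; the walk reaches t2 through the device and t3 through the drop address, while t4 to t6 stay unlinked because their only common value with t1 is a hub IP. The hop count and the linking attribute are what an automated decision can consume, instead of a reviewer reconstructing the chain by hand.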
20. Automate: in order to scale and handle the upcoming changes, we should aim to have an automated practice.
21. Almost everybody was doing manual reviews at some point! 73% of online merchants conduct manual reviews, 20% of merchants spend over 20 minutes per reviewed transaction, and 52% of the fraud management budget is spent on review costs, according to the latest CyberSource report. As inefficient as it is, there's something good about manual reviews: they give you a sense of control. You really follow someone, try to understand his behavior, see what's going on inside his head. The two biggest problems with it are that it damages the user experience of the majority of your legitimate buyers (delayed fulfillment, uncertainty, etc.) and that it doesn't scale.
22. We look at behavioral analysis as the automation of manual reviews! And it has a lot of added value.
Predicting people isn't like predicting the weather – unlike the weather, people's behavior changes between cultures and over time; they know when you're following, they know what you're looking for, and they can change their behavior accordingly. Regular machine learning and big data practices won't help – those need to be powered by adaptive human modelling that finds the story behind the transaction.
23. Don’t panic – the biggest threat is giving in to the fear of fraud and deploying an over-conservative policy that rejects good customers and automatically blocks global markets.
24. When you rely on statistics, averages and rule engines, you are most likely generating false positives. Here is an example of a transaction that according to its attributes will surely be declined by a rule engine.
25. When you look for the story behind the transaction, you see a Mexican immigrant sending a package to his family on a national Mexican holiday – a legitimate $10,000 transaction.
26. I personally got 3 false positives on United with 3D Secure! 3D Secure is hated by most consumers as well as many of the merchants that we've talked to. In return for a liability shift, merchants need to take a major hit in user experience and conversion rates, yet some merchants need that peace of mind.
27. The networks are talking about a new version of 3D Secure which is planned for some time in 2016. We tried to analyze that new product, but there isn't any available info. I assume it will be less invasive and have a friendlier password flow. On the other hand, it still remains something that the user needs to do on the frontend, and it interrupts the transaction. Regarding the technology aspect, there isn't any information on the product from which we can draw conclusions.
28. To sum up:
   1. Know your Fraudster
   2. Challenge everything you know
   3. Smart Linking
   4. Automate
   5. Don't panic
29. Feel free to reach out for more information
noam@forter.com
www.forter.com
@ForterFraudFree
Editor's Notes
The Post-EMV Card not Present Fraud Tsunami: 101 Guide for Online Retailers
MRC Vegas 2015
Noam Inbar, VP Business Development, Forter