As payments move online, fraudsters are following
Wherever your customers are in the world, most of them are probably online. More and more people are choosing to shop online for things that traditionally would have been bought in store, such as furniture, fashion and fast-food.
The whole world loves online shopping. The global ecommerce market is predicted to grow to 4.9 trillion US dollars by 2021. In 2018, one in every ten dollars spent globally was spent online, and by 2022 online sales will make up 17% of all global consumer sales.
With so many customers storing card details and making payments online, fraudsters can’t resist taking advantage, and online payment fraud is rising fast.
What is online payment fraud and why is it so common?
But before we dive into how online payment fraud happens, it’s important to know exactly what payments it affects.
There are two types of payments:
When the physical card is used to buy something in a shop, restaurant, bar or market.
Card not present
When the card details are used, but the physical card itself isn’t passed from the buyer to seller. CNP payments can happen by mail or on the phone, but mainly happen online.
Online payments are a prime target for fraudsters as they don’t even need to have the real card, they only need the card details which can be stored digitally. It’s also easier to get away with it, because it’s so much harder for the seller to verify who is really making the purchase.
Association of Finance Professionals
Payment fraud affected 82% of organizations in 2018
Online payment fraud statistics around the globe
Payment fraud is already a billion dollar business, and it’s growing. When you look at the stats behind global online payment fraud, it’s no surprise that almost three quarters of businesses say it’s a major concern.
Online sellers will lose $130 billion to online payment fraud between 2018 and 2023
Regional statistics for online payment fraud
Global fraud average costs:
- Online payment fraud costs global businesses 1.8% of revenue.
- For every $1 of fraud from chargebacks, ecommerce businesses lose an extra $2.94
The extra costs of fraud for businesses include chargeback fees, merchandise distribution, fraud investigation, legal prosecution and software security.
It’s not only about the financial cost - fraud also impacts brand and customer loyalty. Because consumers aren’t aware of how fraud works, they often blame the online seller and are less likely to buy from their site again.
Who is affected by online payment fraud?
For customers, having card details stolen can be frustrating and scary. On average, victims of online payment fraud spend two working days cancelling their cards and dealing with the aftermath.
For online sellers, online payment fraud is a huge cost and the top concern for 44% of finance professionals. If they fall victim to fraud they lose the merchandise that was ordered, plus when the customer reports the fraud to their bank, the merchant gets charged for the fraudulent purchase - this is known as a chargeback. On top of this, the seller also has to pay chargeback fees to their payment provider.
For payment providers in Europe, the revised Payment Services Directive (PSD2) means that they will now be legally responsible for fraud across their entire portfolio of online sellers. Payment providers who can prove they have low fraud rates will be in high demand as they’ll be able to perform risk analysis and avoid using 3D Secure on every transaction. Learn more about PSD2 here.
But why do people commit fraud in the first place? There are a combination of different reasons - ease of access, sociological and economic factors all play a part. Read more about the underlying reasons behind fraud.
How does online payment fraud happen?
There are different types of online payment fraud. One example is ‘friendly fraud’ which happens when a real customer does receive the goods they ordered, but claims not to have received the goods and goes on to file a chargeback through their bank instead of requesting a refund from the seller. Learn more about different types of online payment fraud here.
Most online payment fraud is identity theft - this is how it works:
Criminals steal cardholder information through skimming on payment pages or buy on the dark web
A fraudster uses the stolen card details to impersonate the cardholder and buy things online
The online seller thinks the purchase is valid, processes the payment and send the goods to the fraudster
The cardholder sees the charges and contacts their bank, the online seller is hit with a chargeback plus fees
For the average fraudster, buying card details on the dark web is the easiest and fastest way to get large numbers of card details. The Breach Level Index reports that over 14 billion data records have been stolen and leaked online since 2013.
Surprisingly, less than a quarter of consumers are aware that this is how fraudsters operate, and only 20% know that it is eventually the retailers who pay for this fraud. Find out more from our survey on consumer attitudes to fraud.
How fraudsters operate online
Fraudsters are stealthy, they’re constantly finding new ways to commit fraud online and improving their techniques.
The dark web is a corner of the Internet where criminals can interact without being traced. This is where fraudsters buy and sell card details and share information about how to go about committing fraud, what tools to use etc. At Ravelin, we’re always keeping an eye on what the fraud community is doing so we can stay ahead of them. Some of the latest trends we’ve seen are:
Use of advanced privacy software
The most sophisticated fraudsters use heavy-duty software like Anti-Detect and Kameleo to avoid browser IDs. This software enables fraudsters to create multiple instances of virtual machines in browser windows. Even though it makes it hard to trace them, blocking location is a huge indicator of fraud.
There are card details from all over the world on the dark web. When a fraudster buys a bunch of compromised card details, they can quickly find out where the card they are using is registered to, and then spoof the location so it looks like they are in that location.
Calling services and phone number spoofing
Fraudsters can buy real customer phone numbers online with card details - but they won’t have access to the actual phone. To get around this they can contact the customer’s phone company to request all calls are diverted to their own number so that they can verify purchases if needed. The dark web also advertises ‘calling services’ where someone can call a victim’s bank and credit card provider to change their registered phone number
Impersonating buyer behavior
Previously, most fraudsters were sloppy and would give themselves away by making huge orders on compromised cards very quickly. More sophisticated fraudsters are acting like real customers and waiting a while, adding and deleting things from their basket and placing a few smaller orders first before a big order.
Enhanced customer information
As well as payment card details and personal information, we’ve seen fraudsters buying and selling device IDs and driving licenses. Fraudsters can use this to appear more convincing, or they can mix different customer details up and create new accounts under these synthetic (fake) IDs. This tactic is often used in bank fraud.
Chargeback fees and card scheme rules
When a customer has been defrauded on an online seller’s website, they notify their bank and the seller will receive a chargeback. As well as refunding the cardholder, the seller also has to pay chargeback fees to their payment provider. Chargeback fees can be as high as $50 and are payable even if the chargeback is not upheld.
On top of these fees, the card schemes put a limit on the amount of chargebacks an online seller receives before they get even heavier fines.
Between 1988 and 1998, Visa and Mastercard lost $750 million to credit card fraud. This led both the credit card companies to create monitoring programs for chargebacks (also called disputes). From October 2019, Visa will update thresholds for the chargeback monitoring program - the changes are below.
Visa fraud and chargeback thresholds from October 2019
|Before 1st October 2019||From 1st October 2019|
|Visa Standard Fraud Monitoring Program (VFMP)||USD$ 75,000 in fraudulent transactions and 1.0% fraud:sales ratio (USD$)||USD$ 75,000 in fraudulent transactions and 0.9% fraud:sales ratio (USD$)|
|Visa Excessive Fraud Monitoring Program (VFMP)||USD$ 250,000 in fraudulent transactions and 2.0% fraud:sales ratio (USD$)||USD$ 250,000 in fraudulent transactions and 1.8% fraud:sales ratio (USD$)|
|Visa Chargeback Monitoring Program (VCMP) - Low Risk||100+ dispute count and 1.0% dispute:sales ratio||100+ dispute count and 0.9% dispute:sales ratio|
|Visa Chargeback Monitoring Program (VCMP) - High Risk||1000+ dispute count and 2.0% dispute:sales ratio||1000+ dispute count and 1.8% dispute:sales ratio|
For merchants, it pays to invest in fraud detection and prevention to minimize the risk of chargebacks. Payment providers with fraud detection as part of their service can offer online sellers security and the reduced risk of fees. So how should sellers and payment providers approach fraud detection?
The three pillars of fraud protection
As with any type of crime, approaches to detecting and preventing fraud have evolved over time. Ravelin’s Co-founder and Chief Intelligence Officer, Mairtin O’Riada has a background as an intelligence officer for the Met Police and explains more about the parallels between crime and fraud analysis in this article.
Fraud is definitely one of the success stories for applying big data, as this enabled analysts to change the way they looked at customers and payments. The three pillars of fraud detection are:
- A refined rules engine
- Machine learning
- Link analysis using graph databases
A refined rules-engine
Rules were the foundations of old-school fraud solutions until machine learning came along and changed the game. Sleek, agile models made the overstuffed, creaking rulebooks seem outdated and a chore to maintain.
But this doesn’t mean rules are completely obsolete. There are still situations where fraud analysts need to directly intervene in prevention - and rules provide the means to do that. Rules are still a relevant part of the prevention toolkit that complement machine learning and other technologies. So what are the kinds of situations where rules can still be effective?
Acting fast to stop an attack
Fraud analysts can use rules to quickly stop a fraud attack whilst it’s happening. For example, if an attack can be traced to a specific location, a fraud analyst can use location blacklisting to prevent all orders from one address or a specific area. Unlike other customer data which can be faked (eg. phone number, email address), the customer location is one which often remains constant for a fraudster.
Proactively block new fraud trends
Machine learning systems use historical data which is around 3 months old because it can take up to 90 days for chargebacks to come through. If models use only the most recent data, the model may not always be able to distinguish the latest attack vectors used by fraudsters (who haven’t caused a chargeback yet) from the rest of the recent genuine customers.
A fraud analyst could be aware of an emerging trend in fraudster behavior, but the machine learning model hasn’t yet adapted to this behavior, or their business has not been targeted yet. In this situation, the analyst can proactively use rules to prevent this type of fraud before it impacts their business. Specific rules that drill down into the known characteristics of fraud with more than one condition can allow fraud managers to target exactly the right behavior.
Using rules to allow good customers
It’s important to remember that rules can be used to allow and not just to prevent. This can help to “smooth the edges” of a machine learning model when a business makes a change. For example, a retail business recently began sending us new data from their newly acquired brands. We used a combination of allow and prevent rules to help the machine learning model get the data it needed to learn new patterns, while safeguarding the business from significant fraud attacks. Using rules to allow customer behavior can also be useful when the fraud team is working with other business departments, for example marketing - where rules can be used to allow specific promotions to run.
With great rule-making power, comes great responsibility
Although rules can be very useful in the ways outlined above, they can also be problematic if used in the wrong way. A single misconfigured rule has the power to potentially block all traffic, or allow every transaction, including all fraud - both of these conditions could be disastrous for a business.
We see quite a lot of our clients tweaking rules as part of their everyday role, so we’ve developed tools to make sure rules are used with caution, and to enable fraud analysts to learn more about the impact of potential rules before they impose them on transactions. How do we do this?
As mentioned, misconfigured rules have the power to damage a business through blocking significant amounts of your user base. This could happen if a fraud analyst is new to a fraud system, or makes a simple typing mistake. We enable safeguards to prevent any rules which could result in mass, potentially damaging changes.
Whenever a new rule is added, we enforce an impact test to see what the outcome of this rule would be. We calculate the impact of the particular rule combination based on the individual business’ user data (10,000 customers a day from each of the previous 7 days).
This gives us a reasonable estimate of what percentage of the customers would have been allowed, reviewed or blocked due to the rule. If the rule has an impact of greater than 5%, the safeguard means the fraud analyst will not be able to do this independently and will need to ask their Ravelin investigator to enable the rule.
Our investigations team is able to understand the business goals and can work to find an alternative method for achieving the aim without impacting the rest of the userbase. Through working on a range of client businesses, our team has lots of experience in understanding which rule conditions work well together and how to determine the right combination.
As well as being on hand to help businesses work out the right combinations of rules, we also want to give fraud analysts the power to tinker with rules without actively impacting the user base. We’ve recently introduced test rules to make that possible.
Test rules allow you to make a new rule and assess its impact without actually turning it on to be live yet. This means you can test out different combinations and see which is most effective for what you’re trying to do. For example, you can see a list of customers who would have been blocked by enacting a new rule. You can also see an aggregated view of how the rule would perform over time in Analytics.
Rules are still relevant when used wisely
Using machine learning as the basis for fraud detection allows fraud analysts to get rid of extensive rule libraries and start with a clean slate. But although machine learning has delivered a huge upgrade to fraud detection systems, it doesn’t mean you should give up using rules completely. Rules can be used to stop attacks fast and to finetune your strategy if you have a specific goal. Safeguards and test rules give fraud analysts more power to assess the impact of potential rules, while making sure that the business isn’t impacted by a drastic change.
Instead of just relying on rules with yes/no answers, machine learning uses trained models to score every transaction in terms of low, medium or high risk.
Whereas you need to feed rules into a rules engine, machine learning models are proactive and work on payments in real time, using past data and new information simultaneously.
Machine learning is automated and highly flexible to handle thousands of payments each second. A model is basically the equivalent of a team of analysts running hundreds of thousands of queries and comparing the outcomes to find the best result. With machine learning this is done in milliseconds with minimal human input. Read more about machine learning here.
Link analysis using graph networks
Link analysis is like a detective’s wall with suspects, dates and locations covered by criss-crossing strings connecting them. A graph network does a similar job - it allows you to look at all the evidence across all your customers and join the dots to build a picture of what a fraudster looks like, so you can prevent future fraudsters from making payments.
Machine learning models and graph networks are mutually reinforcing. For example, you can teach your machine learning model to flag large networks for review and to block payments from networks which have grown super quickly, to prevent a fraudster from using multiple accounts to order goods. Visit the link analysis and graph networks page to learn more.
Buying fraud protection vs. building your own
Ravelin’s founders worked together at a Hailo, a tech platform that matched taxi drivers and riders through a mobile app, which merged with MyTaxi in 2017. They each worked in different technical, finance and fraud prevention roles. They were looking for a fraud detection solution that worked, but also suited their business needs of speed and convenience. After trying and testing nearly all the available tools on the market, they found none of them were quite right for the modern business environment of real-time and mobile payments, so they had the idea to try doing it themselves. This idea eventually grew into an in-house fraud solution, which then evolved into Ravelin, which works as a service for other online sellers.
If you’re thinking about developing your own fraud detection in-house, make sure you know the key questions to ask to understand what’s right for your business.
Is fraud detection a core competency for your business?
Building a good fraud detection system is not cheap and nor is it easy. So it had better be important. For comparison, very few companies build their own payments processing system even though collecting revenue is core to any online business. So why do some businesses consider building their own fraud detection?
In some cases it is because the effort required is underestimated. It is very easy to build a basic fraud detection system that degrades rapidly.
To build, maintain and support a system is a significant undertaking. So we go back to the core question - why build in-house? Ask yourself:
- Does your business hinge on being able to accurately predict risk?
- Is it a natural extension of existing systems and skills you already have?
- Is the nature of your business or its risk so unique that you have no choice but to build internally?
- Is there a regulatory reason that compels you to do it in-house?
- Is it a competitive advantage in your market to do it in-house?
It would be reasonable to assume the answer at least one of these questions is yes before going further. So what other considerations are there?
Do you have sufficient data to create efficient fraud detection models?
We will assume for a moment that any business of scale is going to use machine learning at the core of its fraud detection strategy. Working on this assumption, how much data is enough to feel confident to begin?
At Ravelin we believe (and have proven) that the most predictive data is a merchant’s own. That is why we build bespoke models for each of our individual clients. Any merchant of substantial size (e.g. >5ML transactions a year) should have enough data to build some pretty great models.
What they will never have, though, is access to data sets beyond their own.
This is important because the ability to test and tune models in a variety of environments is a key defence to overfitting. It is better to move from a general model and then adapt to to a specific dataset. A single merchant will only ever have the specific model, which can give good but never optimal results.
Matching domain with technical expertise
Any large merchant will have a team familiar with the fraud that the merchant faces every day. Usually in that team some will have brought with them learnings from other companies. Actual fraud expertise is not usually an issue.
What is harder to do is to translate that expertise into data science and do so consistently. Data science teams in e-commerce businesses are generalists. Working on pricing algorithms for one project and fraud detection the next. This has definite benefits. Prime amongst them would be the ability to keep data science talent engaged as they get to work on a range of problems. What this costs is the consistent application by the data team to the problem of fraud.
As Ravelin has matured, one skill we've perfected is the ability to turn fraud insights into millions of tested and validated features and model inputs the scale of which would be very difficult to do in-house. This is the result of an investigations and client liaison team in lock step with a data science team that is permanently focused on the issue of fraud. Sounds straightforward. The secret is motivating a team in the long term if they are only working on a single set of merchant data.
Beyond Version 1.0
It’s easy and fun to ship a prototype, whether in software or data science. What’s much, much harder is making it resilient, reliable, scalable, fast, and secure.
We go into great detail in this blog post about our data science best practises; hard won knowledge from five years in the trenches. We hope it's useful, but know it's instantly out of date from where we are now not five months since it was written.
When push comes to shove in many organisations, it's highly tempting to see the fraud project as "finished" and to move the key staff off to other priorities. Or to have the preferred machine learning approach shape the fraud detection approach. For instance having in-house neural net expertise might pre-determine this approach for fraud detection. A key learning of ours is that any single technique quickly hits limits of usefulness. The skill is in mixing techniques and having the skills to do so.
In the meantime, fraud and fraudsters respond and change; the world moves forwards but your in-house solution does not.
A major consideration for any buy vs build evaluation is how confident you can be of guaranteed budget and resourcing of highly sought after data scientists in perpetuity.
Innovations in fraud
We have focused so far on the most common fraud detection scenario - payment card fraud predicted using machine learning. But this is only part of the fraud picture. Our clients all use Ravelin for at least one of the additional services on top of that. Here are brief descriptions with links to more information:
- Network Analysis: the instant creation of graph networks showing the relationships between entities in a database. This is vital for investigations analysis. It also boosts ML predictive capabilities by analysing networks.
- Account Takeover Defence: A combination of security checks, data analysis and detection that looks to secure the accounts against the constant breaching efforts of fraudsters.
- Marketplace Fraud: 360 degree analysis of the fraud threat for an online marketplace. From the supplier to the courier to customer - each element is a potential risk and different techniques are required for this complicated picture.
- Authentication and Acceptance: Increasingly, success in payment is related to how many good payments you can get accepted without friction; not just stopping bad payments. Regulation and legislation is rapidly changing this landscape and the investment to stay on top is daunting.
- Shared datasets. A useful fraud check between similar businesses is to see if certain identifiers have been flagged as fraudulent by other merchants. This could be an email, phone, IP address, or payment method. This is only possible through anonymously shared data via a third party.
As the nature of fraud attacks evolve the techniques and technology required to defeat them is endless. This is the core conundrum in the buy vs build decision. It is not a one-time decision. It is an on-going and significant investment. This is true whichever way you choose of course. The real decision is which is likely to result in the best outcome to your business.
If you’re looking for a fraud solution which uses a combination of technologies including machine learning and network analysis, use this RFP template to help you ask the right questions when meeting potential suppliers.