We’re a long way from the days of the “Nigerian prince” email scams.
Go back through the decades, and the fraudsters were able to lure unwitting victims to give up bank details with the promise of “sharing” their fake inheritances.
But now, with the dark web and everyone’s personal information seemingly everywhere, social engineering is prevalent in ways undreamt even a few years ago.
Visa Chief Risk Data Officer Dustin White said that amid eCommerce’s leaps and bounds, the phishing, the business email compromises (BECs), have only gotten harder to detect by most consumers.
“Creativity is skill ‘No. 1’ on a fraudster’s resume,” he told Karen Webster.
That creativity has bred success as 78% of us who receive unsolicited links still click on them.
And once they’ve been invited in, so to speak, the bad actors can make off with all sorts of data that, down the line, allows them to attempt fraudulent transactions. In many cases, it can take a long time for consumers to realize and report that they’ve been scammed.
The Cost of Fraud
The issuers and the payment networks (Visa among them) face challenges in gearing up for post-pandemic global movement of money. After all, fraud has a cost. When it comes to digital banking, consumers have more options at their disposal than ever before.
False declines can spur consumers to move away from certain providers, taking a slew of accounts with them. As White noted, about 89% of consumers, when faced with a false decline, will reduce their use of a credential in the future, translating into lost revenue streams for providers and merchants.
“Securing growth is imperative, and securing various channels of payment flows is an absolute must,” said White.
Data, he said — 60 petabytes of it in Visa’s case, akin to tens of millions of filing cabinets’ worth of information — represents a valuable currency in the battle against criminals.
The company has invested half a billion dollars over the past five years in artificial intelligence (AI) and data infrastructure to spot trends across entities with a network level view. Visa has also been leveraging advanced technologies to improve its behavioral analytics capabilities. Advanced Analytics, to name but one example, is a solution that recognizes fraudsters’ account takeover attempts, based on the types of attack. White pointed to Visa’s Cyber Fusion center, which delivers 24/7/365 security monitoring, instant response investigations and threat intelligence capabilities.
Behavioral analytics strengthens the link between what issuers do at the authentication and authorization level, and how they balance fraud with exceptions, he said.
“We analyze more than 400 million authentication requests made over the past two years across 12 million devices,” said White.
That deep data reservoir allows the payments network to see, when a customer is applying for credit (for example) whether they’ve typed in their Social Security number or copied and pasted the information.
That level of granular insight can help spotlight if the applicant is legitimate or using victims’ data. Generally speaking, what the company is looking for can best be described as “common patterns” of transactional behavior.
White said the company has been deploying its sophisticated analytical capabilities to identify fraud runs and anomalous behavior within the cryptocurrency space. Visa, he told Webster, was recently able to recover $5.5 million in a scheme that targeted a cryptocurrency exchange.
With a nod to the crypto recovery, he said, it might not be uncommon for cards to start transacting on the exchange.
“But it is uncommon for a whole bunch of new cards to transact there at the same time,” said White, where the transactions are similar, concentrated and significant.
Tokens Too
Tokenization, he said, helps protect consumer data no matter where the transactions are taking place, but especially in the cloud.
White said tokenization is up 60% year over year and has led to a 2.5% increase in approval rates and 28% reduction in fraud rates. And they analyze data at a rapid velocity in order to make sure the network is safe from malware attacks, zero-day exploits (which exploit vulnerabilities before developers can fix software) and insider threats.
Looking Toward the Tokens
As more commerce goes online, White said tokenization is up across 8,000 issuers and 800,00 merchants in Visa’s network. The company’s Cloud Token Framework looks beyond transactions to devices and experiences to pinpoint anomalous behavior.
That growth rate, he said, points to the fact that tokenization remains one of the best ways to cut down on identity theft, chiefly by eliminating the use of static cardholder information with a dynamic authentication layer.
As a result, he said, “good cardholders — especially the high value ones within merchants’ portfolios — are happy, and the risk of attrition is limited.”
Fraud Rates Still Low
Despite the monumental leaps in eCommerce seen in the past few years, we’re still at historically low fraud rates. Roughly speaking, those rates are at about 7 cents per $100 in transactions — and that’s despite 2 million daily attempts by the fraudsters. But with $6.5 billion seen in fraud losses tied to card-not-present spending, there’s clearly work still to be done.
“You can never celebrate too much because with each new day dawns new threats and attacks — and we must always be diligent,” he told Webster. “There are no half measures when it comes to cybersecurity. But the criminals know that we are there and that we are watching.”