In the payments and FinTech space, there are high-end, secure financial solutions on one side and data breaches and fraud on the other. No matter how secure a solution is, hackers find a way to enter the system and hack it. To prevent such fraud and risks, there are companies that provide sophisticated fraud detection solutions. One such company is Feedzai, a data science company that works with leading retailers, banks and card issuers to detect payment fraud. Feedzai uses machine learning algorithms to detect fraud in financial transactions. The company was started in Europe by aerospace engineers and data scientists. It has customers like Coca-Cola, Vodafone, Ericsson, and a few other large banking companies here in the US. Recently, the Trump Hotel Collection confirmed a year-long breach of its credit card system that may have resulted in the theft of cards used at the hotels over the past year. We had an opportunity to discuss this recent data breach incident, and fraud in the payments industry in general, with the CEO of Feedzai, Nuno Sebastião, via email. Here’s the transcript of the interview:
LTP: LTP has been tracking Feedzai for a long time now. What is the biggest update in the past 12 months? In what areas are you investing the $17.5m that you raised in June?
Nuno Sebastião: Feedzai is always inventing something in our ongoing effort to fight fraud, and we’ve been able to make huge strides this year with the help from our funding. We also recently announced a couple of strategic partnerships, which allow us to add two new sources of data to our machine learning software to detect fraud and minimize risks. We now work with Socure for social biometrics and Emailage for email. We also hit a milestone and expect to analyze $800 million in daily payments volume in 2015. And with business growth comes company growth; we welcomed a few key hires including Phong Q. Rock, Senior Vice President of Global Business Development and Strategic Alliances, and Sandeep Grover, Senior Vice President of Global e-Commerce, to our senior management team, and opened a new office in New York City to expand our customer service team.
We are also going to announce a new solution later this month for organizations that don’t have the bandwidth for a dedicated data science and engineering internal team to deploy advanced machine learning techniques to fight financial fraud.
LTP: Since you use machine learning, how dependent is your fraud detection accuracy on increases in the amount of data you have and the number of clients you have?
NS: Our clients include the world’s largest payment companies and financial institutions, and as we’ve previously announced, Feedzai algorithms are risk-scoring $800 million of commerce volume a day. For comparative purposes, Square’s S1 filing reveals that they process about $82 million a day. But fraud detection efficacy is not just about how much data, but how fast the systems can learn and integrate new data. There traditionally has been a tradeoff between more data and fast data because fraud systems used outdated technology. We solved for that using technology that was created in the era of the Internet and Big Data. We’ve built a solution that can create brand new fraud models in 6 weeks, whereas it takes the industry 6 months.
LTP: In your experience of fraudulent transactions, what is the most common source of fraud? Do most of the breaches originate at POS level?
NS: The pattern we see the most is actually increasing variability of sources and patterns. Attacks emerge from anywhere, happen anytime, and come from any channel. This proliferation isn’t surprising since the same technologies that give us convenient omnichannel commerce experiences also bring new opportunities for fraud. Thus, today’s fraud patterns have a long-tail distribution that is the opposite of the Pareto principle or 80/20 rule of yesterday. When the Pareto principle was true, then “80% of fraud can be detected by 20% of your rules”. The remaining fraud that was undetected was exception cases. However, fraud is adversarial, meaning that bad actors purposely try to go around the rules and mask themselves as exceptions. So in a world where they are using technology and machine-based attacks to “fly under the radar”, we now have the long-tail distribution of fraud where the exceptions become the norm – and these exceptions collectively represent the majority of your fraud loss. So now, 80% of your rules only capture 20% of fraud. It has become impossible for humans to effectively learn and write new rules that can keep up.
LTP: What do you think exactly happened during breaches at Trump Hotel Collection? At what stage do you think the POS might have been affected?
NS: I don’t believe hotels like the Trump Hotels represent a riskier place to spend relative to any other place that accepts magstripe cards. It is the inherent weakness of the magstripe card – that they are easy to clone – that creates incentive for bad actors to attack POS systems. As long as the magstripe infrastructure stays in place, there will be professional crime organizations with incentive to keep doing this. That’s one reason why the industry is moving to EMV, to make it harder for fraudsters who will ultimately move their game online because it’s the next weakest point.
LTP: Had Trump Hotel Collection been your client, how early do you think you would have detected the breach?
NS: Data breaches represent the “point of compromise” and companies like the Trump Hotels use security firms to keep their data and networks safe. On the other hand, Feedzai’s business is about keeping payment transactions safe at the subsequent “point of use” for banks, payment providers, and merchants, like the Trump Hotel, who are all part of an interconnected transaction chain. So we don’t detect breaches per se; that’s about keeping bad actors from stealing data. And data breaches seem to be happening so frequently that consumers expect it as part of living in a digital economy. So while we can’t control consumer expectations or tolerance for data breaches, we can affect the efficacy of the stolen data to be used to defraud business customers, and eventually their customers. Feedzai’s anti-fraud systems focus on keeping good customers happy and ensuring that you are who you say you are, that when you spend it is really you and not someone else who has stolen your account and identity information. So the data that was breached at the Trump Hotels will eventually be used to take over legitimate customer accounts, to counterfeit cards, to phish for more information and a myriad of devious ways. It is what happens after the data breaches that matters to you and me.
For example, our banking and payment provider clients are concerned about keeping their customers—the ones whose data was compromised in the Trump Hotel breach—safe and preserving their ability to transact freely without worry after the breach. Our clients don’t want to put in heavy-handed fraud countermeasures that punish their customers due to the actions of a few bad actors. So our clients use Feedzai to model their customer’s behavior—their commerce DNA—so that they can tell when something abnormal occurs, which is an indication of fraud. By using machine intelligence and big data science, we give our clients a customer-centric way to keep transactions flowing while keeping out the bad guys.
LTP: We are big fans of APIs in FinTech. What can you tell us about your API solutions for e-commerce platforms?
NS: Earlier this year, our developer team released a few upgrades to our fraud detection service API for developers, which has seen exponential growth at 300 percent since its launch in Oct. 2014. Feedzai’s Fraud API, which can be seen in our Developer Center, helps any e-commerce client — merchant, marketplace, commerce system or anything that facilitates commerce for that matter — tap into Feedzai’s machine learning algorithm to make selling online safe. We provide predictive analytics and big data science on all commerce transactions, which reduces frozen accounts and chargeback fees and decreases shipment delays. Our APIs learn our ecommerce clients' business and provide them with powerful machine learning data to help them make decisions on each transaction.
Our updated API makes the process even easier for e-commerce store developers, including more information about payers, a more seamless ongoing experience with a customer blacklisting and whitelisting process, and the ability to search and review orders through new parameters such as risk score, date, address, and more.
LTP: Any last thoughts on the industry in general? Something that LTP readers must know about data breaches and fraudulent transactions?
NS: The more information we have, the more likely we are to protect ourselves as the good guys fight against fraud and take the necessary steps to take the bad guys down. For instance, we most recently passed the EMV Compliance deadline on Oct. 1. As new payment choices such as EMV and mobile devices become more widespread, and as fraudsters employ increasingly sophisticated technology, the good guys – payment networks, banks, retailers - are deploying a new and invisible layer of protection enabled by recent advances in computer machine learning, such as Feedzai’s, to do behavioral profiling to protect good consumers. Machine learning, used by companies like Google, Netflix and Amazon, is now being used by payment providers, financial institutions, and retailers of all sizes to combat fraud. While fraudsters can steal card data and consumer identity, the one thing they can’t steal easily is individual behavior. Machine learning’s ability to model a customer’s behavior, their "commerce DNA," gives the finance industry unprecedented power to deliver the best customer experience while preventing fraud.