How This Company Taught the World to Use ML for Payment Fraud
May 6, 2018
In the late 90s, after an initial period of growth, PayPal met a formidable challenger – fraud!
Fraud is a huge threat to any card processing business. The major card networks (Visa, Mastercard, etc.) are, justifiably, quick to identify and mitigate any (and all) risk. If you are a card-accepting merchant, you should expect a call from Visa or Mastercard when chargebacks start moving above 1%, along the lines of reduce your chargeback or else…
PayPal was processing millions of transactions per month, and they needed a solution, and they needed it ‘yesterday.’ The team turned to Max Levchin to start reducing fraud on their network. So what did he do? His team reviewed every transaction, manually, for weeks. Just kidding! They used intelligent algorithms and machine learning, of course.
It was no easy task. Could they really outmaneuver the hackers every day? Fighting tech with tech was the only way to counter Russian and Eastern European fraudsters who found PayPal an enticing target. Obviously, PayPal and Max’s team figured it out, but there wasn’t much certainty at the time.
Fast forward to today
Who is facing similar challenges today, similar to the early days of PayPal? What’s their approach and how is technology helping? It’s hard to avoid a breach story: whether it’s Bangladesh Central Bank’s $80-million loss via Swift or Equifax or Target, there continues to be a parade of hacks that make major news almost every weekly. There are different types of fraud that financial institutions face from transactions (we discuss that in detail later) to cross-border and account takeover fraud.
Russian hackers stole USD 10 million by breaking into 20 systems, which includes 15 US lenders, targeting ATMs with mules and Russia’s interbank money-transfer system. In 2015, hackers were able to infiltrate the SWIFT financial messaging system and send 12 fraudulent wire transfer orders to Wells Fargo, requesting $12 million from Ecuador’s Banco del Austro. Wells Fargo executed the transfers because they looked legitimate.
Both SWIFT and Banco del Austro blamed Wells Fargo for the fraud and filed a lawsuit. In a later case, the Bangladesh Central Bank blamed SWIFT for their $81-million robbery. Regardless of who is assigned the blame, it is clear that the ecosystem is vulnerable to fraud.
Financial institutions must find secure ways to transfer funds – ideally with an adaptable solution that adapts to the ever-evolving threats. Hackers only become more sophisticated and the current banking system, with its legacy tools, is not able to cope. Even today, many payment companies, banks, and merchants don’t have the capability to handle fraud as PayPal did. Why? Well, it depends.
Many companies don’t have the resources or the capability to build these systems internally – it is simply not a core competency. Plus, the best-of-the-best talent goes to work for pure security companies – not financial institutions. In other cases, they have the money, but it’s just not a priority.
A prominent CISO of a cybersecurity company said to me once, There are two types of companies: companies who know they’ve been breached and companies who just haven’t noticed yet.
So, when do they start investing? Only once they know it’s happened to them – not a good strategy!
The market landscape has also changed, which poses a serious threat to the payment systems:
The supply of hackers has dramatically increased. It’s no longer small groups of Russian or Eastern European hackers involved, but serious criminal groups and fraudsters from around the world.
As cybersecurity tools meant to protect the systems improved, so did the hackers’ technology. Both sides can use machine learning!
Another big change is that today, it’s not just PayPal (or other small startups) processing cards. Every bank and merchant is processing transactions online with the potential to leave sensitive data vulnerable to attacks.
So, have we made any progress?
Indeed! The progress of true fraud detection over the last several yes is truly amazing. Not only can we detect fraud today pretty accurately, but we can also prevent it from happening in real time.
The first wave of solutions were rule-based systems that were expensive and slow to adapt to new fraud patterns (they certainly couldn’t handle them in real time).
The second wave built on classical machine learning solutions. We now see self-learning algorithms that we believe are truly game-changing. These systems can mimic the thought process of a human analyst at scale and take decisions in real-time. A company called Fraugster claims its decision time to be as little as 15 milliseconds.
And how does a state-of-the-art system work?
It’s (not surprisingly) all about the data, and it begins with enrichment. Fraugster (that counts Visa, Ingenico, Wirecard, and Credorax as customers) starts collecting transaction data points such as name, email address, and billing & shipping address. This data is enriched with ~2,000 data points, such as any IP latency (to measure the real distance of the user and a transaction), IP connection type, behavioral biometrics (like how you type), and email name match. This enriched dataset is sent to the AI engine for analysis. But how does all this happen real-time? Using an in-memory database technology which makes the decision in around ~15 milliseconds (fast).
Traditional systems (rules-based) used harsh decisioning which prevented a significant number of transactions from processing – even though many of which were just fine. You can imagine how many unhappy customer calls, chats, and emails you might get. These good transactions that were prevented are called false positives. New solutions drastically reduce this problem as well. A recent study shows that false declines is the largest area of fraud, which causes the merchants to lose about $118 billion per year with clients losing ~$9 billion per year. Fraud prevention, obviously, is a strategic imperative for the banking and payments industries.
To address this, technologies built by companies like Feedzai are reducing the number of false declines in merchant payments.
See the reasons above to allow the transactions: IP matches in multiple records and other issues are a low priority.
It requires a great understanding of transactions and technology to develop such solutions. So it should come as no surprise that only highly specialized, tech-heavy teams are able to excel at it. Here are a few examples to get you going:
Simility offers a fraud prevention platform which combines machine learning and data visualization technology with a rules engine to help protect enterprises from fraud.
BioCatch has created cloud-based technology that builds user profiles based on over 500 cognitive parameters, including behavioral patterns.
Canadian startup, Trulioo, uses data from over 140 sources to collect and share information on over 3 billion people, making it one of the largest consumer data companies in the world. E-commerce stores can use Trulioo to verify new customers, reducing the risk of fraudulent purchases and subsequent chargebacks. Financial institutions can use Trulioo’s data to help them meet AML and KYC identity verification requirements.
If you are a techie or generally curious about the technology, keep reading. Otherwise, feel free to skip this section.
Any modern, third-generation fraud detection and prevention system will:
Treat each transaction as unique, making a decision based on its own characteristics – not just passing it through because it looks like a previously accepted transaction.
SQL-based decision engines give way to NoSQL: 100 times faster speeds are now possible with NoSQL-based data stores compared to traditional, SQL-based decision engines.
Data-agnostic integration: Integrate ‘never-seen-before’ data in weeks and not limit inputs to an existing data map in the decision engine library.
Omnichannel/omnidata: Pull data from multiple channels (phone, transaction, payments, media, etc.) for inclusion in the decision process.
Multi-tenancy: Accommodates multiple use cases from a single platform, avoiding data silos or point solutions.
Advanced rule simulation: Ability to simulate new rules within the live environment to test challenger models as part of a continuous optimization process.
Machine learning model simulation: Ability to evaluate multiple machine learning models and promote the best one to the live state.
Baselining and anomaly detection: Ability to compute baselines of what normal behavior looks like to provide a short-term forecast and identify anomalies in real time.
All the attributes are ‘must-haves’ for a modern fraud system. The speed is critical, and it provides complete transparency (not a black box), so you can understand exactly why a transaction was blocked or accepted – a clear need for improvement, appreciated by both customers and regulators.
Pulling it all together
Feedzai created a fantastic infographic to explain the risks and the architecture of a modern fraud prevention system.
Everyone in the industry knows security and fraud prevention is foundational to the industry. We’re now beginning to see proactive solutions rather than waiting for a crisis or breach to take action. Prevention will continue to happen either by design (progressive banks) or by decree (regulatory intervention). While it feels like the good guys are starting to gain ground, we will always be at odds with smart, opportunistic hackers looking to exploit every vulnerability.