Podcast: Play in new window | Download
Now that it’s well into 2020, we’re in the midst of a rapidly evolving fraud landscape. Gone are the days where fraudsters primarily operated in the physical world, using stolen credit cards to make transactions. Instead, as society has become increasingly digital, so have fraudsters. Card-not-present fraud has proliferated, with everything from account takeovers to synthetic identity fraud on the rise.
To better understand the shifting fraud landscape and what solutions are needed to keep up, PaymentsJournal sat down with David Barnhardt, Chief Experience Officer at GIACT, and Tim Sloane, VP of Payments Innovation at Mercator Advisory Group.
The Frankenstein of fraud: Synthetic identity fraud is on the rise
As Barnhardt has previously discussed, synthetic identity fraud has become a major problem in the payments industry. However, despite its prevalence, this fraud vector remains hard to detect. Worse yet, many in the payments industry don’t even know what it is.
“A lot of times, companies confuse synthetic identity with account takeover and true name fraud,” explained Barnhardt. Synthetic identity fraud is when criminals combine both real and fake information to make an identity for an account. “I like to use the term Frankenstein to refer to this type of fraud,” said Barnhardt.
For example, the real information could be a person’s social security number or address. That piece of real information is then coupled with fake details, such as a name, phone number, or email address.
Once the Frankenstein—synthetic— identity is established, the criminal can create an account at a financial institution, use that account to increase their credit, and then cash out once they’ve reached the desired credit limit, explained Sloane. Some criminals will cash out immediately, but waiting longer to develop a higher credit limit is a more lucrative approach.
What makes synthetic identity fraud particularly pernicious is that it’s so hard to detect. Part of the problem is that traditional fraud solutions, including ones that rely on generating a probabilistic fraud score, are built on data that’s “provided within the institution,” noted Barnhardt. Because of this, “they don’t have anything to compare the application to, nothing that alerts them that a particular piece of PII, or maybe an entire identity isn’t even associated with that perceived customer.”
According to a Federal Reserve report, as many as 85% to 95% of synthetic identities are not flagged as high risk by the existing fraud models.
The other types of digital fraud will likely rise too
As 2020 unfolds, expect account takeover attacks to rise as well. Underpinning the rise of this fraud vector (and also synthetic identity fraud, for that matter) is the pervasiveness of data breaches.
According to a report from the Identity Theft Resource Center, the number of reported data breaches rose by 17% in 2019 compared to the previous year. Armed with a bevy of personal information exposed by the breaches, criminals can then seize accounts and commit fraud with ease.
Sloane cautioned that the problem is only getting worse due to emerging technologies that criminals can utilize. “It’s likely that account takeovers and spearfishing are going to become much more difficult to detect with deep fake voice and video,” he said. Criminals have already used a voice deep fake to steal money from a company in the United Kingdom.
Even though sophisticated fraud attacks are on the rise, solutions exist that enable companies to fight back.
“Beat them at the data game itself”
While data is key to criminals engaging in synthetic identity fraud and account takeover attacks, data is also key to stopping them. “The only chance companies have at beating fraud operators is beating them at the data game itself,” said Barnhardt. “Data is really the only clues that we have as fraud detectors in today’s sophisticated identity crime space.”
Barnhardt explained that companies need to have some type of comparative data set to catch sophisticated attacks. For example, “if you receive an application for an account creation, you need a third party to tell you, attribute for attribute, if that application is truthful,” he said.
However, both Sloane and Barnhardt agreed that not enough companies are pursuing an effective fraud prevention strategy, especially in the e-commerce industry. Too many businesses silo their data internally, explained Barnhardt. Many companies treat the different parts of the customer lifecycle as different segments, meaning that data from enrollments, payments, or the re-identification process are siloed in their own buckets.
To be effective against fraud, data from across the customer lifecycle needs to be pooled together and analyzed. This allows companies to get a holistic picture of the situation and better detect fraudulent activity. Crucially, companies must strike a balance between adding enough friction to stop fraudsters, but not so much that false declines proliferate and legitimate customers become frustrated.
Seamlessly manage the entire customer lifecycle with the EPIC Platform
The fraud prevention strategies discussed by Sloane and Barnhardt are on display in GIACT’s EPIC Platform. EPIC is an acronym for enrollment, payment, identity, and compliance.
“EPIC is designed to seamlessly allow for companies to manage their entire customer lifecycle to not only prevent fraud, but to also reduce friction and to enable commerce and to reduce the number of false declines,” explained Barnhardt.
The product analyzes mountains of data to verify and authenticate different data points throughout the customer lifecycle. If someone tries to create an account with a real social security number but a fake address, EPIC can often flag that application as suspicious.
“What is at the center of GIACT’s innovation is looking to the future and trying to predict the fraud’s next move,” said Barnhardt. With digital fraud on the rise, a solution that anticipates the future is necessary for stopping the criminals.
