As digital transformation has reached deeper into the operations of our businesses and our personal lives over recent decades, moving from a way to enhance productivity to a mission critical way of life, so the consequences and the size of the prize for those with criminal intent have grown exponentially.
In the early days of credit / debit card concepts as they gained popularity with the likes of Diners Club and American Express in the 1950’s the empowerment of the consumer was profound (and the opportunity to drive commerce for the vendor equally valuable). But with that power, came challenges. The metal number stamped into your card had little protection from copying and either stealing the card itself, or making a copy based upon the numbers found on the carbon foils used to sign a bill was relatively trivial.
Electronic processing, real-time verification that the card hasn’t been reported stolen – and that the customer hadn’t gone on a spending spree beyond their means – were a number of innovations that sought to combat this early and simplistic fraud, but as is almost always the case, as the defences get better, so do the weapons used to defeat them.
Wind the clock forward and credit & debit card payments are ubiquitous. In fact, with the advent of quicker, more convenient contactless and now cardless (digital card stored in your phone or watch), life can be virtually cash free. This isn’t just a personal life phenomenon, digital transformation of B2B purchase-to-payment processes has radically evolved too with solutions like Mastercard Track.
With more of our transactions being digitised, generating data and being trackable, everything from large purchases through to my cup of coffee on the way to the train station the entry points for potential fraud escalate, but so too do the opportunities to combat them.
By leveraging that wealth of data about my personal or business purchasing patterns and applying modelling and analytics my card provider can spot patterns & outlier transactions – transactions that seem unlikely to be me – rapidly and to deny them, or seek a second layer of proof that it’s really me.
These patterns started simple and were hard coded into early fraud detection systems. I remember in around 2001 buying some kit to upgrade my computer. As I left the shop I realised I’d forgotten one component, wandered back into the shop to buy it and as the transaction went through, the receipt in the terminal stopped printing halfway through, my phone rang and it was NatWest ringing to flag a “repeat transaction at the same vendor half an hour later”, I verified it was me and seconds later the receipt finished printing and I was out of the store, goods in hand.
My inner geek was impressed and enthused by the speed and ‘intelligence’ of the system, albeit as a developer I understood this was likely a hard coded set of logic to spot a specific pattern of fraud where a nefarious vendor might replay a transaction from a cloned card in the hope of escaping my notice.
The reality is, this was human intelligence in identifying a pattern of behaviour and manually coding a protection against it. Powerful, but such protections are slow to evolve. They need long lead times for the pattern to emerge, be spotted, prioritised in the development team and a mitigation designed, developed and deployed. It’s also limited to scenarios you can explicitly code for and apply to the system as a whole. It’s fine for rules like “two transactions at the same store within a defined timeframe” or “two transactions 100’s of miles apart within minutes of each other, both claiming ‘card holder present’”, but how would we combat a stolen or cloned card before the customer notices? Or in the online world a set of compromised card details?
How do we close the gap? Reduce the time between a compromise happening and the fraud being discovered? How can we shut-down the card before fraudulent transactions are racked up? How can we, at scale, personalise this experience so the rules aren’t hard-wired, but rather based upon evolving threats?
This is where machine learning, the application of statistics to data to spot patterns and outliers comes in. If the data shows clear trends for the type, frequency, locations of my transactions a model built and run against my data can identify higher risk transactions – the outliers that don’t fit my normal profile and raise the risk weighting of the transaction, either asking for an additional layer of validation or blocking the transaction outright.
As these models become more sophisticated, so the patterns can evolve to more nuances to ensure you don’t get false-positives – transactions you’re genuinely trying to make that get blocked as they seem ‘weird’ to the model.
Between these personalised models, and the training of fraud detection algorithms across the entire customer base of transactions the patterns of fraudulent activity, be it a card transaction, an online banking payment request or a loan application can be more rapidly spotted.
Machine learning and more sophisticated forms of AI allows us to review breadth and depth of data incomprehensible to the naked eye and spot the trends & correlations. These ever-evolving models can be trained & used to detect and mitigate emerging threats quickly, helping financial institutions keep pace with the relentless innovation of those attempting to defraud the system (and us). Fraudsters are critically aware that with the benefits and ubiquity of digital transformation in finance there is an ever bigger ‘prize’ to go after and the arms race is on.