defending against digital fraud - transunion · defending against digital fraud jon karl co-founder...
TRANSCRIPT
Defending against digital fraud
Jon Karl
Co-Founder and Executive Vice President
Iovation, a TransUnion Company
HAVE UNITED WITH
PERSONAL
Identities
DIGITAL
Identities
Unifying personal and digital data into single
customer view to build a defined identity strategy
1 billion worldwide consumer records
650 million consumer credit history records
4.8 billion petabytes of data
33 countries
30+ monthly data updates
5 billion devices seen by network
35 billion total transactions protected
23 million transactions protected per day
55 million fraud reports placed by network
35,000 websites and apps protected
Financial Fraud – Past, Present and Future
2004
▹ Check Fraud
▹ ATM Compromises
▹ Point of Sale Fraud
▹ Virus, Worm, Trojan
▹ Counterfeit Cards
▹ Botnets
▹ Stolen Identities
▹ CNP Fraud
▹ Synthetic Fraud
▹ Account Takeover
▹ New Account Fraud
▹ Social Engineering
▹ True and Synthetic Identity Fraud
▹ Account Takeover
▹ Automated Attacks
2010
2018
Future
Since 2010, over 10 billion data records have been exposed, according to Gartner.¹
59% of organizations in Asia detected a business-interrupting security breach at least once a month in 2017.²
Source: ¹ Gartner: Market Guide for Online Fraud Detection, Jan 2018. ² Telstra 2017 Cyber Security Report
[Chart: Data Breaches and Consumer Complaints of ID Theft & Fraud, 2006 to 2017; series: Data Breaches², Consumer Complaints¹]
Source: ¹ Federal Trade Commission, Consumer Sentinel Network Databook Jan-Dec 2016; ² Identity Theft Resource Center
Global Fraud and Authentication Trends
IOVATION REPUTATION REPORTS 2015-2017
[Chart: Increase of Reputation Reports Placed; categories: Synthetic Identity, Account Takeover, True Identity Theft, Identity Mining & Phishing; series: All Industries, Finance Industry Only]
Fraud Isn’t Just A Business Problem. It’s Also a Customer Experience Problem.
Business Impact / Consumer Impact
• Increased OPEX for tools and review-staffing
• Lost time repairing damage
• Lost customers and lost revenue opportunity
• Sub-optimal consumer experience design
• Higher cost products and services
• Frustrating experiences with online businesses
Identity theft victims up 1.3 million.*
* 2018 Identity Fraud Study, Javelin Strategy & Research
6 in 10 banks in Asia Pacific said they are experiencing application fraud from synthetic identities.*
* FICO Survey APAC Banks Say Fraudulent Synthetic Identities on the Rise
$120B - $200B was lost to cybercrime in East Asia and the Pacific.*
* McAfee “Economic Impact of Cybercrime
— No Slowing Down” Report
© 2018 TransUnion LLC All Rights Reserved | 11
Consumers are moving to
online/mobile…
Fraud threats are rising, while user experience suffers
83% of Millennials say they would switch banks for a better digital experience.*
* 2017 SaleCycle Report
Friction in online forms drives consistently high abandon rates
across industries
[Chart: Abandonment Rates by Industry (Q4 2017); categories: Retail, Fashion, Travel, Non-Profit, Finance, All Sectors]
[Chart: Abandonment Reasons; categories: Other, Language is too confusing, Visit branch / send in information, Distracted / Changed mind, Too much personal info, Form is too long; callout: “70+% of abandonment”]
Source: SaleCycle (2017)
Account Takeover
Account Takeover Fraud Losses (Billions)
2015: $1.4B
2016: $2.3B
2017: $5.1B
Source: Identity Fraud Hits Record High with 15.4 Million U.S. Victims in 2016, Up 16 Percent, Javelin Strategy & Research, 2018; Ibid.;
Identity Fraud Hits All Time High With 16.7 Million U.S. Victims in 2017, Javelin Strategy & Research, 2018
ATO Case Study (Communications Industry)
mY1pass
• Lost merchandise
• Chargeback fees
• Operating Expense
Business Cost of an ATO Attack
• 2,500 Affected Accounts
• $50K Revenue At Risk
• $75K Personnel Cost To Repair
• $5,000 Chargebacks Single Device
• $$$ Bad Brand Reputation
Consumer Cost of ATO
• 16 HOURS
• 62.2M HOURS
• 17% ATTRITION RATE
• $290 OUT OF POCKET COSTS
• $3.8M CONSUMER LOSSES
Source: Javelin 2018 Identity Fraud: Fraud Enters a New Era of Complexity
Synthetic Identity and First Party Fraud
Credit Write-offs are Rising
Loan Loss Y/Y 2017:¹ Q2 2%, Q3 21%
“…a top 5 US Retail Bank reported a 26% increase in credit losses in Q1 2017…”²
¹ First Data US Financial Institution Quarterly. December 2017. Volume 1, Issue 4
² “Surprise Surge in Card Defaults Sinks Capital One”, Bloomberg.com
Gartner Report - The Growing Problem of Synthetic Identity and First-Party Fraud Masquerades as Credit Losses March 2018
Possible explanations for increase in credit write-offs
• Unintentional Fraud
• First Party Fraud
• Synthetic Identity Fraud
• Stolen Identity Fraud
First Party Fraud
• Stopping first party fraud is a delicate process of determining the customer’s intent
– But, how can you really know a customer’s intent?
• Competing priorities:
– Customer experience (don’t unnecessarily offend)
– Grow business - don’t slow down approvals
– Stop the flood of ‘never pay’ accounts and chargebacks
DIFFICULT TO DETECT
Synthetic Identity Fraud
What is it?
– Creates a fake identity using elements of real and fabricated identities
– Deliberately defrauds by applying for credit with no intent to pay
– “Frankenstein” identity
[Diagram labels: Address, Phone, Gov’t ID #]
Balances for Synthetic accounts have grown 300% since 2012 across all lines of business
[Chart: Balance Growth, Q1 2012 to Q1 2017; categories: Bankcard, Retail Card, Auto, Unsecured PL; series: Synthetic Consumers, All Consumers]
[Chart: Annual New Account Exposure ($ Millions), 2012 to 2016; series: Bankcard Credit Limit, Retail Card Credit Limit, Auto Loan Amount, Unsecured PL Loan Amount]
Source: TransUnion’s Analytics Database
Synthetics are now charging off earlier in duration, indicating previous years were “build up” versus current “cash out”
• For synthetics present in 2015 that now have a charge-off, 70% of the accounts were opened that same year
• For synthetics present in 2012, that rate was only 20%
[Chart: Cumulative Charge-off Rate by Account Open Quarter, Dec 2012 vs. Dec 2015 Synthetics; x-axis: 2009 to 2017]
Source: TransUnion’s Analytics Database
“By 2021, first-party fraud and synthetic
identity fraud will account for 40% of credit
write-offs, up from an estimated 25% today.”
Source: The Growing Problem of Synthetic Identity and First-Party Fraud Masquerades as Credit Losses, Tricia Phillips, Danny Luong, 1 March 2018. GARTNER is a registered trademark and
service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and is used herein with permission. All rights reserved.
Why does it matter what drives credit write-offs?
Traditional underwriting, credit processes, and models are designed to
determine credit worthiness NOT to detect fraud
What to do?
Most fraud prevention methods can be
burdensome on good customers
Online Banking Buyer’s Journey
Stages:
• LOGIN
• CALL CENTER / CHANGE ACCOUNT DETAILS
• CHECK BALANCES
• WITHDRAWAL / TRANSFER MONEY
• ACCOUNT CREATION / LOAN ORIGINATION
• MAKE OR SCHEDULE DEPOSITS
• PAY BILLS
Typical Issues: New Account Fraud, Application Fraud, Loan Stacking, First Party Fraud
Typical Issues: Account Takeover, Call Center Fraud
Typical Issues: Payment Fraud
Typical Issues: Account Takeover, Customer Friction
Typical Issues: Customer Friction
Typical Issues: Wire Fraud, Payment Fraud, Bust-Out Fraud
Typical Issues: Customer Friction
Strategy for managing fraud at the ‘front door’
• IDENTITY ASSURANCE
• IDENTITY RISK SCORING
• TRANSPARENT AUTHENTICATION
• DEVICE REPUTATION
• MULTIFACTOR AUTHENTICATION
Device Reputation
IF A DEVICE CAN CONNECT TO THE INTERNET, WE CAN RECOGNIZE IT ... WITHOUT USING DIRECTLY IDENTIFYING PERSONAL INFORMATION
TOR browser detected | Proxy detected | Emulator at work | Watch list flag
The Association Effect
Use a shared “Device Web” to reveal hidden associations
[Diagram: a user account on a mobile or web app, linked by associations to User account #921, User account #528 and User account #150]
FRAUD
FINANCIAL
1.1 Credit Card
1.2 ACH/Debit
1.3 Friendly Chargeback
1.4 Insufficient Funds
1.5 Fraud – Other
1.6 Potential Fraud
1.7 Shipping Fraud
1.8 Counterfeit Money Order/Check
1.9 Click Fraud
1.10 Affiliate Fraud
1.11 First Party Fraud
1.12 Loan Default
POLICY FRAUD
5.1 Application Fraud—1st Party
5.2 Application Fraud—3rd Party
5.3 Claims Fraud—1st Party
5.4 Claims Fraud—3rd Party
B2B FINANCIAL
10.1 Business Identity Theft
10.2 Fictitious Business
10.3 Business Takeover
10.4 Dealer Fraud
10.5 Payment Evasion
10.6 Business Misrepresentation
IDENTITY THEFT
4.1 True Identity Theft
4.2 Synthetic Identity Theft
4.3 Identity Mining (Phishing)
4.4 Account Take-Over / Hijacking
4.5 Failed MFA
Leverage community intelligence
Identity
Devices
Risk
Analytics
Behaviors
Communities
IDVision with iovation data sources create a
global network of fraud and risk insights
Device Based Authentication
Recognize Online Devices for
Identity, Risk and Reputation
Device-based Authentication
[Flow diagram labels: Customer Access; Device Registration; Persistent Session Token; Account-to-Device Pairing & Risk Evaluation; Match; Grant Access; No Match or Risk Signals; Step-Up; SUCCESS; User Access]
[Screenshot: sample mobile account page; labels: Authenticated, Initial Registration; device attributes: IP Address, Geolocation, Security Risk Evasion, Jailbroken, Associations]
Measure Results
ClearKey Authentication Consumer Experience – Online Banking
Many users benefit from improved experience
[Chart, 0 to 100; series: % Match, % Non-Registered, % No Match, % Registered]
• Positive match, minimal change
• No device associated with the account
• New registrations as a %
• Device is Registered, but these devices do not match
Transparent Auth Checklist
Transparent & Frictionless
• Simplify access for good users
• Lower barriers to usage
• Improve customer experience
Context & Risk
• Make sure you can react to context of the transaction and the user’s behavior
• Configure risk rules to balance risk to user experience
• Use tools to detect attempts to evade recognition or mask identity
Adaptive & Dynamic
• Dynamically react to changes in risk
• Deliver the right level of assurance
• Minimize account takeovers
Multifactor Authentication
Multifactor Authentication Basics
• Something you KNOW
• Something you ARE
• Something you HAVE
LaunchKey
Unified, Simplified, and Personalized Multifactor Authentication
“How can I provide strong, unified authentication for security-conscious customers?”
Through any channel, digital or physical
Call Center Reality
• $1 per minute: Average cost per minute of a customer service call
• 1 in 937: Average number of fraudulent calls
• 8-12 minutes: Average call length of a telecom help call
• 936 in 937: Good customers being overly burdened
“What color was the sweater that you wore on May 15, 1987”
“In which city is the address 28 Canton Road?”
Source https://www.nojitter.com/post/240172726/the-ins-and-outs-of-call-center-fraud
Multifactor Checklist
Use a Simple, Unified Experience
• Unify experience across online and offline touchpoints
• Reduce friction from multiple authentication modes
• Be contextual: With enough information, you shouldn’t need to reauthenticate so often
Secure by Design
• Remove credential stores that can be compromised and exfiltrated
• Lock down with top grade cryptography
• Align with standards like OAuth and OpenID
Strengthen “App Equity”
• Add functionality within existing customer experience
• Make sure it’s future-proofed: Can you choose from a number of interactive or passive authentication options? Can you provide a customer experience to your customers?
Fraud Prevention Without the Friction
Optimized Online Banking Buyer’s Journey
Stages:
• LOGIN
• CHANGE ACCOUNT DETAILS
• CHECK BALANCES
• WITHDRAWAL / TRANSFER MONEY
• ACCOUNT CREATION / LOAN ORIGINATION
• MAKE OR SCHEDULE DEPOSITS
• PAY BILLS
Solve For: New Account Fraud, Application Fraud, Loan Stacking, First Party Fraud
Solve For: Account Takeover, Call Center Fraud
Solve For: Payment Fraud
Solve For: Account Takeover, Customer Friction
Solve For: Customer Friction
Solve For: Customer Friction
Solve For: Wire Fraud, Payment Fraud, Bust-Out Fraud
[Diagram labels: IOVATION FRAUDFORCE; DEVICE-BASED AUTHENTICATION; DEVICE-BASED REPUTATION; MULTIFACTOR AUTHENTICATION]
Establish identity
• Verify identity against a broad set of personal and digital data
• Utilize when an account is originated or provisioned
• Form a basis for greater identity confidence
Authenticate consumers
• Validate the claimed identity is who they say they are
• Utilize authentication at specific touchpoints
• Employ methods that match the risk level
Prevent fraud
• Assess fraud risk of online transactions or identities
• Identify potentially fraudulent actions or behaviors
• Investigate suspicious behavior and inconsistent data elements
Q&A