Fraud detection is great, but you also need prevention
In this interview with Help Net Security, Itay Levy, CEO of Identiq, talks about the importance of fraud detection when it comes to protecting an organization but also its customers.
Consumers have moved most of their activities online, which has led to bad actors taking advantage of this situation and fraud becoming a common issue for most organizations. How have they tackled this issue?
Unfortunately, it’s inevitable – fraudsters and other bad actors will take advantage of any vulnerability they can uncover. With more users, and more activities, moving online, fraudsters know they have a greater chance to hide among the flood of good users.
Similarly, fraudsters have taken advantage of consumers being rushed and stressed – knowing their victims are paying less attention, criminals have increased their phishing campaigns, tricking people into giving up their personal information or login details. Armed with that data, fraudsters can hack into accounts, set up accounts using the stolen information, and even commit identity fraud which can have dangerous long-term consequences for those affected.
Online companies – which is practically every company these days – have had to adapt to stay ahead of the fraudsters. Where once it was enough to focus protection at checkout (since that’s where the financial risk is), now companies are shifting to protect the entire customer journey.
Account creation protection helps stop fraudsters from setting up accounts with stolen data. Login protection stops fraudsters from hacking into consumers’ accounts and viewing their purchase history and personal information. Content protection means the ecosystem isn’t flooded with false or misleading reviews, spam or hate-filled, predatory or dangerous speech. Age verification protects minors and gives them safe spaces online to interact.
Fraudsters increasingly attack anywhere in the customer journey – so companies have started to protect the entire flow, as well.
Is fraud detection the way to go for organizations?
Fraud detection is simply a necessity nowadays, but it’s only the beginning of what organizations need to do to protect themselves and their users. Detection is great, but you also need prevention. Knowing what’s fraud is only half the battle: you need to be able to catch it in time to prevent the fraud from succeeding.
More than that, you need to work hard to make a lot of your fraud prevention efforts as invisible as possible to the end user. Customers don’t want to have to jump through hoops in order to use your services. It’s inconvenient, and it sends the message that you don’t trust them. If there’s too much friction, they’ll simply go to a competitor.
Is there a different approach organizations can leverage to overcome fraud detection complexities?
A lot of the complexity of fraud detection comes from the fact that most fraud solutions focus solely on bad actors. They specialize in identifying the criminals by looking for suspicious factors.
A new approach which is becoming more common is adding a stage before the fraud detection phase: positive validation. The overwhelming majority of customers are real people, with real, trustworthy histories and identities. If most of them can be identified confidently at the start, then the fraud detection problem becomes more manageable. All the fraud team’s resources can be spent on the cases where there’s real cause for doubt, and the team can use judicious friction where appropriate (such as email validation, or multi-factor authentication) in those cases.
Positive validation has become a practical possibility partially due to online companies’ increased desire to collaborate with one another. Using providerless technology, generally based on some form of Privacy Enhancing Technology, companies can validate and vouch for trustworthy customers without sharing any personal user information with one another.
How will this different approach reflect on consumers?
The noticeable difference for consumers should be less friction, and less likelihood of being mistakenly rejected as a fraudster. Most consumers have rich online lives, so it makes sense that the good reputation they’ve built up on their favorite stores, apps and marketplaces should be able to speak for them when they visit a new site, or sign up for a new app. Once trust is pooled, there’s no need for friction.
Behind the scenes, the shift towards incorporating Privacy Enhancing Technologies also benefits the consumer, in terms of dramatically improving their data privacy. Traditionally, online companies have had to share personal user data with third-party data brokers in order to validate the users’ identities.
As many consumers are now aware, following the massive Equifax breach, the various Experian breaches, and so on, that system is not good at protecting user privacy. The fact that companies no longer need to share sensitive customer data in order to validate identities is significant in terms of increasing user privacy, though it’s not something that most consumers will be aware of unless they regularly read privacy policies on websites.
Do you see fraud evolving even more? Are we in for a never-ending battle?
Fraud continually evolves, there’s no doubt. If card-present fraud becomes more difficult, fraudsters move online. If a regulation like PSD2 makes straightforward transaction fraud more challenging, then account takeovers will spike. Fraudsters are always looking for weaknesses, and for new opportunities. When retailers relaxed returns policies to accommodate pandemic norms, refund fraud started to rocket up.
Fraudsters are creative by nature, and they’re not limited by the sorts of regulations, responsibilities and processes that legitimate businesses take into account. They only stop trying a type of attack when the defenses against it have become so effective that the attack is no longer profitable – and then, they just move on to something else.
What’s different now, though, is a powerful trend towards collaboration in the fraud prevention industry. The more fraud prevention professionals work together, and the more ways they find to share insights, trends, experiences, what works, and to pool knowledge and trust in new ways, the stronger the entire fraud fighting community becomes.
New technologies continue to increase the ways in which fraud prevention professionals can work together, further supporting the community’s collaborative initiatives. All this is a real basis for hope.
It’s a genuine change in the industry, and has the potential to dramatically shift the dynamic of the fraud/fraud prevention battle. Previously, with each company acting alone, fighting back against fraud was like squeezing a balloon on one side; the air just shifts over to the other side of the balloon, and a different part of the balloon bulges out. But when companies start to work together, in a deep, direct and meaningful way, the “balloon” is being squeezed from all directions at once. The fraudsters no longer have easy avenues available to make a different part of the fraud balloon bulge. Instead, the problem is actually reduced.
Fraud is all about ROI. The more difficult companies make it for fraudsters to succeed in their theft, the less lucrative fraud becomes. Ultimately, if the cost becomes too high, fraudsters will stop altogether. By combining efforts, companies can make that happen. I know there’s a lot of work to do to get there, but having put a huge amount of thought and research into this, I really believe that we’ll get there – as long as we work together.