Modern fraud detection need not rely on PII

Trends in online fraud detection often act as the canary in the coal mine when it comes to understanding and combating the next generation of online scams, fraud and cybersecurity threats. These days, security and fraud experts worry that insufficient user and data privacy protections will kill the canary. Retailers, on the other hand, need to implement stringent privacy and security controls without impeding the customer experience.

Given GDPR’s focus on security by design and PCI-DSS’s focus on securing PII, it’s easy to chalk up a renewed industry focus on user privacy to regulatory pressure, but there’s more to it than the stick of regulation. As deepfakes and other AI-powered scams trick users into sharing their private information, a privacy-centric approach to fraud prevention – one that doesn’t rely on sensitive user data to authenticate a user or transactions – makes good business and technological sense.

A privacy-centric approach to fraud detection

From the perspective of software designed to automatically detect fraud and abuse, knowing the actual names, addresses, phone numbers and emails of real people isn’t particularly useful. The software only cares about the context, not the actual values, so first it should change the data into a pseudo-anonymized version of the personal data designed only to preserve relationships, meaning that the original values cannot be recovered.

A fraud detection solution should also retain certain broad data about the original value, such as whether an email domain is free or corporate, whether a username contains numbers, whether a phone number is premium, etc. However, pseudo-anonymized data can still be re-identified, meaning if you know two people’s names you can tell if and how they have interacted. This means it is still too sensitive for machine learning (ML) since models can almost always be analyzed to regurgitate the values that go in.

The way to deal with that is to change the relationships into features referencing patterns of behavior, e.g., the number of unique payees from an account in 24 hours, the number of usernames associated with a phone number or device, etc. These features can then be treated as fully anonymized, exported and used in model training. In fact, generally, these behavioral features are more predictive than the original values that went into them, leading to better protection as well as better privacy.

Finally, a fraud detection system can make good use of third-party data that is already anonymized. For instance, we can use the global routing table (the publicly available map of the internet) as well as statistical data from public authorities, and mobile device market share from reputable research firms, all of which can tell us a lot about what values are expected and what is anomalous.

At a macro level, there are several other controls that are providing defenders with an edge in the fight against online fraud. Security and fraud teams are also innovating how they function operationally. While the two teams are long-time collaborators, new fraud technologies such as deepfakes and scams such as Authorized Payment Push (APP) fraud have expedited the rise of Cyber Fraud Fusion Centers (CFFCs).

SOCs for detecting fraud

CFFCs are specialized Security Operation Centers (SOCs) – integrated cybersecurity and fraud prevention teams, tools, and strategies to create a unified defense mechanism. By merging these functions, CFFCs can leverage a broad spectrum of expertise and data to better understand and mitigate threats, including those that conventional systems might not easily detect. This pooled knowledge leads to a more comprehensive understanding of advanced AI threats and enables defenders to correlate seemingly unrelated events to identify sophisticated attack patterns.

The best solution, however, is to focus on the user’s intent, not their identity. Intent-based fraud prevention analyzes the context and behavior associated with a user’s actions. It does this by seeking to understand the purpose behind a transaction or activity, and then determining whether it aligns with the expected behavior of the legitimate user. Rather than rely on PII, defenders can use dynamic factors, including transaction patterns, user behavior, device usage, and interaction with the system.

At the end of the day, to combat the next generation of online fraudsters – AI-powered or otherwise – fraud detection systems need to shift their focus from who the user is to why they’re there. The sooner security and fraud teams can embrace that mindset, the harder it will be for fraudsters to continually pivot their attacks.