Mastercard is unveiling an anti-fraud tool that’s been in development for more than three years, bringing a new way to pinpoint cards and accounts at the highest risk of fraud following data breaches.
The Early Detection System (EDS) was designed by multiple teams across Mastercard’s global operations in risk, technology, fraud investigation and issuer relations. It operates by attempting to peek over fraudsters’ shoulders as they test out a fresh batch of stolen card accounts.
“When fraudsters get ahold of data for 100 accounts, they immediately begin testing the card to see if they can leverage it, and they only end up using about 3% to 5% of those cards for actual fraud. We apply that same approach to testing accounts exposed after breaches, and we flag the small number of accounts exposed in a breach that are most at risk,” said Ajay Bhalla, Mastercard’s president of enterprise risk and security.
To determine which accounts are at the greatest risk, Mastercard compares transactions occurring in real time to information collected on the “dark” web about stolen account data, Bhalla explained. Using a combination of internal and external data sources monitoring transactions spanning more than 55 million merchants worldwide, EDS determines if a particular card is at risk for exploitation after a breach and sends the participating financial institution an alert classifying the threat level as very high, high or medium.
“This tool gives financial institutions the opportunity to get ahead of the game and take action as needed only on the cards at high risk of exploitation for fraud, for a more precise response,” Bhalla said. “Analyzing patterns of transactions taking place at physical locations, on e-commerce sites and mobile devices, we can quickly figure out which exposed account numbers are being tested by fraudsters, and we can predict which accounts have the highest risk.”
While other services may promise to alert issuers about accounts and transactions at risk for fraud, EDS provides issuers with alerts on a much broader set of at-risk accounts at least six to 18 months ahead of traditional alerts. Issuers must subscribe to EDS separately from other fraud-monitoring services; implementation can be completed within five days, Bhalla said.
“Some of this information was available before, but what makes EDS very different is the scale of the data we’re seeing and the way it pulls data, information and technology together for the first time to quickly pinpoint account risks,” he said.
Analysts say financial institutions may not see an immediate need to upgrade systems as a result of the Equifax breach, which is described as the broadest of its type, exposing the personal data of 143 million consumers.
“I don’t believe (the Equifax) breach is going to be a boon for the fraud mitigation software providers,” said Sarah Grotta, director of the debit advisory service at Mercator Advisory Group, noting that the latest breach was just one of hundreds of events exposing data that likely has been compromised previously.
“This data has been stolen before and financial institutions have seen this kind of fraud before. As long as they are following procedure, they should have the tools in place to protect against fraud emanating from this type of event,” Grotta said.