To fight fraud, data must come in layers
Fighting fraud in today’s world involves having access to the right datasets. With widespread access to breached and stolen data, fraudsters can easily defeat knowledge-based authentication methods. To fight fraud effectively, you need to diversify the data you have available for analysis.
How can you tell the person making a purchase on your website is who they say they are? This is a multibillion-dollar question everyone is trying to answer.
Verifying someone’s identity can be a tricky proposition made even more complicated when transacting online. Fraudsters have access to vast quantities of personal identifiable information and can look very authentic. Therefore, it is better to diversify and utilize multiple sources of data to help protect your business.
Let’s take an innocuous example of where more data improves a situation: You are trying to find a restaurant to eat dinner. Choosing a restaurant is perhaps not as important as preventing fraud, but it is imperative that you find the right place to set the mood for your date or impress out of town visitors. So, when looking for a restaurant, do you read the first review and make your decision? Not anymore. You meticulously go through all sources available to you. You search the internet, crowd-sourced review sites, the restaurant’s website, and ask your friends and colleagues. You don’t want to have an awful dining experience, so you utilize all the data available to you. It’s almost the same process to help prevent fraud on your website.
Fraudsters have access to more data than they ever have had before. Over 10 billion data records have been lost or stolen in data breaches since 2005.
With this number so high, the majority of your customers and prospects have most likely had some part of their data leaked. Fraudsters have easy access to stolen credit cards, addresses, phone numbers, etc., and can look very much like legitimate customers when they sign up.
On the flip side, today’s websites are all about user experience. To get the highest conversion rate you need to capture the absolute minimum number of fields, to ensure customers complete the full process. How do you validate someone when you only capture name, email, and payment information?
This is where you can leverage your fraud platform to diversify your datasets and stop more fraud.
Layer 1 - Customer Supplied Data (name, address, phone). Customer supplied data is what we have been discussing above and includes the fields you ask for during signup and making a purchase. All of this data is easy to fake but still needs to be collected in order to create accounts and accept payments.
Layer 2 – Session Data (IP, browser, operating system, location). Session data is the second layer of fraud data used to protect your business. When a customer is using your website, you can capture key information from their internet browser, subject to notice or consent, pursuant to applicable law. This includes the IP address, user agent and HTML5 device-based location of the user.
When capturing these data elements, you can track and compare them across all interactions with your customer. Having a different IP address or using one computer operating system and then another doesn’t necessarily indicate fraud, but you will see patterns over time.
Adding session data is an easy and inexpensive way to catch a good chunk of your base fraud.
Layer 3 - Invisibly Collected Data (Device and Behavioral Analytics). Many fraud and trust and safety teams will stop at customer-supplied data and session data. To stay ahead of the fraudsters, you will want to add invisibly collected data to your repertoire. “Invisibly collected” data is collected without impacting the user experience.
Let’s use a shoplifter at a brick-and-mortar store, for example. They often show signs that they are shoplifting by loitering, carrying large bags, or acting nervously. The equivalent signs of a fraudster online can be captured invisibly without the user knowing by looking at their device information and their behavioral analytics.
Device fingerprinting can be very telling. By taking a fingerprint of the device you can unveil numerous things that fraudsters are trying to hide. They may be using an emulator to spoof a device OS or browser, or they may be using a proxy to hide their true IP address.
Behavioral analytics is the process of capturing how a user behaves when browsing your website. Fraudsters’ actions can be invisibly captured – such as pasting credit card information or using a bot to submit transactions. Additionally, you can compare previous customer behavior against the current browsing session to see if the customer is behaving in a consistent manner, or if it looks as though their account was taken over by a bad actor.
Layer 4 – Enriched Data (IP, Domain). Last but not least is where your fraud platform should take your customer-supplied data, session data, and invisibly collected data, and enrich your underlying data sets to provide a more holistic picture.
Using IP address as an example, you can get information on the IP location and IP carrier. Maybe your customer is using two different operating systems but at the same IP location and IP carrier, so you know they are purchasing from their house. Adding these extra data points to your fraud strategy can help connect the dots on good users and find complex fraud rings.
As it is with most things in life, more data is better. Whether you are choosing a restaurant for dinner, investing, or fighting fraud, you should utilize all the data sources available to you. When your fraud platform puts all your data assets to use, you will have a strong, layered approach to protect your business that will catch more bad actors with less false positives.
This column is part three of a six-part describing the current state of digital identity and account takeovers, identifying and detailing four levels of fraud – customer supplied data; session data; invisibly collected data and enriched data. Article one, What's your pet's name is no way to authenticate someone, explores the ineffectiveness of passwords and lack of security around the verification process. Article two, For payment crooks, bots are the master key looks at how frauders use bots and stolen information to break through payment system defenses.