Poker tables have long been the ruin of the unfortunate. Tales of unsuspecting and inexperienced players losing their life savings to predatory card sharps are legion. But when managers at online gambling exchange Betfair saw that a string of new registrants were losing large sums of cash in very little time, they began to suspect that they were not just looking at an influx of mug punters.
The risk investigation team quickly found that money was being lost to certain players, and the suspicious bets could all be traced to a range of IP addresses from an Internet café in London’s King Cross area. Betfair’s Sandra Barton-Nicol, head of risk investigations, soon discovered that accounts were being set up using credit cards details from individuals that had stayed at a single hotel. The breadcrumb trail quickly resulted in the fraudster being apprehended and convicted.
This case is indicative of the toolset that businesses are applying in their efforts to stamp out fraud: data analytic systems trained to flag up anomalous activity; a level of data granularity that allows fraud teams to interrogate transactions; and importantly, co-operation between rival organisations.
George Lennox, HSBC
Such cross-industry co-operation is vital to preserving that industry’s reputation, says Barton-Nicol. It has also been essential in catching criminals off-guard. Betfair shares its poker room with Littlewoods and William Hill. “The criminals thought that because we shared licenses it would be easier to hide their activities, they were counting on us not speaking to each other. But we do and we share data,” explains Barton-Nicol.
Transactions that individually may look innocuous can be seen to be part of a wider, criminal network if companies are willing to share their data or the models they have developed to flag up suspicious activity, or if individual companies deploy enterprise wide fraud detection applications which draw on their own multiple sources of information. Avivah Litan, an analyst at Gartner says: “There is definite proof that cross-industry co-operation improves detection rates by between 10% and 15%. That can rise up to 70% depending on the fraudsters.”
The willingness of online rivals to co-operate in the fight against fraud is indicative of the scale of the problem: in the sober world of retail banking such information sharing would have been almost unthinkable.
The reason companies are willing to share data is simple, Timothy Paydos, director of threat and fraud intelligence at technology heavyweight IBM explains: the level of threat. “Now a relatively unsophisticated bad guy with imagination and a good laptop can cause major damage.” That is a game-changing development for those dealing with large volumes of financial transactions.
Furthermore, there is a growing threat from organised crime. A decade ago roughly 70% of all card fraud was due to cards being lost or stolen and then used by people who could just copy the signature. Conversely counterfeit card fraud and card not present (CNP) fraud – for example, perpetrated by someone paying for goods over the phone – barely registered.
In today’s Internet economy, CNP accounts for 42% of card fraud in the UK, and totals £183.2 million; fraud on lost or stolen cards accounts for 20% (see table).
Introducing the Chip and PIN system into card payments is helping drive down overall card fraud, says Mark Bowerman, communications executive at APACS, the UK’s payment processing organisation. And the system may soon help drive down online fraud as well. “Customers could insert a chip and PIN card into a reader linked with their computer and enter their PIN to generate a one-off passcode to verify each transaction.”
However, as those combating fraud know only too well, more robust and secure systems do not stop criminals, such systems simply shift the focus of attacks onto easier targets. Consequently, many organisations focus on detecting fraud after the event, a strategy given extra impetus in the financial services industry thanks to regulation such as Basel II.
David Porter, Detica
Many of the fraud-busting techniques rely on data mining tools, examining patterns of behaviour, spotting how fraudsters behave and creating models capable of identifying suspect transactions. However, there is a weakness to this approach, warns David Porter, head of security and risk at UK-based IT security consultancy, Detica: “The data’s based on the stupid and greedy: the really smart guys don’t get caught.”
Detecting fraud requires large amounts of high quality information. “Most countries haven’t got the data stores of the UK and US” says Gartner’s Litan. “Even a very developed economy like Japan doesn’t have that much of a credit history. Not having those stores just makes it so much harder to build up profiles of people and behaviour.”
Behavioural modelling of both genuine and bogus customers plays an increasingly important role in setting the limits of fraud detection. Managers want to simplify transactions for genuine customers, but there is a fine balance to strike between usable and secure systems, says Peter Bove, of data analysis software maker Fair Isaac. Typically, a ratio of one false positive for every 20 ‘problem’ transactions is regarded a sufficient protection to stop “significant fraud without inconveniencing the genuine customer too much”, he says.
However, modelling individuals’ behaviour may no longer provide adequate protection, says Detica’s Porter. “Behavioural models often focus on individuals looking for quick results which mean they leave an obvious trail. However with the involvement of more organised crime rings, fraudsters are not going for the big bang as much; individually their transactions are relatively innocuous which makes the chances of detection much more slight.”
One application of this social behavioural modelling can be seen at the UK’s Insurance Fraud Bureau, which collects data from over 20 leading insurance providers, and uses a mixture of individual and social behaviour modelling techniques to look for fraud. Insurance fraud is estimated to total £1.5 billion a year in the UK, adding 5% on to all insurance premiums.
The financial services industry has historically been well attuned to threat from fraud; now there is a growing recognition of the threat fraud poses across all businesses, especially those with a significant online presence, such as travel agents.
At online giant Lastminute.com profits were a huge impetus to improving fraud detection. Changes in the regulations governing liability mean that now when banks identify fraudulent transactions, they refuse the payment; Lastminute is also left with the burden of refunding victims. “It was a double whammy for us. The more we stopped the worse our figures were appearing,” says Andy Lee, the fraud manager from Lastminute.
Now, Lastminute examines 158 different variables in booking, to identify suspect transactions before they are accepted. Lee is naturally unwilling to share all the details of the 158 measurements – there is no point making the fraudsters’ jobs easier – but he did confirm that webmail accounts and destinations were two of the early indicators. Indeed, the problem with some destinations can be so acute that Hotwire.com, a US-based alternative to Lastminute no longer sells flights to Nigeria because at one point, every one of the flights booked to there was made using a counterfeit or stolen card.
The payment card companies are also playing their part in fighting fraud, no doubt aware that their business will be crippled if consumers lose faith in plastic.
Secure payment systems such as ‘Verfied by Visa’ or ‘MasterCard Secure Code’ have helped Hotwire.com massively reduce fraud, says Joe Selsavage, the company’s director of accounting. The use of such systems combined with other practical measures, including limiting the number of card numbers a user can input, has helped reduce fraud from a level of 5.25% of total sales in 2001 to just 0.03% today, he adds.
While such reductions are impressive, large enterprises are only too aware of the impact that a 0.03% level of fraud on sales can have. As George Lennox, senior manager of group credit at HSBC explains: “Even a 1% improvement in our risk figures will be the equivalent of some $75 million of profit for HSBC.” That makes justifying investment in fraud detection systems a no-brainer. HSBC is currently developing a new fraud detection system in conjunction with business intelligence vendor SAS.
And that system could have knock-on benefits. HSBC experiences far more credit losses than straight fraud, so Lennox’s rationale is that if the bank can tackle fraud with sophisticated data analysis and real time decision making then “we will be able to point the system in another direction i.e. credit, and with minimal implementation costs, make major gains.”
If HSBC is successful, expect to see other major enterprises investing in sophisticated data analysis tools. Fraudsters may soon see the days of easy money coming to an end.