Battling CNP fraudsters

By David Andre

Card not present (CNP) fraud is on the rise. According to one study of CNP fraud in Canada, it increased 205 per cent between 2010 and 2015 and accounted for 76 per cent of all fraud in 2015¹. Unfortunately, it could become an even bigger challenge in 2019 as attack surfaces evolve.

The success of chip and PIN technology have pushed the battle lines of digital con artistry into new territory. High-tech fraudsters in Canada and Europe got a jumpstart since chip and PIN were introduced in those markets before others, like the U.S., that were slower to adopt this technology.

It’s been a slow build, but now other parts of the world have begun to experience a spike in this type of fraud as criminals get better at anticipating each move issuers and merchants make. If there’s a vulnerability anywhere they’ll find it.

To paint a picture of the continued challenges confronting fraud prevention, imagine you’ve got a perimeter around a big castle, and as technology advances, the castle gets bigger every day. There was a time when it could be protected with simple fortifications. There was also only one drawbridge: the plastic credit card.

Now though, with continuous financial technological advances, there are new ways to get in. Each new entry point makes the perimeter weaker and thus harder to defend. Attack surfaces are on the rise as consumers warm up to digital transactions, such as Venmo, Zelle and PayPal. More consumers want to shop online with apps, or even with their voices, meaning more attack surfaces amidst a castle that is becoming more complex.

The threat is growing, and it will only continue.

There is good news though. There are industry breakthroughs in machine learning that are proving to be highly effective in the effort to reduce CNP fraud.

A model of behaviour

A method of studying data that automates analytical model building, machine learning is a branch of artificial intelligence (AI) in which systems can learn from input, identify patterns and then make decisions. In the case of digital fraud, machine learning can reduce operational costs, enhance precision and deliver significant advantages in the fight against fraud.

Machine learning helps by assigning a numeric score to each transaction to help fight CNP fraud. It can be a number from 1 to 999 that indicates a scale of possible fraud, with 1 being almost certainly genuine and 999 being almost certainly fraudulent.

For example, at TSYS, our fraud-fighting Foresight Score is a tool that incorporates machine learning capabilities to help level the playing field in the battle against fraud. In essence, this kind of machine learning looks at the cardholder and comes up with a model of “normal” behaviour.

Some of the factors considered when calculating a Foresight Score, include frequency of cross-border transactions, individual merchants and merchant locations, whether an individual uses a chip card or swipes their credit card, taps their card or use other and evolving cashless payments methods. The TSYS Foresight Score can help increase fraud detection by 35 per cent in some cases.

The race to get data

At the core of machine learning is data. The simplest way to describe this defence against the world’s digital fraudsters is that it is a race to get data. The more data collected from sources like online retailers, apps and client banks the better machine learning can become at identifying fraud. That’s one reason that large payment companies are poised to gain more success in the fight against fraud than their smaller rivals because they have access to so much data.

Studying this type of information and collecting data about individuals’ spending patterns, however, begs the question of what is an acceptable level of fraud? Meaning: not flagging so many transactions that customers who are making legitimate purchases get pre-emptively declined.

Some banks tend to put the customer experience first, making sure that, above all else, card users don’t get unnecessarily blocked (false positives) for innocently using their cards somewhere new. But an occasional false positive can be the trade-off for heightened security that protects against fraudulent activities. Customers, when educated and aware about security, will accept the odd inadvertent blocking as the price to pay in these times: no different than the security they undergo when entering a public building or boarding a plane.

The battle against CNP fraudsters is far from over because the ever-increasing attack surfaces expose new weaknesses every day. However, thanks to continuous breakthroughs in machine learning, we’re learning new strategies that will help us know when and where to make trade-offs and enable us to fight this kind of fraud even more effectively while attracting and retaining customers.

David Andre is senior vice president of risk and fraud in the Global Product & Innovation Group at TSYS (www.tsys.com), a top global payments provider.

1 The U.S. Payments Forum, “Card-Not-Present Fraud around the World”, report, March 2017.