11th January, 2021
Interview with Hubert Rachwalski von Rejchwald, CEO, Nethone
Merchants and e-commerce specialists need to be wary at this juncture of how expert fraudsters have become at committing fraud.
Experts believe that fraudsters not only act as an organized group and learn fast from their own errors, but are also well aware of which platforms are using which security measures.
Ai’s Ritesh Gupta spoke to Hubert Rachwalski von Rejchwald, CEO, Nethone, about the same. Excerpts:
What would you term to be the biggest challenge in managing fraud today – would it be false positives?
Hubert: It’s not that fraudsters stopped pursuing their activities during COVID. In fact, we have actually witnessed an increase in signals that indicate fraud attempts. So it becomes an issue of riskiness of traffic. But at the same time, the volumes are down. False positives cost a lot in such a scenario. Fraudsters have evolved their technology rapidly over the last year, making it more difficult to keep false positives to a minimum.
How to fight fraud with scalable and flexible infrastructure?
Hubert: We recommend cloud-based infrastructures and cloud-based solutions. From an operating cost perspective, on-premise implementation is way too time-consuming and costly. We hope to see that all of the merchants that are thinking about implementing these solutions will be more inclined to go with cloud-based systems.
It allows them to be effective because if there are changes in traffic, they don’t need to worry about server capacity. The latest features are added to their solution with minimal cost.
Fraudsters continue to evolve. What new methodology would you like to highlight as far as e-commerce fraud is concerned?
Hubert: There is currently a big offensive among the most sophisticated and organized fraudsters to leverage more and more professional tools. These days it’s actually becoming less about the manual setups and configurations organized by individual fraudsters. It has become a problem of dealing with sophisticated, sometimes ML-based, scalable solutions that were specifically designed for “frauding”.
The barrier to entry to this space is merely having the financial resources to subscribe to these tools; there is less training needed, fraudsters just purchase access, generate credentials, go through basic configuration of parameters, and they’re ready to go. And it’s difficult to detect these tools. We’re happy to share some of the names of the tools that are available in private meetings, but we don’t want to promote them in publicly accessible content. In order to stand a chance in this fight, you need profiling capability that is able to recognize that you’re not dealing with a normal user, but instead an excellent imitation. Just to put in perspective how quickly the evolution happened, 12-18 months ago, these tools just started to appear. The majority of fraud was conducted with easier tactics and less advanced tools.
Just as with any innovation, it’s a matter of convenience and ROI. If you’re a fraudster and have the financial resources, why not go for tools that will automate your work, supported by SaaS organizations that provide professional, 24/7 customer support complete with YouTube tutorials? It’s an arms race. So much innovation is being poured into methods to extract money from the system. It needs to be met with comparable investment on the merchant side.
Considering that mobile plays a pivotal role in commerce today, how are fraudsters finding ways to commit mobile commerce fraud?
Hubert: The reality is that most of the biggest anti-fraud solutions on the market today were built in the late 1990s and early 2000s. The newest ones are from the 2010s. Back then, the share of transactional traffic going through web browsers was dominant. And then in 2012, mobile began to grow. In growing markets like Asia/Africa/LATAM, mobile is dominant.
Merchants who use legacy systems now have a hole in their security. When we were starting in 2016, we saw the future growth in e-commerce, and predicted that the bulk of the growth would come from the mobile channel. So we invested in research and development to find data that will help us fight mobile fraud, such as extracting data from gyroscopes and accelerometers in devices. The R&D helped us build a richer risk profile of a given mobile session. And now the investment is paying off.
Fraudsters are perfectly aware of which platforms are using which security measures. They know which ones are leaky with regards to mobile data. Fighting fraud in native mobile is a whole different game.
There have been interesting discussions around improvising on both traditional/rules-driven as well as machine learning to combat fraud. What’s your advice to merchants when it comes to working out a solid defense mechanism?
Hubert: This is a discussion that we’ve participated in for the last 4 years. We actually understand why fraud prevention managers are in favor of rules. Rules are easy to understand. If something happens, then you can rebuild the logic in your mind and find what triggered an event. With ML the complexity is much larger, hence the hesitation for moving to an automated setup. It becomes difficult for an analyst to grasp what’s happening without some additional help.
That’s why we decided to invest in Explainable AI. It’s a machine learning setup that allows for granular explanation of why a particular prediction is being made. We are able to leverage the analytical potential of the most powerful tools out there, including deep learning where applicable, but still be able to precisely understand why a particular decision and recommendation has been made. We’ve expanded on the ELI5 (Explain Like I Am Five) library/methodology to be able to provide more context for what an ML model was sensitive to. For each transaction there is a recommendation, and we can provide a prioritized list of arguments why a particular recommendation was made. This is important for both regulatory and adoption reasons. The analysts on the fraud managers’ team are now feeling more in the loop.
Regulations impose strong obligations on the merchant or institution especially if there are disputes, if a transaction was rejected, to provide arguments why an end customer wasn’t accepted. Being able to just go to the panel, search the ID of the transaction attempt and extract a list of features with their weights from the model that suggested the decision, that’s super helpful and powerful.
One of our engineers recently wrote a piece that illustrates the topic well: how studying connections in networks built from transactional, tabular data helps us uncover relationships that are hard to extract when keeping the data flat.
At the end of the day, a client wants to understand why a decision was made. We can pinpoint that this particular model made this particular decision.
My recommendation to merchants: there are so many tools out there, so think about your priorities. I suggest thinking about false positives and the cost of rejection given difficult times. Think about having a setup that allows you to leverage powerful tools while having transparency and control. It’s difficult to jump into unknown waters, and a “black box” ML solution isn’t reassuring. But if you can use a solution that is heavily automated, allows you to maintain some rules logic if your processes require it, then you can take advantage of the most sophisticated tools out there while having the option to see and extract explanations. That sounds pretty compelling to me.
Shopping patterns have evolved – for instance, orders during the daytime, as people mostly worked from home this year. How to ensure there is a balance between security and CX?
Hubert: It’s true, shopping patterns have evolved. That’s why you cannot use rules. If you have a rule that it’s unlikely for a user of a particular card value to make purchases during typical working hours from a certain geography, then you will reject or at the very least send to manual review very legitimate users. The internal cost of modifying dozens of rules is a killer. That’s why we advise our partners (and anyone who asks, really) to leverage as many data points as possible. Save all of the data points of what is being bought and when, which time stamps, etc. and use models that will be retrained periodically. Rules are very aggressive, they like to discriminate right away. With ML we can be much more subtle and look at shades of gray.
It’s good to remember that fraudsters know what might be confusing to merchants right now, because they know what’s changed in the world. It’s all about discerning what is typical and what is not. If they know that the hours of shopping have changed, then they will blend into crowds that are relatively new to confuse the merchants. So we recommend that merchants use all of the available sophisticated techniques to extract information value from this data that the organization possesses.
We hope to see increased adoption of unsupervised and supervised ML. We recently resolved the velocity rules functionality with unsupervised ML. We created a group of models that compare a session against the previous 10,000 sessions using 5,500 distinct attributes. With that scope you’re able to spot a lot of similarities, and you can identify a fraud attack as it happens without having to wait for the feedback. The historical way of dealing with this was velocity rules. For example, if a user has the same BIN number that was used in many other transactions in the last 30 min or 30 hours, then the transaction is stopped with velocity rules. What if there are a lot of legitimate users with the same BIN that want to buy from your portal because they’re responding to an AdWords campaign? It doesn’t mean it’s a fraud attack. If you can compare 5,500 attributes at the same time, and act on it automatically, then that is power.