How to Protect Your Marketplace from Fraud
Credit card fraud is now a billion-dollar problem hurting the world’s economy, consumers and businesses. Merchants around the world lose more than US$70 billion annually to card-not-present fraud alone, whereby unauthorised transactions are made to purchase items online. In addition, identity theft was at an all-time high last year, affecting more than 15 million consumers. This means that there is a new victim of online fraud every two seconds.
These are some of the worrying facts that were brought to light in Arcadier’s exclusive interview with CashShield’s Founder & CEO, Justin Lie. Now an Arcadier Affiliate Partner, CashShield and Arcadier aim to work together to help new online marketplaces expand securely and profitably.
Specializing in fraud management, CashShield prides itself on a fully machine-automated solution that can self-learn and recognize user behavior patterns in order to sniff out fraudulent financial transactions in real time. Its passive biometrics capabilities, which detect patterns in mouse movements or typing speed, mean that the user doesn’t even know that the identification process is happening.
CashShield’s software can be used to detect fake account creation, account takeovers, and cases where fraudsters create new accounts in bulk to exploit sign-up incentives. To make sure its clients are fully covered, CashShield also offers clients 100% reimbursement for fraudulent transactions that break through its defenses.
Based on its track record, CashShield has been proven to help businesses increase their transaction acceptance rates to up to 99.5%, while reducing fraud rates to one-tenth of the industry’s average. The startup’s competitive advantage has won it big accounts such as Razer, Square Enix, T-Mobile, and Vodafone. CashShield now has offices in Singapore, Berlin, Jakarta, Shanghai, and most recently, Silicon Valley.
Why is expanding beyond local e-commerce risky without an efficient fraud system?
When an organisation starts expanding beyond local e-commerce, the fraud rate increases exponentially, as it is susceptible to more high-risk markets when cross-border transactions are involved.
The available fraud solutions in the market are still either rule-based systems, which are static and reactive in nature, or a combination of machine operation and manual reviews. With traditional rule-based systems, businesses would layer more rules and authentication barriers for tighter security when online hackers are able to bypass them the first time round. Such a reactive approach to fraud prevention would leave businesses susceptible to evolving fraud attacks happening in real-time. In addition, the heavy reliance on manual reviews would also result in huge bottlenecks and limit the business’ scalability.
Instead, businesses should move towards active surveillance, which is a more efficient process in screening transactions. Using real-time analysis and behaviour monitoring, the system is able to proactively detect and block out fraudsters in real-time.
Which industries face the highest risks and are in greatest need of protection from fraud?
The highest risk industry would be the digital goods industry, due to the high liquidity of goods which allows them to be bought and resold quickly. As a result, hackers often target digital goods purchases for easy profit. In addition, consumers always demand immediate fulfillment when it comes to digital goods, giving little downtime for manual reviews and a high margin of error when businesses experience an influx of transactions.
Are there specific factors that render an e-commerce site susceptible to fraud?
The growth of e-commerce fraud occurred when banks and credit card companies started to move towards EMV (global standard for cards equipped with computer chips and the technology used to authenticate chip-card transactions) adoption. As a result, this made it more difficult for fraudsters to commit card-present fraud, prompting them to target online businesses instead. The anonymity of online fraud makes it even harder for businesses to trace.
Many fraud attacks involve the hacker simply obtaining a list of stolen credit card numbers and generating seemingly unique transactions with false customer information. This is even easier with the fact that a stolen credit card number can be bought on the black market easily for as low as US$1. More sophisticated attacks would involve genuine customer profiles – i.e. hackers will obtain stolen account login and password information to access and make transactions with the credit card information stored.
In addition, several high-profile breaches involving very comprehensive information associated with users have hit the news recently, such as the Equifax breach, the Malaysian data breach and the Uber hack. With more quality information such as email addresses, credit card numbers, birth dates, social security numbers and passwords, fraudsters can create a more complete and seemingly genuine profile to mask their fraudulent identities while making purchases.
The CashShield team. Photo credit: CashShield.
Naturally, as a marketplace scales, it’s impossible to screen all the transactions manually. Payment service providers normally have their own verification system too. How does CashShield complement them?
While some payment service providers have their own verification system, their core expertise still lies in processing payments. It would make more sense that they outsource the fraud operations to specialised fraud management vendors like CashShield, since we have extensive research in this field coupled with the latest machine learning technology designed specifically to combat fraud.
In addition, many of the systems developed by payment service providers are more often than not rule-based filtering systems. To tighten their security, these systems usually increase the number of rules used, but risk filtering out a lot of genuine customers in the process. Using a different approach, CashShield’s system is able to combine the use of passive biometric analytics, real-time pattern recognition and high-frequency trading algorithms that evaluate risks in real-time and accept transactions based on optimised decisions that would help to maximise the company’s revenue. As a result, CashShield is able to accept more genuine, but riskier transactions by offsetting them with safer transactions within the portfolio.
What are some of the red flags that distinguish between legitimate and fraudulent transactions?
Many solutions in the market, especially traditional rule-based fraud detection systems, determine whether transactions are fraudulent or not based on potential red flags, which are considered static rules and reactive in nature. For example, a common static rule will be to block transactions from riskier locations (deemed as red flags), but that would mean blocking genuine transactions as well. Many travellers have their transactions blocked as they would be using a card from a foreign location, and therefore be seen as suspicious activity. Furthermore, fraudsters can easily bypass such static rules after they have identified the rule, modifying and improving their attacks with machine learning.
Rather than relying on such static rules or flagging out transactions based on suspicious data points, more sophisticated fraud systems will detect and block out fraudulent transactions based on identifying the fraud patterns across different transactions. Most of the fraudulent transactions are coordinated fraud attacks, which will inadvertently leave behind a fraud pattern. By identifying the source of the attack (otherwise known as Patient Zero), the system can then identify all variations of the Patient Zero attack and wipe out the rest of the associated fraudulent transactions.
CashShield’s software preview. Photo credit: CashShield.
Inefficient fraud management can eat away at a business’ profit margin. Besides integrating services such as CashShield’s, what other best practices can online marketplaces implement to manage fraud?
One piece of advice we always give businesses is that risk is to be managed and not eliminated. As we have seen recently, the number as well as the scale of data breaches have increased and evolved. We are no longer dealing with simple breaches, but those where many key data fields of a single user have been compromised. In light of this, fraud is inevitable and it is now a matter of ‘if’, not ‘when’.
Having said this, businesses should not be overly focused on completely reducing fraud rates to 0% because that would mean that genuine customers would get blocked out in the process too. Instead, they should focus on managing the fraud rates within an acceptable level such that it does not undermine business operations. This is very much in line with what we tell our clients as well.
As we are able to draw parallels between scaling a business and investing in a stock, where 0% risk yields 0% return, we encourage our clients to consider increasing their risk appetite slightly to unlock more business potential. For example, we will ask them to consider: if they can increase their risk from 0.1% to 0.2%, and it can potentially unlock a 20% increase in revenue, will they choose to do so? Managing fraud risks effectively will yield a better long-term return with more revenue growth and better customer retention.