I was part of one of the pioneer credit card fraud detection projects. It was at Visa and, together with all the similar projects taking advantage of early-stage data mining that were going on about the same time throughout the financial industry, drove credit card fraud down dramatically to all-time lows. In recent years, as the technology changes, fraud has increased once again. The financial industry has the online problem to deal with in addition to the ramifications from identity theft and the card skimming that was once falling. Employees are compromising the data they come into contact with as well.
Mass compromises occur routinely since thieves can divide and conquer - some can focus on getting the card numbers and others commit the fraud. There is a robust, efficient black market for card numbers. Consider the huge breach at Heartland Payment Systems in 2009. Fraud is committed with the detection systems in mind. Fraudulent transactions often occur in "blitz" mode to overwhelm the system before it has a chance to react and stop transactions.
A recent study by Ovum of 120 banks found that counterfeit card fraud is the top issue, with wire fraud second. Card readers can be purchased much more easily (i.e., on the iPhone) and the number of cards has proliferated, increasing the potential for fraud. While the UK has adopted "chip and pin" technology on the card, the US has not. This may one day make it more difficult for criminals to cash in on credit card fraud in the US.
Personally, I just count on having to change my credit card numbers at least yearly either on account of outright fraud, the bank (I'll use "bank", but am referring to all financial companies in this article) being compromised or me making legitimate charges where the bank panics and decides to cancel the card. All that good fraud detection comes with a price to the card holder.
I've worked on the fraud issue since then. Other than the fact that it's working on the prevention of a negative to the company, these actually are fun, detective-work projects. For those who have not had the opportunity, today I decided to share some of the architecture behind fraud prevention utilizing the approach of one of the leading international providers of payment systems, ACI Worldwide (Nasdaq: ACIW) and their product, ACI Proactive Risk Manager™ 8.0 (PRM).
As the last step in the authorization process, PRM shares a score with the bank and, based on the tolerance the bank has set for the customer (balancing potential fraud with false positives), the bank's system decides whether to authorize or not.
Although the bank may have a data warehouse, all customer transaction sources feed PRM. Some customers extend PRM's capabilities to make it their data warehouse. One year's worth of backlogged transactions is recommended to start with - even though most are legally required to store seven years of data.
PRM makes decisions at the point of authorization based on:
1. Customer profile - i.e., customers with a $200/day average try to charge $500; customers are also lumped into "peer groups" and charges are expected to conform to the pattern of the group - or else!
2. Rule basis - the rules are managed by the bank; they may decide taking out the maximum from the ATM a minute before AND after midnight is acceptable for this customer; maybe not
3. Analytics - detecting a pattern in charges that matches one in the PRM database of fraudulent patterns
As a learning system, PRM learns when it has been wrong and tunes accordingly. Patterns start with the known fraudulent patterns such as small charges at a gas pump followed by a Best Buy shopping spree, and go from there into areas I won't be writing about here. Some are quite nuanced, reflecting the growing sophistication of both the criminal network and the network detecting the crime.
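The three decision inputs and the bank-set tolerance described above can be sketched as follows. This is an added illustration, not ACI's PRM code: the function names, the thresholds, the 0-to-1 scale and the choice to take the strongest of the three signals as the score are all assumptions, and the transactions are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Txn:
    when: datetime
    amount: float
    kind: str  # constructed labels: "atm", "gas_pump", "electronics", "retail"

def profile_score(txn, spent_today, daily_avg):
    # Customer profile: 1x the daily average scores 0.0, 3x or more scores 1.0.
    ratio = (spent_today + txn.amount) / daily_avg
    return min(1.0, max(0.0, (ratio - 1.0) / 2.0))

def rule_score(txn, history, atm_max, midnight_ok):
    # Bank-managed rule: maximum ATM withdrawal on both sides of midnight.
    if midnight_ok or txn.kind != "atm" or txn.amount < atm_max:
        return 0.0
    hit = any(p.kind == "atm" and p.amount >= atm_max
              and p.when.date() < txn.when.date()
              and txn.when - p.when <= timedelta(minutes=5) for p in history)
    return 1.0 if hit else 0.0

def pattern_score(txn, history):
    # Analytics: small gas-pump charge followed by a large electronics purchase.
    if txn.kind != "electronics" or txn.amount < 300:
        return 0.0
    hit = any(p.kind == "gas_pump" and p.amount <= 5
              and timedelta(0) <= txn.when - p.when <= timedelta(hours=2)
              for p in history)
    return 1.0 if hit else 0.0

def decide(txn, history, daily_avg, tolerance, atm_max=400, midnight_ok=False):
    # Assumed combination: strongest signal wins; the bank's tolerance decides.
    spent = sum(p.amount for p in history if p.when.date() == txn.when.date())
    score = max(profile_score(txn, spent, daily_avg),
                rule_score(txn, history, atm_max, midnight_ok),
                pattern_score(txn, history))
    return score, ("decline" if score > tolerance else "authorize")

# Constructed sample data (not real transactions).
D = datetime(2011, 7, 12)
gas = Txn(D.replace(hour=10), 1.00, "gas_pump")
spree = Txn(D.replace(hour=10, minute=30), 900.00, "electronics")
atm1 = Txn(D.replace(hour=23, minute=59), 400.00, "atm")
atm2 = Txn(D + timedelta(days=1, minutes=1), 400.00, "atm")
big = Txn(D.replace(hour=15), 500.00, "retail")
for t, h in [(big, []), (spree, [gas]), (atm2, [atm1])]:
    print(t.kind, decide(t, h, daily_avg=200, tolerance=0.7))
```

The same $500 charge against a $200/day profile scores 0.75 either way; only the tolerance passed to `decide` changes whether it is authorized, which is the false-positive trade-off the bank is setting.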
One of the benefits is sharing learned fraud patterns across the ACI network. And although ACI brings in third-party, syndicated data to enhance customer data, it does not aggregate customer transactions across the network.
So the cat and mouse game continues into 2011 and, as with many important initiatives, we find information management critical to the solution.
Posted July 13, 2011 12:19 PM

Interesting post sir.
I think there are two issues that keep slapping me upside the head.
First is the fact that, as you pointed out, individual banks make the decisions. I think there needs to be one set of rules across the industry - those that work the best.
Second, I believe that if Chip and PIN is as successful as the industry wants us to believe - and I tend to think it is - then the brands should be pushing for it in the US. Instead, they have pushed out the much more dangerous proximity technology all the while keeping the vulnerable mag stripe.
It's hard for me to believe that card security is high on the priority list with the industry making decisions like this.
Tom Mahoney, Director
Merchant911.org
CardHolder911.info