Guest post by Alexander Hall
Disclaimer:
In today's article, we present a unique perspective often concealed – that of a former high-level fraudster turned Fraud Defense consultant, Alexander Hall. With his extensive experience, the author sheds light on the tactics and strategies employed by those on the other side of the battle against financial crime.
We have seen a steady rise in data breaches and mail theft across the United States. This increase is flooding criminal marketplaces with sensitive information, supporting countless fraudulent methods. In this article, Alexander Hall shares his unique insight from his time operating as a fraudster and provides actionable preventative measures your company can deploy today.
Breaches and Mail Theft - Feeding the Abyss
For the last several years, data breaches have been the primary concern for the influx of stolen information on criminal marketplaces. These breaches provide fraudsters with an array of sensitive data; payment information, login credentials, account information, and most importantly, personal identifiable information (PII). The PII of potential victims with valuable credit profiles and/or well-funded accounts appeals to fraudsters as it can be employed in a wide range of methods, yielding valuable returns.
Following closely behind, and rising quickly, is mail theft. Where PII is the most valuable dataset collected through data breaches, checks are the most sought-over piece of mail. Any Google search will provide an article showcasing hundreds of checks in the hands of criminals.
How valuable are stolen PII datasets coupled with Checks when placed in the 'right' (wrong) hands? Extremely. The formulaic puzzle has three components; PII, Checks, Methods. Speaking from my experience on the other side, here's the potential I see:
Methods from my past, leveraging compromised PII and Checks:
Here are overviews of the three most relevant methods from my former life:
So what do we do? Proactive strategy development
My clients come to me to solve a laundry list of fraud-related issues ranging from identity theft to ATOs, automated card verifications, check fraud, and a great deal more. The strategy development process is much less demanding than most assume and there is plenty of work that can be handled in-house, while navigating compliance and regulatory demands.
Similar to retail theft, fraudsters are looking for any part of your operation where you don't have coverage. They will troubleshoot every available touchpoint and are armed with the information needed to put through numerous iterations within an hour (if they are determined to find the weakness specific to your organization).
Step 1. Identify your Touchpoints
Proactively identify every touchpoint wherein a user can transact with/manipulate the back-end of your operation. Common touchpoints for FIs include Account Creation - Login - Deposits - Withdrawals - Payments (Cards and Checks) - Credit Lines/Loans - Customer Service - Chargebacks.
Once identified, it becomes much easier to build a list of precedence and move on to...
Step 2: In-House Data
Build in-house data for each touchpoint with the intention of quickly identifying suspicious patterns. At this point, I typically suggest the deployment of two different datasets: one for all performance, one for escalations/suspicious activity. Once we know what suspicious behavior looks like for each touchpoint and have the data in place to identify suspicious patterns, we will then know the volume of processing required by our team and can move to...
Step 3. Automation
Once we know what we need, we know what we are looking for as we begin to qualify technology vendors with the intention of taking the heavy-lifting off our team's shoulders. Once automated, it's important to work with your account managers to refine your models as needed and work in tandem to squeeze as much ROI out of each engagement as possible.
Automation and data aggregation go hand-in-hand. Expanding beyond in-house data provides a massive boost to the accuracy of your determination process and ability to accurately identify users who would otherwise be categorized as "First Seen."
Reflecting on my experience as a fraudster, I am well-aware of how effective fraudsters can be at manipulating information and submitting what seems to be accurate information for engagements. Because of this, I often find myself leaning toward what I consider "passive" data sets for determinations. A passive dataset is one which is not submitted by the user. Examples include behavioral analytics, geolocation, and device fingerprinting.
Now we're off to the races... with one step left:
Step 4: Repeat
Successful organizations are constantly adjusting policies, introducing new product lines, adjusting for low-friction environments, etc. It's important that your fraud teams evaluate these new processes for possible exposures.
The process starts again...
Up Next:
Join us on December 14th @ 2pm ET as FiVerity CEO Greg Wolff and I co-host a fireside chat and open dialogue about the current landscape of fraud, the exposures to be aware of, and how to integrate behavioral analytics into your fraud prevention strategy.
Be proactive, my friends.