Separating Fraudsters from Consumers

Our communications-driven world is blessed and cursed by greater access and “convenience”. The blessing of convenience is that information is at our fingertips. We’ve moved from checking messages once a day by smart computer… to once an hour by smart phone… to once every 10 minutes via smart watch.

But the curse of convenience is we’ve made it much easier for fraudsters, con artists, and hackers to rob us. The bad guys are only too happy to exploit our Facebook-inspired openness and the many communication devices we use to manage our banking and telecom service accounts.

Luckily there are companies out there like Experian whose mission is to protect businesses and consumers and throw inconvenient roadblocks in the path of the fraudsters. Experian believes in customer-experience friendly fraud prevention tactics, such as predictive scores, device risk assessment, and linkage analysis. It applies intrusive methods such as knowledge-based authentication only when the risk and circumstances warrant it.

Staying ahead of the fraudsters is a constant challenge that involves supplementing traditional identity checks with a host of new processes, technology, and big data analytics.

Here to explain how credit and fraud prevention programs are keeping pace today is Matt Ehrlich, product director for Experian’s Decision Analytics Fraud and Identity Solutions.

Dan Baker: Matt, thanks for joining us. Could you give us a quick snapshot of how Experian helps protect telecom operators?

Matt Ehrlich: Sure, Dan. Experian’s business is really on the front end, on the activation side — helping telecom operators keep the bad actors from getting on their networks or stealing equipment. We help some of the largest telecoms companies in the US and around the world.
If you have a Verizon Wireless account, for example, we can help prevent the takeover of that account — stop criminals from obtaining handsets, shipping them overseas, and selling them at a much higher price in countries where the phones are not subsidized by customer contracts.

What techniques do you use to establish identity? And how is that practice evolving?

As you’d expect, we use traditional identity-based fraud prevention, things like name, address, social security number, phone number, and date of birth — matching that with information we have on file for that customer.

But these days, it’s important to supplement traditional identity checks with data about the velocity and consistency of information presented by people. For example, if we are verifying an identity, is there anything suspicious about the information presented to us? Third party identity theft is all over the news in the US — a retail firm has a data breach and millions of credit cards are compromised, for instance.

But third party fraud is not the only issue. There’s also plenty of first party fraud, often called true party fraud. And here the actual person committing the fraud uses their own identity: they do not pose as someone else. However they still obtain handsets or services with no intent to pay for those things. The crime is made to look like simple credit default or credit delinquency.

To get approval, the fraudster needs to misrepresent something about himself: his email address, physical address — perhaps slightly changing his social security number.

Yet another popular identity spoofing scheme is “muling”. This is where the ring leader of a fraud ring will pay cash to someone (the mule) for committing part of the fraud scheme.

In telecom, the mules are often recruited on college campuses, through internet sites such as Craigslist, and as crazy as it sounds — even outside a wireless provider’s retail store. And the mule is instructed to go in the store, apply for credit, and obtain as many handsets as they can. Upon exiting the store, the ring leader will pay the mule a small amount of cash for the handsets.

What kind of people are recruited as mules?

Students are one of the more popular groups of people to be targeted. The fraudsters consider them ideal for two reasons: 1) there is typically less credit information on students; and 2) students have more incentive to get quick cash.

Unfortunately, these students fail to understand the long-term consequences of sacrificing their credit.

Certainly one of the biggest risk challenges today is the many avenues for fraudsters to obtain private identity data thanks to all the desktop computers, laptops, tablets, and smart phone devices out there.

Yes, convenience and the effort to promote a better customer experience can get in the way of security. Luckily we’ve found that information collected about all these devices can be very predictive in highlighting risky transactions.

A year and a half ago, we acquired a company called 41st Parameter, experts in collecting information on devices and assessing risks based on the device. This gives us a whole new lens for looking at fraud risk and we have a whole new set of big data to combine with that traditional approach of identity assessment.

Device intelligence is about maintaining a history of activities associated with a particular device. So we recognize whenever that device visits a website or opens up a mobile app. Then, through big data, we investigate any potential linkage of that device to other websites and behaviors. This helps us understand the risks based on past performance and create fraud alerts appropriate to the device.

For example, through an IP address we can recognize that a device is accessing a website from outside the US, yet the user name logged in is a customer who lives in the US. So this will raise an alert. Criminals can even make it look like their inquiry to our client’s website is originating from Austin, Texas but our technology detects that spoofing and knows that access is being made, say, from Eastern Europe.

The nice thing about device intelligence is it allows you to keep the customer experience friendly. For example, when a telecom or wireless customer visits your website or your mobile app, because we can collect and evaluate many points of information on the device and compare it to what we know of its behavior historically, we don’t have to ask the consumer to provide additional information.

The challenge of keeping the customer experience convenient rings true for me. When I call my bank, I am constantly asked questions to verify my identity. It’s frustrating to keep repeating information they already have access to.

Dan, a major paradigm shift has occurred in customer care. In the past, you assumed that the person calling you at the call center to make an account change to his wireless account was indeed the legitimate person — because they provided the right identity information.

But in today’s world, we now have to assume that everyone has been the victim of some data breach and that their information is out there for criminals to find. So I can no longer trust the information I am seeing as they visit my website or as they call into my call center. I am going to assume a position that this identity has been compromised and now look for positive information to support the fact that it is truly them.

You now have to prove to me that you are who you say you are. Now as you experienced, Dan, that kind of treatment is going to turn customers off and they are going to go to your competitor. So you have to verify identity in clever ways and tie that back to your technology and big data.

One of the techniques in common use today is voice biometrics. It’s an emerging technology that has improved a lot over the last few years. The idea is to capture a voice print of you and then check that against a whitelist or blacklist database to ask, “Is this really Dan Baker?”

Given all of the data breaches and security vulnerabilities we hear about in the news nearly every day, it’s no surprise that all identity verification methods are being scrutinized. Take knowledge-based authentication for example. It’s still considered sound practice to screen someone using unique questions that only they should know the answer to. But increasingly, even that has become more and more at risk as a method because of consumers’ openness in social media, the ubiquity of malware, and the extent of breached personal information.

Thanks, Matt. It is indeed a financially risky world out there. We can liken the situation to security checks at the airport. Sure, they’re a waste of time and are inconvenient. But the technology and careful processes are there to protect us.

Credit application and identity fraud is one of the key subjects Dan Baker investigated in TRI’s new research report, Telecom Fraud Management Services, Software, and Strategies.

This interview was originally published by Black Swan and has been reproduced with their permission.

Dan Baker
Dan Baker
Dan is a founder of the Technology Research Institute (TRI), which has published studies about the telecom software market since 1994.

As a journalist, Dan wrote for B/OSS magazine and recorded webinars with VanillaPlus before launching his own publication, Black Swan Telecom Journal.