Fraud Technology Podcast

Episode 7: There are more creative ways (to fraud) nowadays than 10 years back !!

Varun Vanka Season 1 Episode 7

This episode highlights the ever-evolving challenges in the realm of fraud, emphasizing the increasing sophistication of fraudulent tactics compared to the past decade. Focusing on the context of startups and neobanks, three primary forms of fraud are addressed. First, identity fraud is discussed, occurring during the customer onboarding process, where fraudsters gain access to sensitive personal information, including Social Security numbers and phone numbers. Account takeover, another significant challenge, is then explored, where dormant accounts are particularly vulnerable to fraudulent activities. The conversation also delves into the complex world of synthetic fraud, where thieves use stolen data to create entirely new identities, complicating the detection of fraudulent activity. These insights underscore the need for proactive measures and vigilance in the ongoing battle against fraud.

Thanks to Varun Vanka from Upgrade (https://www.upgrade.com/) for the insights.
In conversation with Ravi Madavaram from Regulo (www.regulo.ai)

Welcome back, listeners. This is Ravi from the Fraud Technology Podcast. Happy to be back here again. As you can see, I have a change of setting, doing an outdoors recording today. You may have some noises, hopefully I can edit it out, but I love the setting. I wanted to bring that out into the podcast itself. And for today we have Varun Vanka from Upgrade. He has a lot of experience in the fraud space itself. So I wanted to bring him on board and hear some of his insights, fighting the fraud itself. Welcome Varun, would love to know a little bit about you and how you ended up in the fraud space itself.

Thank you for the detailed introduction, Ravi. I can see that you're in a different setting and seems very pleasant by the way. But yeah, coming back to me, I've actually joined fraud space around six years ago, you could say, and before that I was mostly in the technology space. But coming to the fraud, one thing that really interests me is there is new learnings every day. When I initially started it out, I would say I'm new to it, especially on the financial side, and learning about how does a card not present work and everything was pretty new to me. But then I was lucky to have really good mentors at that time who had patience to teach me everything about fraud, to be honest, but also with my background experience from technology, it really helped me to get quicker in fraud, because data is a key factor in fighting the fraud. So that kind of helped me to jump quickly and, with the use of data and analytics, try to get into those, what do you say, nitty-gritties of finding, hey, where could I actually find the fraud and everything. And after that, joining Upgrade, it's a medium startup right now. It's a good experience because I'm learning a lot of different kinds of fraud and I've been enjoying it for now.

Wonderful.
I see a lot of people coming from the tech background, especially around SQL and like database side itself, which I'm guessing is also your background, right? Yes. Yeah. Yeah. So I also see quite a few people with that background doing really well in the fraud space itself. So can I understand a little bit about what exactly you do? You're a fraud analyst, right? So do you build models or do you actually unless when alerts come in, you investigate them?

Exactly. So the model is like an analyst. We have a data science team over here who does the whole thing. But you could say as like a second tier where we work, we use the models. Because models, they work really well, but it doesn't really always catch the changing fraud trends. Let's say you have like many transactions coming on and there's a model that builds where there is individual scoring for each transaction, but then it could not always happen like that. There is a sudden change where the fraudsters could get a hold of a lot of credit cards or anything, and they could actually do like a legitimate transactions, and the model wouldn't have been trained for it yet. So that's where we come in to see, hey, okay, I see a pattern over here that the model isn't catching it. So let me first investigate it and see if we would be able to catch it better. Okay. And also we think that, okay, this is, seems to be like a new pattern that we did not notice that before. That's when we go to the modeling team or anyone saying that, hey, I think this is a new pattern. Maybe we need to train the model in a different way so that it could catch this fraud pattern. But the problem with this is, it keeps changing. So we can't always like telling, hey, this is a new fraud pattern, go and change the model, that couldn't happen always. So I think as a fraud analyst and as a data science team, we have to collaboratively work to make sure both of us are up to date in running the models and share each other's knowledge so that we could mitigate some of the fraud risk. I know we couldn't completely remove it, but at least reduce those fraud losses.

I understand that. So you talked about modeling giving a scoring for each transaction and based on the scoring, something is decided with this fraud. And I'm assuming that above a score threshold, it is considered an alert and actually comes to the product's team. So that's the process. Okay. All right. When an alert comes to you, then you investigate that. And then you decide whether it's a false positive or true, right?

Yeah, but that doesn't really work on the transactional side because they're like billions of transactions, but usually that happens on the onboarding. And if you have to catch any identity fraud or account takeover, that's usually the process, but for transaction fraud, we have to figure out like, hey, if there is a pattern coming from those models, let's say I shop at a regular store nearby my house, but then my transactions start popping up at Brazil or somewhere and the pattern keeps changing like that. Hey, there are transactions coming from Brazil and then Argentina and from different countries. So we have to figure out, oh, so there seems to be like a new pattern where they're using a merchant in Brazil to do some kind of an attack over there.

Okay. So this would be the modeling team doing it or would the analyst team be doing this?

So usually the modeling team, what they do is they would run this model, but the model has to go from really well, that it could say that, okay, if this guy does his transactions every day at a local store, but then suddenly a transaction popped up at Brazil, like how did the score jumped up? We don't want like an immediate jump too because I might be traveling there. So all those factors come through to the picture.
And then the fraud analyst like us, we, what we do is we determine, hey, if this is actually a fraud pattern in there, like seeing multiple, because we just don't focus on one customer. We focus on like hundreds and thousands and then see that, okay, if there is actually a fraud pattern and this is truly a fraud, or it's just a false positive that actually a customer is traveling there and we are good to go.

Okay, maybe let me take a step back then. So you mentioned that there is a difference in how it is done for onboarding and ATO versus a transaction. So how is a setup done for transaction fraud? How do you go about, because you have billions of transactions that are happening, right? How do you go about which ones to investigate?

So typically we don't do here on a customer by customer basis. Okay. So we typically tend to see how the fraud pattern is coming up. Like it could be either coming from a zip code or it's either coming from a specific merchant. So these days what's happening, I think it's across the industry, is the fraudsters are trying like a BIN attack process. So they choose like a specific BIN. So a BIN is the first six digits of our credit card number. Oh, okay. Wonderful. So these days what's happening is the fraudsters, they're using like a sophisticated bot attack to target a particular BIN. As I was saying, like BIN is the first six digits of your credit card number and it is a unique for each financial institution and every financial institution might have multiple BIN numbers too. Okay. The bigger the financial institution, there are multiple BIN numbers and yeah. So what's happening with these, the fraudsters are, they're clever too. So what's happening is they would choose like a vulnerable merchant where they don't have many controls in place. It could be like a mom and pop store, or it could just be a regular high merchant to discord. It could be both. Oh, it is both, but mostly they would do like a card not present transactions.
So what happens is they get these first six digits. They choose one of those BIN numbers and then they use this vulnerable merchants to write like a sophisticated bot program. And what happens is they try like multiple different combinations because they only have the six digits, right? So they'll just tell the program to run those permutations of combinations to match a number and then run it through this merchant. It could be like a dollar or 2, but within a span of five minutes, there could be like 5,000. And what's happening over here is almost 80 percent of them won't go through if you think about it, because they're just trying all those combinations and numbers. Yeah. Yeah. And if you think about it for the card not present, you need like CVV and all the numbers to be matched. So they could be missing out and we could have multiple different reasons coming out of it too. Hey, either they got the number right, but the card was already terminated. Or it didn't match anything specific, but they would eventually catch at least five to 10%, I would say. And then they know that, okay, this thing is working. Then they know that, okay, this 5 percent of the cards, they have those card numbers, which is, think about it from a huge industry scale perspective, it's huge. Yeah. And 1 transaction, like customer was like, I personally wouldn't know if a dollar transaction happened on my statement because I don't see my statement on a daily basis. Yeah. All of a sudden, like we see a hundred dollars transactions or 200 transactions because they know our card numbers, or what they could do is they could just use that 5 percent, they don't want to be caught themselves. They would just use this 5 percent to do 1 transactions and probably they would have gotten successful with thousand transactions. That's thousand dollars for them. Okay. All right. Bye. So that's how they do the sophisticated attacks. But our model, right?
When the mom and pop store could be your next door or something. So from an individual perspective, the score wouldn't have gone drastically up, but the fraud models, they do catch in a sophisticated way, seeing that, okay, this merchant keeps popping up and they didn't have any transactions before, like in a such a huge scale. So that's when it'll start elevating the score. By then, if you think about it, I wouldn't say like too late, but at least some of the transactions would have gone through already. Exactly. Yeah. So there is no right answer saying that, hey, because we as humans, we always couldn't keep an eye out every hour or every minute. So I think it's important to understand that are the risk factors, like how much threshold can we let it go through, and take controls from there.

Got it. So this sounds very close to a brute force of attack that people used to do on passwords, right? It sounds similar to that because you're guessing things and they'll keep brute force hitting the particular server, right? I'm surprised that there are no controls on the merchant side, which is what you were talking about, that probably they don't have as many controls as they should have, right?

Yeah, if you think about it, I think the fraud is overseen on the merchant side because I feel like merchants need to be educated too, let's say if a large trawler, if instead of using 1, what if they're using like 90. Exactly. And even if they don't get successful with 99%, 1 percent is still like very harmful, not just for the financial institution, because we can go ahead and so chargeback is again, telling the merchant saying that customer is not authorized. So we need the money to go back. So there is a chargeback fees too. So it's actually expensive for merchant. So I personally think that merchants as a whole also needs to understand how fraud works and how costly it is.

Yeah. Okay.
So basically when you are saying card not presented, so how would somebody do a BIN attack on a mom and pop store? How are they getting access to that? Because they are you, a mom and pop store would be using a POS terminal, right? And POS terminals typically are not necessarily connected to the internet, or maybe they are connected in the backend, but encrypted to that, right? Yeah. What is the point that they attack? Because in a website and password, I can visualize that somebody is entering the password or basically hijacking the backend connection. But in a mom and pop store, how does that happen?

So usually for the mom pop store, they mostly attack the card, not something on their website. I can give you like an example of a mom and pop store. So it could be an online bookstore or something that comes on top of my mind is I'm a blogger and I wanted to sell my book in online where I open up an online website. And then I put, hey, if you want to buy my book, this is go to this, just enter your details and we are good to go. So these could be like something that are very new merchants. Yeah. Or these could be something that they don't really focus more on the online site. And that's when they see this vulnerability on the online website where, okay, I think we could use this to whatever program that we have to run it over here and then do it on a large scale.

Yeah. I understand. I understand. So I'm like, this reminds me, and again, probably I'm having a dialogue here rather than I'm probably not an expert at this, but what I'm thinking out loud here is, probably there could be a scoring to the merchant itself, whether the merchant has good controls or not. And let's say somebody who doesn't have any controls could have a low scoring and then any transaction that they can have a lower threshold, right? I'm guessing that's what the modeling team does anyway, right?

Yeah. As I said, there is no one right solution for it.
Because they could actually be one or two customers who are legitimately trying to do the transaction over there, trying to buy my book and we are blocking them or anything because we've seen a fraud attack from before. They should understand that, okay, there will be a fraud coming in place, but how much of that risk can be taken.

Okay, cool. So let's go to a different topic itself. So I keep hearing in the fraud industry, a third party fraud, second party fraud, first party fraud, right? Yeah. So one, I would love to understand if you can explain what are these types of fraud and how would you differentiate them? And what is probably out of these types of frauds, what is more challenging to counter?

Honestly, every fraud is challenging because there are more creative ways nowadays than 10 years back on how sophisticated they're trying to be. And it's just, we are trying to catch up on stopping them. So let me start off by saying how the fraud actually goes by. So let's say if you are a startup or a neobank that you're trying to get the customers and you've become from a small scale startup to a medium scale startup. And now the main thing is how to stop the fraud. I feel the first kind of fraud is identity fraud. It's basically happens during the onboarding process where the fraudster has access to the customer's identity information. He probably has information related to his SSN, phone number and everything. And it's not even a surprise that they could read the OTPs too these days because we've been seeing that, oh, fraudsters can actually read our phone OTPs because we thought it was from before. So even the, so the first thing is the identity fraud, where either they're trying to open up a new account or trying to create a new loan. And the problem with this is, let's say they're trying to open up a new loan and they're trying to get the money out from the loan they opened, they even have access to the customer's bank account. Oh wow. Yeah.
So what happens is they take this money and they put it in the customer bank account and then they immediately move it to a different places. Okay. Oh wow. Yeah, that could happen too. So when I say like identity fraud, it could be that they have access to all their information and it's just that they might not have a few things, like some of the key factors I tend to think are like email address or phone number or all this. They could have necessary information, but they couldn't have an email. But it's easy to open up an email, right? So they open up an email and they try to verify their email verification, everything. And now the loan is approved. And then once they got the money, it goes back to the customer's bank and from there move to different places. So that is a risky one. But this is the first kind of fraud that I see, identity fraud.

And then the second is account takeover, the major one. I'm sure like most of us are familiar with it, but this is after opening up your account. Let's say I opened up my account like two years back and I don't really use it often now. It's just that I use it only for like few transactions now and then, but I think I haven't used it in a year. And then I suddenly see my account being taken over. But what could happen is, they could probably open up my account using my login credentials and they might not have my password yet, but they do have my email. So they would try to reset my password and the reset password could be either through OTP or email verification or anything, which they do have access to. And then what they would do is they would probably go there, change their phone numbers. You might never know. And later on, the thing is, since I'm not actively monitoring it, I don't know what is happening to my account. And then suddenly I get these payment, or usually most of us, they do monthly payments. And then suddenly on from my bank account, like a payment going to this, I'm like, I didn't even use this.
Like, where did this come from? And you could be too late or... So that's usually the account takeover. So I feel these two are like one of the most important ones. And the other one that I usually see is synthetic fraud too. Synthetic fraud is having all your information, but you're creating a completely new person out of it. So let's say they have my SSN, phone number and everything. My name is Varun, but they would create someone called Ravi with all this information. And then they would actually use this, create like a completely new person to open up a completely new loan account. But since your SSN and everything, it belongs to me, I would like, if anything default happens, that will come to me.

Okay. So they take the loan, but on the bureau side or to everyone, to the financial institution, you are the one who is liable basically. Yeah. So why wouldn't they use just your name? Why would they need to create a, so how is it different from the first identity fraud that you talked about?

Again, this is not as common as identity or ATO, it's just that they might not have access to their bank accounts. So they would have opened up bank account with another name and they wanted to use that same information so that the bank account matches too.

Oh, okay. They already opened a bank account. And because when you're going to give a loan, you're going to check whether that business bank accounts matches to your name.

Yeah, because usually these are all the controls in place for like financial situations to see, hey, we just don't send money to anyone, right? It's to make sure we have controls in place to, okay, if this bank matches to the actual customer who is speaking, or if it's like a completely different person or anything like that, we don't want to do that. So I feel like the fraudsters, they know, yeah, how the controls work. And then they try to find those little nitty-gritties saying that, okay, I think there is a space over here.
I just want to say one thing, but with the neo banking and stuff, the thing is important is stopping fraud is important, but also the customer experience is important too. So it's a right balance makes us a little hard.

Okay, got it. You briefly talked about that fraudsters know what controls we have in financial institutions or the process itself, right? They're experts on fraud controls itself, which is right for them to be able to, at that level, they should be an expert of that. I want to understand how the fraudsters that you see, like I would expect, like in previous years, when the controls were not that many, you could have an opportunistic fraud where somebody stumbled upon an opportunity to get money out. But now it seems like there has to be somebody motivated and expertise in doing it. So is there a trend that you see in the last six years that you've been working? How fraudsters themselves are evolving?

Oh, definitely. So first of all, it brings back to like how internet has grown in the past couple of years and how sophisticated everything has been, like how easy it is. So that also means, from the financial standpoint, the loans are increasing, though credit cards usage is all time high. And that also means that the fraudsters are also evolved. Before it was just like a stolen card and then you could get, hey, I've stolen a card and then just do some kind of fraud. But as I said, from the first one, like BIN attack, they could actually buy like card numbers from a dark web and then use that for doing any kind of transactions. Definitely the fraud has been evolved a lot from what I've seen in the last six years.
But one thing that I've noticed personally was there's always like a test thing the fraudsters do, and this is from my understanding, like just to make that the fraudsters usually try to test or how their strategy works on a fewer scenarios and then they try to do like a wide scale. But this doesn't happen all the time, like sometimes they just go all in, but from what I've seen they tend to start off small and then go from there.

Yeah, and you also talked about technology, how it's been evolving, right? And obviously the talk of the town now is generative AI, right? So what's your initial feelings about how the tech is either for you or for the fraud?

Obviously generative AI has grown, especially in the last one year. I think it's one of the biggest evolution to be like right after iPhone is what I think, because it is really helpful even on our day to day basis if you wanted to do anything, but on the fraud, it keeps changing. If we have access to generative AI, even the fraudsters might have access to generative AI. Exactly. And it is a very powerful tool. I can say that. It could really help us in stopping the fraud. Because one of the major things is like anomaly detection. If there is any anomalies from a daily different pattern. And I know we have like models running right now, fraud models or anything that able to catch those. But I think with generative AI, it could be more powerful. And the one other use case that I think with generative AI is matching up with like biometric verification or anything like that could be really helpful, because I could say that it could really help us in catching those biometric verifications. But if you think about from the fraudster side, now they have this generative AI to create a face of mine and then create a loan application, like who would stop them. So I think there is no right way, and I couldn't say that Gen AI could completely stop fraud. It won't do that. End of the day, the manual processing needs to be done, but it's just that it would be really helpful for us with finding those nitty-gritty patterns using generative AI.

So the other type of fraud that I would love to understand a little bit, and probably I'm not the best person. I actually live in Singapore. And so my knowledge about the U.S. payment ecosystem is also very limited in that sense, right? But I wanted to understand that one type of fraud, which is around ACH fraud, right? And I would love to hear some more details about how this fraud happens and how you guys fight it.

So ACH is a payment you usually, if you have a credit card balance or anything that you wanted to pay it off or pay your balances, that's like an ACH transaction you're doing from your bank account to your credit card balance. So one thing...

Is a different bank?

It can be a different bank. So let's say I have a Chase account and then I have a Wells Fargo bank account. I'm trying to pay off my credit card, a Chase credit card using Wells Fargo. So I'm doing an ACH transaction for that. So the thing with the ACH is it was always considered to be safe because we need to have routing number, account numbers and everything. But the problem is there could be a written fraud too, saying that, hey, I didn't do this authorization. I didn't authorize that to go through this ACH transactions, but we've already cleared the balance for the customer. And then, okay. From the credit card standpoint, it might not see too much, but let's say from the deposit standpoint, you say, hey, I've moved my money from one account to another bank account. And then the customer or the fraudsters would have probably taken that money from that deposit account and moved it to his personal level to multiple accounts. But then the customer says that, hey, I didn't do any of these transactions from my bank account. So the bank who he sent the money from, they wanted to get those money back because he said it's unauthorized.
The loss is from the one who is in the middle. That's what happens. The fraudsters might have access to both accounts. And then he did an ACH transactions from one account to another account and then moved it from here. It could be a part of your money laundering too. We don't want to know, but it's important to know that. Having the right controls in place can really help that, but usually ACH is, you could say, more trusted because it's one customer saying that, hey, I know that personally I have sent this money from this account to this account.

Okay. Got it. And there's also a new type of payment that is also coming up, right? The RTP, I believe real time payment that is being tested right now. I think it came into existence in the last one year, right? Again, this is probably not related to fraud itself, but I wanted to understand how the ecosystem is evolving from ACH to RTP itself.

It hasn't been like a very wide scale from what I've seen because the fraud from the ACH is still comparably less compared to the other or from transactional fraud or anything like that. So I felt like it isn't wide scale yet, but you never know. The fraud keeps growing.

Yeah. Okay. The other thing that I want to talk about was about third party data and how it can help in a startup of how they can fight the fraud itself. And how do you use third party data itself?

Oh, I think no matter how much data you have, it's really important so that it could be very helpful in identifying if it's like a truly fraud or any false positive or anything like that. But there is no one solution saying that, hey, I think if we get all this data, we could be able to stop the fraud. No, that couldn't happen. But it's important to know that we consider all these, what kind of data is important for us. Do we think if the email is associated to the right customer or if the login they're doing it from, is it like a valid login or is it like a proxy coming in?
As a startup, we wouldn't know in the initial days. So that's where the third party data come in, where they could help us get this information. And from there, we could use this to determine if whichever the new application that comes in, if it's like a truly fraud or it could be false positive. I've seen people doing weird things that we thought, okay, it's truly fraud, but coming up, it's... So you wouldn't always rely on the data, but it's important that all this can help us determine if it's okay, considering all these factors, because one of the third party might give us how the email is connected to the customer or one of the other third party can give us like, hey, how the login IPs coming in, is it actually like legitimate or not? So you just have to combine all these and then make that conclusion saying that, hey, I think based upon all these variables and factors, I think this is truly fraud or it might not be fraud.

Okay, wonderful. Wonderful. My final question is probably, and again, this is something that I ask all my guests is what's something I'm going to be in the fraud space, right? What is something that is frustrating to you that you think that should have happened and that from a technology or a regulation or any of this point of view, what is your frustration that you think that it is easily solvable, but it's not happened?

Oh, that's actually a great question. So I think for me, when I initially started on the fraud, so my frustration was, how could we think this control has to be in place, but you cannot, the control is not in place because you think, hey, I think this is like basic. I'm just giving like an example. Let's say we're changing a phone number on an application, but then there is no control in place saying that, hey, you can change this like this. There is no like a verification happening. Isn't that like normal saying that, hey, if you're changing a phone number, you have to make sure it's connected to the right customer.
It's connected to the customer who is present. And that felt like very frustrating to me on the initial days, like all these are normal. Hey, if you have a new application, if you're changing a phone number, it's mandatory to do anything. But there are a few way, few things that still happens thinking that, oh, I think over here, I think you need to do some control in place, either some verification or a biometric thing like makes sense. But as a person who fights fraud, you think it's common, but if you think from business perspective, it's a customer experience too. So that's important too. So you need to give like a friction. You don't want to give too much friction to the customer. Exactly. So I understand like from a business perspective, it's not really needed, but from a fraud standpoint, oh, I think it's really important over there. So I think it's the right balance to see that, hey, if we do this over here, how many customers are we like losing and also how much fraud losses we might have. I think having the right balance is important.

I understand that was really insightful. Thank you so much for spending the time with me and I would love to have you some of the time back again and thank you again, have a good day.

Thank you so much. You've been really great. All the podcasts was really informational and really helpful in my personal work to keep doing what you're doing. Thank you and see you.