Fraud Technology Podcast

Episode 15: Reverse Engineering Cyber Criminals’ Tactics

Ravi Madavaram Season 1 Episode 15

In this episode of the Fraud Technology Podcast, host Ravi interviews Blair Ramsey, a seasoned expert with over two decades in the fraud industry. The discussion centers on the structure and nuances of fraud operations (ops), contrasting it with the technology side of fraud prevention. Ramsey elaborates on how ops teams are structured differently across industries and institutions, and how fraud detection can be triggered by both customer alerts and internal risk rules. He emphasizes the importance of balancing cost efficiency and thorough investigations, as well as the crucial role of customer education in minimizing false positives. The conversation also touches on the integration of AI and machine learning in fraud detection, while highlighting the indispensable role of human judgment in investigative work. Ramsey shares insights from his experience in the gaming industry, drawing parallels with financial services, particularly in handling identity fraud and managing customer expectations. The episode concludes with a discussion on the evolving role of biometrics and consortium-level data in enhancing fraud prevention efforts.

Hi, welcome listeners. Welcome back to the Fraud Technology Podcast. Today we have a renowned guest with over two decades of experience. Again, we've been seeing a lot of experienced people in the last few rounds of interviews, and we have with us Blair Ramsey. He has been in this fraud industry for almost two decades and it's a pleasure to have him here. Welcome to the podcast, Blair.

Thank you, Ravi, it's a pleasure.

The pleasure is ours as well. So the first thing that I wanted to understand from you is: you work predominantly in the ops space of fraud, right? We've talked to a lot of people on the technology side, but you're probably the first one who has a lot of experience on the operations side itself. So could you help us understand a little bit about how ops is structured? What are the day-to-day nuances of a fraud ops team, and what are the kinds of success factors for the ops team itself? We'd love to understand a little bit about that.

Yeah, absolutely. I think it varies between industries and I think it varies between institutions. So if I look at it from a macro level, Ravi, you can have everything onshore, from your upfront fraud detection through to investigation and disputes and chargebacks, versus maybe a slightly different approach where you have some of your functions onshore, domestic U.S., and then you have some of your back office support functions maybe offshored in places like India or the Philippines.

Okay. Sounds like kind of a BPO or a call center setup, right? Maybe it's not a call thing that is happening, but it's more like a KPO kind of process, where you have offshore level one support being done by countries like India and the Philippines, whereas level two and three is being done in the U.S. Is that the understanding?

Yeah, that's definitely one of the approaches you see. And clearly that's an expense-related move.
But as things change, as regulations change, then you do sometimes see a little bit of swinging back and forth, depending on where the appetite is and where fraud losses are.

I understand. And when you're doing this, so for example in a call center, I can imagine that a customer requests something, they call the company, and that gets routed to a call center, right? So in your case, what is the trigger for a fraud process to start? Is it like an internal system raising an alert that then goes to your team? So what is the trigger for your fraud ops team?

That's a great question. It can be triggered by multiple different things, right? I think first and foremost, it can be triggered by the customer themselves. They see a transaction on their account and they don't recognize it, so that becomes a phone-call type of communication. It can also be triggered by internal risk rules. We'll set up rules based on historical events and patterns to determine whether or not that particular transaction is a normal type of transaction for that individual, or if in fact there's something suspicious about it.

I'm assuming when you say customer-triggered, something like a chargeback would be a customer-triggered transaction, because the customer doesn't recognize it.

Correct.

Okay. And the other one is generated by the system itself. The other fact that I also know is that the fraud monitoring tools that exist in the market do generate a lot of alerts, a lot of them being false positives, even to the tune of 99%, right? So I wanted to understand, because when it's a chargeback, there is a particular case that is happening. It has to be resolved. It is real. Some disposition has to happen for it. Whereas when it comes as a trigger from the system, the number of customer queries can probably be predictable, but the number of alerts that are coming in, I don't know.
I wanted to understand your perspective on when alerts are generated by the system versus by a customer. How does it impact you as the ops team itself?

It's a large trigger for a lot of the work that we get, and you're right, there are degrees of false positives that exist within that population of work. But it's definitely about, in all the organizations out there, it's definitely about educating the customer that they may receive a notification alert as a result of our ongoing monitoring for their security. So they tend to be okay with the false positives when you educate them from that vantage point. And obviously it's an ongoing analysis, it's an ongoing movement, so we're always looking to reduce the false positives: when people travel, when people shop at stores or spend larger amounts transactionally than they normally do. We try to educate them on giving us advance notice so we can allow those to go through versus get declined because it exceeds their spend limit. I think the short answer is it comes down to that ongoing customer education, the ongoing knowing your customer, and letting them know that you're there for their security.

I'm probably understanding this, but I want to clarify if my understanding is right. So what you're saying is, when alerts are generated, they don't necessarily go directly to the fraud ops team. First they go to the customer, for them to say whether that alert is genuine or fake, and based on what their input is, it then goes to the analyst team or not, I'm assuming.

Correct. The rule kicks out, it will trigger a notification or a text message to the customer. The customer can then verify whether or not it's a genuine transaction, and then based on their response, that will then go down a path of requiring additional due diligence, or get accepted and put to rest.
So in this case, if it's a text message, assuming the customer received it, he or she saw it and decided that it's a genuine transaction that they're doing, most of the time they don't do anything. If it is something that they see as a flag, they will call, right? So there is an action from their side right away. If it is not a false positive, if it's a true positive, then it's likely that they will call you back. But if it's a false positive, it may be a scenario that I have not checked the text message, or I have checked it but not responded to it. So how do we know? I'm asking this question not as a theoretical question, because I remember when I lived in Singapore, there was this fraud that happened where a bank sent a text message, and either it was rerouted or the hacker had blocked the telecom OTP itself. And so the customer did not receive it for a long time, and the bank assumed that they received it and didn't say anything. So they assumed it was a genuine transaction and it went through. So in this scenario, not receiving feedback from the customer could be assumed to mean that there's no problem, right? But in some scenarios, maybe they didn't even receive it. I'm assuming if there's an app, you can also send a notification, and the notification can be a yes or no approach, basically. So I wanted to understand, when it is going to the customer, what if the customer does not respond? What is it taken as?

There's a couple of different tactics that can be used. So if it's highly suspicious, such as a high risk country, then we can definitely freeze the account until the customer contacts us. If they're choosing not to respond at that moment, we can assume no contact to be good until they contact us. Now the beauty that a customer has is that they have some pretty long timelines to be able to file chargebacks and disputes.
So whereas they may not see or respond to a text message at the moment it's sent, they have multiple months to file, right? And then, the last thing I might say on that, it comes down to that ongoing education. So we would encourage customers to review their accounts and their statements on at least a monthly basis, if not more frequently, so that it becomes a two-way relationship. If we know that you're constantly checking and we are trying to give you the notifications, at some point you'll notice that there's something unusual about your account. Now the only exception to that, I might say, Ravi, is in instances of full account takeover, where the fraudster has taken over the account and all of the maintenance, the email and the phone number. That can definitely occur, and obviously we have the strategies in place to mitigate against that also.

Got it, got it. Also in your response about the ops itself, you talked about analysts and also the investigation part of the operations. Investigation typically is not very structured, because you follow, there's things like, you know, when you watch detective shows, you follow the money, things like that. Right? So one is a very, very unstructured process, whereas when you're talking about level one going to India or the Philippines and then level two, level three going to somewhere else, one is a volume game. I'm assuming it's a volume game where economics is important, whereas the investigative part is more, you need more senior people. How do you balance between these two?

So, not everything detected requires an investigation. Start there, right? It may just be that my wife spent money on my account and I didn't know about it, and now I'm getting an alert to say, why's your wife spending so much money? So there are genuine instances of where that happens. Right. So that then takes care of itself. So it becomes a numbers game, right?
So it will be a percentage of the total reports that then go to investigations or will be disputes. And then over time, and with the size of our overall portfolio, we make an analysis of what we think we're going to need to handle X amount of investigations. So an investigation takes 30 minutes to complete, as an example. Then if we're going to receive 500 investigations a month, then do the math and we'll go from there.

Okay, got it. So if I understand correctly, the volume game is to figure out false positives, I'm assuming, right? You eliminate all of the unwanted things which were wrongly flagged, and then within true positives, I'm assuming only some of them are investigated, not all true positives. If a hundred dollar transaction is going south, or let's say, even 10, let's say a hundred dollars probably is on the higher side. If it's 10, there's no point even doing an investigation, just refunding it would make sense, because Amazon does that a lot. Because I would tell them that, hey, this food was not delivered correctly. They would not even ask you a question, or for sharing photos of this. They'll just say, it's only 20, let's just move on. Right. So I'm assuming that's also what's happening as well.

Yeah. There's definitely thresholds in place on what makes sense from a breakeven standpoint. Right. And it does vary in the financial industry. I've seen that being as low as 25, but in some instances and at some times of the year, as high as 150. Right, so you think about your traditional U.S. Thanksgiving Black Friday shopping period. That's going to generally generate a lot of transactional volume. So turning the dials, I like to think of it as turning the dials on the oven, right? We can turn the dials based on where we want it to be so that we can control the volume.

Okay. So if I'm getting that right, now I'm going to the part of your KPIs and how you operate.
Obviously, I think it would be considered a cost center to the company. So the business teams would obviously have pressure on you to finish the investigation as soon as possible, because customer service is obviously pressuring you, when is this going to finish, right? So what are the business pressures for the ops team itself when it comes to operating in the fraud ecosystem?

I've often had some real good conversations on this, because there's clearly pressure from a core KPI standpoint. And in an operations center, it's typically how much can you get done in how little time. Right? Number of units per hour, number of units per day, whatever. But I think the counterbalance to that is, while it is still a fair way to look at it, if I'm going to take a little bit longer to save the organization money, and that money is multiple X of millions, then I would debate with anyone that it was a worthwhile investment to take a little longer.

Okay. So you're basically calculating ROI, essentially, that you're saving this many dollars and this is my cost, and that is how it makes sense. But on a day-to-day basis, I'm assuming between, let's say, customer support, when there is a ticket to the fraud team, the fraud team does the investigation, I'm sure there are SLAs within all these processes, so that they can communicate to the customer as well: hey, we'll need two, three days to do this and we'll get back to you. Something like that, right? So what are the kinds of SLAs that exist in this ecosystem?

So you're a hundred percent correct. There are key metrics like SLAs, productivity, things like that. They're obviously averages, but from a customer contact standpoint, we normally try to give a cushion of anywhere between one and five days, but we've balanced that off in the past by providing conditional credits to the customers.
Right, because as a customer, if you have fraud on your account, my experience has been the only two things that you're worried about are: am I going to get my money back, or am I going to be charged interest for it? Right, that's number one. And secondarily, do I need to get a new card because my original card details have been compromised? They're the only two things you're worried about. The consumer is not worried about our internal processes or our internal issues, right? So if we can handle those two things up front and immediately for the customer at the detection stage, everything else doesn't matter, to the customer at least. And then we can back into, whether it is three to seven days, three to ten days, whatever that SLA is, to finalize the investigation; we'll deal with that internally. Now it is important, because clearly it becomes a cost item for the business, but when you put the customer front and center, the only two things that matter are the two things I mentioned.

Okay. So just to reiterate, the two things that we need to address from a customer standpoint are: one, am I going to get my money back? And the second one is the card that I'm using for this transaction, whether I want to change it, whether I need to cancel this one and then get a new one. Okay, fair point, I guess, from a customer standpoint. True. Whenever I had some sort of a transaction happening, I think most of the time I called up and they'd say, let's cancel the card. In the first call itself, they'll typically tell you, cancel this card, I'm going to cancel it. Or they will tell you already that, I'm going to cancel your card, I'm going to send you another card. And then whether they confirm the money or not, I don't remember that. I don't know. But yeah, good point. That reminded me. That's in my own experience, it happened.

And you know, in some instances, at the point, it's sort of a notification feature set up.
In some instances, if you indicate that you don't recognize those charges, depending on how sophisticated the technology is in the institution, that in itself can be enough to trigger the new card being issued.

Okay, so it's automated.

In some instances, yeah.

Yeah, okay. I think the first time I complained, I think the card was not given right away, but the next time I complained about a similar transaction happening, then they cancelled the card automatically. They didn't even ask. But the first time I think it happened, they were still trying to figure out whether it's a real fraud transaction. And then the second time, I think they could see the transaction being very similar to the previous one. So I guess the decision was simpler. And that's it.

Yeah. That's a very different situation. Possible.

Yeah. And I am guessing even the different times the customer comes also changes things as well. Yeah, because the risk changes. If one transaction happened the first time, maybe lower risk. But if the same transaction happens a second time, then you have a higher risk, then you've changed. Right? One thing that I also wanted to understand, because there's a lot of talk about generative AI, there's a lot of talk about tech, right? But you deal with people, right? Fraud ops, the core of it is people. I personally am a strong believer that no matter how great AI is, you still need to have a balance between a human mind and AI. And I wanted to understand from you, how does this coordination, this give and take, work? For example, the human obviously has a lot to offer to AI, and obviously AI has a scale that a human probably can't match. And I wanted to understand from your perspective, in fraud ops itself, how does this play out?

Yeah, no, I think it's a great question, Ravi. There's some really great tools on the market currently that provide those capabilities.
So you think about AI, you think about machine learning, and then I would almost complement them with a third that I find really interesting, and that is consortium-level data. You have providers on the market today that may have 5,000 customers globally, that then have multiple millions of customers that use their product. If you buy into that consortium-level type platform, you're getting the benefit at a macro level of that consortium data. So if the overall consortium data says that Blair has a risk score that is above where the organization's acceptance is, then I get the benefit of that as a customer of that consortium platform. So I think the AI, the machine learning and the consortium data are really critical at this point, but you're right. I think what it does is it definitely automates and optimizes much of the functionality, but you still need an element of human touch to do some of the investigative type work.

So where do you say you still need human touch? In what aspects of it? Let's say, I'm assuming when a system generates alerts, when a human says that it's not a true alert, claims that it's a false positive, I'm assuming all these inputs are going into the system and then it gets optimized. So I wanted to understand, how does human touch help, essentially?

You're still going to have those false positives within the consortium-level platform or AI and ML platforms. So there's going to be instances where you may still need to make a judgmental manual decision. It may be an exception, right?

Yep.

So I think there's still an element of that that exists. And then I think the second part of it is, from a support standpoint, you still need somebody to make the adjustments and write the rules that then are specific to your organization.

So when a decision is being made that this transaction is fraud or not fraud, right?
Is there a regulatory requirement, or maybe there is no clear black and white rule like that, but is it looked down upon if a system makes that decision?

No, it is not. In fact, if you move away from the financial sector and maybe use the online sports betting and gaming sector, which I've also had some experience in, that becomes a very jurisdictional-based scenario. I think in the U.S., each state has to have independent regulatory approval. So geolocation data becomes critical in that instance. But you can still utilize the automation within the system to make those decisions. You just have to write your rules slightly differently, by state.

So my actual next question was around fraud in the gaming space, because I noticed that you worked in the gaming space itself. So I wanted to understand: in the financial space, I know it's a very heavy industry which focuses on this, and there's a lot of talk about fraud and compliance getting merged and things like that. There's a lot of attention, money and effort going into it, right? So I wanted to understand in other industries, and especially because you worked in the gaming industry, how that plays out, what even a fraud looks like. I mean, I only remember, when I think of gaming fraud, I don't know if you watch Big Bang Theory. There is this one episode where somebody steals in the game: I win a sword and somebody hacks my account and steals that sword in the game. I'm guessing you are talking about the betting industry. But in general gaming, the online gaming industry itself, there could be account takeovers and somebody stealing some assets from your account. They may not be money, but assets. So I wanted to understand how the gaming industry itself is structured.

Yeah, so it's interesting, right? Because there's definitely some correlation with the financial industry.
So if you think about your traditional ATO type fraud, that definitely can exist. I think there's definitely a big play on the identity piece, identity fraud, right? Because a lot of the gaming industry is through mobile apps and online logins. So if I can steal and create a login with your identity, then I can certainly go that route. And then I think the other two that I would probably call out are fraud by way of stolen credentials for a credit card. So I go on the dark web, I buy a credit card in your name, and then I use that instrument to load my online betting account, and then I can win money with stolen money and then take it out and disappear into the sunset, right? So I think that's definitely a thing. And then I think the last one that I might mention in this space, from a type of fraud standpoint, is probably related to what I would call your equivalent of buyer's remorse. So in the financial industry, you go, you buy a new jacket or a new pair of jeans or something, and then you decide, oh, I don't like it, I'm going to take it back. Yeah. Whereas in the gaming industry, you have people lose money and then they try to claim that they weren't the ones that spent the money. Like, somebody hacked my account, this wasn't me, my credit card was stolen. So you see a lot of that from a buyer's remorse standpoint.

How do you identify such a thing? I want to understand how you would go about it.

Yeah, I think it depends on how sophisticated you are with your tools. So if you register for a particular platform and we've got your device ID and your IMEI number from your device and we've got biometrics, you've played with us before using that instrument and it's within your typical pattern. Like what I'm doing right now is I'm creating a profile of Ravi and what he typically has done and the behaviors he typically has.
So if you come back to me and say, well, I don't recognize that 10, that wasn't me, but you bet 10 every Saturday on that same device and have done for the last year, my ability to challenge the chargeback gets stronger, right? Because I can demonstrate linkage that it was you. There's definitely pieces of data that you can submit as compelling evidence as part of the challenge to the chargeback that will help your case in winning it.

Hmm. Okay. And typically in the financial services space, from a customer standpoint, I'm also very serious about my credentials. I don't share my banking credentials or even the passwords. I don't replicate them anywhere else. But with gaming, I'm generally very loose about it; sometimes I don't even use my own credentials. I even have a secondary email just for that sort of thing, so that I don't have to use my primary email for this kind of thing. So what is even a request? So for example, if the gaming company decides that this is you, this was done by you, what would a customer be able to do?

Yeah, I think you see a lot of that in so much as, you know, I think you would call it probably some online sort of social gaming. Right, so Blair gave Ravi his cell phone and said, hey, we'll use a hundred bucks on whatever. Right. But I gave you my credit card. It's supposed to be a hundred bucks. Enjoy yourself. That definitely exists. There are some strategies that you can put in place upfront from a verification standpoint that will help you. Now it will not 100 percent meet it, but it will certainly help. But at the end of the day, it comes down to: they have the ability under the Visa, Mastercard, Discover and American Express rules to file a chargeback. So even though you and I may be friends and we may have agreed that you can use my card, I could still file a chargeback.
So there is a little bit of an opportunity there to close, but then you go back into the previous items I mentioned, that is: okay, so you placed a bet at this amount, and it was on the same device that you've always used, and it's with the same card, that's the same IP, and it's the same geolocation. You start backing into some of those parameters, and you build your case around that.

Okay, I understand. So you talked about identity fraud and a few other frauds, the other frauds being a little more relevant at the transactional level. So I wanted to understand, is identity fraud an issue in the financial services space? Because you do KYC, obviously, but is that still a problem?

Yeah, I think it is. I might say it is the biggest part of the problem. In my experience, I think if you let the bad guys onto your platform, then they can do what they want to do. If you can prevent them at the start of the process, at the identification or the biometrics, and you meet them at the start of the process, then they don't even get an opportunity to come in and do the bad thing.

You talked twice about biometrics. You talked about biometrics in the gaming industry as well. So you're talking about facial biometrics for creating accounts, like liveness detection and taking pictures. So that's what, oh, okay. I come from that industry, so it's like just confirming. So good to hear that, because I see in the U.S. face biometrics is not as popular as in the rest of the world, actually.

Yeah. The chip cards or chip and PIN on your card, the U.S. has lagged a little bit, but it's definitely what I would call a saturated element of the market. There's a lot of good companies out there and a lot of new ones coming on board into the market in the last probably three to five years. So I think they're starting to get it. That is a critical piece, but I would agree. I think there are areas that are more advanced than the U.S. market.

Yeah.
So that was my first surprise when I was exploring face biometrics in the U.S. market, because that has become more or less a gold standard in the rest of the world, especially for the developing countries, where identity is a big question mark. So you take face biometrics and compare that to the ID documents. So that's been pretty popular, basically. And I was surprised to learn that in the U.S. that's not a standard practice, and very few companies actually do that. Okay. So one of the questions that I wanted to understand is, obviously you have the ops team and you have the global operation in place, right? So how do you manage the global aspect of it? And I also want to tag that along with what I have known: if within the first day of the transaction being a fraudulent transaction, if you can get onto it in the first day, you have a higher chance of recovering it or doing something about it. The more time you take, the money is lost, right? You may decide that it's fraud, but you will never be able to recover the money itself. So I want to understand, given the global nature and the time zones and the time sensitivity of needing to respond back as soon as you can, how do you optimize all of this?

So earlier in the conversation, Ravi, I talked a little bit about two different models. The first being an onshore model completely in the U.S. Now, unless you've got a round the clock, 24/7/365 operation, as is the case in some instances, that becomes a very expensive model. But I think that's then where you can optimize it from a revenue standpoint by having an offshore or partial offshore model, to keep costs down, but it will ultimately still give you that round the clock visibility where you can detect or act upon fraud early, versus letting it wait until the morning.

Okay, I understand, I understand. That more or less summarizes most of the questions that I had. It was a pleasure talking to you.
I mean, I understand fraud technology a lot better than fraud operations itself, and it's been a pleasure to learn more about ops teams and how they're structured, what the pressures of the team are. So nice to have that conversation. Thank you so much.

Yeah, absolutely. It's been a pleasure, and thank you for having me.

Thank you. Have a nice day.

You too. Bye.