This column is available in a weekly newsletter called IT Best Practices. Click here to subscribe.
Companies that provide online transactional services to consumers or other businesses have to be concerned about fraud. Whether it is renting hotel rooms to travelers, selling books to avid readers, arranging shipping services for hard goods, or any of the thousands of other types of sales and services transacted online, the entity behind the online business needs to know if the end user and transaction can be trusted.
The credit reporting company Experian says that e-commerce fraud attack rates spiked 33% in 2016 compared to 2015. Experian attributes this increase to the recent switch to EMV (those chip-based credit cards), which drove fraudsters to online card-not-present fraud, and to the vast number of data breaches in which users’ online credentials were stolen. The Federal Trade Commission says the number of consumers who reported their stolen data was used for credit card fraud increased from 16% in 2015 to 32% in 2016.
Fraud is one of those dark ugly things that has traditionally been part of doing business, but the cost is rising so quickly that companies can no longer ignore it. According to the fraud detection company Sift Science, the cost of managing fraud has jumped 8%, and the true cost of fraud is now 2.4x that of the original loss. That is, for every dollar that is lost to fraud on the revenue side, it costs $2.40 to deal with the penalties, fees and the general management of the problem on the back end.
Most e-commerce merchants have basic controls in place to try to validate the billing for transactions; for example, by comparing the billing address the customer provides to the address the credit card company has on file for that account. In the face of motivated fraudsters, such controls might just as well be non-existent because they are easily skirted.
Companies could turn to more stringent security measures such as multi-factor authentication, or micro payments deposited into customers’ bank accounts and then verified days later. While such measures help to reduce fraud, they also create friction with end users who prefer to have a simple experience when completing a transaction. Putting up too many visible security measures could drive customer traffic elsewhere.
Increasingly, it’s falling to the CIO or CTO to figure out the best way to insert frictionless anti-fraud measures into the security stack of the online business. The traditional approach of using a rule-based system can’t scale; it’s simply impossible to create and maintain rules that can cover every possible scenario. A more effective approach utilizes machine learning and automation to mitigate the risk of fraud.
Sift Science says it has developed a solution based on machine learning that doesn’t force a trade-off between security and usability. The company says more than 6,000 websites around the world have already implemented its solution from to protect the merchants and their end users from fraud, and to detect different kinds of bad actions. Sift Science’s product spans multiple areas of fraud, including:
- Payment fraud – A fraudster uses a stolen payment card to buy something.
- Account abuse – A user acts inappropriately within an account, such as not following the terms of service and behaving as a bad citizen of a website.
- Content abuse – A user writes malicious, hurtful or “spammy” content in a community or comments section of a website.
- Promotion abuse – A user takes advantage of a discount promotion by creating other accounts with which to share that same promotion.
- Account takeover – A legitimate user has his login credentials stolen by a bad actor, who then uses the credentials to perform other bad actions.
The nature of fraud is broad and it affects a range of businesses. The same person who uses a stolen credit card to buy goods from a merchant might also use it to pay for a trip to Vegas. Sift Science takes a very holistic approach to fighting online fraud, and that’s where the vendor’s large customer base comes into play. More on that in a moment.
To get started, a Sift Science customer instruments their website using REST APIs and a JavaScript snippet. This enables the customer to send a signal to the vendor in real-time. The signal contains data points associated with user events that are specific to that business; for example, details that an end user enters when he creates a new account.
Sift Science calls this the data injection component of its solution. It sees the signals, and all the different user behaviors happening through mobile devices and web browsers, coming from those 6,000+ customer organizations.
All of this data goes into Sift Science’s proprietary machine learning system, which uses multiple learning models. Custom learning models are specific to a particular business because certain behaviors of users of that business are unique. Network learning models incorporate data from across the spectrum of Sift Science’s customer base. The network learning models are important because bad end users – those that behave in a fraudulent manner – could have accounts with multiple websites, and spotting bad behavior in one website helps to identify it in others as well.
Sift Science uses a live learning component (called online learning in data science parlance). This means that new data samples are ingested and evaluated as soon as they come in. Thus, if a sample is judged to be associated with fraudulent behavior, an action can be taken in real-time to suspend a transaction, or set it aside for manual review. Sift Science updates its learning models constantly, in real-time, which allows the company to update the knowledge it gets and disseminate it across its entire customer base.
A third component of the solution is a workflow automation engine that enables customers to automate their businesses and their flows. Traditionally the output of machine learning is a score of how likely a sample is or is not correlated with a classifier; for instance, is the sample positively correlated with the label of “being bad,” or negatively? The workflow automation engine can take that correlation score and make the business process do something about it, such as automatically reject a user, throw the user into a queue for manual review, or surprise the user with a coupon to reward good behavior.
The last component of the solution is the analyst console, in which Sift Science tells a story behind the data. This helps customers understand the true nature of fraud—to see why an order or a transaction surfaced as fraud.
Sift Science says it is able to help its customers dramatically reduce fraud rates and improve their businesses in other ways. The company claims, for example, (although I couldn’t independently verify) that customer HotelTonight has had a 50% reduction in chargebacks since using Sift Science, and that Shippo no longer has any full-time people dedicated to fraud and the company experiences zero false-positives.
For online businesses, fraud is a serious and growing problem that rule-based systems can no longer address. Machine learning is instrumental in detecting and stopping fraud in real-time.