Fraud has been on the rise lately with some recent high-profile cases like the Zappos leak a couple of weeks ago. The systems are unfortunately the target of fraudsters on all possible fronts:
- Origination or on-boarding: Can I trust this individual to do business with?
- Transactions or claims: Should I let it go through?
- Investigation: Is this transaction actually legitimate? Can I trust this individual?
- Management: How do I treat this flagged individual or transaction?
We often think of risk management as a Financial Services specialty but many if not all businesses can be the target of fraudsters. In my talk with eBay at BBC, Kenny and I discussed some specifics of Fraud Detection for a retail site. This is a significant problem they need to tackle very quickly, as you can imagine. Here are some numbers that speak to the size of that problem:
- 2 rules deployments every week
- 20+ rules analysts around the globe depend on BRMS to innovate in fraud detection and risk management
- 110+ eBay user flows
- 300+ Rulesets
- 600 application servers running rules (in the slides), 1200 approved on the day of the talk!
- 1,000+ variables
- 15k+ rules
- 50M+ fired rules a day
- 140M+ rule sessions a day
Let me share some of the key take-aways of the talk.
1. Fraudsters look for a good ROI
The same way that businesses consider the Return On Investment, fraudsters are on the look-out for the biggest bang for the buck. They continuously look for the weakness in the systems or procedures that can be exploited at large-scale. With that in mind, you could consider that the Fraud team’s job is not to make it impossible to abuse the system, but rather to make it *expensive*.
We have all received phishing emails, ranging from the African Dictator’s survivor to the Lottery Grand Prize. We know of credit card abuse, etc. Kenny shared some more unusual examples of fraud that eBay had to react to.
Account Take Over is a major issue. Originally fraudsters simply logged in to create new fraudulent listings. eBay started tracking the IP addresses in the account history and used it for comparison in case of new listings. Fraudsters eventually realized that they could instead revise the seller’s existing listings to the fraudulent ones. eBay introduced some delays in making the change visible to allow for verification. The fraudster found out that eBay, as a policy, did not delay those changes when made in the last 12 hours of the auction…
This feels very much like a chasing game. Kenny compares it to “catch the mouse”.
Here are some other “creative” moves from the fraudsters:
Fraudulent listings include contact information highlighted in the description to get the buyer to transact outside of eBay, by-passing the security measures of the commerce platform. eBay introduced a word search for email addresses at the time of posting. The fraudsters started posting their contact details as images!
A clever twist in the Fraud scheme caused an interesting puzzle for the Fraud Detection team. They realized that, after the fraudulent listings had been removed, they eventually reappeared despite the measures they took to block access… until they realized that, elsewhere in the account configuration, the fraudsters had made sure that non-sold items were automatically reposted. The automated rule repeated the fraud all by itself!
Fraudsters can get quite sophisticated. This “organized” crime organization moves fast and spreads everywhere through fraud rings and distribution channels.
2. The Intelligence to stop the fraudster
That is one fascinating aspect of the Fraud space: it is a moving target. You always need to solve new mysteries and devise plans to stop the fraud. If you love puzzles like I do, you cannot not be enticed by that challenge!
The rules analysts need to come up with rules that flag the fraudsters, all the fraudsters and only the fraudsters, as comprehensively as possible, as precisely as possible and as fast as possible. The metrics that are typically used to track the success of those business rules are the Hit Rate — when I flag a transaction, how likely is it that I catch an actually fraudulent transaction — and the Catch Rate — out of all the fraudulent transactions, how many do I catch.
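
To make the two metrics concrete, here is an added example (not eBay's rules or code) that scores three flagging rules against labelled events and reports Hit Rate and Catch Rate for each. It goes slightly beyond the paragraph by modelling the rules on the account take-over and contact-detail checks described earlier; the event fields, rule names and sample data are all constructed assumptions.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    """One listing creation or revision (constructed schema, not eBay's)."""
    description: str
    source_ip: str
    hours_to_end: float   # hours left before the auction closes
    is_revision: bool
    fraud: bool           # ground truth, e.g. confirmed by case workers

KNOWN_IPS = {"198.51.100.7"}  # constructed account history (documentation IP range)
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

def email_in_description(e):
    return bool(EMAIL.search(e.description))

def new_ip(e):
    return e.source_ip not in KNOWN_IPS

def late_revision_new_ip(e):
    # Revision in the last 12 hours of the auction, from an unseen IP.
    return e.is_revision and e.hours_to_end <= 12 and new_ip(e)

RULES = [email_in_description, new_ip, late_revision_new_ip]

# Constructed sample events; none of this is real data.
EVENTS = [
    Event("Vintage camera, works well", "198.51.100.7", 120, False, False),
    Event("Mountain bike, lightly used", "203.0.113.9", 96, False, False),
    Event("Laptop, email me at deals@example.com", "203.0.113.50", 72, False, True),
    Event("Laptop, see picture for contact", "203.0.113.50", 6, True, True),
    Event("Camera, price lowered", "198.51.100.7", 3, True, False),
    Event("Warranty questions: support@example.org", "198.51.100.7", 48, False, False),
    Event("Phone, write to fast@example.net", "203.0.113.77", 30, True, True),
    Event("Game console, contact shown in photo", "203.0.113.77", 100, False, True),
]

def score(rule, events):
    """Return (hit_rate, catch_rate) for one rule over labelled events."""
    flagged = [e for e in events if rule(e)]
    total_fraud = sum(e.fraud for e in events)
    caught = sum(e.fraud for e in flagged)
    hit = caught / len(flagged) if flagged else 0.0
    catch = caught / total_fraud if total_fraud else 0.0
    return round(hit, 2), round(catch, 2)

def report(events=EVENTS):
    return {rule.__name__: score(rule, events) for rule in RULES}

if __name__ == "__main__":
    for name, (hit, catch) in report().items():
        print(f"{name:22} hit rate {hit:.2f}  catch rate {catch:.2f}")
```

On this sample the narrow late-revision rule never flags a legitimate event but misses most of the fraud, while the broad new-IP rule catches everything at the cost of flagging a legitimate seller. Rules analysts tune that trade-off with every change.
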
Having clear objectives and ways to track them is a great start, but it does not solve the core issue of coming up with those business rules. The rules analysts have to rely both on their intuition, typically with the insight of the case workers, and lots of data insight of course. Analytics are critical tools in the Fraud Detection departments.
With this context in mind, the business case for Business Rules / Decision Management technology becomes obvious. The speed of change and the need to iterate to refine the fraud detection criteria are not at all compatible with traditional software development. If you played with the numbers that Kenny shared initially, you know that eBay makes about 20,000 changes per year. The only way to get this done is by empowering those business analysts so that they can author the flagging rules on their own while the IT team focuses on improving the speed of data access and variable computation, which Kenny described in more detail in his other talk.
In conclusion, the ROI for the companies that are fighting fraud is in getting the rules right and getting them fast.
Disclaimer: the examples of fraud I provided are not meant to encourage you to commit fraud… All of those schemes are now automatically flagged as fraudulent of course!