Fighting payments fraud can be a daunting battle – especially if the battle is waged with reactions. That is, once you’re under siege, protecting data can be a scramble.
Or as hockey great Wayne Gretzky once said, it’s important to skate to where the puck is going to be, and not where it has been.
That also applies in the ongoing electronic joust against those who aim to steal account data and use it to grab ill-gotten gains.
To that end, Mastercard announced on Monday the debut of its Early Fraud Detection System. The service seeks to give issuers advance alerts for cards and accounts that are put at higher risk due to data breaches. As the firm noted in the release, the speed of the early detection is critical in effectively preventing fraud – particularly considering the fact that it takes as few as nine minutes for stolen data to make it to the dark web.
The new system offers alerts that come after ferreting out fraud across all channels – “everything from active criminal trading of account data, to identification of cards being tested prior to being used for fraud, to account data that appears at-risk but without sufficient evidence to declare an account data compromise event,” said the company. “This provides issuers with alerts on a much broader set of at-risk accounts, potentially six to 18 months ahead of traditional alerts.”
In an interview with PYMNTS’ Karen Webster, Bruce Rutherford, senior vice president of Security Standards & Solutions at Mastercard, said that the early detection system was something Mastercard had been at work on for three years before its official launch. The solution had been piloted through two issuers, one in the U.S. and one in Latin America, and is now available globally with the Wednesday announcement.
Looking at the world from a cybersecurity vantage point today, he said, and surveying data compromises and fraud losses, “there is no single silver bullet in all of this.”
An effective, layered approach to security is necessary to catch fraud as it occurs and reduce compromises.
But the latest Mastercard offering is one that Rutherford said “bridges a gap in the ecosystem,” where analytics-based models give the firm the opportunity to proactively identify what might be at-risk accounts.
“We can give issuers advanced early warning about accounts that we believe have been exposed and become fraudulent over a period of time … that is what early detection systems are all about: being predictive and going forward,” said Rutherford.
Against that backdrop, Mastercard’s predictive models tap into a variety of data sources that provide a networked view on authorization activities, fraud activity and transaction flows. The company is also monitoring dark web sites where people may be trafficking in card data, selling and utilizing information in order to facilitate fraudulent transactions in the future.
Rutherford said that in looking at data breaches, both the reported ones and the ones that have been under the radar, so to speak, “at the end of the day, of those accounts that have been compromised, only about three to five percent actually see fraud occur in them.”
Being predictive on risk upfront, so to speak, would be of great value here, the executive said, as it saves costs to all parties involved.
He told Webster that when fraud occurs (or is thought to have occurred) and a card is reissued, there is an impact from the perspective of consumer usage. Those cardholders use their cards as much as 40 percent less than they have used the previous card held before the fraud exposure.
Webster inquired about what gives a card – from a fraudster’s perspective – more value than another. Rutherford said that cards have different values at different times within the dark web ecosystem. Corporate cards, for example, have (relatively high) spend control amounts and limits in place.
Mastercard’s traditional data compromise detection process will continue unabated – identifying possible risk at common points of purchase analysis, confirmation through forensic investigation and then notification of the issuer.
“There are signals within the transaction stream that point to increased risk of exposure” when Mastercard begins to see interactions with accounts that may not pass any of what he termed “initial threshold tests” or investigations.
But combined with other, data-driven insights, advance risk is identified (and categorized as medium, high or very high risk). A roadmap includes integrating Brighterion from an AI perspective. Layering in the AI component means Mastercard may be able to boost its fraud detection capabilities exponentially as well.
Don’t expect the bad guys to be complacent, of course. As Webster noted, the fraudsters do not operate in a vacuum, and are mindful that Mastercard will be out to cut them off at the pass, through these and other efforts. Might this new initiative have an impact on how fraud happens?
Said Rutherford, as dark web analytics becomes part of Mastercard’s forward efforts, criminals “may morph and change in their ability to use the dark web over time … we can innovate as well.”