Can we predict card fraud before it happens?

Machine learning technology is advancing to the point that some card issuers and processors are using it to predict where fraud is happening and where it will emerge. Though still in its early days, community banks are looking at how they might implement this technology.

By Karen Epper Hoffman

As card crooks grow ever more sophisticated in how they perpetrate fraud, retail banks and their providers are upping their own game in trying to determine where malfeasance is happening—and even where it might happen next.

While this sounds like fodder for a science-fiction film, financial institutions are embracing machine learning, or artificial intelligence in its advanced versions, to help more effectively pinpoint fraudulent card transactions or find cardholder data that may be for sale on the dark web, the online black market.

At last August’s Black Hat USA conference in Las Vegas, executives from Royal Bank of Canada (RBC) and technology partner Terbium Labs presented on how the Canadian bank had combined machine learning, predictive analytics and intelligence gathered from online carding forums with transactional data organizations to predict future fraud victims before dubious credit card transactions had even occurred. During his presentation, Dr. Cathal Smyth, a machine learning researcher with the RBC’s Vanguard cybersecurity team, identified that predicting card fraud presents “a classic big data problem.”

Quick stat


The average number of fraudulent card transactions before a fraud incident is caught and stopped

Source: PG Research & Advisory Services

With the vast stores of payment card, transactional, personal, demographic and historical fraud data to work from, card-issuing banks already have a lot of information to help them determine the direction of fraudulent activity.

And, as is often the case when dealing with huge, varied, disparate amounts of data, “trying to find the right combination of potential victims is like trying to find a needle in a haystack,” Smyth says. “A breach can affect a large number of clients with a huge number of transactions, but there’s still a degree of uncertainty.”

RBC began working with Terbium Labs, a Baltimore-based cyber vendor that specializes in monitoring dark web data, to help the bank’s Vanguard unit better analyze the cards and cardholders that have already been compromised in order to develop candidate groups, or potential fraud victims identified using previous crime patterns and current black market data.

Card-issuing banks, their processors and service providers have been using neural networks—the predecessor technology to machine learning—for decades. But, as the advent of chip-based cards made it more difficult for crooks to clone cards or commit real-world fraud, card-not-present (CNP) fraud blew up. In response, card issuers and their partners are increasingly turning to new technology to help track down actual fraud, as well as predict future fraud.

The cost of fraud

Cyber developer Tender Armor recently commissioned PG Research & Advisory Services to research the cost of fraud in CNP payment channels, which now represent more than 70 percent of total gross-dollar volumes of fraud on payment card accounts. Their research found that there are 3.6 fraudulent card transactions on average before the fraud is caught and stopped. CNP transactions make up nearly 30 percent of total credit and debit card purchase volume, and that percentage is continuing to increase as consumers increase their use of e-commerce.

U.S. banks and merchants are anticipated to see more than $12 billion in credit, debit, prepaid and private-label payment cards losses thanks to fraud by 2020, according to The Nilson Report.

Chris Cook, chief administrative officer and executive vice president for $200 million-asset Farmers Bank & Trust in Marion, Ky., says his community bank may not be at the stage of looking ahead in its card fraud products. Working with card service provider CSI Inc., the community bank is “constantly monitoring the card base activity … looking for geographic anomalies or [transactions] that are outside of a customer’s normal activity,” he says.

Douglas Manditch, chairman and CEO of $995 million-asset Empire National Bank in New York, points out that community banks like his still need to rely largely on what is being offered by their core processor or card services provider. “But that changes all the time,” he says. “We all want to shut down fraud as quickly as possible, and that seems to be getting better and better.”

“The technologies allow for the automated discovery of patterns across large volumes of transactions.”
—Jordan Blake, BehavioSec

Jordan Blake, vice president of products for BehavioSec, says retail banks have increasingly relied on artificial intelligence to detect and prevent fraud. “The technologies allow for the automated discovery of patterns across large volumes of transactions, which give banks the power to efficiently determine which transactions are likely to be fraudulent while reducing false positives,” he says.

Community banks should look for machine learning-driven offerings that go beyond cumbersome one-time authentication measures like passwords and tokens, Blake says. Indeed, Manditch is among the community bankers who are hoping to “catch fraud before it happens.”

In addition to fraud, community banks are looking to improve their “false positive” record, Cook says.

“There is strength in numbers,” says Ian Holmes, senior manager of enterprise fraud solutions at SAS. “Combining data across like financial institutions can provide a strong consortium of data, which helps them to become more predictive in identifying fraud across the group. It can also help them spot threat trends across multiple peer institutions that may have gone unnoticed in isolation.”

Karen Epper Hoffman is a writer in Washington state.