Debit has become exceedingly popular over the past year as social distancing and stay-at-home orders reduce consumers’ cash reliance and the ongoing economic decline and rising unemployment rates make them wary of taking out loans or leveraging credit. One financial services firm predicts that the past year’s financial and social upheavals could prompt a $100 billion shift from credit toward debit, in fact. Connecticut-based People’s United Bank has seen this trend in action in recent months, said Karen Boyer, the financial institution’s vice president of financial crimes and fraud intelligence.
“Brick-and-mortar [shops] are being forced online to stay relevant, meaning the only real method for our consumers to also purchase items [has been to] shift to eCommerce themselves,” she explained in a recent interview with PYMNTS. “Cash users [shifted] to physical cards and the physical card users [shifted] more to … digital wallets in an effort to become more and more contactless as fear increased when the pandemic kept going.”
This online commerce shift has brought with it an increased risk of fraud, however. Boyer and Frank Wheelahan, manager of digital fraud channels for People’s United, explained the nature of the fraud threats targeting debit transactions in 2020 as well as the ML and rules-based tools the bank deploys to combat these threats.
Debit Fraud Threats In The Time Of eCommerce
The most common type of debit scheme People’s United sees is card not present (CNP) fraud, which typically originates overseas. Fraudsters often fabricate debit card numbers or obtain them en masse from large-scale data breaches, at which point they will attempt to use them by posing as the cards’ owners or making purchases to test the stolen data.
“There’s a lot of [bank identification number] testing done overseas, where [fraudsters] fabricate card numbers and then try to find out if there are vulnerabilities that can be exploited and if they can be successful with the algorithms that they write to test our fraud rules,” Wheelahan said. “It’s become harder to carry out massively successful fraud attacks using physically present counterfeited cards, so the migration to eCommerce fraud has been increasing rapidly.”
The growing prevalence of payment apps that enable instant money transfers between consumers is one factor leading to the rise in CNP debit fraud, Boyer added. Fraudsters used to have to physically swipe fake or stolen debit cards at the POS, but payment apps allow them to conduct their schemes remotely.
“If [fraudsters] have a card number, it’s a lot easier for [them] to enter that card number into an app to transfer money or launder money within microseconds,” she said. “You don’t need to get a mag-type striper or physical counterfeit cards anymore, because through real-time payments, you can get [funds] in microseconds without doing much work.”
Stopping such fraud can be a tall order, Boyer said, but machine learning (ML) and rules-based analysis can do their parts to bring it to heel. She noted that banks should be aware of the former’s limitations, however.
ML’s merits and limitations
At the core of the fraud prevention system at People’s United is a rules-based analysis program that inspects transactions for signs of debit fraud or other malfeasance. Wheelahan said these transactions are inspected in real time and are useful for catching and identifying fraud trends before they become widespread.
“The best tool that we have at our disposal is the reporting of our real-time transactional data,” he said. “There are so many root causes of fraud trends that have been determined by us reviewing and really focusing on the activity that’s occurring throughout the day, so we’re actually able to mitigate a lot of the losses caused by skimming incidents or [bank identification number] attacks or even merchant compromises, if we’re able to detect them early.”
ML also plays a role in fraud analysis, but Boyer said banks must account for its limitations. Rather than relying on ML algorithms to make unilateral fraud decisions, human analysts and rules-based screening are still necessary to help these systems establish baseline normal activity.
“You really need hands and eyes on the system to detect what is fraud and what is legitimate so you can train that machine learning to ID what is legitimate and what is noise,” Boyer noted. “[Artificial intelligence] and machine learning are only as good as how quickly you detect the fraud, because if you don’t detect it as soon as possible, that activity will just look normal.”
Boyer said fraudsters can also coordinate their attacks to dupe ML tools looking for suspicious transactions, because fraud on a large scale can be read as normal activity to artificial intelligence (AI). This means personal intervention is necessary to prevent such fraudulent behavior from being incorporated into the ML algorithm.
“A lot of the problem, especially on the debit card side, is the scale of these compromises,” she explained. “If you have one large ring that’s hitting you [all] at once, then that AI can think that is normal activity. And fraudsters are often using the exact same [AI and ML] tools against us.”
Machine learning can play a crucial role in debit fraud prevention, but it is best deployed as part of a multilayered defense system. Bad actors are known to simultaneously leverage numerous tactics to wage fraud, and banks must therefore be equally multifaceted in their approaches to thwarting it.