TRADITIONAL FRAUD PREVENTION IS COSTING YOU CUSTOMERS
Alex Kilpatrick, PhD, CTO, BeehiveID
Let’s say you are a banker
• $9,999.99 - Definitely suspicious
• $9,999.00 - Definitely suspicious
• Asking about limits - Suspicious
• $9,875.21, $9,923.12, $9,782.97 - Maybe suspicious
• $5,000, $5,000, $5,000 - Maybe suspicious
• 16 year old depositing $8,768 in cash - Maybe suspicious
• Paranoid behavior - Maybe suspicious
• Corporate check - Definitely not suspicious
• $102.32 - Definitely not suspicious
Binary Classification
Conservative / Liberal
Rich / Poor
Good Guy / Terrorist
Athletic / Sedentary
Male / Female
Young / Old
Healthy / Sick
Good customer / Scammer
-3 + x1 + x2 >= 0
Reality
REAL-WORLD CLASSIFICATION IS NEVER
AS CLEAN AS WE WANT
Remember
Positive - Scammer
Negative - Good customer
False Positive - We classify someone as a scammer when they aren't: lose customers
False Negative - We classify someone as a good customer when they are a scammer: lose money
New Disease - Alexitis
• Very rare - only affects 1 in a million people
• Luckily, we have a test that is 99% accurate
• If they have Alexitis, test is positive 99% of the time
• If they don't have Alexitis, test is negative 99% of the time
I've just tested positive for Alexitis. What are the chances I actually have it?
99%, right? I’m screwed!
Would you believe .01%?

                 Has Alexitis           Does not have Alexitis     Total
Test Positive    1 (true positive)      10,000 (false positive)    10,001
Test Negative    0 (false negative)     989,999 (true negative)    989,999
Total            1                      999,999                    1,000,000
Paradox of the False Positive
Conditional Probability
If you live in the United States, you probably speak English
If you speak English, you probably don’t live in the United States
IF YOU ARE TESTING FOR SOMETHING THAT RARELY OCCURS,
YOUR TOOLS HAVE TO BE REALLY, REALLY GOOD
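As an added worked example (not part of the original talk), the Alexitis arithmetic above generalised to any base rate and test quality: the expected confusion matrix, the chance that a positive result is genuine, and the specificity a tool would need before most of its alerts are real. The fraud scenario (1% fraud rate, "95% accurate" model) is a constructed illustration, not a figure from the slides.

```python
from dataclasses import dataclass


@dataclass
class ConfusionMatrix:
    """Expected counts for a population screened by one binary test."""
    tp: float  # scammers / patients correctly flagged
    fp: float  # good customers / healthy people wrongly flagged
    fn: float  # scammers / patients missed
    tn: float  # good customers / healthy people correctly passed

    def positive_predictive_value(self) -> float:
        """P(actually positive | test positive): the share of alerts that are real."""
        return self.tp / (self.tp + self.fp)

    def false_alarm_share(self) -> float:
        """Share of alerts that hit innocent people (the customers you lose)."""
        return 1.0 - self.positive_predictive_value()


def expected_confusion(population: int, prevalence: float,
                       sensitivity: float, specificity: float) -> ConfusionMatrix:
    """Base-rate arithmetic from the slides, for any prevalence and test quality."""
    positives = population * prevalence
    negatives = population - positives
    tp = positives * sensitivity   # true positive rate applies only to the rare class
    tn = negatives * specificity   # true negative rate applies to everyone else
    return ConfusionMatrix(tp=tp, fp=negatives - tn, fn=positives - tp, tn=tn)


def required_specificity(prevalence: float, sensitivity: float, target_ppv: float) -> float:
    """Specificity needed so that a fraction target_ppv of alerts are genuine.

    Solves PPV = p*s / (p*s + (1-p)*(1-spec)) for spec.
    """
    hits = prevalence * sensitivity
    false_alarm_rate = hits * (1.0 - target_ppv) / ((1.0 - prevalence) * target_ppv)
    return 1.0 - false_alarm_rate


# Alexitis: 1 in a million, 99% sensitivity and specificity, a million people tested.
alexitis = expected_confusion(1_000_000, 1e-6, 0.99, 0.99)
# Constructed fraud scenario (not from the talk): 1% of transactions are fraud and
# the fraud model is "95% accurate" in both directions.
fraud = expected_confusion(1_000_000, 0.01, 0.95, 0.95)

if __name__ == "__main__":
    print(f"Alexitis: {alexitis.fp:,.0f} false positives per {alexitis.tp:.2f} true positive")
    print(f"P(sick | positive) = {alexitis.positive_predictive_value():.4%}")
    print(f"Fraud: {fraud.false_alarm_share():.1%} of flagged transactions are good customers")
    print(f"Specificity for 50% genuine alerts at 1-in-a-million: "
          f"{required_specificity(1e-6, 0.99, 0.5):.8f}")
```

Even at a 1% fraud rate, a 95%-accurate model flags about five good customers for every scammer it catches; at 1 in a million, specificity has to exceed 99.9999% before half the alerts are real.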
Remember
THE INTERNET IS BUILT ON PACKETS,
NOT CONNECTIONS
Remember
IP Geo-Location
Nigeria
I am worried about scams, so I won’t accept mail from Nigeria
IP Geo-Location
891889-11
But the mail only has codes, not country names
IP Geo-Location
891889-11
No problem! I can look it up in a table
891888 United States
891889 Nigeria
891890 France
891891 Luxembourg
IP Geo-Location
891889-11
Problem 1: Database gets stale
891888 United States
891889 Germany
891890 France
891891 Luxembourg
IP Geo-Location
891889-11
Problem 2: Mail Forwarding
891888 United States
891889 Nigeria
891890 France
891891 Luxembourg
891890-19
IP Geo-Location
891889-11
Problem 2: Other Carriers
891888 United States
891889 Nigeria
9999 FedEx
891891 Luxembourg
IP Geolocation
• With "honest" users, IP Geolocation can be somewhat accurate
  • Nation: 95% - 99%
  • City: 50% - 80%
• In terms of fraud prevention, it will only catch the most clueless of fraudsters
• Essentially useless for mobile data
Proxy Detection
891889-11
I’ll make a blacklist
891888-12 REJECT
891890-19 REJECT
891891-12 REJECT
891890-19
Proxy Detection
• Can catch known proxies
• Suffers from same database issues as IP Geolocation
• ANY machine on the internet can be a proxy
Cookies
Once I find out you are a scammer, I sneak into your house and put an X on your envelopes, with invisible ink
891889-11
891899-11
Cookies
• Will work if the scammer does nothing to prevent it
• Can be prevented with a single click
• Useful for tracking customers, almost useless for tracking fraudsters
Behavior Detection
Scam mail usually comes in between 3:45 and 4:00
Behavior Detection
• Very difficult to measure accurately
• Highly subject to false positives
• Almost any behavior that appears suspicious can also have a legitimate purpose
Browser Fingerprinting
I am going to measure the unique characteristics of the paper, so I can recognize the bad letters
Browser Fingerprinting
• Somewhat effective technique for tracking people online
• Measures unique characteristics of your browser (fonts, plug-ins, etc.) that are reported to web server
• Not well known among general public
• Generally not completely unique
• Will lead to false positives
• Not useful for mobile
• Trivial to circumvent
  • Clean browser install
  • Virtual machine
TRANSACTIONAL DATA:
DATA THAT IS CONTEXTUAL TO A SINGLE TRANSACTION
Transactional Data Strengths
• Does not require user involvement or knowledge
• Usually quick
• Can encompass many data points
• Does not affect the user experience
• Can be tested on sample data
Transactional Data Weaknesses
• Generally easy to work around
• Significant false positive rate
• Difficult to aggregate across platforms
WITH TRANSACTIONAL FRAUD PREVENTION, YOU ARE RELYING ON
INFORMATION THE SCAMMER ULTIMATELY CONTROLS
Remember
Identity-Based Fraud Prevention
• In the real world, we want to know who we are dealing with
• Personal recommendations are extremely important
• Social context is extremely important
• However, online we have no identity framework to leverage
FUNDAMENTALLY WE HAVE BEEN SOLVING THE WRONG PROBLEM
WE DON'T HAVE A TRANSACTION PROBLEM, WE HAVE AN IDENTITY PROBLEM
however
“No man is just of his own free will [...] he will always do wrong when he gets the chance. If anyone who had the liberty [of the ring of Gyges] neither wronged nor robbed his neighbor, men would think him a most miserable idiot.”
- Plato
SOCIAL ACCOUNTABILITY BREEDS POLITENESS AND GOOD BEHAVIOR
Short Version
Anonymous Comment / Facebook Comment
Source: David Kelts
Extreme Identity: DoD Top Secret Clearance
• Takes 1-2 years
• Involves ~ 40 pages of documentation
• Leverages numerous federal databases
• Involves dozens of interviews with people who have known you for
Privacy vs. Identity / Friction vs. Identity
Strong identity means lower privacy and higher friction
Both bad…
Identity Farms
Cost of a phone-verified Facebook profile: $0.70 - $1.50
Global market for fake identities: $800M
http://www.newrepublic.com/article/121551/bot-bubble-click-farms-have-inflated-social-media-currency
Identity / Reputation / Trust
Genuine User / Fake User
Solution: Federated Identity
User 1234
Verified Identity
• John Smith
• 123 Main Street
• Single
• (212) 555-1212
BeehiveID / Website
One Identity Per Person
No Information Sharing
Transportable
Owned by User
Federated Identity
BeehiveID Advantages
• Ultra-low friction
• Selfies are easy!
• Uniqueness through biometrics
• NO private information whatsoever
• Supports trust through connections between people
• One-step integration
Summary
• Classification problems are inherently fuzzy
• When the thing you are looking for is rare, you have to be really precise
• Transactional data is dependent upon data effectively provided by the scammers
  • Results in high false positives, losing customers
  • Is easy to circumvent by scammers
• Identity is the foundation of trust in the real world, and can be used for trust online, with the right tools
  • Must be low-friction
  • Must preserve privacy
QUESTIONS?