Many VoltDB customers are creating externally-facing applications which face the potential of being hacked, with the applications and/or data being used in some fraudulent manner that can cost the businesses considerable time, effort and money. In addition, some of our customers, such as WhiteOps, have created businesses based on identifying and disrupting fraud. And fraud is on the rise – a recent LexisNexis study, The True Cost of Fraud, reports that fraud increased as a percentage of revenue to 1.47%. So we thought it was time for a closer look.
We hosted a webinar on fraud, with speakers Andras Cser, Vice President and Principal Analyst of Forrester Research, and Tamer Hassan, CTO and founder of WhiteOps. Listen to the webinar here, and read on for our top five takeaways.
1. Mobile fraud: What, me worry?
Mobile fraud is growing fast. Why? As Cser notes, mobile customers expect a good user experience, but often are careless with personally-identifiable information. They don’t protect their card numbers well, they don’t protect their phones, and many of us don’t pay enough attention to screen unlocks and application passwords. Further complicating things, mobile apps are rushed to market and lack security. App stores such as Google Play and the iOS App Store may not understand and detect fraudulent activity in time to protect subscribers. We all expect an omnichannel experience on mobile, and may be willing to trade access to our devices in exchange for ads and other marketing outreach. Mobile ads are catnip for fraudsters.
2. Fraud is expensive
The cost of online and mobile fraud is increasing. Mobile fraud is growing at a rate of 12% year-over-year, according to the LexisNexis report; e-commerce merchants using mobile as a sales channel saw a significant increase in successful fraudulent transactions from 2015 to 2016 – from 26% to 35%. Worse for merchants, the cost of fraud doesn’t end with the fraudulent transaction – the cost of remediation is high. For every $1 of fraud, companies lose $2.40 in chargebacks, merchandise replacement and fees.
Ad fraud is also growing, tracking the increase in online display ad spending, which is forecast to hit $21 billion in 2017. Ad fraud ‘wastage’ – ads triggered by malicious ad bots, for example – is projected to cost $3 billion in 2017. Forrester reports total ad fraud came in at $6.8 billion in 2016. Ad fraud is more difficult to detect and manage on mobile because browser-side capabilities are lower and there are fewer ways to secure the mobile front end (mobile apps and mobile browsers). And while mobile subscribers appear to love video apps, digital video fraud is increasing fast.
3. Preventing Fraud: Recommendations
How can app developers and companies prevent fraud? Cser recommends:
- Get the data – Each time an app is installed on a device, it should issue a certificate that prompts the user to provide more information – enrollment attributes, security questions and so on. This authenticates the application; if the certificate is invalid or there’s a problem tying that certificate to the mobile device itself, it may be a sign of fraudulent activity. Use GPS to ensure there’s a correlation with what the user says about where they are; in insurance fraud, a claim may be submitted in one location, but GPS may show the device is in another location, indicating fraudulent activity. Device power settings, touchscreen attributes, biometric data from sensors and SIM card data are all useful for detecting and preventing fraud.
- Integrate the data – Once you have the data, it must be integrated. This can be done via link graphs and social network analysis that reveal the linkages between transactions, including good and bad profile attributes and other transactional attributes. Cser recommends analyzing integrated data to identify customer activity and segment dynamically. This understanding can help identify emerging geo areas of fraud risk.
- Use machine learning and artificial intelligence – move from writing rules to real-time decisioning on a per-transaction basis. VoltDB has several financial customers who use the database for real-time fraud detection and prevention – we’ll share more on these use cases soon.
- Use biometrics – passwords are increasingly easy to break. It’s possible to crack an 8-character complex password in 20 minutes using a PC. App designers are moving to the use of fingerprint sensors, microphones, and cameras for finger and facial recognition. Not only do biometric measures provide a much better customer experience, they are also easier than remembering and typing a long, complex password on a mobile keyboard.
- Use passive/behavioral authentication – Subscribers establish patterns of use on their touchscreens. If the application detects that a user is suddenly not touching the screen, moving the pointer or tapping the device in the way they did 10 minutes ago, it may indicate anomalous activity – and provide an opportunity to restrict the activities available via the application.
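To make the "Integrate the data" recommendation concrete, here is an added example (not code from VoltDB, Forrester or WhiteOps) of a minimal link graph: transactions that share a device, card or IP address are clustered with a union-find structure, and every transaction linked to a known-bad attribute is flagged. The field names, sample records and the choice of union-find are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample transactions; field names are assumptions for illustration.
TRANSACTIONS = [
    {"id": "t1", "device": "dev-A", "card": "card-1", "ip": "198.51.100.7"},
    {"id": "t2", "device": "dev-A", "card": "card-2", "ip": "198.51.100.8"},
    {"id": "t3", "device": "dev-B", "card": "card-2", "ip": "198.51.100.9"},
    {"id": "t4", "device": "dev-C", "card": "card-3", "ip": "203.0.113.5"},
    {"id": "t5", "device": "dev-D", "card": "card-4", "ip": "203.0.113.5"},
]
KNOWN_BAD = {("card", "card-1")}  # attribute confirmed fraudulent (constructed)
LINK_FIELDS = ("device", "card", "ip")


def find(parent, x):
    """Union-find root lookup with path compression."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def link_clusters(transactions, fields=LINK_FIELDS):
    """Group transactions that share any attribute, directly or transitively."""
    parent = {}
    for tx in transactions:
        tx_node = ("tx", tx["id"])
        parent.setdefault(tx_node, tx_node)
        for f in fields:
            attr = (f, tx[f])
            parent.setdefault(attr, attr)
            parent[find(parent, attr)] = find(parent, tx_node)  # union
    clusters = defaultdict(lambda: {"tx": set(), "attrs": set()})
    for node in parent:
        root = find(parent, node)
        kind = "tx" if node[0] == "tx" else "attrs"
        clusters[root][kind].add(node[1] if kind == "tx" else node)
    return list(clusters.values())


def flag_linked(transactions, known_bad):
    """Map each transaction in a tainted cluster to the bad attributes linking it."""
    flagged = {}
    for cluster in link_clusters(transactions):
        bad = cluster["attrs"] & known_bad
        if bad:
            for tx_id in cluster["tx"]:
                flagged[tx_id] = sorted(bad)
    return flagged
```

With the sample data, `t3` never used the bad card itself but is flagged because it shares `card-2` with `t2`, which shares a device with `t1`.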
4. Forrester’s Fraud Predictions
Fraud is constantly changing. Forrester’s Cser predicts the industry will see the following take place:
- A merger between EMEA’s strong authentication with North America’s strong EFM (risk scoring);
- Sensor data and location will be used for risk scoring on mobile devices;
- SaaS EFM tools will become more mature, and shared whitelists, blacklists, and models will proliferate;
- Anti-money laundering (AML) and fraud management will converge;
- Firms will derive Marketing / Business intelligence from fraud data;
- Expansion of fraud in EFM solutions’ models for MNO payment schemes – fraud solutions will help not only normal payment ad fraud prevention, but also mobile network operator-based payment schemes; and,
- Adoption of biometrics and behavioral biometrics will expand.
5. Ad Fraud Bots: the new recurring fraud revenue model
Much of the fraud damage in mobile advertising, and consequently in mobile e-commerce, is caused by ad bots – malicious code bits that behave like humans to commit fraud. Tamer Hassan, aka The Bot Hunter, joined the fraud webinar to discuss the impact of ad bots – and offer suggestions for how to identify and take them down.
Hassan, co-founder and CTO of WhiteOps, says in a recent interview “… advertising is a recurring fraud revenue model. There’s a lot of money moving, and companies are competing. Fraud is difficult to detect, and, unlike in banking, not as many people are chasing the bad guys.”
WhiteOps was founded to detect and prevent ad bot fraud. Hassan’s take on preventing fraud is somewhat different from that recommended by Forrester – for example, WhiteOps spots bots by differentiating bot action from authentic human behavior. “We are a security company focused on the important problem of human verification,” he says. Hassan adds that ad bot fraud is “the most scalable cybercrime on the web today. There are very few places that you can cause a multibillion dollar loss, year over year, without much risk.”
The goal in any web-scale fraud, ad fraud included, is to look like a million humans and a million machines. Almost three quarters of the ad fraud WhiteOps sees comes from compromised, malware-infected machines. If a consumer has a malware-infected machine, fraud detection systems may see human and non-human activity from the same machine, sometimes at the same time.
When you’re dealing with a compromised machine, you’re dealing with a compromised identity. If a consumer bought a TV last week, so did the malware that’s driving her browser. This moves the fraud detection battleground from identifying compromised devices to identifying transactions that are human versus transactions that are not human. More than half of fraudulent activity on the internet today is from mobile devices.
WhiteOps runs human verification scans, seeking ad bots, on more than a trillion transactions a month. Moving to real time has been critical, enabling WhiteOps to detect ad fraud in transaction – in five to ten milliseconds. Giving a real-time decision for any impression on the internet in 10 milliseconds or less is one of the core capabilities of the company’s technology, and VoltDB is one of the major components in its tech stack.
VoltDB’s role in fraud prevention goes beyond detection. Our customers use VoltDB to move away from batch, post-transaction discovery of fraud to the ability to provide real-time alerts and actions on fraudulent activities. It is no longer enough to understand that fraud is happening: our customers want to act on it, and prevent it in real time.
Listen to the webinar, New Applications Mean New Fraud Targets. To find out more about how VoltDB can help your business detect and stop fraud, contact us at email@example.com.