Fighting payment fraud is a never-ending challenge which requires ongoing investment and extensive research and development by our teams at Empello. Once an effective barrier is put up, it is often only a matter of time before a fraudster finds a way around it. Some of the bad guys are extremely well resourced, use sophisticated techniques, and ultimately circumvent the barriers we put in their way.
What role does Artificial Intelligence (AI) have in this fight? Is it the most important tool in the armoury?
Pros and Cons of AI
Artificial Intelligence has much to offer cyber security companies in our space. Advanced machine learning algorithms determine which transactions are most likely to be fraudulent, while significantly reducing false positives.
Automated discovery and analysis of user behaviour can spot and block anomalies or unwanted transaction patterns both speedily and at scale. To give a simple example, the way the button is clicked can be an indicator of a bot in action as opposed to a genuine user, and AI allows every click to be monitored in a way that no human monitoring could ever hope to achieve.
AI is also cost-effective. Once set up, it can be rolled out to multiple instances without the need for bespoke human research and monitoring.
But the “machine” needs to be told what to do, and this is where its limitations may become apparent. We are far from producing an artificial general intelligence (AGI) where a computer is solving brand new problems without human input, or devising completely different approaches to a problem. Additionally, the datasets used to train an algorithm must contain high-quality data, which needs human input on some level. In the context of fighting fraud, AI can be useful for spotting variations on a known fraud technique, but it falls down when presented with a completely novel technique.
Learnings from other sectors
One example of this is the financial services sector, where two-factor authentication (2FA) is widespread as a means of reducing fraud attacks. 2FA was a solution devised by humans, after observing certain types of attack and considering how best to mitigate them.
Banks have invested billions in developing algorithms to detect unauthorised spending, but how often do these either fail or trigger falsely when we’re trying to complete a bona fide transaction ourselves? With all the years of experience in the financial services sector, it is still the human-invented 2FA approach which is by far the most effective anti-fraud defence.
Even ascertaining that a button really was pressed by a user is only part of the problem. Social engineering techniques are widely used by fraudsters to trick a user into buying or subscribing. Automated protection will not reveal that a user was encouraged to do something by a fake message which appeared to come from their social network, from an influencer, or from a misleading marketing statement making a false promise, such as “Congratulations, you are today’s lucky winner”.
At Empello we believe that desk research carried out by experienced data analysts remains invaluable and is a key ingredient both in the fight against fraud and in informing our machine learning engine. Automated detection techniques can work well, but they can be vulnerable; if they are overcome, the fraud can persist without anyone being aware that it is taking place, unless comprehensive desk research is undertaken.
So it’s important that technical approaches are augmented by hands-on human analysis. For instance, what are consumers saying on various forums? Analysing complaints data is one of several techniques which can be used to pick up advanced attacks which have fooled automated defences. These leads can then be researched by experienced staff, testing apps on real in-country phones and devices.
Apps infected with malware are far from the only threats which cause VAS/DCB fraud. Malware is a so-called “front-door attack”: it makes a direct visit to the payment page, which is easier to detect via automation. Increasingly, though, there are new threats from “back-door” fraud.
Fraudsters employing back-door approaches exploit weaknesses in the back-office infrastructure between the network, merchant and payments aggregator. MSISDNs are spoofed or changed during the payment transaction. Precise diagnosis is needed to identify the vulnerability before a customised fix can be designed and deployed. This is where hands-on human research plays a key role, both in identifying this type of back-door fraud and in determining its patterns and behaviour.
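As an added illustration (not Empello's code or method), the sketch below reconciles the MSISDN recorded for each transaction at the three parties named above and flags transactions where the value changes between hops or a hop has no record. The record layout, field names and sample values are assumptions constructed for this example.

```python
from collections import defaultdict

# Hops named in the text; the record layout itself is an assumption.
HOPS = ("network", "merchant", "aggregator")

# Constructed sample records (not real data). T1 is consistent once
# formats are normalised, T2 changes MSISDN at the aggregator, and
# T3 has no network-side record at all.
SAMPLE_RECORDS = [
    {"txn_id": "T1", "hop": "network", "msisdn": "+44 7700 900001"},
    {"txn_id": "T1", "hop": "merchant", "msisdn": "00447700900001"},
    {"txn_id": "T1", "hop": "aggregator", "msisdn": "447700900001"},
    {"txn_id": "T2", "hop": "network", "msisdn": "447700900002"},
    {"txn_id": "T2", "hop": "merchant", "msisdn": "447700900002"},
    {"txn_id": "T2", "hop": "aggregator", "msisdn": "447700900099"},
    {"txn_id": "T3", "hop": "merchant", "msisdn": "447700900003"},
    {"txn_id": "T3", "hop": "aggregator", "msisdn": "447700900003"},
]


def normalise_msisdn(raw):
    """Reduce '+44 ...', '0044...' and '44...' to one digits-only form."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    return digits[2:] if digits.startswith("00") else digits


def reconcile(records):
    """Return {txn_id: (finding, detail)} for transactions needing review."""
    seen = defaultdict(dict)
    for rec in records:
        seen[rec["txn_id"]][rec["hop"]] = normalise_msisdn(rec["msisdn"])

    findings = {}
    for txn_id, by_hop in seen.items():
        missing = [hop for hop in HOPS if hop not in by_hop]
        if missing:
            # A payment with no record at one party cannot be verified.
            findings[txn_id] = ("missing_hop", missing)
        elif len(set(by_hop.values())) > 1:
            # The subscriber identity changed somewhere along the chain.
            findings[txn_id] = ("msisdn_mismatch", by_hop)
    return findings


if __name__ == "__main__":
    for txn_id, finding in reconcile(SAMPLE_RECORDS).items():
        print(txn_id, finding)
```

A check like this only surfaces candidates; deciding which party's record is wrong and why still takes the hands-on diagnosis the text describes.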
AI versus Humans
Just as in civilian police work, automated technologies such as CCTV and DNA profiling have become important tools in the fight against crime, but they are still no substitute for great detective work. Detectives make use of new technology and it can be vital in solving a case, but we could never replace those detectives entirely with AI.
The same applies in the fight against payment fraud. Great cyber security solutions require great detectives to research and engineer them.