By Dale S. Laszig
It's been said that a new car depreciates the minute it leaves a dealer's lot, but the opposite is true for the transaction. That down payment made by ACH, debit or credit card has just begun its useful life.
After verification, authentication and credit approval, funds change hands, credit limits update, and sales are inextricably linked with customer profiles and dealer transaction histories. The resulting trove of customer data creates opportunities and challenges for financial professionals and cybercriminals alike.
This two-part series explores the high-stakes digital identity battlefield where fraudsters and security experts deploy the same technologies with different endgames in mind. As recent reports demonstrate, consumers, business owners and service providers are this war's collateral damage, and experts predict casualties will get worse before they get better.
Chief among concerns is the need for agile verification, authentication and fraud detection in a world of real-time payments, instant credit decisioning and 24/7 customer service. The Green Sheet interviewed experts from numerous sectors of the identity community who are calling for an immediate, proportionate response to identity theft and other fraudulent activities.
Suresh Dakshina, co-founder and strategist at Chargeback Gurus, noted that digital commerce never sleeps. "We live in an Amazon world where customers can place orders and file disputes around the clock, and brands need to live up to those expectations," he said, adding that current card issuer zero liability policies make it easier for consumers to file a fraud dispute than a customer service dispute, and as a result, true fraud and first-party fraud are on the rise.
Having seen lines blur between good customers and fraudsters, Dakshina pointed out that economic pressures or impulse buys that lead to buyer's remorse can push legitimate customers over the line to first-party fraud. Merchant attitudes about these customers are changing, and in some cases, merchants who may have previously written off a customer will try to lure them back with personalized discounts and offers, he noted.
"Merchants were either fighting disputes or writing them off and never reaching out to the customer," he said. "A more effective strategy would be to send them an email, saying, 'I know you've filed a dispute and we're very sorry for your experience, but instead of filing a dispute or not using the product, I would love to give you a deep discount to earn your business.'" This way you retain the customer, Dakshina noted, and while not every customer will go for it, the email will at least let them know you're trying to keep them happy. "I call this 'friction, not rejection' because you can't stop buyer remorse from happening, especially when multiple stores are selling the same item," he said. A customer who buys a $1,000 item, then sees it sold somewhere for $800, will be thinking about how to recover the $200, he added.
Because fraud comes in many varieties, Dakshina recommended combining human and machine intelligence to detect anomalies and avoid false positives by separating legitimate orders from fraudulent transactions.
Nir Stern, vice president, product management at AU10TIX, acknowledged that deep fakes are a growing concern for companies of all sizes that have difficulty discerning between forged and authentic images and documents. Identity proofing, which his company provides to Twitter, LinkedIn and other global enterprises, can solve for this issue, he stated.
"Unfortunately, whenever there's a new technology, the first adopters are usually the bad guys," he said. "We run over 100 types of forgery tests and compare data elements to determine if a document or image is real or forged. And because we have such huge traffic from both our customers and bad actors, we're able to train our AI models on an ongoing basis against the latest threats."
Stern advised enterprises in need of identity proofing to look for fully automated solutions. He pointed out that numerous vendors claiming to be fully automated actually have agents behind the scenes doing manual work. Global entities require robust solutions that can respond in as little as 4 seconds to requests from multiple regions, languages and regulatory landscapes, he stated.
"I think the key for organizations is to work with solutions that are fully automated and scalable," he said, noting large enterprises that monitor traffic across global databases can identify new threats quickly and avert disasters. This type of provider, he stated, continuously builds new models, which protects their communities in the endless fight against the bad guys.
As infosec leaders have noted, lack of communication has been a major impediment to security within organizations and across public and private sectors. Dakshina, for example, recalled a recent conversation with a card issuer when pointing out that financial institutions frequently have gaps between fraud and customer service teams.
"He confirmed they store device ID and other transactional data, so I asked if customer service reps pass that information to the fraud team so they know if the customer purchased the product using the same device ID," Dakshina said. "He said, 'No, we don't give the data to the dispute side.' And because of that disconnect, customer service has no visibility into the transaction, leaving them no choice but to take the cardholder's dispute at face value. They can't even say, 'We see you used your phone to check out; are you sure you didn't initiate the transaction?'"
Jason Kratovil, head of public policy and external affairs at SentiLink, mentioned that gaps in Social Security were making it easy for criminals to create synthetic identities. "If you want to create a synthetic identity, find a Social Security number for a minor or immigrant with a thin credit profile and combine it with a burner phone and some made-up PII (personally identifiable information)," he said.
From there, he added, a criminal could purchase authorized user tradelines or accumulate declined applications by repeatedly applying for credit; over time, with minimal skill and a bit of patience, these activities could create a legitimate-looking consumer.
SentiLink CEO Naftali Harris and COO Maxwell Blumenfeld, who were early employees at Affirm, co-founded SentiLink in 2017 after seeing patterns in credit reports that didn't tie to real people. Kratovil noted they were among the first to see synthetic ID as a big problem.
The following year, the company was an early adopter of the Social Security Administration's real-time, API-based system for verifying an individual's name, date of birth and Social Security number. The Electronic Consent Based SSN Verification (eCBSV) service is now used by SentiLink partners to onboard customers efficiently while reducing fraud and risk.
In a July 2022 white paper, The Electronic Consent Based SSN Verification Service, How eCBSV can help your financial institution fight fraud and approve more applications faster, SentiLink positioned eCBSV as more efficient than paper-based consent forms for identifying synthetic fraudsters and enabling inadvertently flagged individuals to prove they're real. "Technology continues to re-shape how consumers seek out and utilize financial services. As this innovation takes hold, it has presented one undeniable truth: For financial institutions making the move to digital, the risk of identity fraud increases," SentiLink researchers wrote. "To help address these new challenges and reduce risk, financial institutions have increasingly focused on data 'sources of truth' to authoritatively answer whether a key piece of identity information is valid or not.
"Frequently, these sources are government entities: The Social Security Administration (SSA) for SSNs, the IRS for income and other tax transcript data, and state departments of motor vehicles for drivers license data are some examples."
While eCBSV is fully operational and capable of supporting approximately 350,000,000 verification requests per year, researchers acknowledged it will take time to fully implement. They expressed confidence, however, that the solution will help mitigate both forms of synthetic identity, which they defined as a manipulated real person's identity and a totally fake identity.
"As mentioned at the outset of this paper, SSA is the 'source of truth' for SSNs," researchers wrote. "But even sources of truth like a federal agency are not infallible and are prone to similar data quality issues and technical limitations as can impact any other database. Additionally, while the SSA is the source of truth for which SSNs they have issued, there is nothing preventing them from issuing SSNs to identities that don't exist due to fraudulently filed SS-5 forms."
Every new car owner who drives off a dealer's lot leaves behind a trail of digital exhaust that takes on a life of its own, navigating multiple checkpoints on its journey from POS to settlement. Every checkpoint, from verification and authentication to payment gateway and direct deposit account, presents its own potential risks and vulnerabilities. These risks multiply exponentially, SentiLink researchers warned, as financial institutions migrate to digital platforms, onboard new customers and enter markets outside their physical footprints.
In Part 2 of this series, The Green Sheet will interview security leaders who are working with financial institutions, business owners and third-party service providers to protect customers' digital identity data at point of entry, in transit and at rest.
Dale S. Laszig, senior staff writer at The Green Sheet and founder and CEO at DSL Direct LLC, is a payments industry journalist and content strategist. Connect via email dale@dsldirectllc.com, LinkedIn www.linkedin.com/in/dalelaszig/ and Twitter https://twitter.com/DSLdirect.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.