This is a contributed piece by Gerry Carr, founding hire at fraud detection company Ravelin.
Any business that sells goods or services online is vulnerable to attack by fraudsters. This can take the form of purchases made with stolen credit card details, the creation of false accounts and even voucher code abuse. The cost of this fraud can be calculated in the multi-millions, with chargebacks and related costs plaguing online businesses. In the UK it is the most common crime of all, with 2.47M offences in 2015/16 alone.
The traditional approach to tackling this problem is to use heuristic rules and business logic to try to ‘predict’ whether a new transaction that the business is seeing is fraudulent or not. It is important to note that with some variation this is what 90% or more of the online fraud detection platforms still use, including those that banks and payment gateways use. Why is this? Well, because to some extent it works but often with massive costs involved.
So how do the majority of companies use rules? It is a top-down, expert-led approach with insights intuited from a combination of data, horizon-scanning and gut-feel. And all of it is back-stopped with manual reviews to confirm the experts’ decisions. For example, there has recently been a flood of Turkish cards on the dark net due to the well-publicised data breach in Turkey. So it is a simple matter for a business to add a rule saying ‘review all transactions with a Turkish credit card’ and every time a purchase is made or attempted with a Turkish card, it is prevented or reviewed. But there are over 60 million legitimate purchasers in Turkey and a rule like this could turn away millions of legitimate customers. How does this rule distinguish good from bad and how does it evolve over time?
The answer is it doesn’t; rules tend to spit out a binary result. A transaction is deemed risky or safe with little room for grey in between. Forevermore this rule will prevent cards from Turkey, and someone will have to manually review (an inexact and time-consuming process) every transaction that comes in with that card origin. In a 2016 survey from Cybersource, one of the leading rules-based fraud detection solutions, over 25% of all transactions across a wide range of companies that they surveyed were manually reviewed!
This is a fairly astonishing statistic, and while manual review is potentially effective, it is really an example of where human endeavour is not enhancing a computing efficiency but compensating for a computing failing. Can we find a better way of predicting whether a transaction is likely to be fraudulent or not?
Introducing machine learning to fraud detection
Machine learning has been nominated as a great candidate for e-commerce fraud detection for a number of years. The reason is that in e-commerce there is a great deal of data (from account sign up, to behaviour in-app or on-site, all the way through to checkout) and there is a binary outcome (fraud or not fraud). Online businesses are able to identify fraudulent transactions accurately because they receive chargebacks on them, but this happens after the fact and therefore they can only be reactive, not proactive.
So from a data science perspective we have large historical datasets collected across many clients and industries and a very accurate set of training data (chargebacks versus non-chargebacks). Working on that historical dataset, it is an exercise in choosing the right models to optimise the levels of recall and precision that they provide. Recall is the share of fraud that was successfully predicted; precision is, out of all the transactions the model calls fraudulent, the proportion that are actually fraudulent.
Ideally this would identify 100% of fraud with 100% accuracy, which is nearly impossible, so it’s really a question of how close to perfection the models can reach. Once the accuracy of the models is deemed acceptable it is time to start predicting.
It is important to consider where these predictions come from. From within these datasets we construct features. These are data points, like the age of the customer account, the value of the account, the origin of a credit card. There can be hundreds of features and each contributes to a greater or lesser extent towards the fraud probability. It is critical to note here that the degree of contribution to the fraud score is not determined by a fraud expert or analyst. It is data-driven based on the training set and generated by the artificial intelligence of the machine. There is no explicit programming done to achieve an expected outcome. So, to use the above example, if the Turkish cards are proving a major contributor to proven fraud then the level of contribution will be high. If it is not seen again its contribution level will diminish. Crucially, the models self-learn without explicit programming.
These features allow a machine learning-based system to be inspectable - which means it can show the level of contribution a feature made towards the fraud determination. This ameliorates the black-box concern around machine learning-based systems by explaining to a fraud analyst which features were the most significant contributors. Additionally, users are encouraged to confirm the system’s decisions by marking customers as genuine or fraudsters. This feedback improves the machine’s ability to learn and therefore become more accurate.
So in order to predict fraud three steps need to be completed: the features from a dataset need to be extracted, a training set provided and the models built. In practical terms a model can be reused for similar data. For instance, a model that works on one retail ecommerce site will likely work on another with minor adjustments for slightly differing features, which means that in real-world implementations this process is relatively quick.
This means for merchants who have a system like this in place that their visitors are being assessed for fraud all the time. A score is being created with every significant action or event that takes place on a merchant’s website or app. If the system assesses that an action is sufficiently suspicious, so much so that it breaches a fraud probability threshold, then that user will not be allowed to make a purchase.
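The contrast drawn above between a blanket card-origin rule and a scored, inspectable model can be worked through on a small constructed sample. This is an added example, not Ravelin's code or models: it uses a Bernoulli naive Bayes classifier as a stand-in, and the feature names, the sample counts and the 0.5 threshold are all assumptions.

```python
import math

FEATURES = ("flagged_country", "new_account", "high_value")
# Constructed sample: (count, flagged_country, new_account, high_value, chargeback)
ROWS = [(40, 0, 0, 0, 0), (20, 1, 0, 0, 0), (10, 0, 0, 1, 0), (5, 0, 1, 0, 0),
        (5, 1, 0, 1, 0), (2, 0, 1, 1, 0), (6, 1, 1, 1, 1), (8, 0, 1, 1, 1),
        (2, 0, 1, 0, 1), (2, 1, 0, 0, 1)]
DATA = [(row[1:4], row[4]) for row in ROWS for _ in range(row[0])]

def train(data):
    """Fit Bernoulli naive Bayes; returns (prior log-odds, per-feature weights)."""
    fraud = [x for x, y in data if y == 1]
    legit = [x for x, y in data if y == 0]
    weights = []
    for i in range(len(FEATURES)):
        # Laplace-smoothed P(feature = 1 | class)
        pf = (sum(x[i] for x in fraud) + 1) / (len(fraud) + 2)
        pl = (sum(x[i] for x in legit) + 1) / (len(legit) + 2)
        # Log-likelihood ratio when the feature is absent (index 0) or present (1)
        weights.append((math.log((1 - pf) / (1 - pl)), math.log(pf / pl)))
    return math.log(len(fraud) / len(legit)), weights

def contributions(model, x):
    """Per-feature contribution (in log-odds) to one transaction's score."""
    _, weights = model
    return {name: weights[i][x[i]] for i, name in enumerate(FEATURES)}

def fraud_probability(model, x):
    log_odds = model[0] + sum(contributions(model, x).values())
    return 1 / (1 + math.exp(-log_odds))

def precision_recall(data, decide):
    """Precision and recall of a decision function against chargeback labels."""
    flagged = [y for x, y in data if decide(x)]
    return sum(flagged) / len(flagged), sum(flagged) / sum(y for _, y in data)

MODEL = train(DATA)  # scored on the training sample itself, for brevity

def rule(x):
    return x[0] == 1  # the blanket rule: review every flagged-country card

def scored(x):
    return fraud_probability(MODEL, x) > 0.5  # threshold is an assumed value

if __name__ == "__main__":
    print("rule  precision, recall:", precision_recall(DATA, rule))
    print("model precision, recall:", precision_recall(DATA, scored))
    print("contributions for (1, 1, 1):", contributions(MODEL, (1, 1, 1)))
```

On this sample the card-origin feature still contributes to the score, but far less than account age or order value, which is the kind of per-feature breakdown an analyst would inspect.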
Moving beyond manual review
Is fraud detection ready to move past manual review? For businesses where speed, scale and efficiency are paramount, the answer is that we have to. As an industry, in order to defeat or at worst lessen the onslaught of fraud, we have to provide more accurate, faster decisions when they are needed. And machine learning is the only mature technology available to do that. That is not to dismiss the importance of human intervention and insight. Our customers need to understand what is happening in their business at the point of payment and we have to make every effort to provide that information. However, this information should be used to make better the next generation of automated fraud prevention, not used to supplant it.