TransUnion
01/26/2024
Podcast
In this episode of the TransUnion Fraudcast, Ricardo Font, Director of Product Management for Fiserv, joins us to talk about mitigating bot fraud, navigating the internal friction vs. CX conversation, and what to bear in mind when moving fraud systems to the cloud.
Jason Lord:
Hello, and happy new year. Welcome to the TransUnion Fraudcast. I'm your host, Jason Lord, VP of Global Cross-Solutions Marketing.
We are your essential go-to for the absolute linkages between the day's emerging fraud and authentication topics, trends, tropes and travails, delivered with all the straight talk and none of the false positives.
In 2023, we had the good fortune of having a number of very smart people, certainly smarter than me, on the Fraudcast to talk through the many different dimensions of fraud –– everything from effective model building to identifying synthetics to the impact on the call center customer experience.
But it's fair to say that many of these conversations have been a bit theoretical.
What about from the client side?
I'm interested in hearing more about how an organization understands their own problems, what types of internal challenges they're up against, how they measure the issue, what they look for in a solution…which is why I'm absolutely thrilled to have with us today Ricardo Font, Director of Product Management, Identity and Security for Enterprise Applications at Fiserv.
Fiserv, of course, is the leading global provider of payments and financial services technology solutions, providing account processing and digital banking solutions, card issuer processing, network services, payments, ecommerce and much more.
It's safe to say that if you do banking of any kind, Fiserv likely has a role to play in it, and Ricardo has been working in the networking and security arena for over 20 years, including concentrations in networking, endpoint solutions, identity and government systems.
And he is an excellent ambassador for the needs and challenges of any organization looking to improve their identity and fraud capabilities, without compromising the customer experience.
Ricardo, welcome to the Fraudcast.
Ricardo Font:
Thank you, Jason, it’s great to be here today.
Jason Lord:
In full disclosure, Fiserv is a partner and consumer of TransUnion TruValidate Fraud Solutions, but we're not necessarily here to talk about that.
What I'd rather talk to you about is your experience in identifying and combating fraud in the field.
So let's start with a perennial issue.
For many organizations, there's been an explosion of the use of bots to harvest PII and commit automated fraud attacks, and I'm curious from your perspective, Ricardo, when a customer is in session, how can an organization distinguish whether they're a legitimate consumer or a bot?
Ricardo Font:
Fantastic question. I'm glad you brought it up because it's funny, you know, this year 2024 has already started with an enormous amount of activity when it comes to botnets overall, and we've seen quite a number of uptakes happening even within the first few weeks of this year.
And yeah, that question about how exactly is it that I'm going to distinguish between the person who is who they pretend to be as opposed to who they really are once they actually log into the system –– how does this system really, you know, tell them apart?
And the truth is that it's very, very difficult to do, right, because now you've already established…or at least gotten into the system. And I'm only going to be able to really look at what you're doing within the system and how you're doing it.
What is your behavior as a user within the system versus what this thing that is presenting itself to be you, or pretending that what is the difference between the two?
And so if all of a sudden I'm used to logging in as an end user, I check my bank accounts, I spend a little bit of time thinking about what's going on, having to do with, you know, my day-to-day transactions, how I pay my bills and things of that nature.
I'm going to take some time over certain screens. I'm going to observe certain things.
I'll have definitely a set pattern to what I do in the system.
Jason Lord:
There are certain human behaviors that are different than what automated behaviors look like, is that right?
Ricardo Font:
Absolutely. And that is kind of the baseline that, you know, to tell these two things apart, it's establishing that baseline of what is it that I normally do and what do your normal users or real users actually do within a system, versus kind of the targeted sort of thing that a botnet will do, which is at first glance after the login it becomes really, really obvious as to how exactly they're targeting certain things about accounts.
Jason Lord:
So what do some of those human behaviors versus bot behaviors look like?
Ricardo Font:
Yeah, a bot for instance, you know when even from the point, from the exact moment in time that you're accessing the system, how quickly do you actually type in your username and password, right?
As a human, there's a certain…you might fat finger a thing or two… You might do that one or two things that you might pause for a second. But if it's a copy and paste sort of like bam, I'm into the system, then that definitely reeks of automation.
And once you're actually within the system, what you're actually accessing within the fields, like you know, I'm going to, if I'm looking at a menu structure that's in front of my screen, I'll click on something to see, well, what are my accounts? And let me take a look at this balance, and I might look at…these are the three big bills that I have due this month, right?
And I'll spend some time within certain areas, moving my cursor a particular way.
And you know, when you're thinking about how a botnet will work, they're going to try to make their system log in and log out as quickly as possible to do the things that they're going to do.
Potentially transfer information, go straight to the money transfer or along the lines of, even if they want to go low and slow, they might keep the quantity small.
It's going to be a weird sort of thing that you're doing in terms of what sort of money that you're transferring.
It's going to look different than what you normally do, especially if you're an end user that doesn't always transfer funds around. So those are the sorts of things that how exactly they target specific functions within the system and how quickly they do that.
All of those become red flags.
Jason Lord:
And if you think of just the application process –– because applications are a big focus for bots, if you're running, if you're a fraudster, whether you're a human or a bot fraudster, the way that you fill out an application is probably going to be different than the way a human being does.
Like if you probably don't have to think to remember what your last name is, but you may have to pause a little bit when you're trying to remember what your childhood pet's name is, or something like that, and all those things happen in milliseconds and probably are measurable to a fraud-control system.
Ricardo Font:
Absolutely.
And those become interesting spikes and nuggets of information that a fraud system is going to key off of to see that something is illegitimate.
Jason Lord:
Now, when I hear something like preventing fraudsters or bots from applying or getting through or conducting transfers, any of those types of activities that a consumer would normally do, it might be normal for me to say “but I don't want to slow down the consumer experience for legitimate consumers.”
So when you're having those internal conversations about friction versus fraud prevention, how do you navigate that to ensure that the business end of it isn't given short shrift?
Ricardo Font:
That is definitely the perennial task of the product manager within any organization, right?
Which is really balancing that and at least from our point of view, at least with our internal conversations, are always centered around, look: If a business is putting an application out there for the world to consume, be it in finance or any other type of application, the value of that application becomes in how much it's used.
So “we want to minimize friction” becomes the number one thing that we're actually after, or at least decreasing that friction, when it comes to the user experience.
It used to be a time and place and a date where you had to…it was a seesaw, right, where that if you increased security, you were decreasing usability.
And so you had to make that sort of call, but we're kind of living in an era right now where we have enough technology and systems to actually not have to make that decision.
We can increase security and actually decrease the friction that's in play altogether, all in one shot.
Jason Lord:
I'm so glad you said that, Ricardo, sorry to interrupt you, because my biggest pet peeve is when people use the word “balance” to describe friction versus customer experience, because to me it's not a balance.
If you can distinguish humans from bots effectively, you are improving both of those things.
It's not a zero-sum game.
Ricardo Font:
That is absolutely correct and I think when folks will talk much about or there's much conversation around, well, you know there is automation, there's data sets there’s all of these things that are coming together as these technologies are converging, and what we really get down to is yeah, how do we just make sure that the security system is doing its thing in the background, and I could just keep doing what I need to do in the foreground?
There's no reason why we can't have that.
Jason Lord:
Now, as a product owner, or product manager, rather, I'm sure that you're having a lot of internal conversations about moving systems to the cloud. Is that fair to assume?
Ricardo Font:
Absolutely, constantly happening every day. We're doing much of that today, right as we speak.
Jason Lord:
So now knowing that is a conversation you're having a lot, what are you thinking about when you're thinking about moving programs or systems to the cloud?
Ricardo Font:
Good question. We have –– and when we talk about cloud, I'm really centering around the public cloud offerings that are out there.
So, you know, using Amazon web systems or using…what is it, Azure from Microsoft or Google, whatever the cloud system may be, I think one of the central pieces that really rings forth and what isn't always considered is that most organizations are looking, hey, let's take the applications that we had and we hosted before and let's just stick it into the public cloud.
Whereas not a lot of thought –– or it seems like there's a lot more thought that needs to be placed into how do I break that application apart and potentially bring it and leverage the advantages that the cloud brings?
Resiliency, scalability, being able to auto-heal, all of these great things that come forth when you're deploying something in Azure or any one of these other cloud systems.
And so the thought is take my application, let's do a feature parity with what it is today and just replicate that in the cloud.
And it's like, Nah, that's not really what you want to do, right?
You have to look at this application and say, well, that was relevant 20 years ago and what it used to do and what are the new, what are the features right now that are important?
If there were 10 features that it had before, maybe today it's only five features that are needed, but then from the consumer point of view, why do I care as a consumer that you as an organization are moving to the cloud?
Well, it's because hopefully you're bringing and using that opportunity to bring forth a set of features that are class-leading things I couldn't do before, right.
So I went from an application to the 10 things down to five things, and bringing it back up to 10 things –– but 10 new things that it didn't do before. And that often isn't really brought into kind of like the resourcing and the cost really involved around doing the research, doing the lift around, you know, what's the industry doing, what are the trends, where is it going to and what do people need and want within the system.
So it isn't a simple lift and shift into the cloud. It is re-factor what you were doing before as well.
Jason Lord:
Well, you bring up something really interesting that I had not considered, which is that moving…to your point, moving a system to the cloud should be an opportunity to examine what is relevant, what is necessary, what needs to be updated, but it may be also a place for us to look at technologies that could be outdated by now, right?
That maybe it's time for us to consider what was the original purpose and intent of this, and are there elements of it that are no longer relevant or could be updated in some sort of way.
So maybe moving a system to the cloud is the best opportunity to re-look at the entire fraud system itself.
Ricardo Font:
Yeah, and unfortunately, for many organizations, the stewards of that information of why it was relevant initially, and that application, may not even be with the organization any longer, or the organization, with any mergers and acquisitions that occur, they might have taken a different direction.
So the idea is now not only an application represents this slice of time as to what was valuable to that organization then, but you now need to take that into the context of everything that's occurred in that organization and its people now to understand what is it that I can bring forth that's going to be valuable today.
And that is, you know, it takes some analysis, it takes some time.
Jason Lord:
And not just order taking, right, not just moving and shifting something to the cloud, but actually asking the questions of why is this relevant and how is it serving the business today.
Ricardo Font:
Absolutely.
Jason Lord:
So to bring it back to the friction versus conversion conversation we were having a second ago, KBA is the common whipping mule of the friction application process.
Knowledge-Based Authentication, which is the asking questions that presumably a consumer would know –– but, let's be honest, fraudsters probably know better than consumers these days. It slows down the process –– it's not foolproof.
What other obstacles, besides KBA, are preventing organizations from having friction-right fraud systems?
Ricardo Font:
Yeah, that is…in identity we always talk about, you know, to fully validate what a person is, or at least a person behind the keyboard, against their online identity, you need to know those three factors of authentication, right?
Something that you know, something that you are, something that you have.
So you present when you were talking about within the realm of something that you know, that's your username and password. Those are the knowledge-based questions. Unfortunately, knowledge is something that we share, right, whether we want to or not.
Whether you gave your spouse or something that your username and password to log into your account, or whether or not you're, you know, somebody filled out a form online that had a series of kind of personal information where somebody was mining that information to then use it to try to access your system.
So there is the actual, there's that need to bolster everything, things that you know with either something that you possess, which most of us know if you've ever used a system that asks you for that, you know we're going to send something to your phone with a one-time passcode and you need to input that into the system.
That's something that is going to a device that you possess and you show possession of that…or something that you are, which is a biometric of some sort; use your face or use your finger or anything along those lines.
So I think what really prevents getting fraud under control when it comes to that is really still providing multiple other factors to validate that identity that is still as friction-free as possible, right?
Because we live in a world now where you can use a passkey with Google, you just basically show your face on your device and you're into the system, right?
Beautiful user experience, but then there's the pullback of like, oh, they've got my, you know, there's my face in there. Is this a privacy invasion? What is going on?
So I think counterbalancing being able to provide that with making sure that customers or clients that are users are still comfortable with what's being asked, that's the biggest challenge that we have right now.
I think we're way beyond the point of, you know, we all know that we need to do more to validate the identity.
The question is, how do we surface that as cleanly as possible…and then it's user education at the end of the day, what's actually happening when this happens?
When you're providing this within a system, I think those are the biggest hurdles that we have right now, just that general education of security versus usability.
Jason Lord:
Well, and AI has only accelerated this process from every angle of it, whether it's the fraudsters using AI, whether it's the fraud prevention systems, taking advantage of AI, or even consumers’ interaction with AI.
I'm curious to know, from your perspective, how has AI changed the game in terms of fraud prevention?
Ricardo Font:
Good question. Because I think AI and machine learning and concepts of that nature have, you know, kind of been co-opted by marketing.
You know, I've seen a lot of systems that I go and interact with and they claim to have AI and machine learning and it's just basically another little ruleset that they add to the system, or something along those lines.
So it's kind of, you know, to kind of play the game, you say that you have this but it isn’t really out there.
True AI, true machine learning, is really about being able to take enormous amounts of information and distill it so that you and I can consume it.
So it used to be that, you know, you needed a legion of, you know, engineers or folks to figure out well, if a particular person is logging in from a location and there’s this website, there's this place that they're located in the world, geolocation, all of the stuff that used to be the work of lots of folks trying to figure out whether or not something was fraudulent.
What AI has done for us has definitely brought all of those things together. I always equate it to kind of like preparing that meal, right.
If you have to make dinner or something, you buy all of your ingredients and then you know you have to go home and cook it all together. AI is doing the cooking for us, it’s taking all of those ingredients, bringing it to a form that now says OK, these are the hotspots within all of this data that you need to kind of focus on.
And with that, now you can better use a human to decide whether or not this is worth investigating further, or at least I can now more easily stitch that information together, you know, figure out fraud occurred here and now I have visibility into these other three instances of fraud that were all related, that were all due to this one attack, to this one botnet.
And now –– and for those out there that do fraud investigations, we always talk about blast radius, right, who has been, what other accounts have been affected by the same sort of fraud.
Customer calls in and says that they had $1000 that wasn't their transaction.
And so the fraud investigator will look at that and say, here's that singular instance, but we know that it was related to botnet A, and now where within my system that I see all of that or potentially other accounts affected in that same way, that's where AI really comes into play, accelerating the fraud investigation timeline.
Jason Lord:
Focusing those fraud-fighting resources on the minority of interactions that actually deserve it, and perhaps drawing nonintuitive correlations that the human fraud investigator may not have picked up on.
Ricardo Font:
Absolutely.
Jason Lord:
Ricardo, thank you so much for your time today. This has been most insightful, really appreciate it, and we thank all of you for tuning in.
We hope you'll join us for upcoming Fraudcast episodes. In the meantime, stay smart and stay safe.
Your essential go-to for all the absolute linkages between the day’s emerging fraud and identity trends, tropes and travails — delivered with straight talk and none of the false positives. Hosted by Jason Lord, VP of Global Fraud Solutions.
For questions or to suggest an episode topic, please email TruValidate@transunion.com.
The information discussed in this podcast constitutes the opinion of TransUnion, and TransUnion shall have no liability for any actions taken based upon the content of this podcast.