November 14, 2018
Fraud Arms Race
Stories from the Front Lines
Eric wraps up this fascinating dive into the world of fraud with Jared Dirkschneider, Senior Business Manager at Capital One. In this episode, Jared shares insights and anecdotes from a career spent battling credit card fraud.


Welcome back to the Finance Frontier. I’m your host, Eric Hathaway. Over the last few episodes, we’ve taken an in-depth look at fraud in financial services. Today, we’re taking yet another angle, one that focuses on the frontline fraud warriors. These people are using all the tools available as well as their insights and intuition to keep the organizations and the people who do business with them safe from fraud. I have the pleasure of speaking with Jared Dirkschneider, who is a Senior Business Manager with Capital One. I asked Jared how he got into the business of fraud in the first place.
Jared: I actually joined this area right when it became interesting. I’ve been very passionate about it ever since. But going back before then, I started my career with Cabela’s World’s Foremost Bank; they issue the Cabela’s Visa credit card. I started that role in their analytics area shortly after I graduated college and just worked my way up from there. Did a lot of analytics roles within there.
[00:01:00] The last four years I’ve been focused on the fraud strategy and analytics piece for Cabela’s. Like I said, that’s right when it really became interesting. That’s right around the time when the big Target data breach hit in November of 2013. Home Depot was a big one right after. Hundreds of other mid- to small-size breaches. That’s when fraud just really started going through the roof in the industry.


As a retailer, obviously you are dealing in the card aspect of the business. What are the types of fraud you are seeing most prevalent?


Most prevalent in today’s world is definitely card-not-present fraud. Predominantly ecommerce fraud, but counterfeit credit cards is another major category that we’ve fought for a number of years. That one actually spiked right after that Target data breach that I mentioned. In 2014, it’s the heyday of counterfeit fraud. It was before the industry switched to EMV chip cards, which really shut down that ability for fraudsters to use counterfeit credit cards.


But we see all different types of fraud. We see lost card fraud, somebody picks it up and uses it; or physical stolen cards, all the way to the fraudulent applications that I mentioned. Now a big one that’s starting to come up is account takeover fraud. They’re exploiting our call center area, which is the weakest authentication point for banks right now.
Eric: Just to give an idea of how large it is, total percentage of fraudulent transactions compared to total transactions; do you know that number?
Jared: From a dollars perspective, it’s usually in the range of 15 to 20 basis points. It’s actually fairly small as a total percent of sales.


Okay. But transactions, we don’t have a number; that’s more total dollar volume in the store.
Jared: Purchase dollar volume.


Purchase dollar volume, interesting. Something that I found in a report that came out recently is that CNP fraud is looking to exceed 7.2 billion dollars in the U.S. by 2020. That’s a big number as far as total. That’s inclusive of all retail financial services across the board, so that’s not just in retail services. The interesting side of it is that, that’s a huge increase since 2015. But ecommerce fraud as a whole globally is supposedly going down, but we’re still seeing the card-not-present increasing. Have you seen that same trend?



I’d say we’re seeing both increase. I’m not sure I would agree with that ecommerce globally going down, at least from an issuing bank perspective. Now, maybe part of that is shifting, whereas the retailers aren’t taking as many losses. But there is the other piece of card-not-present, which would be a keyed transaction, where it could be a catalog order or sometimes over-the-phone, something along those lines.


We’re seeing an increase in that because fraudsters are always looking for a loophole or something to change up the way they commit the fraud; because, we have thousands of fraud rules from a transaction perspective in our system right now. Most of them are focused on ecommerce or physical swipe or dipping of the card. I think fraudsters are always moving to that loophole or that area that’s not the focus. A keyed transaction has not historically been a problem for us.


Because they’re going to continue to fight new ways. I’d be curious as to how they’re fighting EMV. You said it dropped dramatically after the EMV chip came along, but that’s going to have to be addressed here pretty soon because somebody’s going to figure out how to get around that too.


I don’t know how or when they’re going to get around figuring out fraud with the EMV chip, but it’s definitely deterred them from that channel, and it’s just shifting to those other channels that we had talked about. It’s never going to go away. Fraud is always going to be there, we’re always going to be chasing their new ideas and finding the loopholes; which is why I think it’s a really interesting area to be involved with. Good job security, that’s for sure.
Eric: It’s not going away. That’s interesting. How do you go about creating a strategy from an institution perspective, keeping up with the changes and is it effective? Or are there different ways that you think you could go about it from an institution to be effective?


I’d say it’s definitely difficult to keep up with that. I can go back to about three years ago: we had a major company-wide initiative because the fraud rates in 2014 were the highest we had ever seen. It definitely got the attention of our executive leadership. They started this company-wide initiative to address that increasing fraud landscape.


It had lots of different components. The EMV chip card reissue was a major one which helped drive down that counterfeit fraud that we talked about. Another big piece was, we implemented a new fraud strategy system. We were working with a fairly archaic system that had limited functionality within our rules that were targeting the fraud authorizations. So we implemented a new one.


In that strategy, was it something where you were building out and coming out with ways to address the fraud internally? There’s different companies out there providing tokenization options that we’ve talked about a little bit. Behavioral biometrics is something that some of these fintechs now are addressing in different ways. Was it a mix of both that you had to use to fight this, and how were you conglomerating all of that? What was the strategy to say, ‘We’re going to go out and use external data, we’re going to use our own data, and we’re going to bring those together’?


I’d say it was predominately using external vendors, external products to address our issues. We’re a fairly small- to mid-sized financial institution. We didn’t have a huge tech department to develop new tools and new applications. One of the other pieces of that landscape project I talked about was working with ID Analytics, where we installed a new model at the time of application to pick off suspected fraud. That’s been extremely beneficial for us. We’ve seen our application fraud losses come down almost 50% in the last few years from where we were.
Eric: Wow.



We were starting to have some conversations with some vendors that had some interesting solutions in the call center area. One of the vendors was Pindrop, that we were speaking with. They have a product or solution … whatever you want to call it … that analyzes the phone call, the background noise of the phone call. It’s pretty interesting. They call it phone printing, and they can tell you a number of different things. They can tell you where the call is being originated and if it’s being routed through different networks.
Eric: Really?
Jared: It can tell you the cell network that is being used. You can marry that up with the address and customer information we have on file and say, ‘Well, this looks weird. This doesn’t look like John Smith from Arkansas.’ You can essentially blacklist that voiceprint or that voice ID so that if that same person calls in again in the future, it’ll automatically flag it and say, ‘This is a bad guy.’


Just from the voiceprint; not the number but the actual voiceprint.
Jared: Yeah.
Eric: Wow, that’s incredible.
Jared: The call center is definitely the weakest point of authentication when it comes to banking. My experience with credit card banking, they’ve moved away from trying to attack our online services, knowing that we have some security procedures in place there. But the call center is definitely the point that they’re focused on right now.


Which is really interesting because, I think, as we have in this day and age moved to a more digital transaction, as financial institutions are moving more digital, fraud has increased because those digital channels are easier to access for some of these fraudsters. But you’re saying that you’re seeing now that a lot of these systems are being put in place and it is being fought effectively, that they’re almost moving back to that original form, and the call center is the weak spot.


That’s exactly right. Most companies are not investing in that area. They’re investing in all the digital stuff, the applications, the biometrics.
Eric: In the strategy that you created, it’s changed along the way. You talked a little bit about short-term and longer-term how you address those problems, a little bandaid fix, but then if it becomes a bigger problem, looking at more solution oriented. Would you change that strategy today if you had to redo it? Or was it the right strategy that you created three years ago?
[00:10:30] Because it’s not a market that lasts for 10 years and this strategy will work for 10 years. Probably no strategy is anymore. But was it the right strategy? Did it work? Has it worked? What would you do different moving forward? What do you see coming down the road that you would say, an institution really needs to pay attention to in developing a strategy around fraud prevention?


I’d say it was the right strategy at the time. But in retrospect I think it wasn’t a complete strategy. I think we missed the authentication concerns in the call center that we should have addressed at that time.
Eric: But did you have the knowledge three years ago? Was it happening enough to have made that part of the strategy or was it only a hole because hindsight is sometimes 20/20? Right?
Jared: Right. At the time we didn’t have really any major issues within our call center authentication because the fraudsters were still running wild with counterfeit cards. They had no reason to do that channel.
[00:11:30][00:12:00] There’s another one that comes to mind when it comes to ecommerce fraud, there’s a lot of talk right now about 3-D Secure. The MasterCard version is called SecureCode, and Visa has one called Verified by Visa. Essentially, it’s a protocol online where the retailer is unsure about a particular transaction based upon thresholds that they put into place, they think it may be fraud; they can send that to the issuer and say, ‘Hey, we’re not sure about this one.’ At that point, it’s the issuer’s liability.


Traditionally ecommerce transaction, if it’s fraud, an issuer can charge it back to the merchant. That’s where the liability lies. But in this case, if the merchant’s participating with 3-D Secure and they’re not sure, and they send that over to the issuer to say, ‘Hey, you check on this,’ that’s when that liability shifts. Right now I think it’s important for issuers to look to participate with that so that they can make a better decision and decline the fraud.


Something that comes to mind is fraudsters … they’ve been doing this for a number of years … using brute-force attacks and they pick Credit master fraud, where they’ll take a set expiration date and CVV value and then they’ll run through combinations of account numbers until they get a hit; until they get something that gets approved. They can do that automatically through a computer program. It just runs through thousands in an hour or however fast it is. Then they can essentially get credit card information without even purchasing it on the black market.
Eric: The black market has become an interesting business. You can buy a credit card number for fifty bucks.
Jared: Or even cheaper in a lot of cases.


A lot of cases. And you can buy banks of them. There’s these service level guarantees where if the credit card numbers aren’t real, they’ll give you your money back. That’s a business model now. It’s no longer just a buy it and see what happens. This is a full-blown business model, which I think is going to become even more scary. We’ve seen the next generation come out. They aren’t going and working for some of these big businesses anymore; it’s start your own. As we start to challenge that model, does that become a normal business for some of these kids coming out of college? It’s easy, right? Yes it’s wrong, but there’s that balance and that gray area. I’m curious to see where that’s going to go.
Jared: That’s a scary thought.


It is. One of the areas we touched on briefly was the customer interaction. As fraud increases, as these different systems get put in place, as fraudsters combat those and more systems come to play; as a customer, I get a little tired sometimes of a bank canceling my credit card if I move to a different state. Saying, ‘Hey, it’s on hold because we believe this might be a fraudulent transaction. Call in or send a code.’ The code comes, I’ve got to remember the number, I’ve got to stick it in.


It’s not a particularly smooth process. Obviously, being in the financial services sector, I do appreciate some of that information because they are protecting me as a consumer, number one. They’re protecting themselves as well. How do you balance that or how do you see that balance of fraud prevention and the customer experience? Because as customers, we are becoming very demanding and a little bit spoiled. We want things done instantaneously. We want money now, we want access to our account now; we don’t want to have to go through a bunch of processes.


Absolutely. It’s been a challenge ever since I can remember, even way before I was involved in this space. One of the things that we’ve taught our cardholders over time is to give us a quick call in advance if you’re going to be traveling somewhere or making a large purchase so that you don’t get interrupted. Now that actually opens the door for fraudsters in that call center authentication thing I was telling you, because they can do that in advance and then they get a lot more out of their fraud than they would have normally.


But we definitely monitor that very closely. We have a metric we call a False Positive Ratio, where it’s just the number of good transactions that we’re declining to the number of bad or fraudulent transactions. We try to keep that in the four to five to one range. It’s still 20 to 25% fraud rate, you could call it if you look at it that way. I think that’s been a fairly good balance for us.


Of course, we always get customer complaints, and we’re always monitoring those. We evaluate every single rule we have in place on a weekly basis just to make sure that they’re still being effective. Because, if we put something in because we’re seeing a hot fraud trend, a week goes by, the fraud trend’s over, all we’re doing is declining legitimate customers. We want to be able to be on top of that quickly so that we’re limiting those bad experiences.
Eric: Absolutely. You mentioned a number of data points in a single transaction that are being checked. How many are there?


In a typical transaction you have probably five to 10 specific elements that are being checked just for validity and matching to the customer account record. I would say there’s another 40 to 50 different variables that we can use. Whether that be the merchant name or merchant category, all the way down to the distance from the cardholder’s home that I had mentioned. We can actually customize our own data elements and we can put things together and create a more specific type of data variable to use, to combat these fraud trends we’re seeing.


If you looked at a percentage of the data that you have compiled over the years of being in business, and then this external data, would you say there’s an equal mix of your using your own data and this external data? Or is it mostly external data now? There’s so much data that’s been produced over the years of their clients transacting with the business, that there is useful information within the organization as well. How to mix those two is something that’s being talked about in the market today.


That mix is growing more towards internal. Historically, when I first got into this space, it was largely using the elements from the Visa Authorization stream and the first data elements that were available to us. But that’s something that is very interesting, trying to leverage prior customer behavior in these decisions. This person travels to Canada to go fishing every June for the last 10 years; why are we declining him again? We should be able to leverage that information and make that positive.


Well, in taking that to the next level, it also came up … probably a novel concept … but that institutions might possibly want to start sharing some of that data between each other, which could potentially become a database of information. If it were shared, it might help fight some of that fraud activity as well.


That’s interesting. I’ve participated in some of the industry round tables with a lot of the major banks … fight credit card fraud. It’s very interesting that the fraud space is definitely the most collaborative space across the whole industry. Everybody’s fighting the same battle and there’s really no secrets to be held onto. Everybody wants to chip in and get ideas from each other. Whereas, when you go to other round tables that talk about collections, practices or origination strategies, people hold those a little more, closer to the chest.


If these banks could be more collaborative, it might help set down or at least reduce some of that transactional or the cost in fighting fraud across all organizations.


Another thing that’s sad to think about, but the vast majority of fraud cases that we see, there’s no legal investigation going on. The banks are just writing it off in most cases. Unless it reaches a certain threshold like a very large loss, we may involve some of the authorities or some local PD for the area that we saw the fraud. But it’s sad, a lot of times these fraudsters are not even being investigated.
Eric: Is there a threshold from a retailer’s perspective? Does it matter or is it all at that card perspective where, ‘Are we going to go after the fraudster’?


It’s really a case-by-case basis. We had one particular example a few years back. There were multiple charges made to a Macy’s store in Pennsylvania. It was in a town very close to one of our Cabela’s stores there. We actually had Asset Protection within the Cabela’s store. We had a contact there, just told him what was going on. He had police contact in the area, so they ended up investigating and getting some video from the Macy’s store. Ultimately they caught the guy.
Eric: What kind of volume was that?


It was over a hundred thousand, yes. Similar threshold to what you’re talking about.
Eric: Those fraudsters that are five, ten thousand dollars, nobody’s chasing them down, so it doesn’t stop them from doing it. They just change the organization they’re going after almost. Anything else that, from the institution level, that we might not have covered as far as advice to an institution, looking at implementing a fraud strategy or addressing fraud today that we haven’t covered that you’d like to add?


Payment kiting, payment fraud. What we see is somebody would get a new account, let’s say a ten thousand dollar credit line. They would go out, max it out right away and then they’d make a payment, a full payment. But ultimately that payment comes back with insufficient funds, or that-account-does-not-exist type scenario. In the meantime, before we know the payment is no good, they went out and charged it up again. Now they got 20 thousand dollars on a 10 thousand dollar line.


It’s definitely a component to make sure that you’re addressing. We use historical information to come up with criteria that has a good chance of it being a bad payment, and then we can take an action to what we call float or hold the funds. We don’t release the available funds immediately. We hold them for seven or 10 days to make sure that the payment’s good.
Eric: Well, Jared, thank you very much for joining us today.
Jared: Thanks, Eric.


If you enjoyed this interview, don’t miss our other episodes. Subscribe to the Finance Frontier wherever you listen to podcasts, or listen online at thefincancefronter.com.

Love the show? Want to be featured as a guest? We’d love to hear your questions and comments and welcome guest recommendations. Our producer Sara Tatnall can be reached at sara.tatnall [at] zootweb.com.
