“ Thursday. 7:26 pm. Dimly lit office room. Every pair of eyes in the room following fixedly the threads on the screen. We’re on the trail of a FRAUDSTER. Literally breathing down her neck. Her? We sometimes give them a name. Just like aerologists give names to hurricanes and cyclones, we dub hackers too. After all, they love taking on multiple IDs. I’m sure they wouldn’t mind. And so we’re following Catharina. Looks like a genuine cardholder at first glance. She’s just booked a flight. Must be in a hurry as the plane takes off in less than 42 hours. Or she’s a travel aficionado in a desperate need to visit Latin America. The email address has been active for quite a while. The telephone number is consistent with the country she’s apparently based in. She’s using a Galaxy S4. Spot on — old enough to discard easily and difficult to locate in case the police try to get hold of her. Jailbroken phone? Check. An older version of the app (more prone to security glitches)? Check! VPN? Nah. That would be too cliché. She’s grown out of it. Rhythmical, regular typing? Bingo! She’s a bot. On her way to commit a fraud. Wait… Are we just standing by and watching? Nothing to worry about — it’s only a test. And it took us less than 0.25 second.”
At Nethone we’re tirelessly dismantling and studying the anatomy of a perfect crime, a masterly fraud that goes unnoticed by the most thorough of systems, having soundlessly melted into a wave of countless payment transactions. We’re on a mission to achieve our goal — building a flawless solution that outsmarts safety systems — a Perfect Fraudster.
Hang on…
Shouldn’t we be doing the polar opposite? Well, the immune system learns how to recognize and defeat a virus after having been exposed to it and so a vaccine is introduced into the body to trigger the desired response. Likewise, since fraudsters are getting more and more tech savvy, we’re training our Machine Learning models by confronting them with fraud to beat scammers at their own game.
I’ll gladly explain why this reverse approach proves tremendously effective so follow along.
Online fraud — sophisticated mastery
Where there’s smoke, there’s fire. Where there’s money, there’s fraud. As simple as that. As soon as you go online with your business, you’re exposed to fraudsters’ attacks. On top of that, if travel or luxury commerce is what you’re building your empire upon, your company is even more vulnerable to cyber attacks.
And the scale of the problem is enormous. In 2016 only, worldwide card fraud losses amounted to $24.71 billion from counterfeit cards, CNP transactions, lost and stolen cards and chargeback fraud.
The attacks become proportionally sophisticated to constantly advancing anti-fraud systems. Fraudsters manipulate web browsers, operating systems and devices to prevent the system from identifying a specific computer so the fraudster could use it multiple times to commit a crime.
Fraudsters are also turning to Machine Learning to launch their attacks, for instance using Natural Language Processing algorithms to train their systems to write more sophisticated and believable phishing emails. Another example is a technique known as “raising the noise floor.” This trick is specifically meant to inundate the common machine learning models with as many false positives as possible. The systems will automatically recognize them as false alarms enabling the fraudster to start a genuine attack having prepared the ground beforehand.
An uneven fight
Fraud prevention is a race, an uneven battle in which you have to keep up or, ideally, outrun your indefatigable opponent — the fraudster.
Many anti-fraud systems rely on predefined rules. To put it briefly, there are sets of rules that dictate what should be done in case of a certain event or under specific circumstances, like blocking a transaction automatically when its value exceeds a certain amount. Nonetheless, there are no ready-made solutions that will always be effective when it comes to fraud fight. As a result, being overly reliant on tools does not work in the long term. The only necessary toolset consists of an improvement-oriented attitude and the research-driven ability to adapt.
Why? The fraudster never sleeps and is constantly on the lookout for yet another unprecedented way of fooling your system. There’s no chance for you to predict their next step, but you can know for sure it will come as a surprise. At times, you might even be led into thinking that your system is well prepared for some new scamming technique, but I can assure you it’s not. You will have your site hacked with a brand-new approach and who knows, it might be too severe a blow to stay in the game.
Machine Learning as a solution
When humans fail in detecting fraud, Machine Learning comes to the rescue. Those of you who aren’t yet familiar with the topic and would like to learn the basics are welcome to get our Beginners Guide to Machine Learning.
Just as a reminder, Machine Learning is a subfield of computer science that allows the machine to learn how to tell fraudsters from legitimate users.
Whenever a customer initiates a transaction, the Machine Learning model thoroughly x-rays their profile, analyzing thousands of pieces of information that wouldn’t necessarily seem related to a human being in search of suspicious patterns. Everything is completed in milliseconds without compromising the effectiveness of the solution.
Here at Nethone, our continuous efforts to excel in preventing cyber attacks go way further. We not only build Machine Learning models to detect fraudsters and catch them red-handed but also to simulate the fraudster’s behaviour to assess the resistance of our models to the canniest of fraudsters.
You might say we’ve embarked on an endless quest to build the Perfect Fraudster…
The idea behind the Perfect Fraudster
You probably haven’t heard of the OpenAI projects so let me present it to you briefly.
OpenAI is a nonprofit Artificial Intelligence research company supported by the biggest names in the industry, with Elon Musk on board. Its chief mission is to, just like they say, “discover and enact the path to safe artificial general intelligence”. In doing so, they’ve been pushing the frontiers of knowledge by experimenting with AI agents.
One of their projects consisted in turning AI agents against each other in basic games to achieve specific goals.
In one of the challenges — sumo wrestling — the AI agents were initially rewarded for exploring the ring and other minor activities. Later on, only the victory — pushing the opponent out of the ring — guaranteed a reward. The agents tried various techniques, often in vain, improving their skillset and agility at the same time. As a result, they reached the goal on their own merits.
The AI agents self-learned physical skills such as tackling, ducking, faking, kicking, catching, and diving for the ball, without any human intervention!
Interestingly, the agents were able to transfer what they learnt into other situations. For example, an agent trained on the self-play sumo wrestling task was able to succeed in the task of remaining upright despite being perturbed by a strong wind. The most interesting discovery of the project though was that the agents were not that successful (overall and in transfer learning) if they had only been trained to confront an opponent with specific traits, while the likelihood of success was much greater if they were put against opponents of varying characteristics.
Ok, but how does this apply to fraud prevention?
Let me explain.
Perfect Fraudster = Perfect Fraud prevention system?
This brings us back to what I said about fraudsters constantly changing tactics to spoof anti-fraud systems.
Why not simulate such fraudulent behaviour in-house and recalibrate the tactics to plot an impeccable online fraud? Once this is done, let the anti-fraud system confront that embodiment of a perfect fraudster to self-learn how to fight it and make it grow ever stronger.
What do we want to achieve? By applying this approach, we will proof Nethone against varied real-life environments and make it more agile and smarter than fraudsters. Currently, thanks to our models and the profiler, we’re capable of reducing the number chargebacks by 80% and the denial rate by 25%. We will continue to improve those numbers and make Nethone more resilient to fraudsters’ attempts at manipulation.
So to bring this to a close, in order to win this virtual war, we simply took to a Chinese saying “to know your Enemy, you must become your Enemy”.
Aleksander Kijek, CPO of Nethone
Originally published at nethone.com on February 14, 2018.
