In the past several years, we have seen a slew of breaches, hacks and data theft. With every successful cyber attack, the black market for personally identifiable information (PII) grows, widening the pool for malicious actors to buy stolen identities and engage in identity theft and mobile and online fraud. These crimes directly affect financial institutions' bottom line, causing millions of dollars in credit losses, plus the indirect loss stemming from wasted collections efforts and a drop employee productivity. Stopping this fraud without adding friction requires a unique approach. Learn how Fortune 500 companies leverage trusted identities by connecting offline consumer identities to online and mobile identities so they can conduct transactions that deliver frictionless customer experiences, while also mitigating identity fraud.
This web seminar will cover the following:
- Review the driving factors behind online and mobile account origination and account takeover fraud trends
- Understand how connecting offline, online and mobile identities can deliver frictionless customer experiences.
- Learn how using authoritative offline customer data combined with digital online and mobile identities can create trusted transactions that, mitigate fraud.
So now without further delay, let's begin today's event, sponsored by Neustar, hosted by American Banker. It's my pleasure to introduce your moderator for today, and that is Mike Perkowski. Mike, you have the floor.
Thank you very much. Ladies and gentlemen, welcome to today's web seminar. I am your moderator, Mike Perkowski. We're glad that you could join us for our program, Using Trusted Identities to Fight Fraud and Reduce Customer Friction. As you heard, this program is hosted by American Banker and sponsored by Neustar. We certainly appreciate and thank them for their support.
On our program today, we're fortunate to have two expert speakers who are going to be covering this topic in their presentations. And we're also going to be taking as many of your questions as time allows at the back end of our program today.
Julie Conroy - Fraud, Data Security, and Anti-money Laundering Expert
First, we're going to hear from Julie Conroy, research director at Aite Group in their Retail Banking and Payments Practice. Julie covers fraud, data security, and anti-money laundering issues. And she has more than a decade of hands-on product management experience working with financial institutions, payments processors, and risk management companies, including a number of years leading the product team at Early Warning Services. Julie is often quoted in numerous media outlets, including The Wall Street Journal, US News and World Report, American Banker, and The New York Times. We're fortunate to have Julie with us.
Ken Jochims - Fraud and Risk Prevention Solutions Expert
Julie is going to be joined by Ken Jochims, director of product marketing, fraud and risk prevention solutions at Neustar, where he is responsible for creating and delivering the company's risk solution and marketing strategies. Ken has more than 25 years of enterprise software product marketing experience delivering fraud prevention, customer support, identity and access management, and IT infrastructure solutions to Fortune 1000 companies and financial institutions. Prior to Neustar, Ken worked for ThreatMetrix, Guardian Analytics, Genesis, CA Technologies, BMC, NeXT Computer, and Apple.
We're very fortunate to have both Julie and Ken with us today. As you did hear, we're going to have some interactivity on this program today, including two polling questions. And in fact, what we got to do to get this program started is to kick off the first of those two polling questions. So if we could just ask you to give us your answer to the following question. And you can select as many of the following answers as applies to you.
What Are Your Biggest Fraud Concerns?
Which are the following areas of concern are the most important to your organization? And your choices are customer friction, account takeover, account origination fraud, contact center centric fraud, mobile channel fraud, and online channel fraud. We're going to let everybody have a moment to review those potential answers and then select the ones that are appropriate here.
Once again, which of the following areas of concern are the most important to your organization? Customer friction, account takeover, account origination fraud, contact center centric fraud, mobile channel fraud, and online channel fraud.
OK. What we're going to do now is we're going to take a peek at the answers, and we're going to turn it over to our presenters to get us started. So we can see that the number one answer is account origination fraud, 59%, followed pretty closely by account takeover, almost 54%. And in fact, a number of these selections here are either above or very close to 50%. So we have an audience that's concerned about a lot of these things.
Julie, anything in the results here surprise you or consistent with what you've learned in your practice?
No, I would say that this is very consistent with the conversations I've been having across the industry. Account origination fraud, account takeover are absolutely top of mind right now for a lot of the banks I'm talking to. And also the challenge of how do you combat those without introducing too much customer friction. So it's very in keeping with the discussion we're going to be having today.
Yeah, this is Ken. Absolutely. So I agree with that. And I think what's interesting is that over time, I think we've seen the mobile channel fraud come up. I think it's equal now to online. So that's interesting to see. And I think what's coming up kind of fast behind is a contact center fraud. I know that we're starting to hear that from a number of our clients as well. So good results.
Highly organized criminals are exploiting and monetizing personal data
Yeah, and the reality is that all of this stuff is interconnected. So as we see all of this data that's at the hands and at the disposal of the criminal rings today — and I love this graphic, because it just does such a great job of kind of visually depicting all of the breaches we've had over the past few years and just what a huge magnitude of data that's in the hands of criminals. And it's everything from PII, or Personally Identifiable Information, to credentials, to payment card data.
And they're making use of it, and they're making ample use of it. And as we saw in those polling results, a lot of it is manifesting as account takeover or it's happening in the online or mobile channel. But as I talk to many fraud executives at banks, there's also a lot of cross channel fraud going on. So I think that was really reflected in those polling results.
What we see is that the criminals also quickly are monetizing this data. And these are organized criminal rings that run themselves as businesses. They have the same types of revenue targets that those of us on the good guys' side have.
And the screenshot I think really encapsulates the extent to which they are highly organized and nimble. You can see that this particular screenshot is from the underweb. It's selling data compromised in a breach. It's got the full set of personally identifiable information.
It also provides buyers with some background on the type of place it came from and assurances that the people have good credit ratings. They're located in the Northwest part of the US. So it's just these underground markets are quickly releasing and monetizing that data.
At the same time that we're seeing such a huge concentration of data in the hands of criminals, we also have the largest card market on the planet migrating over to the EMV standard. And the one good thing about being the last G20 country to take that journey is that there's a lot of countries that we can look to that did this before us.
And as you look at data that came out of Canada — I could show a very similar chart for the UK — as Canada moved to EMV, application fraud rose pretty quickly there. As you can see, it more than doubled from 2012 to 2014. And the reality is that in the US market, it's probably going to be worse here because we have much less rigorous controls over what it takes to open up a new account.
So in Canada, there's still a pretty rigorous requirement that somebody show up at some point in the account opening process in person. As we know, in the US market, that's definitely not the case here. And the other migration path that we see post EMV is we see the fraud move to account takeover as well.
EMV Migration Led to Spike in Account Takeovers
And so as you look at the data that came out of the UK market after they migrated to EMV, you can see they migrated to EMV in the 2006, 2007 time frame. Immediately thereafter, we saw a sharp rise in account takeover fraud. They had their own version of the perfect storm at that time. Because at the same time they moved to EMV, they also moved to faster payments. So the fraudsters had quite a bit of fun over there in 2008 and 2009.
The banks deployed compensating controls. And we really saw the fraud come back down from 2010 through 2012. But then it really started significantly rising again. And as you can see, it spiked right back up to levels well above where they were pre-EMV. So as we at Aite Group talk to fraud executives at US financial institutions — and we've done a number of different surveys over the past year and a half or so looking at trends around account takeover and around application fraud — we're expecting to see something very similar in these markets.
As you can see by these charts, as we see that between 2014 and 2015 in the US market, we saw a very sharp rise in ATO. Going to consistently keep on rising from there. The criminals really didn't wait for EMV to hit this market before they started increasing their attacks.
And right now, as I talk to fraud executives, the consensus is that it's not really the fraud migration we're experiencing right now. It's more of the fact that there is so much of that credential and PII data in the hands of criminals, and they're making use of it. So unfortunately, I think what that means is we, just at the start of 2017, crossed over that 50% chip on chip marker in the US market.
And we're going to start seeing the counterfeit fraud worked out of the system. As EMV starts taking hold and starts having success, we're going to see increasing attacks on the application fraud side on the ATO side. And that really means that the banks, the e-commerce merchants, are going to need to fortify their controls, bolster their controls, and also do so in a way that doesn't introduce too much friction into the ecosystem.
As you look at the application fraud numbers as well, we're also seeing steadily rising application fraud. Bigger numbers on the credit card side of the house just because there's increased exposure there. But the DDA folks are feeling the pain as well.
Fraud Executives Struggle to Keep pace with Application Fraud
I just spoke at an event this week where I was sitting over dinner with was a number of fraud executives from banks and just the discussions that they're having about the variety of ways that criminals are coming at them with application fraud. And there's just not enough hours in the day or tools in the budget right now to keep pace. So it's not going to all be gloom and doom. I promise as I go along, I'll have some of the solutions that we're seeing come to bear as well.
And one of the other important factors as we're looking at this changing ecosystem is the fact that consumers are increasingly digital in everything they do, from having a multitude of apps on their phones that can help them with everything from shopping to fitness to personal finance, the mobile payments that we're seeing starting to gradually take hold, to fitness, with the Fitbits and those types of devices.
In the US market, that is still not necessarily extending to opening up new accounts. So while banks are working to try to migrate new account opening activity to those digital channels, right now, there is still a fair amount of friction in that process that is causing consumers to go to the branch. So we recently did a consumer survey where we asked consumers about how they're opening up their new checking accounts. And as you can see from this graphic, about 73% are still going into the branch.
We asked a follow-up question. How many of you tried starting in a digital channel and wound up in the branch? And as you can see, over a third of the folks that did wind up in the branch had started in either the online or mobile channel. What this doesn't capture is the fact that there's probably a lot of folks that started in the online and mobile channel, got frustrated and went somewhere else.
And so this is one of the reasons, as I talk to banks, that that customer experience aspect of the new account opening process is so important. Because we have this group of consumers out there whose expectations for a good digital experience has been set by brands like Apple and Amazon, who do make it very elegant and seamless. And so looking at these goals of migrating account applications to digital channels, that element of friction is very much top of mind for many of the banks I speak with.
As you can see from this graphic, we're seeing on the DDA side, or the Demand Deposit Account side of the bank, a small migration bringing more and more account origination into the online channels, a little bit more into the mobile channel. Some of that's coming out of the branch.
On the credit card side of the house where you don't necessarily have some of the same challenges in terms of having to fund the account, we're seeing a much more rapid migration of account opening from branch and physical retail locations into the digital channels. Well, this is great in terms of helping to meet bank self-service objectives and getting some of those transactions into the self-service channels. These applications and the resulting customers are often a bit more profitable. The account opening process looks better from an opex perspective.
We do see that on average, those applications that come in through digital channels are about eight times riskier. So we surveyed 83 US financial institutions last year about a variety of topics related to application fraud. And the remarkably consistent statistic that came out of those conversations was that as you look at the fraud rates in your digital channels versus branch, they're about eight times higher in the digital channels. And that makes sense as you look at all of that data that's been compromised. You can conduct much more automated attacks in the digital channels, and it's also a lower risk, because you're doing so in a faceless environment.
Banks Are Feeling the Brunt of Application Fraud Increase
As part of that research, we also asked the financial institutions what they plan to do about the rising threat environment. And it was interesting. As we cut the data by size of bank, we saw some really interesting differences between the largest banks and the smallest.
As you can see here, the community banks and credit unions that are less than $1 billion in assets — 80% of those folks do not plan to make any changes to their new account risk assessment process for demand deposit accounts over the next couple of years. By contrast, half of the larger institutions that we surveyed plan to either add or change vendors over the next couple of years.
I think part of the driver for this is that as I conducted interviews with those larger institutions, many of those folks are very much feeling the brunt of this application fraud increase that we're seeing across this market. And in fact, I had a number of larger banks tell me that they were seeing 100% year over year increases in application fraud. A lot of it was manifesting as third party fraud, leveraging identities that were compromised in the Anthem breach and some of these other big health care breaches.
Those banks are also seeing a steadily rising increase in synthetic fraud. And so many of them planned to add vendors. And as I drill down into the types of vendors that they planned to add, the digital channel was really a top priority for many of them. They were recognizing that the application fraud rate is higher there, that they're seeing a higher proportion of their originations taking place there. And so it was increasingly important to have solutions that help them better understand the broader digital identity of the consumers that were coming in.
As you look at the apps at the account takeover side of the equation, we see that credentials are rapidly garnering a premium in the underweb. So there is a great study that came out last year by Trend Micro, where their researchers went into the underground websites and looked at the prices that various compromised data elements were going for.
And as you can see here, a set of PayPal credentials — and these particular PayPal credentials had a guaranteed balance of $500 in the account — were going for $6.43 per credential. By contrast, in these same under websites, we were seeing that the average price of a payment card with CVV2, so it was capable of online transactions, going for around $0.22 per card.
And this really reflects the fact that when it comes to many of these payment card breaches, issuers have gotten pretty good about detecting the common point of purchase and then identifying the pool of cards that were exposed during that period of time and putting some compensating risk controls around those cards. So criminals are still absolutely having a great time with payment card fraud. But the window of opportunity, in many cases, is less than with a set of credentials, where you can't put a compensating set of controls around compromised credentials.
Unfortunately, we still have way too many consumers using the same set of credentials across all of their online relationships. We conducted a couple of different consumer studies over the past few months, and both of them found that the majority of consumers — well over 50% — use between one and five passwords across all of their online relationships. So as a criminal is buying this set of PayPal credentials, they know that not only will this get them into the PayPal account, but they can load those credentials into a bot, direct them against a whole bunch of other online properties, and the chances are they're going to get into other accounts and other e-commerce relationships as well.
So this is one of the key reasons why we see this rapidly rising tide of account takeover. The reality is that the useful days of the password as a security mechanism are long since over. It's a handy database lookup tool today and that's about it.
And so we really need to look more deeply into the digital identity of the consumer to better understand, is this my genuine consumer coming into me via the set of credentials, or is it the genuine person that owns the set of personally identifiable information, or is it a criminal that has bought this data on the underweb?
As I talk to fraud executives at financial institutions and at merchants, it's really all about how can we walk that fine line between the customer experience and effective risk management? And anymore, I think that fraud executives feel like they're wearing two hats that really have equal weight. One of them is that responsibility to the traditional responsibility of keeping the losses down, keeping the money from going out the door, catching the bad guys. But at the same time, as they're doing that, they're deploying new technologies to do this.
The other hat that they're wearing is that customer experience hat and making sure that the controls that are being deployed aren't having a detrimental impact on that customer experience. And that's a really tough line to walk. But the good news is that we're seeing more and more technologies that can facilitate this.
And in this era of big data and advanced analytics, we're seeing a lot more in the way of intelligence that can help drive some of that balance. Because the reality is that convenience continues to trump security for many consumers.
Despite Big Data Breaches, Consumers Are Still Exposing Themselves to Risk
There's a lot of studies out there that will ask consumers how much do you care about fraud, and because you care so much about fraud, are you willing to jump through x, y, and z hoops? But the reality is when it comes time to actually take those actions, convenience still trumps security.
And we conducted a global survey in early 2016. And this was the third in a longitudinal series that we've done every couple of years. And as you can see, we asked about a series of kind of common sense risky behaviors. Do you do these things — things like writing down your PIN number for your ATM card and keeping it in your purse, or do you shred your bank statements before you throw them away — a number of these types of things. And we looked at the number of consumers that had engaged in two or more of these risky behaviors.
And I was actually a little surprised it was only 53% that said that they did that. The disheartening thing was as we looked longitudinally, that number went up versus the survey two years prior. So even with all of the heightened awareness of database breaches and all the fraud risks out there, consumers just really aren't tending well to their financial security.
Because at the end of the day, in many countries, they still don't have a lot of personal exposure. It's inconvenience if your credit card gets breached. But at the end of the day, either the issuer or the merchant will keep that consumer whole. So they don't see a lot of out of pocket exposure there.
So for that reason, as I talked to fraud executives across the ecosystem at banks and merchants, improving the customer experience is absolutely a key driver of investment. One of the questions we asked as we conducted the research around the application fraud side of things last year was what are the most important elements in your business case as you are going to the well for funds for new technology?
And as you can see here, improving the customer onboarding experience was deemed important by 95% of the respondents. Detecting fraud came in second. But it was 11 percentage points behind. So it really emphasizes the fact that that customer experience is increasingly key.
And it's a competitive issue now. In my past life when I was managing a product management team for a fraud prevention vendor, we liked to say that fraud is not a competitive issue. But I think as we see more and more emphasis placed on that customer experience, it is becoming a competitive issue. Because those banks that can do fraud prevention better and in a more seamless and frictionless manner are winning over more customers.
The banks that I think are doing this well are building their security with the assumption that the bad guys are going to breach the perimeter. So there's no single point solution, I think, that can effectively stop these folks. So the concept of layered security is very important, and having at the top of those funnels a number of transparent technologies to that end user.
Mobile Devices Can Act as a Powerful Security Layer
One of the capabilities and the concepts that has emerged in a lot of the discussions I've been having with folks is this concept of the fact that this increasingly ubiquitous mobile device that we carry with us — it's now over 80% of the US population has a smartphone. In Canada, it's somewhere in the mid 70s for the smartphone population. And this very powerful device that is increasingly ubiquitous can be a really powerful security mechanism.
So many of the financial institutions that I'm speaking with are kind of doubling down on mobile. They are looking at fortifying that mobile channel and doing so not just to secure the transactions that are going through the mobile channel itself. But then you can use your knowledge of that mobile device to provide better, and in many cases less, friction-filled experiences in other channels.
One example, one of many examples of this, is if you have a high enough degree of security in your mobile device and you know that this is the customer that owns the smartphone, you know the smartphone doesn't have any malware presence on it, then the next time that that consumer calls into your contact center using that smartphone, you don't engage in the challenge questions. You just go about the business of solving their problem. And I've actually experienced this with one of my financial institutions, and it was a great experience. So I think we're going to see more and more emphasis on that mobile channel over the next few years and also just a broader understanding of that consumer's digital identity.
So before I turn it over to Ken, that threat environment will continue to escalate. If we look at the migration of EMV, we're going to be taking over the next few years about $4.5 billion worth of counterfeit fraud out of the ecosystem. And it's not just going to go away. The crime rings aren't going to get day jobs. They're shifting their tactics.
It's just like the UK. We're, at the same time, starting to inch our way towards faster payments. And that is going to significantly up the ante in terms of the risk associated with some of these payment transactions. So it's really important to continue to focus on broadening our understanding of identity, having a better understanding of all of these facets of our customers' digital identities. And I think the mobile device can help with many of these goals.
So with that, I'm going to turn it back over to Mike, who I think will take us through the next polling question.
That's right. Thank you, Julie. Great presentation, a lot of interesting data. We're going to, I'm sure, have a lot of questions about that when we get to the Q&A session. This is the second in our polling questions. What we'd like for you to do is to give us your answer to the following question. Which of the following areas of concern are the most important to your organization? Now, you can select any one or all of these answers, as many as appropriate.
I'm going to read the answers, because they're a little bit long. First, understanding mobile device information at the carrier level to better know phone details like prepaid, port date, SIM swap, et cetera. Second, faster identity verification to improve customer experience without resorting to second factor authentication or knowledge based questions. Third, understanding how to detect call spoofing to determine risk factors. And fourth, better methods to understand connections between offline customer data, such as name, address, phone, and email, and online data — device ID, cookies, IP addresses. OK?
Four choices there. You can select any or all of them. Understanding mobile device information, faster identity verification, understanding how to detect call spoofing, better methods to understand connections between offline data and online data. All right, in just a moment, we're going to share the results with you. I'm going to ask Julie and Ken to give us their thoughts on the takeaways, and then we're going to turn the program over to Ken to continue with the rest of the presentation.
All right, let's see what we have here. OK, so number one by far — faster identity verification to improve customer experience without resorting to second factor authentication or knowledge based questions, although the other three also were identified quite a bit. Wow. Julie and then Ken, any of your thoughts on how the results turned out here.
My money going in was on door number two, because that's just really consistent with a lot of the conversations I've been having. And I'm not surprised that that connection of offline and online customer data came in second, because it is that concept of the fact that the identity is about more than the PII now. It's really about this broad set of digital footprints that we all leave behind us. And if you can really connect those well, then you can help achieve that faster identity verification. So I think those two very much go hand in hand.
Well, yeah. I'll begin. I'll agree with you, Julie. It's a good setup for what I'm going to be talking about. But it was also interesting about the call spoofing in that it sort of maps the earlier pull that we had about call centers. So I just wanted to find out what folks were thinking about that as well. So yep, falls right within what we're thinking. OK, with that, I think we'll pick up and move on to the next slide.
So some of you may not be too familiar with Neustar. But I'll give you a quick rundown. We're a $1 billion plus services company. It started over 20 years ago as a spinoff from Lockheed Martin to run the network portability, or the impact for North America, and most recently Canada.
This is one of the world's most complex and large number management systems. And you've all used this to get a new cell phone number or have one ported. In fact, you probably use it just about every day when you're making either a phone call domestically or using text services as well.
So fast forward about 10 years. We really decided to grow the business into becoming an information services company. And today, where Neustar is, we've turned this vision into about a $500 million business. It's tripled over the last five years.
This growth has really been supported by four of our major business units. One of them is the marketing solutions. And what's interesting about all these is we all run off and support the same data model. So it's marketing solutions that enable marketers to identify, verify, and segment existing and potential customers. The communications side helps our clients be able to provision subscription customers and deliver call authentication. And then there's a security services that manage DDoS mitigation, DNS registry, and IP intelligence.
What we're really here to discuss today is the risk solutions. And they're really comprised of our Telephone Consumer Protection Act solutions, TCPA solutions, that deliver real accurate customer data to help business and financial institutions mitigate their risk for outbound calling based around that TCPA act. And specifically for this webcast, we'll be discussing our customer identification and fraud solution, which Julie alluded to, that connects this important thing here, offline and online and mobile data, so that you can really tell who's at the end of a transaction.
At Neustar, we strongly believe in providing data solutions that help get identity right. Because if you don't get identity right, everything else goes wrong from there. And that's something that I think Julie's research reported. And really, understanding identities means to be able to understand big data, another point that came out of the survey and Julie's data and something that we're all concerned about. And we were into the whole big data before it was kind of a cool thing.
At Neustar, all of the information services we deliver support and run what we call the OneID system. This really provides the ability to create and authoritatively understand identities based on connections between people, places, and devices. To provide some understanding on the breadth and depth of our data assets, first off is the big number, the lower right there, 220 million. This represents all the names of adults in the US.
The 16 million represents all the business addresses we have in the OneID system. And the 120 million count is all the household addresses. This data combined with the names data provides us a really complete view of the entire US consumer market. The big numbers, 45 billion and 11 billion, represent all the requests for data and updates to our digital identity system that include DNS services, IP address services, carrier data, cookie network data delivered from tens of millions of browsers, along with device fingerprint data.
Neustar data is assembled using combination sources from public and private sources. We use a proprietary method to compile information from hundreds of authoritative feeds that are evaluated and vetted for maximum accuracy. Data sources include telecommunications carriers, non-telco public data, retailers, client customer data, and transaction data, exceeding over 20 billion transactions a day.
Neustar uses a patented methodology to determine accuracy of source data based on in-house technology and experience managing real time transactions in sub-second speed. And more importantly, Neustar collects and maintains all of this data with a real focus on privacy, best practices, rules, and regulations.
So all this data really kind of creates an interesting challenge to be able to keep it current and corroborated, especially since the consumer data business is complex and really ever changing. In fact, there's a tremendous amount of data that changes on a regular basis. Tens of millions of consumers change phone carriers and numbers each year. 45 million folks relocate in the US every year, and over two million people legally change their name every year.
And by dealing with this kind of data for years now, it's been pretty clear to us that it degrades rapidly, causing it to be 60% out of date every two years, which is why it's so important that Neustar's data be kept up to date and corroborated so we can keep connecting the dots. Connecting the dots is what we call connection science. It's really what allows us to keep and create a deep understanding of the connection between people, places, and devices.
Connection science allows Neustar to authenticate data connections through three basic elements — addressing, the ability to understand the real time mapping of online and offline data interactions, analytics, the ability to mine insights and create linkages between people, places, and devices, really to bring it into focus to improve decision making to better identify customers from fraudsters, and then probably most importantly, authentication. Neustar's authentication capabilities really maintain currency, data currency, and are multi-sourced to connect both past and present identifiers, including name, address, phone number, email — the online. And then the offline — cookies, mobile device IDs, and then creating linkages between all those to deliver trusted IDs.
Applying connection science to Neustar data assets allows us to deliver identity solutions that help build trust in interactions by linking, as Julie mentioned, offline to online identities. Utilizing the industry's most extensive authoritative online customer data and linking it to digital identities, Neustar is really able to provide businesses with an intelligence required to make high value decisions regarding who's a customer versus a fraudster.
Building a Trusted Identity Is Critical for Businesses
Neustar lets businesses know who they're doing business with at the end of the transaction, creating really frictionless customer interactions, as we mentioned — so important. But so how do you determine who's on the end of a transaction? Well, as Julie mentioned earlier, there's eight times higher volume of fraud in the online channel.
So just how do you understand this? Well, it's basically to ask three questions. One is about is the user's identity verified. Can we verify who the person is that they say they are? And then is that identity linked to a trusted device?
And then what's really important is to be able to link to that analysis to establish that trusted ID. It used to be in the old school, you'd walk into a bank with your driver's license, and a credit card, or a social security card, and maybe your utility bill to open up a new account. But in today's world, not the same thing.
We don't do that anymore. And what's more important is everybody can do that online, sort of behind the scenes. So we need to take that same level of validation and be able to create — when customers create new accounts — and be able to verify them without adding friction.
So the process that we use to begin answering those questions really starts first with customers coming into a network. So you may have a user coming in from a computer or a device, mobile device, coming in from either a Wi-Fi network or over a mobile network — which sort of is an interesting — find some interesting problems there — to open an account, change their account settings, or purchase something, or have their mobile wallet provisioned, or even as we've noticed and discussed a little bit about reaching out to a contact center for help.
And we heard from Julie, all these types of transactions can be pathways to fraud. And it really can be hurdles to overcome if you're trying to reduce your fraud, like verifying the end user identity through two factor authentication, knowledge base authentication, or even more exotic means to help reduce fraud, but can also get in the way of customers. And we saw from the survey results that's probably a really bad thing to do. People will move quickly to a competitor if they're put through too many hoops.
Neustar — we really utilize the information provided by a customer. For example, during a new account signup or for other activities where it's provided by our client, it includes things like name, address, phone numbers — landline numbers, mobile numbers — an email address can be provided. And then in addition to this offline data, we also capture online data. And that includes a tremendous amount of information from the cookie network, the originating IP address, a device ID or fingerprint, and then the information we actually get from the mobile carrier as well.
From this data, Neustar can really start the process of identifying who's at the end of the transaction. You can see from the eye chart here, these are all the verification results that can pull in, really, this detailed analysis of all these elements to verify a customer's ID. And we not only just look at that PII data that we receive and verify, but we can also append additional data onto that analysis, like the carrier name of the phone number that's associated to the customer, and whether that mobile phone is prepaid, or other background detail.
We've been able to identify and see that customer based on historic cookie information or device data to be able to tie them to that interaction, along with previous use of email addresses, phone, and IP addresses. It's all great data for validating a user. But where it really gets interesting is we can apply connection science to all this information, really taking and linking this information together to create trusted IDs, and be able to create this connection between offline and online data.
To be able to create that, we look at things like the customer's name and determine if it matches with provided address, phone number, phone numbers if we get multiple ones, and email addresses. And then from there, we can layer on information from our cookie network to verify data linkages from online information that we can see to check, again, name, address, phone numbers, and IP address and verifying that the browser can be tied directly to the user.
Then we can layer in device fingerprinting to provide a verification process to understand the connections between the device acting as a proxy for the user and all the available additional data elements. Next, we can layer on mobile network operator information, since that's such an important channel for us to understand, that really can provide a detailed view of the mobile device and user data along with it, gaining some information regarding information about accounts, port status, SIM swap status, and forwarding information to better understand potential fraud risk.
And lastly, these linkages can be scored either separately throughout the process or combined into an overall risk score. Julie mentioned reducing the onboarding process. And we've got a great customer example. One of our clients is a major card issuer who wanted to create an instant credential solution to onboard customers rapidly and provide them new customer credit card credentials at the time of approval. So they were approved for the credit card, and the plastic would be dropped in the mail.
Effective Identify Verification Drives Excellent Customer Experiences
But the program really wanted to have customers get up and purchasing immediately. So the goal is to provide credentials, but at the lowest risk possible. So we help them provide that solution by analyzing key attributes, such as name, address, one or two phone numbers connecting those to the email address and the IP address, along with key associated attributes like phone type, the activity of the phone, information around whether that phone had been ported recently, whether it was a prepaid phone, and then their email attributes.
So we could link those to the phone number, to the address, to the email, to the IP address, and really establish a high degree of confidence, and also to make sure that that mobile number checked out to ensure that it wasn't a prepaid phone, that it wasn't recently ported, and that it had, actually, reasonable activity over the past 90 days. If that all checked out, then we could deem that customer trusted.
And all of that analysis took place in less than 250 milliseconds for us to make that determination. And then from there, the consumer would receive a text on the phone that we checked, so the verified phone number, so that that text could be verified, and then they could enter the code into their browser and receive their credentials. Following on from here, we can also add on and layer on information about our cookie network and device fingerprinting, or device ID, to really help squeeze out additional fraud. So in general, Neustar can provide these kinds of linkage and risk ratings, as well as overall risk scores in anywhere from 25 to about 250 milliseconds, which goes directly to the heart of the customer experience, getting customers through to complete their transaction as quickly as possible out and increasing your fraud risk.
Connecting Offline and Digital Identities
So Neustar — really, it's sort of that missing link between offline identities and digital identities to create these trusted interactions. We're really in a unique position in the market to provide this missing link between these two types of data elements and analyzing this information to really build these high confidence linkages to create trusted identities in pretty much real time.
And to back this all up, I'm happy to say that we have a number of the top credit card issuers as customers. We started out our relationship with all of these customers by providing them TCPA calling solutions to really help with their outbound calling compliance issues. And we extended that relationship to help them build and identify customers quickly, mitigate their fraud losses across things like account origination, account takeover, fraudulent logins, and card not present fraud. We also helped with representment into investigations to understand really what's behind chargebacks. We also help one of our clients keep their CRM database up to date to provide them better information for both outbound marketing efforts in conjunction with their TCPA compliance.
So some of our differentiators — talked about the identity platform, about being able to have one identity and a very large amount of data that spans across all of our businesses, the extensive data that we have that combines both offline, online, and mobile data, that's updated billions of times per day and comes in from over 200 authoritative data sources. And that's really about our proven ability to deliver those IDs, to help build those trusted interactions and deliver that to our clients so that they can more quickly let their customers through to what they're looking to get done.
And appreciate the time today. And if you want to learn a little bit more about this and all the great work that Julie does in her team, you can visit Aite Group at aitegroup.com to learn more about what they do. And also, from a Neustar perspective, you can visit us at risk.neustar to learn more about our risk solutions. And with that, I'll turn it back over to Mike for a Q&A.
Great. Thank you, Ken. Excellent presentations by both you and Julie. We do have a number of questions in the queue. And we want to try to get to a couple of them, at least, here in the remaining time that we have.
Key Strategies to Minimize Customer Disruption Due to Fraud
Julie, let's start with you with the first question. What are the key strategies to minimize customer disruption in case of potential fraud?
So yeah, I think that that's a good question. I think there's a bunch of key strategies. I would say one of the most important strategies is education. So if you are going to have some stepped-up authentication — which you're going to need to have, there's going to have to be some friction at some point — you need to have educated your customers so they know what to expect and what to do and not to be suspicious of it. Because some of the success of our anti-fraud training of customers has many folks suspicious, rightfully so, when they get surprising messages.
So I would say education is one of the top goals. And we just recently did a survey that shows that that education very much needs to be tailored by age and demographic. Because what will resonate and what millennials understand from a technology perspective is very different than what a senior might understand.
And I would say the second piece is to the extent that you're able, again, you want to have things behind the scenes. But if you do need to insert some friction, give the customer the opportunity to choose the form of friction and form of stepped-up authentication they would prefer. Because again, our research shows that what works well for a millennial or Gen X doesn't necessarily work so well for a senior.
Role of Secondary Authentication
OK, great. Ken, next question for you. How significant is the role of secondary authentication and optimizing the balance between fraud risk and customer experience?
Well, it is very important. And I think what we don't want to do is from our perspective, we don't want to go down that path unless it's absolutely necessary. So like in our credit card application, for example, we provided that as a secure means, once we've verified the phone, as a way to send the customer something that they actually wanted. And it wasn't something that we were doing to really verify them upfront.
So it's important. But unfortunately, it also adds that extra layer of friction. And if it's not done correctly — if numbers are ported, even though you're doing a second factor like through a phone, if you don't have the phone verified, you might just be asking the bad guy to verify that whatever they're trying to do is actually correct.
So it's important. But I think it has to be used in the context of making sure that the device that you're requesting that verification through also be verified.
Universal Reach of ATO Fraud
OK, great. Julie, this question is for you. Why do you think that markets that should not be typically affected by EMV migration, such as a lending market, are affected by ATO fraud anyway?
It's a good question. The organized crime rings really don't target their attacks by vertical. They're not siloed in the same way that many banks are, unfortunately. They're looking to leverage the compromised data that they can buy in the underweb, be it credentials or PII, and looking to maximize their opportunity with that. And so they will leverage that data in as many different ways as they can.
And that's why as I talk to the marketplace lenders in particular right now, they are seeing huge challenges. Because you can buy a set of personally identifiable information on the underweb and use it to get a sizable loan very quickly. So as we see the proverbial squeezing of the balloon and we take the fraud out of one place and put it another, it's going to go in a whole bunch of different places, anywhere that there is easy opportunity.
Fraud Indicators for VOIP and Call Forwarding
OK, great. We have time for one more question. And so Ken, this one is for you. From a fraud perspective, is Neustar able to tell if a phone number is voice over IP or if there is any kind of call forwarding?
So we're working on that right now with the carriers. And we can actually provide that information so we can determine whether or not a number has been ported. And we look for activity on the number. So if you have had a number that's been ported, like I go for my mobile phone to a VoIP or back and forth, we look at the use of that phone number over a period of time to understand whether it's being used by a verified person.
So if a number is ported recently and it's being used in some way to either open up a new account or something, that would raise the risk factor on approving that. But if you've seen that same number connected to an individual for a long period of time, then that fraud risk goes down dramatically.
OK, very good. Ladies and gentlemen, that does conclude our program for today. I want to once again thank our speakers, Julie Conroy and Ken Jochims, for their presentations and for their time on the question and answer session today. We really appreciate the insight that they were able to share.
We again want to acknowledge and thank Neustar for sponsoring this program. We really appreciate their support. And last and certainly not least, we'd like to thank all of you who attended this program and participated in any way. We thank you for your time.
We know that you all have very busy days, and we appreciate your spending a little bit of your busy day with us today. We hope that in the future you'll join us for another web seminar brought to you by American Banker and its sponsors.
So on behalf of everybody, I want to thank you again for coming. I'm Mike Perkowski, your moderator. Everybody have a great day. Take care.