Recently, my partner and CEO, Mr. Alex Zeltcer, wrote an article that was published in Benzinga and investing.com. The article highlighted the grave issues facing organizations that rely on KYC to prevent fraud. In short, getting a KYC-verified account is easy. There are people whose sole work is to create new accounts, get them through the KYC process, and sell them on the dark web. In professional jargon, they are called “mules”. These “mules” mostly come from low-income or low socioeconomic backgrounds (sometimes from third-world countries) where they care less about the reputation of their identities. Potentially, there are more than tens of millions of people like them who, at any given moment, are ready to “sell” their identities for as little as $50 (i.e., the value of one of their paychecks).
These accounts are then bought on the dark web by skilled fraudsters, who combine them with stolen payment instruments (also bought on the dark web) to generate triple-digit profits (!). The reason that KYC-verified accounts can yield really high profits is that they are more trusted by the merchants and, therefore, have low (or no) purchase limits. This causes a misconception where merchants consider them to be safer when in reality they are not. The painful fact is that statistically they are much riskier than non-KYC’d accounts.
Scalable fraud, by its nature, can be conducted using such techniques. In fact, we are seeing a new ‘KYC trafficking’ industry that is growing rapidly and getting stronger by the day.
Another common way for fraudsters to get their hands on KYC’d accounts is by hacking reliable customers using a combination of password hacking, social engineering, and advanced technologies (e.g., headless browsers, cookie stealing). This is usually referred to as “account takeover”. With today’s better awareness of account security and the use of two-factor authentication, it is becoming harder for fraudsters to take over those accounts, and that pushes the other methods to become their way of choice.
In addition to that, we also see a surge in the use of social engineering techniques (sometimes referred to as “victim-assisted fraud”). This is a scenario where victims are led by fraudsters to use their legitimate, KYC’d accounts to make a purchase and put the product/value in the hands of the fraudsters, so that the victim eventually loses both the money and the purchased product/value.
All in all, we see that those KYC’d accounts have become the de facto standard way to conduct sophisticated scalable fraud. As long as merchants wrongly consider those accounts safe, they will continue to lead fraudsters in through that wide-open door.
Fighting a justified war with the wrong tool
KYC is a United States regulation dating back to the 1990s. Post 9/11, the regulations were made more rigorous, and the need for them grew around the globe. The “from where” and “to who” of tracking funds have become an important way for governments across the world to restrict illegal activities and protect individuals. Whether it’s due to identity theft, terrorism, money laundering, or financial fraud, the verification process has been helping public and private sector organizations for some time, but it has limitations.
One of the limitations of KYC as a payment fraud prevention tool is that it’s not an integral part of the payment process. This means that banks don’t match the identity of the owner of the stolen payment method to the KYC-verified account. On the merchant side, the merchant has narrow access to the payment method’s details because of privacy and security policies and the inherent architecture of the payment network.
In short, KYC is very good for complying with regulations, but never for payment fraud prevention. The sad fact is that when relying on KYC to prevent payment fraud, the merchant puts its business at a much higher risk.
There’s a better way
Although fraudsters are successfully committing fraud using a “KYC shield”, it doesn’t have to be this way. The first step in fighting back is to clear the dust from the merchant’s eyes and realize that KYC DOESN’T PREVENT FRAUD. Without this simple understanding, any payment fraud solution will fail.
Here are some fraud prevention methods to fight the problem effectively:
- Detecting in and out market anomalies – as you know, fraudsters using these methods are not amateurs, and this kind of fraud is no one-off. Focusing on bigger patterns while using in and out market context to detect anomalies proves to be a very effective method to fight scalable fraud.
- Analyzing complex user behavior – it’s easy to fake contextual data, but it’s almost impossible to imitate reliable user behavior when talking about tens of thousands of different factors. The fact that some fraudsters are trying to commit fraud at scale, using bots and different social engineering techniques, doesn’t make it any easier and doesn’t make them less visible (wink).
- Bot detection and advanced technological features – velocity measurement, professional device fingerprinting, asking questions like ‘are the users using an emulator?’ ‘Are they trying to spoof device information?’, etc.
- Using AI to identify social engineering victims
Discover the real potential of the business
Having the right fraud prevention solution in place, simply put, means growth. When sellers have, for instance, a high chargeback rate and they don’t know the source of the fraud, they typically tackle the problem from the wrong angle. They mostly start performing excessive filtering and increase declines. That’s their only weapon. But are they aware of the true cost? How many users are they churning? How many false positives do they have? Do you think they are aware of the actual numbers? We think not. If they were, they would never have used those methods.
Research from the nSure.ai data team includes an analysis of more than 12 million transactions in the digital goods space. With it, the team discovered that 87% of the declines were coming from legitimate buyers. Let the number sink in for a moment … 87%! And we haven’t yet factored in the user experience element or the low conversion rates hurt by excessive friction.
Knowing all of this is the first step. More importantly, making the connection between fraud prevention and customer growth is the critical step.
If you have questions or want to better understand how fraud prevention directly links to growth with a solid ROI for your top and bottom line, just email me at ziv@nsure.ai