“What advice do you have for companies with established fraud prevention strategies that leverage automation?”
This question is asked in many different ways. The bottom line is the same:
“We have a strategy and are comfortable with the losses that we have identified. Why fix what ain’t broke?”
First off, there are 2 fundamental issues with this mindset.
1. The majority of fraud methods identified in the space were discovered because they were successfully deployed against systems with “sufficient fraud prevention.”
Effective fraudsters rely on their ability to discover vulnerabilities at each touchpoint, while dancing around the prevention processes that are currently in place.
2. Fraudsters are infinitely more nimble than companies are.
Consider the last time your company identified a significant issue with some process, and the 20-step process that followed: 6 months to get to a final decision, 16 months of R&D, 6 months to deploy and 6 months of monitoring to determine the value of the change.
On the other hand, capable fraudsters have the ability to submit multiple orders at one time and attack multiple touchpoints, effectively stress-testing your system to discover vulnerabilities... within minutes.
Below, I have outlined 3 pieces of advice that you can employ today to begin stress-testing the strategy that you currently have in place:
1. List and monitor the performance of every way that a user might interact with, or influence the operation of, your company.
For retail merchants, this will include the checkout form, the customer service center, etc. For FIs, it will include account creation, wire transfers, credit applications, etc. Apply this thought to your company, regardless of industry.
2. Verify the authority of the collected information.
Most engagements between a user and a company can be looked at as a request accompanied by information.
Account creation, checkout, credit applications, profile information changes, customer service requests...
Ask yourself: which information do we collect, and how can that information be leveraged for determinations? Validating information is no longer the only use for data. We now need to focus on verifying the authorization of the information.
3. Fraudsters evolve; so should you.
“Acceptable losses” are no longer isolated to financial statements. As we’ve seen over the last few years, brands have suffered heavy reputational damage because they were unprepared when the fraudsters / cyber criminals found an exploit and struck.
It isn’t enough to track what has made it through your current system. You need to look forward and monitor reports from across the marketplace. Evolve to adapt.
Be proactive, my friends.