Fraud Protection in Mobile Transactions

Jun 30


In this episode of the Mobile Engagement Podcast, we’ve got a slight format change – I was in San Jose for a ThreatMetrix board meeting and took the opportunity to talk with Dean Weinert of ThreatMetrix, who runs their Mobile SDK product for fraud protection.

Dean fills us in on common fraud protection use cases, including some fascinating insight into the problems StubHub solves in the real-time world of ticketing.

Transcript

The TL;DR

  • It’s often about trust – clearing transactions so that people have a happy experience rather than blocking them.
  • Outmoded fraud protection measures such as IP address blocking or refusing non-US credit cards are counter-productive to your revenue model.
  • Fraud is often about small transactions that leak a company’s revenue. This can be things like account hijacks in a game where virtual goods can be bought and sold.
  • Many “mobile-first” companies are using fraud protection because stolen credit cards can be applied to new mobile user accounts.

Transcript Detail

David: Gidday, it’s David from StreetHawk and I’m talking to Dean Weinert of ThreatMetrix. ThreatMetrix, I know a little bit about, having started the company too many years ago. And Dean’s going to tell us a little bit about what they’re doing in the mobile security space, specifically what they do as they provide an SDK as part of their overall fraud solution. And we’ll talk about where they’re going, what’s happening and what are the various user cases in fraud and trust landscape. How are you, Dean?

Dean: Very good, David. Thank you for having me and welcome back to the office.

David: Thank you very much. Good to be here. [Laughter] So tell us a little bit about what you guys do today. Who would use you and how would they use you?

Dean: Right. So our customers are primarily eCommerce financial institutions that really need to gain additional context around the mobile devices that are being used to interact with their services, including things like log-ins, account registrations, payments and transactions in general.

David: Okay, cool. So in that situation, it’s around doing the transaction from the mobile, or traditionally it’s been about web, but mobile has been there as well too?

Dean: Correct. Obviously, our cornerstone has always been web. We have a very, very heavy play in pushing to mobile around three or four years ago, which is my main area of responsibility within the company. So being able to tie those two channels together to a proper omni channel solution we can do; you know, user and device recognition cross-channel is integral for customers these days.

David: Right, okay. So in terms of somebody who’s using the product, or in terms of somebody who’s trying to manage fraud, they’re sitting at a console somewhere or what’s the experience that somebody using that?

Dean: Wherever possible, a good fraud system really needs two facets: one, it has to be as hands-off as possible to make sure that it’s making those tough decisions for you wherever possible. But there’s always going to be a long tail of transactions that require some manual evaluation. So in conjunction with our policy engine, machine-learning capabilities, we also have a console that monitors fraud, manages and analyzes to sit there and look at the individual transactions and make decisions in real time based on the data that we present them.

David: Right, okay. So, say, on a decent eCommerce site, I’m doing a couple of thousand purchases per day – I’m not saying that’s a huge eCommerce, all I’m saying is it’s a decent eCommerce site, so I’m doing a couple of thousand or 10,000 – 20,000 transactions that might not be $50, $300 to $500 per day. There’s going to be a large net that actually are really clean transactions, and now they all look really good and there’ll be some that you’ll throw out to be, these look like no-brainer, these are actually really bad transactions. And then there’s ones, what you call the long-tail or whatever, there’s ones in the middle that you want to be able to review. And so, ThreatMetrix provides a certain amount of decision points that actually help that person make a decision on a human level for that.

Dean: Precisely. That’s right. And we do that for the most part with the inclusion of our proprietary data that we gather from the device, and then use that behavior over time etc. And we also have an open platform that enables us to plug into third-party services, such as if you want to do maybe a Facebook profile verification or some kind of address lookup just to verify the data that you have at hand.

David: Okay, alright. So that would be used in a trust scenario, like validating somebody?

Dean: Precisely, yes. In some cases, for instance, where we do some kind of address verification and it comes back as negative or maybe we do, add a band verification, or sorry, third-party verification to a telco carrier, and it comes back and says, “You know what, this phone is actually stolen.” So in most instances, when usually there is some kind of trust verification, but there is certainly user cases where you can use it to do the opposite.

David: Right. What other scenarios where you would actually kind of slam-dunk say this is a bad transaction?

Dean: Location is a huge part of typical user behavior. We’ve all seen it. We’ve all traveled. You’ve gone and used your card in some location that’s not indicative of your usual behavior and the card gets halted or cancelled. So certainly, location, I think people traveling is a completely natural and normal thing. People traveling and then doing things like trying to mask their location or use a VPN or some kind of hidden or anonymous proxy certainly does not constitute good behavior. So in those scenarios, really, anomaly is the keyword there. So any anomalous behavior or any attempt to go and mask or raid various data points, we do an integrity check on will cause flags in the system.

David: Right. Okay. Alright, so I’m an app developer when do I start to care about this particular stuff? It’s a scenario where I’m probably with an omni channel play such as a bank or a finance-type company, I’m doing a decent amount of transactions. I might be a market place. And so, I might be a market place and I have a large amount of transactions happening on mobile. Are they the kind of user cases that we tend to see, people who use the product?

Dean: Absolutely. And it probably comes as no surprise as well is we’ve also seen a massive increase in mobile-only companies approaching us. Despite the fact that we’ve always and always been an omni channel solution, we have a high number of customers that are onboarding at the moment that are mobile-only with definite issues there.

David: Yeah. I tell you what, I have this experience where I wanted use within Uber in equal amounts, then really, to try and sort of get my head around which one I prefer over time, and we’ll talk with this like into my Silicon Valley Bank credit – I don’t know if I’m announcing too much there – so I have this SVB card.

Dean: Are you sure it’s your card, not someone else’s?

David: It’s totally my card. [Laughter] And so they had some problem with it and I’ve not got through tech support ever since. So I’m not dissing them, I’m just saying that I’ve spent hundreds and hundreds of dollars with Uber in the last month. And you literally have missed out on that, and presumably there would be something that you guys could help out in terms of trust on that level, right?

Dean: Absolutely, yeah. I mean, trust, certainly, if the reason for these checks is to really rudimentary credit card check and something is not quite right going with that check, then it should be pretty trivial to fix. It could even be that they’re using existing fraud system that isn’t configured correctly or isn’t functioning the way that you’d anticipate it would be causing these kind of blocks. And I’m sure if that’s the case, you’re probably not the only one that’s been affected by that.

David: Yeah, it’s interesting because effectively, they might say, “Well, one customer is one customer.” It’s an edge case, but that one customer is generating hundreds of dollars per month. You would say that’s a pretty poor decision in that sense. So somewhere, what they want to do is actually introduce something that actually gives them additional trust uplift. In a situation, how bad can it be? I can take LIP line, and you know, whatever it is, $5 to $7 or something like that is what they’re going to lose out of that if they see the transaction fails from the credit card company or the bank in the longer term. They would see that within the first one or two transactions, right?

Dean: Exactly. So they lose potentially $5 – $10, but they’ve actually, in turning their business away, that actually turn away quite a lot more income. I think that is some of the clarity that you use when using these more rigid forward systems. When they use things like blacklist, for example, the minute, either your card, or you have been placed on some kind of blacklist that makes it very, very difficult off that list in a lot of instances, whereas, if we give you enough context around these particular transactions, say, “You know what, there’s one anomalous thing here, but we’re familiar with David’s reputation. We’ve seen him in our global network before. We know he travels to these locations often and exhibit this behavior and he’s exhibiting a similar behavior with us.” You can make a more informed decision instead of simply blocking you outright.

David: Right, okay. So you said you’re seeing a lot more action from mobile-first type companies. And this is like reflective of what’s going on in the Bay area at the moment, as there’s this incredible range of things you can do. You can get massages from your mobile – you know, legitimate ones. I was going to stay away from there and pretend that they’re maybe not. – So you can get massage. Sprig will deliver your food for you. And Instacard will deliver the ingredients for the meal. And it just goes on and on, and on. And is that the kind of companies you’re talking about in that situation?

Dean: Yeah, definitely. Certainly, those very mobile-specific companies, where you know it almost only makes sense to have a mobile presence. In other areas as well, the underbanked, so i.e. in certain countries that aren’t in a habit of going issuing bank accounts to users, or there aren’t even any kind of stable banking infrastructure in place in those companies, in those countries rather.

David: Something like “Pay-Uni” [0:08:23.5]?

Dean: Correct. I don’t want to name any specifics. But we’ve been in touch with in excess of eight in the past month alone.

David: Right, right.

Dean: They’re incredible, I mean, they just exploded.

David: Yeah. I wasn’t personally aware of them until I chatted to an old friend of mine last night about that company.

Dean: And I think it’s happened by just way of culture. I mean, in certain regions, laptops and computers were very, very expensive once upon a time, and to this day, even remained that way. Whereas being able to get a smartphone that has Internet capability, that you can do banking on, it’s got Internet etc., is now a reality for a lot of these people. So they’d skip the entire desktop and web channel, and go straight to mobile.

David: Right. So does that mean the apps that are the best fit are the ones where commerce is flowing through it as opposed to in-app purchase or ad-supported stuff, like somebody’s got a game. Has there actually been a legitimate user case for somebody with a game that does in-app purchases to users, to ThreatMetrix SDK?

Dean: Absolutely. And it really comes down to what payment options they offer in that instance. So there’s a few fraudulent user cases there, one is we’ll do to have the ability to go and link a stolen credit card into their account and then go buy a whole bunch of stuff. And usually, that will do that, and then accumulate a large wealthy account, and then sell the entire account. So they’re not the ones that are caught with the account at the time fraud is retrospectively detected. But also, account takeover is very, very common in those regions as well. I mean, on myself, game online occasionally and I’ve got a gaming portfolio. It’s not a lot, it’s probably a thousand dollars’ worth of games and digital hearts and medals and various things like that, which I only did over the years. And they’re very, very lucrative for fraudsters, absolutely. I think we should never ever underestimate the power of micro transactions in-app these days. It’s so very simple to click a button and say, “Yes, I’ll buy a $5 digital heart” which means very little to me, but after three years of doing that, you’ve accumulated several thousand dollar-backpack or something which fraudsters would absolutely target.

David: Right. Now, it’s really interesting. I know we had that sort of issue in the early days with ThreatMetrix with people with micro transactions and someone in the Facebook world. So it’s just a replay of that. Those assets are valuable effectively.

Dean: Exactly.

David: Okay, cool. So we like to talk about one win and one fail. In terms of where you’ve seen the technology being deployed, has there been maybe a failure first? Has there been something that’s actually not been a good fit in that situation?

Dean: Not really. We really took an agnostic approach when we built our solution to make sure that obviously it was cross-platform, it caters for just about any user case you can think of. And I listed several earlier in terms of logging or account crash and et cetera. So we don’t have a very general SDK. And as such, I think our customers before they even look and have an understanding, we’ll hear the problems I’m trying to solve. I have this very generic SDK that has the ability to go and do that. So I think as such, we’ve been pretty fortunate there. I can’t say we’ve ever had a customer that’s pulled out from the store or cancelled an app deployment on account of our SDK, which is good. I don’t want to say we’re perfect, but so far we’ve had a pretty good track record.

David: Yeah. And so, on the flipside of that, both like the best kind of uplift that’s been seen, has that been in things like market places?

Dean: We’ve always tried to remain very much focused on protecting consumers as opposed to I guess publishing their behaviors and their activities online. So with that end, we’ve always tried to focus on FI and commerce as opposed to advertising platforms and things of that nature. So as I said, advertising has never really been where our core business is, so certainly, protecting the consumers in our associated finances.

David: Yeah, but in a situation where you do deliver a lot of value, has it been seen to be more in banking or more in, say, a market place-type situation where goods are being bought and sold? Or has it been more in eCommerce? Have you seen anywhere, like obviously a market place or an account hijack-type target like you’re just describing then? That’s the value for somebody, a bad guy to get access to a significant amount of stuff, but also in an eCommerce thing where you’ve just got a card, then you could lose a significant amount as well too?

Dean: Exactly. And there are different user cases as well, and also different amounts of money that usually get hijacked per user case. I mean, if you’ve completely taken over someone’s bank account, and they’ve got a huge line of credit on that account, I mean, the potential is fairly disastrous, whereas if I’ve just stolen David’s collection of 40 digital hearts from his favorite computer game, it’s probably not as damaging, although it’s not as tangible.

David: [Laughter] Yeah, exactly.

Dean: It’s not a good currency yet. And to put a number on it, we’re about 40% finance, 40% eCommerce, and 20% social-focused in terms of our revenue, so we have a good healthy split between the two. And the user cases aren’t too dissimilar between the two. Obviously, account takeover is tremendously concerning. In the eCommerce space there is certainly a difference. A card not present is what keeps most of our customers up at night before we engage them.

David: Right. Naïve question. [Laughter] Hopefully not a naïve answer. I’ll see what I can do. Bitcoin?

Dean: Yes.

David: Block chain, supposedly everything is traceable on the block chain, but what’s the reality? Is this still a place for this sort of stuff, if I kind of see that this probably is something that will happen maybe in gaming where virtual currency might become, sort of be the changer with bitcoin, which means you could move it off the platform, and I don’t know whether people are intending to do that, but it’s the new Disney dollar, isn’t it? [Laughter] I mean, I haven’t pulled everything out of my bank account and invested in bitcoin to really just yet. I’m kind of glad I haven’t in retrospect.

Dean: Yeah.

David: I’m not sure I’m wearing this today. It’s not up, I’m sure.

Dean: It’s definitely not up, no. I’ll tell you that. It’s actually not. But again, you’ve seen these really high-profile cases of account takeover with bitcoin. You steal someone’s private key, and you’ve effectively stolen their currency, which the whole idea was that it was a secure system. So they went to an almost paranoid degree when registering any user and establishing your funds. But the same factor means if you’re able to hijack their identity or their account, then you’ve got their assets.

David: Yeah, and quite often, like you see people or see startups floating around that are talking about the digital wallet on your mobile for that sort of stuff. In that case with you, if you lose your phone, you’re also losing—and losing the keys to the kingdom as well too, right?

Dean: Yeah, potentially.

David: Because the private key is there.

Dean: Yeah. And there’s a lot to be said for that reason for obviously in-app protection. But I think Apple specifically have done a tremendous job of protecting the device itself. If you’ve got the device biometrically secured with your fingerprint, I’ve got former phones which don’t always have the features it does. And I’ve been through it myself, helping friends that either have lost a phone, or have bought a second-hand phone and they’re trying to remove those protections. They really made it very difficult, and certainly if you’re still into that.

David: Right, okay. Cool. Alright, so let’s just have a look at the time. I think I can say I can cut those things out. So, I want to kind of maybe just get – let’s just do one or two user cases on a type of integration on an app. So I was talking to the guys the other day from StubHub, for example, ticket-type things and stuff like that. I could talk about that. Are they a known customer or they’re an SDK customer? They said they were an SDK customer.

Dean: They are, yes. So StubHub have been, and they’re ticketing customers that are probably heavy into ticketing customers.

David: Right. Do you think it will be a problem just to kind of, like if I say I met them at a conference the other day and they said they were using it?

Dean: No, sure.

David: Okay, so let’s have kind of an idea. Okay, let’s have a quick chat about the potential user case, like in a real-world situation. I was at a mobile marketing strategy conference the other day, and StubHub was there. And I said, “Do you guys use ThreatMetrix SDK?” And they said, “Yeah.” So tell us about how you think they might be using the technology in that situation?

Dean: They’ve done a very, very good job of their application in mobile apps specifically of being able to do an end-to-end purchase. So without any use of a desktop or whatsoever, you can use their app entirely natively either to buy or sell tickets. So it’s just basically an end-to-end commerce solution from the power of a mobile device. So with that said, they had some challenges that they were somewhat unfamiliar. I mean, previously, as you know, they’ve got a strong web presence as well, which is where I first encountered their service. Being able to make that transition from web to mobile was difficult for them on their own without the ability to go and identify users and their multiple families of devices. As you know, you’ve probably got several devices yourself. They’ve all got various different capabilities. So being able to tie those different personas to a different family of devices to identify fraud was an important user case for them, which we see successfully delivered, but also again making that transition from web to mobile to understand things like, well, hey, we’ve previously been doing things like blacklisting the IP address, whereas in mobile that doesn’t particularly make sense, whereas the user may hop between three or four different cell towers and subsequently IP addresses in a matter of minutes if they’re driving as opposed to a typical desktop user where their IP address is a lot more static.

David: Is there a lot people still doing that fraud protection 1.0 with IP address lists?

Dean: You’d be surprised. You’d be very surprised. I mean, it just seems to be a legacy facet of the fraud protection system. I mean, it also comes down to education as well. A lot of the people that who use and monitor these fraud systems almost use an IP address as a captcha and want to say, “Hey, this is bad behavior. Let’s blacklist their IP address. We’ll never see them again.” And it’s obviously not effective in this day and age.

David: Yeah, whereas if somebody was going to conduct some fraud, they might go to a Starbucks, or something like that, and they’d be effectively be using a disposable IP resource in that situation. And so, therefore, everybody else that comes along afterwards is like tied with the same brush in that situation.

Dean: Precisely. And we actually just had a look on that exact note, found a statistics from our network just last week where an average desktop user had between about 1.2 and 1.3 IP addresses in the space of six months. And a mobile user had about 2.6 to 2.7. So again, the metrics just look completely different between those two channels.

David: Right. Okay, so back to StubHub, because I’m a bit thick. So what are the key user cases then? Is it that somebody is actually trying to sell or buy with a stolen credit card? That’s like a low-hanging fruit?

Dean: Definitely. Absolutely.

David: And is there a situation where somebody’s trying to sell a fake ticket in that situation?

Dean: I’m not quite sure. It’s not something I’ve encountered. I mean, again, they’ve done a really good job. When you actually sell a ticket, you actually have to scan the barcode of the ticket or actually reach out to the ticket issuers to do a verification of the ticket to actually know if it’s legitimate. And they’ve done a really good job of that. One interesting case I’ve heard is people reselling tickets for things like parks and resorts. So they will get to the gate of a theme park, for example, or a concert or whatever the event is, and then they’ll use a stolen credit card once off to go and effectively buy the ticket to the concert and then delete all these application or wipe their phone or whatever, and then reinstall the app and then repurchase another ticket for their friend, and just do this over and over, and over for ten minutes leading up to the event. So they’ve got how many tickets, and they would just go on and check in on that. So the difficulty is, I mean, this is in real-time world. These guys are standing at the gate over the event buying these tickets. So if there’s any kind of manual review or retrospective manual review that has to happen which usually happens within the space of a day or two after a purchase, you just don’t get that opportunity. They’re buying the tickets on the spot right there with the stolen card, and checking to the event. And after that, they’re exactly there. They’re lost in the crowd.

David: So that’s pretty cool.

Dean: I thought it was an interesting user case. It’s good being able to do decision in real-time in those scenarios is imperative.

David: Right. Okay, cool. Yeah, because it’s actually a window where things happen very quickly in that situation. I remember the early user cases of the early situations that were happening in ticketing was there was also like rings of people buying up Britney Spears tickets like all in one go, that sort of thing. There wasn’t StubHub there in that scenario. Is that still kind of like the case when tickets go on sale?

Dean: Yeah, that’s always going to be the case. And there’s even people still. I mean, there are the hardcore people these days that will still go and camp out the ticketing offices overnight and kind of wait to go and buy the tickets in person. But I think there’s a lot more restrictions now placed on how many tickets you can buy per person, per event, etc. All of that comes down to understanding, well, “Am I being hit by some bug?” Or is there multiple people behind multiple computers making this purchase legitimately. Because I think what we understood at the time was there might have been 50 guys with 50 credit cards shared and then they had box that actually drove the transaction to scoop up all the stuff, the inventory as it came online.

David: Exactly. Yeah.

Dean: Yeah, it just monopolized the ticket industry. It’s also, I mean, the term the “digital scalper,” where the scalper will stand outside of a venue, the same scenario that I gave you earlier, that instead of buying the tickets himself, someone will come up to him and say, “Hey, I want to buy some tickets.” And say, “Alright, I’ll get you four tickets.” And you’re right then and there. He’ll jump on StubHub or something with a stolen credit card and buy the tickets, and e-mail them to that person. And that person just walks straight in broad daylight. They’re inventive.

David: Yeah, that’s cool with mobile.

Dean: If I was less honest, I’d probably be doing it myself.

David: Yeah, we always see better opportunities outside, yeah. Alright, that’s great. So tell us just in closing, if somebody wants to do this sort of capability inside their application, what’s it look like, because quite often there’s friction around getting an SDK inside an application. What’s the actual, sort of the guts of the process.

Dean: Yeah, so the normal price is something, again we’ve tried to keep it very generic SDK. It’s very easy to implement. It’s really only kind of one method that we used to go and invoke it and execute it. The real magic of it is what happens on the service. So in terms of the model that’s really a client-serving model, the SDK being the client are served, are really being the brains behind everything. So if you need to make policy changes and configuration changes to the way the client behaves on the device, you can do all of that from the server without having to push out updates in your SDK or anything of that nature. So, that was our primary design goal, when we built the SDK, was to make sure that, “Hey, you know what, ThreatMetrix wants to add some kind of new detection capability to the platform.” We don’t want our customers to have to go on scrambling, getting new SDK and go through the normal QA process and publish. They have to know all of that on our behalf. So moving a lot of that decision to the service side made a lot of sense as being very successful for us.

David: Right. But in a nut shell, you implement the SDK within the app, then there’s some backend work required in order to reach out from their system to our backend service to kind of tie all the data together that we gather from the device.

Dean: Point of transaction.

David: Precisely.

Dean: And that’s really it. It’s not rocket science. I mean, we’ve had customers implemented in the space of a single day.

David: Right. And so you’ve got to be using ThreatMetrix to begin with, I guess. And that’s it. You have to setup an account.

Dean: Correct, yes.

David: On the service side,

Dean: Yup, that’s right. Yeah, we’ve got a services team that onboard customers and hold their hands. We’ve got some default policy sets and things like payments account creation and things of that nature, just to get them up and running.

David: Alright, cool. Alright, well, I think that’s a good set of place to stop where we’ve hit the 20-something minute mark.

Dean: Right, David. Thanks for the chance to chat.

David: Yeah. I really appreciate it.

Dean: Likewise. Sounds good.

David: Cheers, mate.

Dean: Gidday, David. Thanks.
