Devising an Information Based Strategy for Fighting Fraud

John F. Ellingson, President, NBIB
E-mail: JohnE37179@aol.com 

"Everything should be made as simple as possible, but not simpler." Albert Einstein

You can beat some fraudsters all of the time, all of the fraudsters some of the time, but you can't beat all of the fraudsters all of the time!

Introduction

Fraud is growing world wide at nearly exponential rates. Few if any perpetrators are discovered, caught and prosecuted. In the United States government estimates place the total impact of fraud at more than 18% of GNP.

History

• Fraud seems to be basic to human nature. Fraud is the intentional exploitation of the greed of the victim.

• Fraud has grown hand-in-hand with the expansion of the digital infrastructure for commerce and communication.

• While not part of the design of the digital infrastructure, greatly increased fraud is a natural consequence of the creation of immense opportunities to manipulate the digital system we all rely on. Digitization has removed human instinct and face-to-face interactions from nearly every level of commerce and communication. Fraud is the result.

• Historically we have relied on cops to help us fight crime. Unfortunately there are few in law enforcement that have the in-depth understanding of digital transaction. Despite this shortcoming we still largely rely on former law enforcement officials to provide the strategy for dealing with the digital crime of modern fraud. Complicating the problem is that the strategies created by the "cops" are communicated to "nerds" with little understanding of fraud. The result is the standard model for fighting fraud is largely ineffective. Despite the complex and sophisticated nature of many of the fraud fighting systems, they remain unable to thwart the rapid growth of fraud.

The need for a universally accepted definition of fraud

• Fraud is an intentional act of deception for the purpose of committing a theft. All too often fraud is confused with other activities.
• It is crucial that a uniform definition of fraud be generally accepted. Without a uniform definition we will never be able to agree on a measurement of the problem, or share information that has the same meaning to everyone.

• Fraud is most frequently confused with credit abuse, either by those attempting to get more than they deserve, or by those seeking to avoid a poor credit history. This class of behavior is what most fraud detection systems uncover. This should not be confused with the fraud that is perpetrated as a "business" by organized enterprises.

• There are those individuals who will occasionally perpetrate a fraud simply because they can. These are the amateurs - this does not imply a lack of sophistication - only that these individuals act alone. Then there are professionals who set about to perpetrate numerous frauds as part of a single cohesive scheme. These criminal enterprises are well organized, financed, and equally technically adept as the most sophisticated systems they victimize.

• Fraud now stretches across the globe. A fraud that victimizes a bank in the US may originate in Russia (ask Citicorp).

The business model for fraud

• One of the myths about fraud is that it is practiced by people who would do much better if they "only used their talent for legitimate purposes". Nothing could be further from the truth. Professional fraud is a business. As a business all of the advantages go to the fraud. When the victim and the perpetrator or fraud are viewed as competitors, the victim should lose every time.

Crime pays

• Consider the following:

1. A common check fraud involves the counterfeiting of payroll checks. Here's how it works: On Friday an employee of a supermarket that accepts payroll checks is given a bribe of $100 (or sex or drugs) and "borrows" a local payroll check. The "borrowed" check is supplied to a gang member who scans it into his computer. The check is then returned to the supermarket employee (the process takes minutes), who replaces it and no one is the wiser.
2. The scanned check is altered and printed numerous times (100 for our example) with the same or multiple payee names. (These checks average from hundreds to low thousands of dollars). On Wednesday, the 100 counterfeit checks, with a total face value of $150,000 dollars is sold for $15,000 on the street.
3. The buyer of the checks, working with several confederates, attempts to pass these counterfeit checks at supermarkets, check cashing services and local banks. Only one in four of the checks is successfully negotiated.

The economics of fraud

• The analysis:

1. First level - investment = $100 - return = $15,000 - profit = $14,900/week - $774,800/year - annualized ROI = 774,800%
2. Second level - investment = $15,000 - return = $37,500 - profit =
3. $22,500/week - $1,170,000/year - annualized ROI = 20,800%
4. How well are your investments performing?
5. Other interesting information: The Comptroller of the Currency reports that 1,200,000 counterfeit checks are successfully negotiated every day.

• Consider that in the above example 75% of the bad checks are detected and not paid and the fraud scheme is phenomenally successful at every level. Conventional wisdom in fraud detection technology would consider a system that detected 75% of the attempted fraud as being successful! What is wrong with this picture?
• The model for identity fraud is similar to check fraud. Electronic identities are stolen in quantity from various sources. The stolen identities are then brokered on the street at about $10 each. Each stolen electronic identity has thousands of useful variations. Purloined and manipulated identities are harder to detect than counterfeit checks.
• This means that the risk of detection (which has no bad consequences for the crook - it's just part of doing business.) is lower for the crook than in check fraud. It also means that the technology to defeat identity fraud must be even more robust than the technology used to attack other kinds of fraud.

• So much money flows through the hands of organized crime that these enterprises, like other businesses, must find ways to move and invest their money. The only reasonable way to rapidly move large sums of money, whether you're a legitimate business or organized crime, is through the banks. If you're a crook, this process is called money laundering. The government requires banks to report all large cash transactions and all suspicious activities. FINCEN keeps track of these transactions. Since the criminal knows the rules about reporting large movements of money through the banking system, the criminal must not be associated with his cash movements. To avoid association with money laundering activities the criminal employs a number of deceptions. These range from the use of otherwise legitimate enterprises to move ill-gotten gain, creation of bogus entities and the use of deceptive identities.
• As we've seen, fraud pays and pays very well. In recent years criminals at home and abroad have resorted to violent activity to protect their "turf" in fraudulent enterprises. White colar crime used to be non-violent - not true anymore.
• Many of the same criminal organizations that participate in other criminal activities, such as the distribution and sale of illegal drugs, also participate in wide-ranging frauds.
• In addition, foreign criminal enterprises from Nigeria, Russia, and Asia all conduct frauds in the United States.

Who commits fraud?

• Fraud has become big business. In the United States fraud is the equivalent size of 18 companies the size of general motors. While much fraud detection technology focuses on (and detects) individuals perpetrating fraud - or serious credit abuse, most fraud perpetrated by organized criminal elements remains undetected and undeterred.

• Individuals who perpetrate fraud usually do so for their own profit and not to profit some enterprise. While some of these individuals are both creative and technically adept, they lack the sophistication and resources available to organized crime.

• A recent survey indicated nearly seventy percent of the population would steal from a public utility if they thought they would get away with it.
• This is a frightening prospect, particularly if you run a business that resembles a public utility - businesses such as telecommunications, insurance, cable television distribution, banking, credit, etc. Most of these enterprises are viewed as impersonal, uncaring, and rich. The victimization of these businesses can therefore be rationalized as both victimless and just - the perpetrator of fraud against these enterprises becomes Robin Hood.

Who can be victimized?

• Anyone and everyone is a potential direct victim of fraud. Large sophisticated and automated digital systems are the most vulnerable.

Who is the victim of fraud?

• We all are. Fraud is the equivalent of an invisible tax of about $2500 a year on every man, woman and child in the United States. We all pay this fraud tax in the form of the higher cost of goods and services we all buy.

Anonymity, privacy and fraud

• There are universals in the commission of fraud: The perpetrator must remain anonymous, or when discovered, untraceable. As a culture we are caught in a difficult dilemma; we want to remain anonymous in environments like the Internet in order to preserve our privacy. In the world of the information age there is so much data about each individual available through public, government and private sources that privacy in traditional terms has become almost meaningless. The result is the creation of nirvana for the perpetrator of digital crime and wide-scale fraud.
• Because there is no central clearinghouse for information about individuals there is no way for an individual or organization to know when, or even if, an individual's privacy has been compromised. Digital identities have become a commodity for criminals and a growing market in digital identities has sprung up in the last several years.
• Identity dealers (those who sell purloined complete digital identity packages) have started to plague the telecommunications industry and will soon spread to all segments of the economy who utilize or rely on identity information supplied in any electronic form.
• Because criminals depend on anonymity they have made the wireless telecommunications system their communications choice. Cellular phones are completely anonymous and basically untraceable.

Disappearing boundaries and borders

• While the borders and boundaries between nations and states within nations remain fixed on the map and on the ground, they are all but meaningless and invisible to the digital commerce that dominates the world economy. While the decline in the importance of governmental borders is widely recognized, probably the most important border to become fuzzy is that between an individual and their identity as they and their family and friends see it and their digital identity as it is used by governments and commerce.
• Nearly all of our transactions and communications involve some form of digital identity. This is one of the most fundamental cultural changes that has come about through the ubiquitous use of digital devices and digital information.

How does privacy legislation impact fighting fraud?

• Most privacy legislation makes the false assumption that personal information that resides in numerous databases can be protected from unauthorized distribution. In the current information environment this protection is simply not available. By mandating protection for personal information the honest operators of information systems will do their best to comply, while the unscrupulous will be unfettered. The likely result will be even more unauthorized abuse of personal information.
• Crooks will be free to use the information any way they choose while the legitimate user of such information will have greater restrictions on the use of such information, which will make the prevention and detection of information and identity fraud more difficult.
• The bottom line will be a result that is the opposite of that which was intended. As with other digital technology, there is likely to be an unintended consequence that is worse than what was preexisting.

Reestablishing identity confidence

• One of the most difficult tasks facing commercial providers of identity information will be the prevention of the erosion of confidence in such information. While we have become reliant on digital identity information for the conduct of most commercial and consumer transaction, the advent of electronic commerce will greatly intensify both the reliance on such information and the opportunity for such information to be coopted and abused for criminal purposes.
• A number of strategies and technologies have been proposed and introduced to deal with this issue. They range from simple PINs and passwords though encryption (RSA PGE) to various biometric components.
• However, all of these strategies and technologies are incapable of providing any real security unless all of the links in the information chain of transaction and identity can be confidently assured to be accurate and reliable. There are so many weak links in the chain today, and as proposed for tomorrow, that it is reasonable to assume the asymptotic growth of digital fraud will continue and even accelerate.

Developing a comprehensive strategy

• An important part of any fraud strategy development is the decision of the point at which the effort is focused. The obvious choice in fighting fraud is should the focus be on prevention or detection. This does not mean the choice is one of "either - or", but where should the primary effort be focused?
• In the present climate the focus is on the detection of fraudulent transactions. This is the weaker of the two choices. The reason is simple: for there to be a fraud to detect the risk of loss either is imminent or the loss has just occurred.
• With a strategy focused on prevention the risk of loss is typically remote and the opportunity for a fraudulent transaction is avoided.

• The present dominant strategy of fraud detection is driven largely by the availability of transactional data. Since this data is currently being processed we might as well review it for fraud.
• Added to this approach is the misconception that fraud prevention is more difficult and costly than prevention.

• The risk of loss is higher with detection strategies. Because the transaction is either on-going or has just occurred any ability to stop the loss is dependent upon real-time action, or the ability to "catch the crook" and recover the loss.

• Because digital systems are so good at processing transactions a false assumption is made that the system will be equally good at detecting fraud. We now know this is not true.
• The common approach to this system of detection relies heavily on computer modeling and regression analysis. It should be remembered that both of these approaches are at best good approximations of reality and at worst are bad approximations or no approximation at all.
• In reviewing the typical fraud (illustrated by the counterfeit check scheme shown earlier), it should be obvious that a system that is less than 95% effective will provide little if any barrier to the fraud artist. None of the sophisticated modeling or neural network systems in use or contemplated today even reach the 95% level of accuracy. Therefore, reliance on these systems benefits the crooks whom become free to operate in the 5% to 25% undetectable region with complete immunity.

• Even with the best digital security system it is still people who are the weakest link. Recently I had the opportunity to rent a car from a major company at the Los Angeles airport. I had a colleague with me. The car was in my name and I was told over the phone that my colleague could not pick up the car ahead of my arrival. When I picked up the car, I asked my colleague to drive. When leaving the rental lot the guard required us to show him the rental contract and my valid driver's license. Since my colleague was driving, he passed the contract and my picture ID (DL) to the guard who carefully examined the documents, thanked my colleague - addressing him as me, and released the car. Needless to say, no one would confuse me and my colleague; but the guard did.
• The bottom line here is that regardless of how well the system operated to check my credit card and verify my driver's license, anyone who was male could have driven that car out of the lot with a reasonable facsimile of a driver's license bearing my name. Within hours the car could have been parted out in Mexico.
• All of this comes back to the old banking adage of "know your customer". And never assume your system is secure because it is operating on the latest computer using sophisticated technology.
• Fraud-fighting strategies must encompass the entire system; including the human links in the chain.

• Law enforcement has always had the roll of catching crooks after a crime has been committed. While there are dedicated law enforcement officers who work fighting white collar crime, the successful prosecution of a perpetrator of fraud that results in the criminal serving any significant jail time is rare indeed.
• In all but few jurisdictions there are insufficient resources to prosecute and try fraud cases. There are a number of reasons for this - fraud cases take more prosecutorial time and effort than do violent crimes - juries with the attitude that fraud against large corporations are victimless are hard pressed to convict - even after conviction there is little room in overcrowded jails for white collar criminals.
• Therefore it is not realistic to look to law enforcement or stronger laws to provide any deterrent to fraud.

Misplaced confidences

• We all too frequently place confidence in systems because the seem sophisticated beyond our ken and therefore must be capable. This is certainly true in the arena of fraud. Relying on systems that would detect and prevent 90% of all fraud attempts are really failures. We lose sight of the fact that the high volume digital transaction systems we have created are very attractive to high volume crime. By building a system that functions in the hundreds of millions or billions of transactions we attract and encourage the crook to push that system by generating large volumes of attempted fraud. The crook knows that 90% of fraud will be detected and can thrive on the 10% that is undetected.
• We need to design systems that can approach 100% effectiveness. While there are those that suggest this as an unrealistic goal, such effectiveness can be achieved. However, achieving this level of success is not without some risk. One way to achieve 100% success is to increase the cost of perpetrating fraud to a level that other activity or targets for fraud become more attractive. An example of this is the nearly 100% success in detecting and defeating cloning fraud in cellular communication. The result is not a decrease in fraud losses, but the change in method of the fraud artist from cloning to subscription fraud. This evolution was from a lower loss per incident fraud to a higher loss per incident fraud.

Partial solutions as an invitation to disaster

• Solving half a problem can lead to misplaced confidence and an increased risk. By analogy, if we were to build a house with very strong walls and windows to keep out thieves, but not put locks on our doors we would have accomplished nothing.

• Using technologies such as SET or RSA to protect the transaction in transit is a solution that provides protection at the least likely point of attack. Certainly transactions should be protected en route, but the attractive target for fraud are the accumulated transactions at the end of the line, not one-by-one en route. Those employing such technology must be prepared to provide adequate protection at the other more vulnerable points of attack.
• Encryption is a means of protecting the anonymity of communications rather than a deterrent to fraud.

Fraud and the Internet

• Gnawing at the core of the opportunity presented by the Internet is the question of what will increased opportunity for fraud mean. Even more basic is the question of whether or not an open system of the magnitude of the Internet can be protected against misuse. Consider the multimillion dollar international fraud perpetrated against CitiCorp initiated in Russia, involving several South American locations and loci on both coasts of the United States.

• In looking at the Internet and trying to find where it is vulnerable to attack one can only conclude that it is vulnerable everywhere: At the use location, at the merchant location, at the routers, at the banks - anywhere there is an input or output or presence. Vulnerability is increased by the totally anonymous environment of the Internet. Embryonic strategies such as digital certificates of authenticity create a sense of security while providing very little real security.
• The largest risk in the use of the Internet for important communications and/or commerce is that to date no one has as yet adequately addressed the issue of ensuring who is on either end of the communication on the net. All that can be ensured today is the legitimacy of a digital identity. To many this may seem all that is needed, or all that is possible. However, since the abuse of legitimate or altered digital identities simple and a growing concern the focus needs to be on a means of assuring that the user of a digital identity is also the owner of the digital identity.
• One technology that can offer part of a solution to this problem is the use of biometrics. However it must be remembered that no biometric can tell any use the identity of the person whose biometric is offered. A fingerprint or iris scan does not have a name. The name must be attached to the biometric at some point. If the wrong name is attached and then the biometric is relied upon to verify the identity, it will always confirm the wrong identity - even if the technology is flawless.

• Electronic commerce is no different than the transaction between the local merchant and customer that took place one hundred years ago. The parties must know each other. If what existed a century ago can be integrated into electronic commerce all of the other risks can be managed with existing technology and common sense.

Failed strategies of the past

• The common approach employed by many companies to fight fraud has been to employ the methods of law enforcement in catching criminals. Catching a criminal is a good thing to do, but it does very little to fight fraud. The strategies that have evolved following this approach have focused on information that is required to locate a crook. However, the last decade has clearly demonstrated that this approach is a failure. It is unlikely that any segment of the economy has come close to growing as fast as fraud has in the last ten years. It has taken Microsoft twenty years to grow to the position it has today. In just half that time fraud in the United States has grown to be larger than fifty Microsofts.
• This strategy of emulating law enforcement operates on the assumption that it is effective to detect fraud as or after it occurs and then focus on the crook. The strategy that is needed is not one of detection, but one of prevention. Since it is unlikely that identifying, arresting and trying the perpetrator will have much of an impact on fraud losses, preventing the loss should be the focus today.

What information is needed to fight fraud?

• There seems to be an assumption that more is always better when it comes to information that is used to find and fight fraud. Underlying this assumption is the corollary belief that the information that is analyzed is true. Neither of these assumptions should be accepted on their face when analyzing fraud. Crucial to dealing with information supplied or about a fraud or the perpetrator should be the underlying premise that fraud and perpetrators rely upon deception for success. By using all of the information that may be available and assuming it to be true actually aids and abets the perpetration of fraud.
• It is easy for the perpetrator of fraud to manipulate data. This can be done by utilizing the normal channels of information gathering (account applications) or through the co-opting of insiders.
• Most systems in use today to detect fraud are in some sense rule based. It should be assumed that the perpetrator of fraud knows and understands all of the rules. If there is a way to use the rules to circumvent the system, it will be done.
• While modeling is an accepted way of discovering fraud, it should also be remembered that one of the keys to successful fraud is to emulate normal behavior and to supply the victim with information and circumstances that seems normal.

• Derogatory files have played an important role in credit analysis. The use of such files for the detection or prevention of fraud should be approached with caution. Key to the effective use of derogatory files is the assumption that the information in the file can be related to new information and prior behavior can then be used to predict future performance. In the case of fraud this may not be possible. Every fraud is eventually discovered and the perpetrator knows this and takes it into account.
• Frauds are finite in extent. All frauds end - none are perpetual. The professional perpetrator knows before setting out to commit fraud that the information used in the perpetuation of the fraud will end up on one or more derogatory databases. Therefore in the continued perpetration of fraud the perpetrator must devise a strategy that avoid the association of the new fraud with the prior frauds.

• There are three distinct activities that are frequently confused: credit abuse, simple fraud and professional fraud. Each of these activities cause losses, but are significantly different in both the level of risk they represent and in the sophistication of the schemes used.
• Credit abuse is a negligent act. While it may come close to being a fraud, there is usually some intent to pay the obligation incurred at some time. There are those who simply are poor credit risks. Credit risks of all kinds can be handled by conventional credit risk analysis.
• Simple fraud is the type of fraud that may evolve from credit abuse when an individual is trying to avoid a bad credit history, or it may simply be someone taking advantage of the opportunity to steal because they figure they can get away with it. This sort of fraud is usually detected by existing means and when detected the perpetrator may be found and the obligation collected.
• Professional fraud is perpetrated as part of a planned scheme and usually involves multiple events either serially or simultaneously. Most of these frauds are not detected until the loss occurs. These perpetrators are sophisticated, have access to the best technology and are a "business" for the perpetrator. Because this sort of fraud represents low risk and high reward for the perpetrator it is very attractive and profitable. Most of this fraud is not well accounted for by victims in analyzing the effectiveness of their fraud-fighting strategy.

Dissecting a fraud

• Frequently I hear from someone whose job it is to fight fraud "think what a success the perpetrator would have been if only he had used those talents for a legitimate purpose." Every time I hear this comment from someone who is suppose to have some level of expertise in fraud fighting I realize that they are underestimating their opponent and don't turly understand fraud. Fraud is one of the lowest risk and most profitable enterprises. Fraud is practiced by some of the most creative and talented people with great resources at their disposal. Most professional perpetrators know more about their victim and the victim's operation than the victim does.
• The result of the mind set that perpetrators of fraud are somehow defective is inadequate strategies for fighting fraud. We have all seen the comments by those touting fraud prevention efforts that they have discovered perpetrators using Social Security Numbers of dead people, or the addresses used are mail drops. Sure, there are perpetrators of fraud who might try these subterfuges. But that is really "Fraud for Dummies". The professional fraud artist who represents the great risk knows that most systems screen for Social Security Numbers from the death list and that programs check date and place of issue against date of birth information. Serious frauds don't fall into these traps.

• The single element present in all frauds is an element of deception - a lie.
• The second common element is an effort to avoid an association with previous bad acts. Sometimes the first and second element are combined in a single act of deception - usually a lie about the identity of the perpetrator. This may be all it takes to perpetrate a successful fraud.
• Most of the information supplied by the perpetrator of fraud is true and can be verified. Smart perpetrators of fraud try to tell as much truth as they possibly can.
• Professional perpetrators of fraud know that the fraud is temporary event and will end and be discovered. Therefore the perpetrator builds this into the plan and is not concerned in the least that the fraud will be unmasked. All the perpetrator needs is to achieve the goal of the fraud before discovery. Discovering the fraud after the perpetrator has succeeded in reaching his goal does nothing to beat that particular fraud. It may provide interesting and useful information about fraud that can be utilized in the future.
• Once special screens to detect fraud achieve a level of success the type of fraud being perpetrated will change. Perpetrators don't do what doesn't work.
• Perpetrators can operate successfully with 95% of the attempts at fraud being detected and thwarted. It is not a victory over fraud to simply stop most of the attempts.
• Smart perpetrators try very hard to look just like everyone else and are usually successful. Therefore, modeling is not a particularly effective means of fighting fraud.

• Since the sophisticated high-risk perpetrator thoroughly understands this information systems in-place to catch him, he knows that the information that is part of the fraud lost will become part of a "watch strategy" to catch him next time, he must avoid being trapped. To do so he must "abandon" the identifying information he used to perpetrate the fraud.
• This raises an interesting issue about what "abandon" means in this context. What is means is changing identifying information sufficiently to avoid being associated with the previous loss. It may be as simple as changing a single letter in a family name and one digit in a social security number. Cross checking addresses and phone numbers may detect the previous fraud. However, since we are such a mobile society and in a relatively short period of time many legitimate individuals may share the address and phone number the perpetrator used.
• All of these abandon identities end up on derogatory files. If a means to associate the abandoned identity with the new identity is employed, the new identity can be successfully associated with the previous activity and the fraud prevented. Preventing fraud in this way is much more effective than trying to detect the fraud as or after the loss occurs.

• All fraud schemes are finite in nature. They all conclude. The conclusion of the fraud is inevitable. The end of the scheme is part of the perpetrator's plan. It is usually at the end that the scheme is discovered. In fact, many fraud detection strategies only operate after the fraud is completed. The proponents of this strategy wrongly think they have a success if they detect fraud at this point. Most of these strategies are aimed at detecting fraudulent transactions. The perpetrator doesn't care if you detect the transaction. They overwhelm the system with transactions and some get through. By using these fraudulent transaction detection strategies you force the perpetrator to evolve a system to beat the strategy.

 

• To effectively defeat fraud strategies must focus at the beginning of the process; not the end of the process. Detect the perpetrator at the inception of the fraud, not the conclusion. The focus should not be on the transaction, but the entry into the system. One of the inevitable problems with transaction pattern analysis systems is the anomalous behavior of legitimate users result in many false responses and a high cost of operating such a system involving call centers etc.

Summary

Our current approach to fraud is largely ineffective. We are creating new opportunities for fraud on the Internet. Generally we don't understand fraud or have common definitions. We don't have coordinated efforts. Things will get much worse before they get better. We design systems without regard to how they might be compromised. One prime example is the design of the Medicaid system. This system was elegantly designed as a payment system. It provides payments very well, so well in fact, that approximately 25% of the payments go to perpetrators of fraud. The system was never designed to verify claims, but only as a payment system.

In designing systems for electronic commerce we should keep in mind how those systems fit in the universe of commerce which contains criminal commerce as well as legitimate commerce.

Further Reading: