Detecting Account Opening Fraud

The third episode of Digital Tells: A BioCatch Podcast tackles the global epidemic of identity theft, and the resulting fraudulent accounts that ruin personal credit ratings, perpetuate mule activity and money laundering, and drain institutions of $Billions annually. Tom O’Malley joins us again to discuss why most account opening fraud occurs online. Raj Dasgupta from BioCatch, discusses the peculiar online behaviors exhibited by cybercriminals, versus those of genuine account applicants; The Digital Tells that help Behavioral Biometrics distinguish between criminal and genuine activity. Ayelet Biger-Levin discusses BioCatch’s newly-announced Age Analysis Capability. And Howard Edelstein shares a story of account opening fraud detection that has become BioCatch lore. 

Tom O’Malley, a retired U.S. Department of Justice financial crimes prosecutor, founded a website, FrozenPII.org, which helps consumers protect their identity. Check it out!

Transcript

Have you ever been the victim of identity theft? Ever applied for a loan or a credit card, only to find out someone else has masqueraded as you and negatively effected your credit standing? Identity theft and new account fraud is a global problem. If you live in the United States, chances are you’ve been a victim – and if not ~ it’s likely someone close to you has been.

I was chatting with Tom O’Malley, the former federal financial crimes prosecutor you met in Episode 2, and we were discussing identity theft. The U.S. federal trade commission reported recently that $3.3B was lost in 2020 due to identity theft – that’s nearly double the $1.8B lost in 2019. 

And where are those stolen identities put to work? well, online of course – in the form of new accounts – credit card accounts, lines of credit, deposit accounts, you name it. Here’s Tom O’Malley

Tom O'Malley

Most often they're being opened remotely because it presents a little risk to the person who's opening an account. I mean, if you show a physically token something besides whatever documents you present, which are going to be fake driver's license, et cetera, you put yourself as a criminal at risk because there surveillance cameras. Nowadays, there's the ability to match surveillance footage with driver's license, facial recognition, driver's license. So typically criminals are not going to do this physically in a branch bank. They're going to do it remotely and they can do it remotely from anywhere in the world and depending on a bank's processes and fraud methods to detect fraud, it can be done from anywhere in the world, even though they're supposed to be a customer in the United States, opening up a bank account.

This is interesting, unlike the scams and account take over stories that we discussed in earlier episodes – crimes that disproportionately target older folks – Identity Fraud victims are more likely to be young… like under 40. In fact, in 2019 of the 1.6 million identity fraud reports in the U.S. – 44% were from people between the ages of 20 and 29. According to Equifax Canada, nearly half of all suspected fraud applications are for those between 18 and 24. 

Ok – so – somebody gets ahold your personal information, enough to open a credit card account in your name. Maybe they obtained your personal info on the dark web – maybe it was originally stolen in some big corporate data breach. And then that info, your data, is applied to an online form to open an account. Oh, by the way – it might not be a credit account – it could be just a bank account, so instead of obtaining false credit in your name – is used for shuffling money between accounts – for scams – or mule activities – both issues we’ll be taking a closer look at in later episodes. 

For this episode of digital tells, we’re taking a close look at the act of opening fraudulent accounts. Which, for those of us who have been victims, happens silently in the background… Before that heart-in-your-throat moment when you realize your credit rating has been ruined… or perhaps even worse, you’re contacted by law enforcement about scams or mule activities perpetrated in your name.

Also – very important note here – your credit rating – or mine for that matter – isn’t the only fall-out of identity theft. Financial institutions, credit issuers, they’re the ones usually taking the hard financial losses. A study released earlier this year by Javelin Strategy & Research, reported that combined fraud losses climbed to $56 billion in 2020 globally. Of that, traditional identity fraud losses totaled $13 billion. 

Well, back to that initial account opening, in episode 2 we got a glimpse into the sophistication and scale of cybercrime syndicates…. Scale meaning LOTS of accounts and lots of victims. It’s sendom just one account, rather it’s usually hundreds or even thousands of accounts opened in each campaign. 

And therein lays an opportunity for institutions to differentiate between legitimate and fraudulent applications. The Digital Tells of fraudulent applications – if you will.

Act 2

My colleague Raj Dasgupta and I were recently talking about what typically happens during the act of applying for fraudulent accounts. Raj is the Director of Fraud strategy at BioCatch, and has two decades of experience in the trenches – dealing with identity fraud issues at organizations like TransUnion, HSBC, and Symantec, among others.  

OK, so before I go to Raj – for just a moment – think about what you do when you open an online account… maybe your taking advantage of a great credit card deal with lots of hotel rewards points. Then put yourself in the seat of one of these highly specialized cybercriminals we discussed in episode 2 – how would you go about your job of applying for multiple fraudulent accounts – hour after hour – all day long?

OK – here’s Raj -  

Raj Dasgupta

Yeah, sure, I think copy pasting in online interaction can be on two different scenarios. One is account opening where you are copy pasting stolen information or made up information onto a form which is used for a new account opening. And it can be copy pasting the name, address or certain parts of the PII, quite likely from an application like an Excel sheet where you have all the stolen data. And within that copy pasting behavior. One is it's unusual for somebody applying for a new account to be copy pasting their own data. And the other is there can be copy paste and then erasing the pasted data, putting it in another form. As I was saying, it could be that the first name, last name are together in the Excel sheet. It's copied over to the first name field and then you cut the last name and place it in the last name for you. Very, very unusual scenarios or online behavior. 

Peter Beardmore

Let's transition to somebody actually reading this information. Right. So it's like long term memory versus short term memory. Can you can you talk about that a little bit?

Raj Dasgupta

So again, imagine in the context of account opening, you're typing in your name and address, Social Security number. You've been doing it for many, many years. It comes very fluently. You can type all the nine digits in at a steady cadence without stopping or without having to delete any digit and retype it in because you're essentially pulling it out of your long term memory and typing in the fraudster has stolen that information from somewhere else. That information does not belong to them. And they're either copy pasting the Social Security number or the name or address or typing it in. But because they're not familiar with that data, they'll make mistakes and they'll correct those mistakes. And then there type it again. 

Peter Beardmore

So that behavior – cutting and pasting – the pace and pauses exhibited when entering personal information – those are just some of the Digital Tells that are the underlying indicators for behavioral biometrics to distinguish between genuine and fraudulent online account opening.

In episode 2 we met Ayelet Biger-Levin, VP of Market Strategy at BioCatch. Later in the conversation we featured in episode 2, she went a little deeper into some of these indicators, and how BioCatch technology can make those distinctions.

Ayelet Biger-Levin

Some classic examples of the way that with this type of technology, we can distinguish between cyber criminal activity and genuine activity is by looking, by profiling the population and detecting differences between activities that correlate with fraud or correlate with genuine activity. So, for example, one thing that we observe when we track account opening activities is that there is a big difference between a cyber criminal and a legitimate actor and their familiarity with the process. A cyber criminal will be very, very familiar with the account opening process because they open many, many accounts every day. So they'll be very familiar with what are the mandatory fields. When you have a dropdown, they don't stop to select fields. They just go really quickly. They don't read the Ts and Cs, they won't select a credit card design. They'll just go very, very quickly and fill out the form, whereas the legitimate user will read the terms and conditions, will select their favorite credit card design, will think about their annual income, will select their interest rates and make decisions and selections. The process will be much longer. So that's one example. 

A second example is familiarity with data. A legitimate actor will be very, very familiar with their personal data. And when someone uses the data that they're familiar with, they will display use of their long term memory. So when they type, they will type continuously without pauses and they will, of course, know the data they might have Autofill, which is legitimate, and they'll enter the data fairly quickly. However, cyber criminals, when they need to enter personal data, they'll either copy or paste it from a list. They might type it because they try to memorize it. But we will see that they're using their short term memory and we'll see segmented typing along the way. They often have errors that they need to fix and they really display low familiarity with the data. It's interesting that some fields are actually not known to legitimate actors like think about part of the application process. You need to fill in a hotel rewards card.

That's not something that number is not something that you have in hand. You probably have to log into your email, look for that number, whereas a cyber criminal who knows the process and wants to fill out that that number potentially will have that readily available. 

Hopefully at this point the idea is pretty clear by now – cybercriminals and legitimate applicants behave differently. Form formality. Short term and long term memory access. And obviously cut and paste and autofills can also make great indicators. BioCatch can leverage these Digital Tells to help organizations that rely on online applications for their business - protect themselves from fraud losses. And they also help and protect society – people like you and me – from being victimized by identity thieves and cybercrime syndicates. 

But wait, there’s more. You may recall in episode 1 when I teased the idea that behavioral biometrics can actually guess your age. Not too long ago a BioCatch customer had an idea – if an application indicates the applicant is say 18 or 19 years old – or 75 or 85 years old for that matter – but the data is entered by someone say in their 40’s… could we detect that? It turns out, to a degree of certainty – we can! Here’s Ayelet again.

Ayelet Biger-Levin

When looking when analyzing the data and trying to find those correlations between ages and the use and the interaction. We found a shocking truth that for every year over 40, your keystrokes become slower. But specifically, there were nuances in things that we can look at, like shift to letter. So when you want to capitalize something, there are a few milliseconds added for every year over 40, and we could see a dramatic difference between someone in their 20s and someone in their 60s or 70s when conducting these activities. Another element is the use of a mobile device and the area in which users interact. So their swipe or the use of two thumbs versus a finger. A lot of indicators of age, very, very subtle things. But again, looking at the combination of those we're able to detect within five years, the age group that the user really belongs to.

Act 3

Alright, so, with all this technology to help differentiate between real and fraudulent account applications, you’ve got to figure that occasionally – some really interesting results follow. You’re going to want to listen up to this story… it’s a good one. 

If you’re like me, you may have worked for a company or two in your career that has its own folk-lore. I’ve actually worked for 3 or 4 . You know those stories that everyone’s heard – inside and outside the organization that make it fun to talk about. I once worked for a company whose founder “allegedly” ran over the car of a pizza delivery driver with his tank while the poor guy was carrying the pizza to the front door. That story still occasionally comes up in conversation – and I still can’t confirm or deny it.

Fortunately, BioCatch has no such infamous lore – but the story you’re about to hear I heard more than a few times. And this one I can not only confirm is TRUE, but it helps to make another really important point about the value of detecting accounting opening fraud using behavioral biometrics.

In episode 1 you met Howard Edelstein, BioCatch’s chairman . In a second here I’m going to drop you into more of the conversation he and I had. In this part he was talking about winning the business of a major financial services company and the early stages of their work with BioCatch. Here’s Howard.

Howard Edelstein

And the story in point was we identified this is a particular case that came out of an analysis while where they were becoming a client, a particular case where someone was applying for a credit card. We thought it was perfectly legit. They filled out the entire application. And anyone who filled out the application that way had to be OK. Well, the credit card company turned down the application and they turned it down because they told us it was fraudulent. And we said, OK. And we went back. And you were always trying to figure out, you know, if the model works and the AI is humming along and the data science team came back and said, listen, you know this. We looked at the data. This can't be a fraudulent applications the guy really knew what he was entering. And the credit card company said, you know, we don't want to piss you guys off or anything, but just want to tell you it really is fraud. And we went back and forth a few times and we said, well, how do you know that? And they said, it's really simple. The guy's dead. Well, that's one of those New York binary kind of answers, right? Dead not dead, you know? Well, our data science team doesn't exactly take that at face value. They said, I think we better call them and tell them the guy's not dead. And everyone kind of looked at each other and said, you got to be effing kidding. Really? What am I going to do with this gem of a piece of information? Right. Because in the end of the day, it turned out they actually called the guy for the reported the guy. And someone answered the phone purporting to be to the dead guy who was applying for a credit card. And one thing led to another, and it turned out that, believe it or not, the guy was far from dead. And this was determined through the use of behavior. So it's a really simple explanation, quite frankly. But the explanation was that someone, a legitimate person entering a legitimate information for legitimate credit card application mistyped a digit of his Social Security number in the U.S. that social corresponded to a social of someone who was deceased. The byproduct, well, that was actually decreasing false declines and increasing number of credit cards to give out, which also was a real revenue opportunity for them. So it's a win win win situation and behavior had never been used this way before.

Peter Beardmore

So this is a great story – which raises a few important points – none of which pertain to BioCatch resurrecting the dead.

But it’s important to understand, as we mentioned previously, that behavioral biometrics isn’t the only fraud detection technology out there. There are others. But none are infallible. And some may introduce friction (like asking life questions or imposing other obstacles) that prospects potentially just don’t want to deal with. And business spend lots (and lots) of money on marketing and customer acquisition… for organizations to lose a potential customer at the very point of filing out an account application / only because the anti-fraud tech is too cumbersome – or they accidently mistyped something – well – that’s just heartbreaking for marketers like me.

In episode 6 we’ll talk about the return on investment (or ROI) of behavioral biometrics. But suffice, it’s not just about stopping fraud. It’s at least equally about winning and retaining good customers. By reducing friction – and making for a great customer experience.

 Digital Tells is written and narrated by me Peter Beardmore, in partnership with my producer Doug Stevens of Creative Audio and Music, and with the unwavering support and sponsorship of my employer, BioCatch.

Special thanks to Ray Dasjupta, Ayelet Biger-Levin, and Howard Edelstein. We once again opened our episode with Tom O’Malley. Since Tom retired from the US Department of Justice, he’s started a website called FrozenPII.org. Pie is spelled PII (as in Personally Identifiable Information). The site helps consumers protect their identity. You can find a link in our show notes, check it out!

For more information about this episode, behavioral biometrics, or to share a comment or idea, visit biocatch.com/podcast.

Join us for episode 4, in which we’ll explore Scams. Did you know your car warrantee is about to expire? More importantly, what can be done to help detect when someone is about to be victimized by a scammer?

Until then, take care.