Machine Learning networks outperform others....

Perhaps... but how relevant is it to your company and risks?

To those of you who assumed I am referring to a neural network or an equivalent in deep learning: I am not.

You are right; however, I have deliberately ignored this. Here's why.

Neural networks are mostly opaque and not explainable. Their predictions cannot be interpreted, the features typically cannot be understood by the business, and building and tuning them is likely an architectural challenge that has low ROI for fraud prevention. To summarize, it is overkill.

When I refer to ML networks, I mean entity link analysis. These have typically evolved out of law enforcement / insurance, from a classification-based model into a graph database.

[Image: linked users. Source: Datawalk]

For example, how is this person, device, IP address, cookies, user agent, location address or social media footprint linked to another person's device, IP address, etc.?

Vendors that utilize networks and apply ML against a network of data have a competitive advantage over others:

  • Proven Network - They may have stopped fraud in other financial institutions (FIs)
  • Vast dataset - They will explain that the data they hold will enable them to prevent attacks for your FI.
  • Community View - They often claim to have a comprehensive view of all events and transactions processed through the solution
  • Immediate ROI - They will be able to get you up and running within days / weeks

The network built by the vendor may indicate fraud, or more realistically may be used in a Boolean way to identify interactions with historically proven fraud.
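
A minimal sketch of entity link analysis used in this Boolean way, as an added example rather than any vendor's implementation: accounts and their attributes form a graph, and an account is flagged when a short path reaches historically proven fraud. The account names, attribute values and the `link_types` parameter are constructed for illustration; screening with and without IP links shows how one shared IP address changes the verdict.

```python
from collections import defaultdict, deque

# Constructed sample observations: (account, attribute_type, value).
OBSERVATIONS = [
    ("acct_A", "device", "dev-111"),
    ("acct_A", "ip", "203.0.113.7"),
    ("acct_B", "device", "dev-111"),    # shares a device with acct_A
    ("acct_B", "ip", "198.51.100.20"),
    ("acct_C", "device", "dev-333"),
    ("acct_C", "ip", "203.0.113.7"),    # shares only an IP with acct_A
    ("acct_D", "device", "dev-444"),
    ("acct_D", "ip", "192.0.2.55"),
]
KNOWN_FRAUD = {"acct_A"}  # constructed "historically proven fraud" list


def build_graph(observations, link_types):
    """Bipartite graph: account nodes <-> (type, value) attribute nodes."""
    graph = defaultdict(set)
    for account, attr_type, value in observations:
        graph[account]  # register the account even if no link type applies
        if attr_type in link_types:
            graph[account].add((attr_type, value))
            graph[(attr_type, value)].add(account)
    return graph


def path_to_fraud(graph, start, known_fraud, max_hops=2):
    """Breadth-first search; returns the linking path to known fraud, or None."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node != start and node in known_fraud:
            return path
        if len(path) - 1 < max_hops:
            for nxt in graph.get(node, ()):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(path + [nxt])
    return None


def screen(observations, known_fraud, link_types):
    """Boolean verdict per non-fraud account, with the path as the explanation."""
    graph = build_graph(observations, link_types)
    accounts = [n for n in graph if isinstance(n, str) and n not in known_fraud]
    return {a: path_to_fraud(graph, a, known_fraud) for a in sorted(accounts)}
```

With both link types, `acct_C` is flagged purely through a shared IP address; with `{"device"}` only it is not, while `acct_B` stays linked through the shared device.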

However, you need to ask yourself: how relevant is the data to your product and your risks?

How relevant is:

Aside from considering the capability of the solution and its fit to your product and risks, you must also consider:

  • How reliable is the data?
  • How relevant is the data?
  • How timely is the data?
  • How confident are you in the company’s ability to protect from a pollution attack / misclassification?
  • How confident are you that there will not be a data breach?
  • How confident are you in the controls in place to anonymize any data fed to the network (more about that in the links at the bottom of the article)?

Ultimately, how relevant is the fraud network to your business?

An example of where a great fraud network may miss the mark in eBanking and authentication is Amazon.

[Image: Amazon Fraud Detector. Source: Amazon]

Amazon are diversifying from an ecommerce space into eBanking due to AWS and have brought across some useful tools such as Amazon Fraud Detector.

Their CNP network is arguably one of the best in the world, given their capability to ship 1.6m packages a day confidently. Their refund process is likely the envy of many banks, as is the ease with which they enable a secure payment transfer.

This, however, doesn't transfer well as part of a Digital Banking Authentication and Fraud Detection tool.

Why?

The AWS model is strong at solving a different problem in a Card Not Present (CNP) space, specifically detecting checkout/chargeback fraud. Important data points for the model:

[Image: Typical data attributes for CNP fraud prevention]

In an eBanking space you are more interested in the interaction of the user. The interaction of a user comprises:

  • Pre session
  • During session
  • Post session

This means the model is more interested in velocity-based features, which can be attributed to user behaviour.

Typical data attributes are:

[Image: Typical eBanking solution data attributes]

When you contrast this to CNP, an IP address is of use, but we know IPv4 addresses are recycled (I have some funny stories around that, but that's for another time).

The device can also be used, but is the device used to bank the same one used to purchase on Amazon?

Email address is less relevant, as are many of the features that make the CNP fraud prevention model performant. A CNP model is typically evaluating checkout and chargeback risk.

Most fraud networks started in CNP and transferred to eBanking, ThreatMetrix for example.

In eBanking authentication you are more concerned about frequencies and knowing your users. For example:

  • Frequency of login requests/failed/succeeded
  • Authentication requests/failed/succeeded
  • Beneficiary creation requests/failed/succeeded
  • Length of session
  • Event sequence in a session over a period of time
  • User interaction
  • Session behaviour
  • Transactional behaviour
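
The frequency and session features listed above can be derived directly from an event log. This added example (not from any product the article mentions) computes them per session over constructed events; the event names, field layout and the two thresholds in `explain` are illustrative assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample events: (user, session_id, unix_seconds, event, outcome).
EVENTS = [
    ("alice", "s1", 1000, "login", "succeeded"),
    ("alice", "s1", 1060, "view_balance", "succeeded"),
    ("alice", "s1", 1300, "logout", "succeeded"),
    ("bob", "s2", 2000, "login", "failed"),
    ("bob", "s2", 2005, "login", "failed"),
    ("bob", "s2", 2010, "login", "succeeded"),
    ("bob", "s2", 2020, "beneficiary_create", "succeeded"),
    ("bob", "s2", 2030, "payment", "succeeded"),
]


def first_success(rows, event):
    """Timestamp of the first successful occurrence of `event`, or None."""
    return next((ts for ts, e, o in rows if e == event and o == "succeeded"), None)


def session_features(events):
    """Group events by (user, session) and derive counts, length and sequence."""
    sessions = defaultdict(list)
    for user, sid, ts, event, outcome in events:
        sessions[(user, sid)].append((ts, event, outcome))
    features = {}
    for key, rows in sessions.items():
        rows.sort()  # order each session by timestamp
        counts = Counter((e, o) for _, e, o in rows)
        login, benef = first_success(rows, "login"), first_success(rows, "beneficiary_create")
        features[key] = {
            "login_failed": counts[("login", "failed")],
            "login_succeeded": counts[("login", "succeeded")],
            "session_length_s": rows[-1][0] - rows[0][0],
            "sequence": [e for _, e, _ in rows],
            "login_to_beneficiary_s": None if None in (login, benef) else benef - login,
        }
    return features


def explain(f, max_failed=2, min_gap_s=60):
    """Readable reasons for review; both thresholds are illustrative assumptions."""
    reasons = []
    if f["login_failed"] >= max_failed:
        reasons.append(f"{f['login_failed']} failed logins in session")
    gap = f["login_to_beneficiary_s"]
    if gap is not None and gap < min_gap_s:
        reasons.append(f"beneficiary created {gap}s after login")
    return reasons
```

Each reason string names the feature that triggered it, which keeps the output explainable to the business rather than a bare score.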

[Image: Typical web session]

Antivirus (AV) and other Cyber Threat Intelligence (CTI) platforms may also be irrelevant.

Typically an AV will defend the enterprise, staff and technology from different types of cyber attacks such as:

  • Phishing
  • Man in the Middle (MitM)
  • Malware
  • Denial of service

This sounds great; however, it is likely to miss the mark.

Whilst it is true that they have class-leading research and data on different attacks, based on forensic understanding, it is also true that the vast majority of the data will be of low value for defending a digital banking product when used as a threat intelligence network, as they typically do not look at the user and their spend / behaviour.

Attributes such as an IP address and device ID may not be useful.

For example, they likely relate to the server initiating a spray-and-pray phishing attack or the command and control for the botnet, not the botnet devices themselves used in the attack against an eBanking product.

This is a subtle but important difference.

Thus the data will not relate to the device used in the attack on an eBanking user, and even if it did, it is simple to recycle both of these attributes.

Where an AV is more powerful is when it is deployed client-side, i.e. to protect a mobile device or laptop.

However, how many users do you know who download an AV recommended by the bank? Privacy is a big concern here, as Trusteer found out.

So do Fraud Prevention ML networks outperform others?

It depends on how relevant they are to your product and risks.

5 steps to evaluate an ML Fraud Network:

  1. Identify data / risk relevance: Evaluate if the vendor holds relevant data versus your product and whether the community faces the same risks.
  2. Know your users and attacks: Ensure you understand the interaction of your users, their sessions and the attacks they face. Compare this to an ML fraud network.
  3. Run a PoC: Confirm whether the solution would identify known fraud and not generate alert fatigue through high false positives on your existing data. It should be close out of the box.
  4. Utilize OSINT and CTI: Open Source Intelligence and Cyber Threat Intelligence data may already be held by your company. This may be more relevant to your users and risks. Put this to use to defend your product.
  5. Transparent and explainable models: Focus on transparent, accurate, privacy-preserving data collection. Ensure ML models and predictions are explainable and can be trained.

I hope this seventh article was of use to you and this concludes the common misconceptions series.

I will recap these articles next week for those who want a closing fast overview.

Feedback is very welcome, please do let me know if there are any problems and I will look to update the post. Or if you think there is something I’ve missed and should cover, then reach out.

I love to learn and hearing from you all!

Thank you for your time.

Links referred to in the article:


Greg H.

Fraud and Cyber Security Consultant specializes in Digital Banking, Fraud Prevention, Privacy, Identity, Authentication, and Transformation

2y

Philippe Saint-Amand Ben Balthazar Eduardo Hennemann de Oliveira Roman Bonbinkov Sharon L. Andreas Gutmann (PhD) Ismini Psychoula, PhD Andrew Abbotsford-Smith Daniel Mcloughlin Alex Kuznetsov Demetra Demetriou Hot off the press the next and final article in the common misconceptions series. Looking forward to your feedback :-)

Greg H.

Fraud and Cyber Security Consultant specializes in Digital Banking, Fraud Prevention, Privacy, Identity, Authentication, and Transformation

2y

Carl Nacouzi I would love your thoughts on this article. Perhaps contentious, let's see :-)
