Precognitive is an eCommerce fraud prevention company protecting some of the worlds top luxury retailers using device intelligence, advanced behavioral analytics, and machine learning to stop fraud and protect customer accounts. Its recent acquisition by ShopRunner (an e-commerce network connecting millions of members w/ free 2-day shipping across 100+ retailers) gives it a unique perspective into how to win the high-stakes game of stopping fraudsters.
We sat down with Sam Bouso, CEO and Founder of Precognitive to talk about a number of topics including account takeover fraud (ATO), the use of biometric data, how to prevent e-commerce false declines, and preserving the customer experience.
1. The Precognitive website states the platform is designed to be a “hybrid of fraud prevention and cyber security technology”. Can you tell me a little bit about what the distinction between the two is, and how you use it to catch more fraudsters?
Fraud prevention is detecting and stopping acts of fraud such as payment fraud, or account takeover. It is done by analyzing transactional data (e.g. total value of an order, historic data relating to fraud for a given set of parameters like the postal code, IP address of the user, shipping locations, etc.) and applying predictive analytics to determine if a given event is good or bad.
Cybersecurity is focused on protecting systems from attacks, and abuse by looking at a different set of heuristics like TCP data, malware, application level exploits. For example, cybersecurity efforts may include protecting an authentication system from bot-based credential stuffing attacks or denial of service attacks.
As technology and automation advance we are seeing these two lines blur more frequently. Fraudsters are more technical, and the tools used to conduct complex attacks are freely available online. Today it is not uncommon for a fraud ring to start by conducting a credential stuffing attack to access legitimate consumer accounts, and subsequently using those accounts to defraud the business. The attacks themselves are becoming more of a hybrid.
By combining technologies to address both of these areas within the Precognitive platform, we are able to address more sophisticated attacks.
2. Keeping on the technology theme, you make a distinction between using the “dynamics of a transaction” vs. “user intent” as predictors of fraud. Why is user intent a better strategy, and what’s your best piece of advice for how merchants can shift their fraud prevention mindset and tactics to start taking it into account?
We marry behavioral analytics to transactional data. We did this because we were seeing serious issues at merchants. As attacks become more complex, most fraud solutions lack the data needed to mitigate these threats. Consequently, older technologies attempted to solve the problem by being more conservative and doing things like tightening rules, policies, and thresholds. This unfortunately does not work well and results in substantial false positives. We’re seeing reject rates of 4-6% of online orders. Statically, fraud is around 1% of transaction volumes, which means businesses are throwing away considerable amounts of good revenue.
To give you an example, many fraud prevention systems will either reject or flag the order for review if a new consumer transacting with a merchant for the first time places a high dollar order, purchases a high demand item, and has it overnight shipped. That is because all they see are the signals they’ve associated with fraud. We see this differently when we include behavioral analytics and can analyze the entire consumer journey. Let’s take that same transaction and add pre-transactional (intent) data to that story. Now we can see this user looked at that item six times over that past two weeks, they came through an Instagram link initially, and registered for the newsletter, looked at the product reviews, clicked through a retargeting ad but didn’t transact, and finally came back to purchase. That is a much clearer story and a common one we know to be a low risk consumer behavioral pattern.
Think about your buying process next time you’re shopping online. Fraudsters simply don’t behave that way. That is the power of behavioral analytics.
My first piece of advice to merchants is always to examine the percentage of orders they are rejecting and what the percentage of orders they allow turn out to be fraud. If either of those numbers is over 1%, they should start looking for solution providers or internal data assets that can help provide lift.
3. One specific piece of “user intent” cyber-security tech I thought was really cool is your Precog-BA “Biometric Profiling”, which uses gestures and user typing to “pre-detect” fraud. Can you explain the theory behind this methodology? And given peoples’ errating internet behaviors, how can you be sure they don’t generate a lot of “minority reports” (see how I did that?) and false positive declines?
Precog-BA is our flagship product. It provides behavioral analytics and behavioral biometric data. We use these data sources a bit differently to pre-detect fraud. On the behavioral analytics side we can see things like the speed a user moves through a website or app, what items they view and the frequency, actions like copy/pasting card numbers, and how they go through the conversion paths. As we see these patterns we start to establish what we call “BA Signatures”, and these signatures get classified as high and low risk. This lets us understand the granular details of user patterns and identify anomalies and even fraudster workflows. Once we learn those patterns we can identify them early in the process and know bad actors before they reach the point of conducting the fraudulent action.
The behavioral biometric data is used a bit differently, in that we observe signals like how a user types their username/password, how hard they press on their iPhone, and if they are left or right handed from their swipe gestures. We sample these interactions over multiple observations of the user/device and train models on what the user behavioral biometric signature looks like. On events such as a login, we can prevent ATO or challenge the user when those patterns do not match what we previously observed.
We never rely on a single piece of data. Let’s say you’re exhausted from the day and laying down in bed shopping. In this case, we may see an anomaly in the behavioral biometric data, but you’re probably still using the same device, accessing for a known geographic location, shipping to an address you’ve used before, etc. That additional data is used to validate the transaction even if everything is not a perfect match. It is when many things are wrong and simply don’t add up that we act.
4. On the topic of false declines, how can merchants balance the desire to collect as much data as possible with the need to preserve the customer experience? In your experience with your own tools, what should be proper balance be?
You should always avoid interrupting the customer experience. Good security and fraud prevention do not require user friction. Merchants need to balance access to data with the need to protect themselves and their consumers. As with anything related to predictive analytics, more quality data leads to better results.
When we started Precognitive, General Data Protection Regulation (GDPR) was already in existence so we adopted a privacy-by-design approach at inception and built around it. Even though we collect vast amounts of data through Adaptive-ID and Precog-BA, those products each live in a data silo, and anonymize their data. All the data we collect is collected passively, so we never interfere with the user experience.
When a consumer completes a transaction (purchase), the data we’ve collected is linked for that instance in time to make a real-time decision. This allows a balance of obtaining quality data without hampering user experience or creating privacy challenges.
In our experience, merchants should collect data they need to make informed fraud decisions. They can do that responsibly to help mitigate false positives and prevent fraud while still being a good steward. It takes some thought, time and effort to do it right.
5. Switching gears a bit, Precognitive uses both a rules engine and machine learning techniques. Many merchants understand those to be opposites. Can you explain how they can actually be used to complement one another?
The decision to implement both a rules engine and machine learning was one we made early in the product development stage. You are correct that there is a common misconception that these technologies are opposites – in reality, they complement each other nicely. Machine learning models are great at looking at large amounts of data and picking up subtle differences we as humans can’t easily see to create predictive models, but they can’t do things like enforce policy for which rules are great and easy to use. A machine learning model needs several observations to classify something as good/bad. When we experience a one-off or unique type of attack, we may not have the frequency of occurrences needed or might not have the luxury of time for a model to catch on. This is an excellent use case for rules and allows for minor augmentations to the model to be done ad hoc.
This level of flexibility is essential in this day and age. You need to be able to adapt over long term and short-term trends in fraud and do it quickly.
6. On the same theme, you also use industry-specific risk models. What factors do you consider when creating them, and what advice would you give to merchants looking to build their own?
We see data from over 150 businesses, including online retailers, online travel, and financial services. Businesses in a given industry have a fair amount of overlap in what their fraud looks like, so we’ve established industry models to serve as a baseline.
The industry models allow us to show immediate value. However, these businesses are never identical and, as a result, we layer in additional models on top of them specific to that client to get the best results.
For merchants looking to build their own system, they will need internal resources with subject matter expertise. The merchant should identify all their available data assets that can have usage for fraud prevention. Obviously, the transactional data is important, but looking at other data such as customer-relationship management (CRM) data is also very useful. For example, a long-term customer with prior purchase history will be much lower risk than a new consumer. The merchant should start by labeling their fraud data and running a preliminary analysis, then testing modeling techniques to see which approach works best for their company.
7. Speaking of risk models, Precognitive was recently acquired by ShopRunner, an e-commerce network offering free 2-day shipping to members. How did you adapt to the need to approve a large volume of orders with expedited shipping, a category usually considered to be at a higher-risk of fraud?
We don’t see two-day deliver as high risk. This is because we have an exhaustive data set to identify risk beyond relying on shipping method. While fraudster like quick delivery for obvious reasons, so do high-value consumers and expedited shipping is quickly becoming the norm. ShopRunner members are actually very low risk. They are consumers that have registered for the service and we see how they have previously behaved, so to us they’re a known entity.
Our ability to see past single factors like a shipping method and examine the full consumer journey is one of the reasons ShopRunner acquired Precognitive and one of the main reasons we’ve been so successful at reducing false positives. We share ShopRunner’s goal of providing customers with a frictionless and safe shopping experience.
8. To start finishing up with some specific fraudster tactics, Account Takeover Fraud (ATO) is an increasingly common strategy used by fraudsters across all industries. What does the cutting edge of this kind of attack look like? Is encouraging employee vigilance enough to prevent it, or is some kind of technological solution needed?
ATO has become a major issue. These attacks are now becoming multi-part attacks. They are generally a result of an unrelated data breach that happened elsewhere. The compromised credentials obtained by the attacker and are loaded in to freely available applications like Sentry MBA or Storm or custom application when dealing with more advanced groups. The attackers find reused credentials from the breach. They harvest those successful logins and either sell them off or use them to perpetrate the actual ATO.
What they do with the account depends on the application they’ve accessed and what they can do, i.e. make a purchase, change shipping address, steal loyalty points, etc.
One of the more concerning attacks we’ve seen is fraud rings scrapping accounts once they access them for data enrichment. It is a problem many merchants are oblivious to and one they need to start understanding, especially with increased liability from GDPR and California Consumer Privacy Act (CCPA).
When a breach happens, it is usually a username/password that gets breached. But if I can use those to access unwitting merchants’ site, I can then scrape information such as that consumers name, address, phone number, and any other information the consumer entrusted the merchant with (e.g. date of birth, sex, etc.). The attackers have now taken anonymous data and created a profile of personal data (PII). They are actively taking data that was somewhat worthless, enriching it, and now can sell the full identities on the Black Market at a much higher price than the credentials themselves were worth.
To combat this, companies should work with a solution provider that can address the multiple stages of the attack. It is a big undertaking for a merchant to do this alone and risky to get wrong.
9. Finally, something I found interesting is that despite the huge advances technology on both sides of the fraud battle, you cite the relatively low-tech email phishing scam as one of the tactics fraudsters still have success using. With such a basic tactic remaining effective, is it a mistake for merchants to believe any technology can solve all their fraud problems? How do they strike a balance between vigilance and paranoia?
You can never assume you are completely safe from all types of eCommerce fraud. Ensuring you have the proper technology solutions in place will help you address these issues and avoid paranoia. While technology won’t prevent humans from making bad decisions like replying to a phishing email, we can add layers of insulation to help mitigate the impact.
