transaction fraud scoring - presentaiton€¦ · • e.g. retailer fraud index, merchandise fraud...
TRANSCRIPT
Copyright 2005, Experian-Scorex Proprietary and Confidential Release v1.0 // 0
Transaction Fraud Scoring
John Oxley
Credit Scoring and Credit Control IX, Edinburgh 2005
Release v1.0 // 1Copyright 2005, Experian-Scorex Proprietary and Confidential
Agenda
• Introduction• Credit card fraud losses and types of fraud• Authorisation and transaction flow
• Prevention and detection• Chip and PIN• Biometrics• Rule based system• Transaction fraud scoring
• Modelling process• Sample• Methodology
• Performance• % frauds detected • FPR etc.
• Score Implementation• Implementation mode• Preparation
• Monitoring• Performance degradation• Updating the model
Release v1.0 // 2Copyright 2005, Experian-Scorex Proprietary and Confidential
Fraud losses
Source: APACS, Bank of EnglandSource: APACS, Bank of England
• Total Losses on UK issued cards in 2004:
£504.8m20% increase on 2003
• Organised crime activity pre Chip and PIN
• Total Losses on UK issued credit cards due to Bad Debt in 2004:
£1,601m
• Fraud linked to organised crime and terrorism
Release v1.0 // 3Copyright 2005, Experian-Scorex Proprietary and Confidential
Fraud characteristics
• International organised crime• Rapidly changing methods
• Shoulder surfing• ‘Lebanese loop’• Skimming• Bin raiding• Bust out/sleeper fraud• Corrupt staff
• Technologically advanced• Fraudsters IT literate• Wire tapping• Hand held card readers• Phishing
Release v1.0 // 4Copyright 2005, Experian-Scorex Proprietary and Confidential
Fraud types
• Lost/stolen• Cards that have been reported by the cardholder as lost or stolen
• Counterfeit• A counterfeit, cloned or skimmed card is one that has been printed, embossed or encoded without
permission from the card company or one that has been validly issued and then altered or recoded. Also Computer generated card numbers, collusion, wire tapping
• Mail non-receipt• Cards stolen in transit - after card companies send them out and before the genuine cardholders
receive them
• Card not present• Usually the theft of genuine card details that are then used to make a purchase through a remote
channel such as the phone, Internet, fax or mail order.
• Identity fraud• A criminal uses fraudulently obtained personal information to open or access card accounts in
someone else's name. Perpetrated through Application fraud and Account takeover.
Release v1.0 // 5Copyright 2005, Experian-Scorex Proprietary and Confidential
Changing patterns of fraud – UK issued cards
2004
30%
26%
23%
14%
7%
1994
3%10%
73%
13%
1%
Card-not-presentCounterfeitLost and stolenMail non-receiptIdentity theft
Source: APACSSource: APACS
Release v1.0 // 6Copyright 2005, Experian-Scorex Proprietary and Confidential
Fraud losses – UK issued cards
0
20
40
60
80
100
120
140
160Lo
sses
(£m
)
Card-not-present
Counterfeit Lost and stolen Mail non-receipt Identity theft
Fraud Type
Fraud Losses 2004
Source: APACSSource: APACS
Release v1.0 // 7Copyright 2005, Experian-Scorex Proprietary and Confidential
Fraud losses – UK issued cards
0
10
20
30
40
50
60
70%
cha
nge
Card-not-present
Counterfeit Lost and stolenMail non-receipt Identity theft
Fraud Type
Fraud Losses 2004 cf. 2003
Source: APACSSource: APACS
Release v1.0 // 8Copyright 2005, Experian-Scorex Proprietary and Confidential
Fraud losses – UK issued cards
0
100
200
300
400
500
600Lo
sses
(£m
)
1995 1996 1997 1998 1999 2000 2001 2002 2003 2004
Year
Fraud Losses 1995 - 2004
Source: APACSSource: APACS
Release v1.0 // 9Copyright 2005, Experian-Scorex Proprietary and Confidential
Extent of fraud – UK issued cards
Source: APACSSource: APACS
• Losses against turnover 2004 0.141%
• Losses against turnover 2003 0.135%
• Peak in 1991: 0.33%
Release v1.0 // 10Copyright 2005, Experian-Scorex Proprietary and Confidential
Agenda
• Introduction• Credit card fraud losses and types of fraud• Authorisation and transaction flow
• Prevention and detection• Chip and PIN• Biometrics• Rule based system• Transaction fraud scoring
• Modelling process• Sample• Methodology
• Performance• % frauds detected • FPR etc.
• Score Implementation• Implementation mode• Preparation
• Monitoring• Performance degradation• Updating the model
Release v1.0 // 11Copyright 2005, Experian-Scorex Proprietary and Confidential
Fraud prevention
• Verification and validation• The card is genuine• The cardholder is the rightful owner
• Chip and PIN• A chip (‘smart’) card holds encrypted details on a secure microchip that can store
and process information. The PIN replaces the signature for card present transactions
• Biometrics • Methods of identification by measuring unique human characteristics as a way to
confirm identity. Examples are finger or iris scanning or dynamic signature verification
• Card Security Code (CSC)• The last three or four digits of a number (formerly CV2) printed on or just below the
signature panel on payment cards. It can be requested for CNP transactions in addition to card expiry date etc.
• Other features• Holograms, UV, unique fonts
Release v1.0 // 12Copyright 2005, Experian-Scorex Proprietary and Confidential
The need for transaction fraud detection
• Around 10% of cardholders keep their PIN with their card• Fraud migration• Staff collusion• Merchant collusion• Increasing sophistication of fraudsters• Chip and PIN not yet applicable to CNP transactions
Release v1.0 // 13Copyright 2005, Experian-Scorex Proprietary and Confidential
Authorisation and transaction flow
Retailer
ExceptionFile
Cardholder
NETWORK
IssuerAcquirer
Statement
Purchase
-Transaction- Request - Response
Release v1.0 // 14Copyright 2005, Experian-Scorex Proprietary and Confidential
Fraud detection
• A transactional risk management system requires the capability to• detect fraud at the point of sale: authorisations• predict trends• assist in investigations• cope with new trends
• Rule based system• Transaction fraud score
Release v1.0 // 15Copyright 2005, Experian-Scorex Proprietary and Confidential
Fraud detection
• Rule based system• Relatively easy to use and maintain• Requires a logical and comprehensive work-flow system• Requires ability to load different types of data• Generally reactive • Example: Secana Card Protector
Release v1.0 // 16Copyright 2005, Experian-Scorex Proprietary and Confidential
Release v1.0 // 17Copyright 2005, Experian-Scorex Proprietary and Confidential
Rules based system
Datasources select Datasources select the data to be the data to be used in each used in each investigation. investigation. Grouped by Grouped by cardnumber or cardnumber or customer
Agents are the Agents are the Rules. Using input Rules. Using input from datasources from datasources and reports they and reports they select the select the exception exception transactions transactions ––manually or manually or automatically
customer
automatically
Release v1.0 // 18Copyright 2005, Experian-Scorex Proprietary and Confidential
Rules based system
Exceptions are Exceptions are placed in queues placed in queues for review by case for review by case handlers
Agents are the Agents are the Rules. Using input Rules. Using input from datasources from datasources and reports they and reports they select the select the exception exception transactions transactions ––manually or manually or automatically
Datasources select Datasources select the data to be the data to be used in each used in each investigation. investigation. Grouped by Grouped by cardnumber or cardnumber or customer
Exception issues Exception issues are either checked are either checked out as OK or out as OK or placed in case placed in case archives
handlersarchives
customer
automatically
Release v1.0 // 19Copyright 2005, Experian-Scorex Proprietary and Confidential
Rules based system
Reports• Feed back to the agents with list of cards that have been
exposed for a specific environment• A range of management reports can be generated
• False positive ratios• Success ratio for different agents• Performance of different operators• Can be mailed directly from the system
• Investigation of Common Points of Compromise (CPP)
Release v1.0 // 20Copyright 2005, Experian-Scorex Proprietary and Confidential
Transaction fraud score
• Dynamic• Proactive – predictive characteristics may change from transaction to
transaction• Components:
• Cardholder level profiles encapsulating normal transaction pattern• Frequency of use• Typical value range• Types of Goods purchased• Transaction types• Retailer profiles• Cash usage• Balance and Payment histories• Overseas spending patterns• Daily, weekly, monthly, & seasonal patterns
• Aggregator• Data combined for range of time/value intervals, merchant classification
• Score• Model to compare incoming transactions with the norm and known fraud
indicators
Release v1.0 // 21Copyright 2005, Experian-Scorex Proprietary and Confidential
Transaction fraud score
Data requirementsData requirementsImplementation Implementation considerationsconsiderations
Real TimeReal Time
‘One behind’‘One behind’
BatchBatch
Frauds detected
Cost
Release v1.0 // 22Copyright 2005, Experian-Scorex Proprietary and Confidential
Agenda
• Introduction• Credit card fraud losses and types of fraud• Authorisation and transaction flow
• Prevention and detection• Chip and PIN• Biometrics• Rule based system• Transaction fraud scoring
• Modelling process• Sample• Methodology
• Performance• % frauds detected • FPR etc.
• Score Implementation• Implementation mode• Preparation
• Monitoring• Performance degradation• Updating the model
Release v1.0 // 23Copyright 2005, Experian-Scorex Proprietary and Confidential
Modelling process
• Sample design and preparation• Segmentation
• Fraud types• Personal/company cards• Card types• Affinity scheme• Transaction’s country of origin • Transaction value
• Univariate analysis and feature extraction• Model construction with transformed predictive characteristics
Release v1.0 // 24Copyright 2005, Experian-Scorex Proprietary and Confidential
‘Observation’ periode.g. 12+ months
Create ‘Normal transaction pattern’
Sample design – an approach
Release v1.0 // 25Copyright 2005, Experian-Scorex Proprietary and Confidential
Observation pointe.g. statement cycle point
‘Outcome’ periode.g. Oct statement cycle
Exclude blocked A/CsCreate month-end snapshot
Update certain characteristics
‘Observation’ periode.g. 12+ months
Create ‘Normal transaction pattern’
Sample design – an approach
Release v1.0 // 26Copyright 2005, Experian-Scorex Proprietary and Confidential
Identify ‘late’ fraud notification
Post-outcome period2-3 months
‘Observation’ periode.g. 12+ months
Observation pointe.g. Sept statement cycle
‘Outcome’ periode.g. Oct statement cycle
Sample design – an approach
Release v1.0 // 27Copyright 2005, Experian-Scorex Proprietary and Confidential
Sample design
• Data issues• Accurate fraud flag• Sufficient fraud transactions• Authorised and non-authorised transactions• Declined fraud transactions• Account transfer processing: refunds, disputes
Release v1.0 // 28Copyright 2005, Experian-Scorex Proprietary and Confidential
0.11%
0.01%
0.12%
0.04%
0.08%
0.03%
0.08%
0.03%
0.00% 0.00%
0.05%
0.00%
0.02%
0.04%
0.06%
0.08%
0.10%
0.12%
0.14%
Issuer 1Issuer 2Issuer 3Issuer 4Issuer 5Issuer 6Issuer 7Issuer 8Issuer 9Issuer 10Issuer 11
US fraud sample
Fraud rate
Release v1.0 // 29Copyright 2005, Experian-Scorex Proprietary and Confidential
2002 Fraud Type – development sampleUS fraud sample
16.54%
27.52%
3.30%
8.36%
5.12%
2.03%
37.07%
0.04% 0.02%0.00%
5.00%
10.00%
15.00%
20.00%
25.00%
30.00%
35.00%
40.00%
CARD LOSTCARD STOLENCARD NOT RECEIVED
FRAUD APPCOUNTERFEITOTHER
STOLEN NUMBERMULTIPLE SALES DRAFT
ACCOUNT TAKEOVER
Release v1.0 // 30Copyright 2005, Experian-Scorex Proprietary and Confidential
Predictive characteristic set
• Four broad categories:• Indices and ratings
• E.g. Retailer fraud index, Merchandise fraud index, Transaction time index• Individual transaction fraud predictors
• compare the current transaction with the normal behaviour profile • is the normal behaviour profile stored or calculated each time?
• Typical fraud rules• E.g. accounts with more than 5 cash transactions in one day, accounts where
high value transactions are taking place in a country known for fraud, accounts used to make many telephone calls in one day
• Trigger events• Card issue, PIN request, change of address, overpayment, large payment
Release v1.0 // 31Copyright 2005, Experian-Scorex Proprietary and Confidential
Univariate analysis
# Transactions of unusual value
Good: Fraud indexGood: Fraud index
-600
-500
-400
-300
-200
-100
0
100
200
0 1 2 3 or more
Release v1.0 // 32Copyright 2005, Experian-Scorex Proprietary and Confidential
Univariate analysis
Merchant Category
-600
-500
-400
-300
-200
-100
0
100
200
300
400
Restaurant Transport ATM/Cash Jewellery Telecomms
Good: Fraud indexGood: Fraud index
Release v1.0 // 33Copyright 2005, Experian-Scorex Proprietary and Confidential
Univariate analysis
# Transaction velocity cf. average
Good: Fraud indexGood: Fraud index
-500
-400
-300
-200
-100
0
100
200
low medium high very high
Release v1.0 // 34Copyright 2005, Experian-Scorex Proprietary and Confidential
Methodology
INPUTSINPUTSAApp
• Artificial neural networks• Global approximation e.g. multilayer perceptron with backpropagation
learning algorithm
• Local approximation e.g. variants on radial basis function networks
• Regression techniques
WEIGHTSWEIGHTSwwjkjk
aa i=1i=1
aa i=2i=2
aa i=3i=3
aa i=4i=4
aaii=5=5
j=1j=1
j=3j=3
j=2j=2
k=1k=1OUTPUT oOUTPUT opp
Release v1.0 // 35Copyright 2005, Experian-Scorex Proprietary and Confidential
Agenda
• Introduction• Credit card fraud losses and types of fraud• Authorisation and transaction flow
• Prevention and detection• Chip and PIN• Biometrics• Rule based system• Transaction fraud scoring
• Modelling process• Sample• Methodology
• Performance• % frauds detected • FPR etc.
• Score Implementation• Implementation mode• Preparation
• Monitoring• Performance degradation• Updating the model
Release v1.0 // 36Copyright 2005, Experian-Scorex Proprietary and Confidential
Model performance
• Development and validation samples• For a given cut-off score
• % Fraud transactions detected• False positive rate
• transaction level and account level• balance fraud prevention against customer service
• # and % of accounts referred• fraud investigation team typically 5-6 people
• Value of frauds detected• % and value of first frauds detected
Release v1.0 // 37Copyright 2005, Experian-Scorex Proprietary and Confidential
Account False Positive Rate
0
50
100
150
200
250
30028
037
840
842
945
748
851
453
855
757
358
860
161
362
563
664
765
866
968
269
470
972
975
486
699
9
Score
AFPR
Cumulative False Positive Rate
Fraud score
Release v1.0 // 38Copyright 2005, Experian-Scorex Proprietary and Confidential
Account Fraud Detection Rate
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
280
378
408
429
457
488
514
538
557
573
588
601
613
625
636
647
658
669
682
694
709
729
754
866
999
Score
Pct o
f Acc
ount
s
Pct of Frauds Total Pct
Fraud score
Release v1.0 // 39Copyright 2005, Experian-Scorex Proprietary and Confidential
Account Fraud Detection Rate
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%9 15 21 26 44 57 77 95 112
127
141
155
166
180
191
201
210
219
228
236
243
249
254
258
288
False Positive Rate
Pct o
f Fra
uds
Scorex Transaction Fraud Score
20:120:1
90:190:1
False positive rate
Release v1.0 // 40Copyright 2005, Experian-Scorex Proprietary and Confidential
1.30%3.70%
50.00%
0.00%
10.00%
20.00%
30.00%
40.00%
50.00%
60.00%
70.00%
80.00%
90.00%
100.00%
% Auths % Accounts % Fraud Accounts
Cutoff = 400Cutoff = 400False Pos. False Pos. ≈≈ 20:120:1
Model performance – tradeoff
Release v1.0 // 41Copyright 2005, Experian-Scorex Proprietary and Confidential
11.00%
28.00%
85.00%
0.00%
10.00%
20.00%
30.00%
40.00%
50.00%
60.00%
70.00%
80.00%
90.00%
100.00%
% Auths % Accounts % Fraud Accounts
Cutoff = 550Cutoff = 550False Pos. False Pos. ≈≈ 90:190:1
Model performance – tradeoff
Release v1.0 // 42Copyright 2005, Experian-Scorex Proprietary and Confidential
Agenda
• Introduction• Credit card fraud losses and types of fraud• Authorisation and transaction flow
• Prevention and detection• Chip and PIN• Biometrics• Rule based system• Transaction fraud scoring
• Modelling process• Sample• Methodology
• Performance• % frauds detected • FPR etc.
• Score Implementation• Implementation mode• Preparation
• Monitoring• Performance degradation• Updating the model
Release v1.0 // 43Copyright 2005, Experian-Scorex Proprietary and Confidential
Score Implementation
• Implementation mode• Batch, One behind, Real time
• Preparation• Verify portfolio is appropriate• For existing customers, build profiles prior to implementation• Train fraud investigators• Install a mechanism to facilitate regular monitoring
Release v1.0 // 44Copyright 2005, Experian-Scorex Proprietary and Confidential
Agenda
• Introduction• Credit card fraud losses and types of fraud• Authorisation and transaction flow
• Prevention and detection• Chip and PIN• Biometrics• Rule based system• Transaction fraud scoring
• Modelling process• Sample• Methodology
• Performance• % frauds detected • FPR etc.
• Score Implementation• Implementation mode• Preparation
• Monitoring• Performance degradation• Updating the model
Release v1.0 // 45Copyright 2005, Experian-Scorex Proprietary and Confidential
Performance monitoring
0
20
40
60
80
100
120
Jan
Feb Mar AprMay Ju
n Jul
Aug Sep Oct Nov Dec Jan
Feb Mar
Month
Perf
orm
ance
Review feature
extraction
Review feature
extraction
1. Biannual review of feature extraction and model fine-tune
2. Full rebuild after 18-24 months
Release v1.0 // 46Copyright 2005, Experian-Scorex Proprietary and Confidential
Current developments
1. Include this technology in Secana Card Protector software
2. Apply a similar analytical approach to Merchant fraud in SecanaMerchant Monitor
Copyright 2005, Experian-Scorex Proprietary and Confidential Release v1.0 // 47
Transaction Fraud Scoring
John Oxley
Credit Scoring and Credit Control IX, Edinburgh 2005