transaction fraud scoring - presentaiton€¦ · • e.g. retailer fraud index, merchandise fraud...

Copyright 2005, Experian-Scorex Proprietary and Confidential Release v1.0 // 0

Transaction Fraud Scoring

John Oxley

[email protected]

Credit Scoring and Credit Control IX, Edinburgh 2005

Release v1.0 // 1Copyright 2005, Experian-Scorex Proprietary and Confidential

Agenda

• Introduction• Credit card fraud losses and types of fraud• Authorisation and transaction flow

• Prevention and detection• Chip and PIN• Biometrics• Rule based system• Transaction fraud scoring

• Modelling process• Sample• Methodology

• Performance• % frauds detected • FPR etc.

• Score Implementation• Implementation mode• Preparation

• Monitoring• Performance degradation• Updating the model


Fraud losses

Source: APACS, Bank of EnglandSource: APACS, Bank of England

• Total Losses on UK issued cards in 2004:

£504.8m20% increase on 2003

• Organised crime activity pre Chip and PIN

• Total Losses on UK issued credit cards due to Bad Debt in 2004:

£1,601m

• Fraud linked to organised crime and terrorism


Fraud characteristics

• International organised crime• Rapidly changing methods

• Shoulder surfing• ‘Lebanese loop’• Skimming• Bin raiding• Bust out/sleeper fraud• Corrupt staff

• Technologically advanced• Fraudsters IT literate• Wire tapping• Hand held card readers• Phishing


Fraud types

• Lost/stolen• Cards that have been reported by the cardholder as lost or stolen

• Counterfeit• A counterfeit, cloned or skimmed card is one that has been printed, embossed or encoded without

permission from the card company or one that has been validly issued and then altered or recoded. Also Computer generated card numbers, collusion, wire tapping

• Mail non-receipt• Cards stolen in transit - after card companies send them out and before the genuine cardholders

receive them

• Card not present• Usually the theft of genuine card details that are then used to make a purchase through a remote

channel such as the phone, Internet, fax or mail order.

• Identity fraud• A criminal uses fraudulently obtained personal information to open or access card accounts in

someone else's name. Perpetrated through Application fraud and Account takeover.


Changing patterns of fraud – UK issued cards

2004

30%

26%

23%

14%

7%

1994

3%10%

73%

13%

1%

Card-not-presentCounterfeitLost and stolenMail non-receiptIdentity theft

Source: APACSSource: APACS


Fraud losses – UK issued cards

0

20

40

60

80

100

120

140

160Lo

sses

(£m

)

Card-not-present

Counterfeit Lost and stolen Mail non-receipt Identity theft

Fraud Type

Fraud Losses 2004




0

10

20

30

40

50

60

70%

cha

nge

Card-not-present

Counterfeit Lost and stolenMail non-receipt Identity theft

Fraud Type

Fraud Losses 2004 cf. 2003




0

100

200

300

400

500

600Lo

sses

(£m

)

1995 1996 1997 1998 1999 2000 2001 2002 2003 2004

Year

Fraud Losses 1995 - 2004



Extent of fraud – UK issued cards


• Losses against turnover 2004 0.141%

• Losses against turnover 2003 0.135%

• Peak in 1991: 0.33%


Agenda








Fraud prevention

• Verification and validation• The card is genuine• The cardholder is the rightful owner

• Chip and PIN• A chip (‘smart’) card holds encrypted details on a secure microchip that can store

and process information. The PIN replaces the signature for card present transactions

• Biometrics • Methods of identification by measuring unique human characteristics as a way to

confirm identity. Examples are finger or iris scanning or dynamic signature verification

• Card Security Code (CSC)• The last three or four digits of a number (formerly CV2) printed on or just below the

signature panel on payment cards. It can be requested for CNP transactions in addition to card expiry date etc.

• Other features• Holograms, UV, unique fonts


The need for transaction fraud detection

• Around 10% of cardholders keep their PIN with their card• Fraud migration• Staff collusion• Merchant collusion• Increasing sophistication of fraudsters• Chip and PIN not yet applicable to CNP transactions


Authorisation and transaction flow

Retailer

ExceptionFile

Cardholder

NETWORK

IssuerAcquirer

Statement

Purchase

-Transaction- Request - Response


Fraud detection

• A transactional risk management system requires the capability to• detect fraud at the point of sale: authorisations• predict trends• assist in investigations• cope with new trends

• Rule based system• Transaction fraud score


Fraud detection

• Rule based system• Relatively easy to use and maintain• Requires a logical and comprehensive work-flow system• Requires ability to load different types of data• Generally reactive • Example: Secana Card Protector


Rules based system

Datasources select Datasources select the data to be the data to be used in each used in each investigation. investigation. Grouped by Grouped by cardnumber or cardnumber or customer

Agents are the Agents are the Rules. Using input Rules. Using input from datasources from datasources and reports they and reports they select the select the exception exception transactions transactions ––manually or manually or automatically

customer

automatically


Rules based system

Exceptions are Exceptions are placed in queues placed in queues for review by case for review by case handlers

Agents are the Agents are the Rules. Using input Rules. Using input from datasources from datasources and reports they and reports they select the select the exception exception transactions transactions ––manually or manually or automatically

Datasources select Datasources select the data to be the data to be used in each used in each investigation. investigation. Grouped by Grouped by cardnumber or cardnumber or customer

Exception issues Exception issues are either checked are either checked out as OK or out as OK or placed in case placed in case archives

handlersarchives

customer

automatically


Rules based system

Reports• Feed back to the agents with list of cards that have been

exposed for a specific environment• A range of management reports can be generated

• False positive ratios• Success ratio for different agents• Performance of different operators• Can be mailed directly from the system

• Investigation of Common Points of Compromise (CPP)


Transaction fraud score

• Dynamic• Proactive – predictive characteristics may change from transaction to

transaction• Components:

• Cardholder level profiles encapsulating normal transaction pattern• Frequency of use• Typical value range• Types of Goods purchased• Transaction types• Retailer profiles• Cash usage• Balance and Payment histories• Overseas spending patterns• Daily, weekly, monthly, & seasonal patterns

• Aggregator• Data combined for range of time/value intervals, merchant classification

• Score• Model to compare incoming transactions with the norm and known fraud

indicators


Transaction fraud score

Data requirementsData requirementsImplementation Implementation considerationsconsiderations

Real TimeReal Time

‘One behind’‘One behind’

BatchBatch

Frauds detected

Cost


Agenda








Modelling process

• Sample design and preparation• Segmentation

• Fraud types• Personal/company cards• Card types• Affinity scheme• Transaction’s country of origin • Transaction value

• Univariate analysis and feature extraction• Model construction with transformed predictive characteristics


‘Observation’ periode.g. 12+ months

Create ‘Normal transaction pattern’

Sample design – an approach


Observation pointe.g. statement cycle point

‘Outcome’ periode.g. Oct statement cycle

Exclude blocked A/CsCreate month-end snapshot

Update certain characteristics


Create ‘Normal transaction pattern’



Identify ‘late’ fraud notification

Post-outcome period2-3 months


Observation pointe.g. Sept statement cycle

‘Outcome’ periode.g. Oct statement cycle



Sample design

• Data issues• Accurate fraud flag• Sufficient fraud transactions• Authorised and non-authorised transactions• Declined fraud transactions• Account transfer processing: refunds, disputes


0.11%

0.01%

0.12%

0.04%

0.08%

0.03%

0.08%

0.03%

0.00% 0.00%

0.05%

0.00%

0.02%

0.04%

0.06%

0.08%

0.10%

0.12%

0.14%

Issuer 1Issuer 2Issuer 3Issuer 4Issuer 5Issuer 6Issuer 7Issuer 8Issuer 9Issuer 10Issuer 11

US fraud sample

Fraud rate


2002 Fraud Type – development sampleUS fraud sample

16.54%

27.52%

3.30%

8.36%

5.12%

2.03%

37.07%

0.04% 0.02%0.00%

5.00%

10.00%

15.00%

20.00%

25.00%

30.00%

35.00%

40.00%

CARD LOSTCARD STOLENCARD NOT RECEIVED

FRAUD APPCOUNTERFEITOTHER

STOLEN NUMBERMULTIPLE SALES DRAFT

ACCOUNT TAKEOVER


Predictive characteristic set

• Four broad categories:• Indices and ratings

• E.g. Retailer fraud index, Merchandise fraud index, Transaction time index• Individual transaction fraud predictors

• compare the current transaction with the normal behaviour profile • is the normal behaviour profile stored or calculated each time?

• Typical fraud rules• E.g. accounts with more than 5 cash transactions in one day, accounts where

high value transactions are taking place in a country known for fraud, accounts used to make many telephone calls in one day

• Trigger events• Card issue, PIN request, change of address, overpayment, large payment


Univariate analysis

# Transactions of unusual value

Good: Fraud indexGood: Fraud index

-600

-500

-400

-300

-200

-100

0

100

200

0 1 2 3 or more


Univariate analysis

Merchant Category

-600

-500

-400

-300

-200

-100

0

100

200

300

400

Restaurant Transport ATM/Cash Jewellery Telecomms



Univariate analysis

# Transaction velocity cf. average


-500

-400

-300

-200

-100

0

100

200

low medium high very high


Methodology

INPUTSINPUTSAApp

• Artificial neural networks• Global approximation e.g. multilayer perceptron with backpropagation

learning algorithm

• Local approximation e.g. variants on radial basis function networks

• Regression techniques

WEIGHTSWEIGHTSwwjkjk

aa i=1i=1

aa i=2i=2

aa i=3i=3

aa i=4i=4

aaii=5=5

j=1j=1

j=3j=3

j=2j=2

k=1k=1OUTPUT oOUTPUT opp


Agenda








Model performance

• Development and validation samples• For a given cut-off score

• % Fraud transactions detected• False positive rate

• transaction level and account level• balance fraud prevention against customer service

• # and % of accounts referred• fraud investigation team typically 5-6 people

• Value of frauds detected• % and value of first frauds detected


Account False Positive Rate

0

50

100

150

200

250

30028

037

840

842

945

748

851

453

855

757

358

860

161

362

563

664

765

866

968

269

470

972

975

486

699

9

Score

AFPR

Cumulative False Positive Rate

Fraud score


Account Fraud Detection Rate

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

280

378

408

429

457

488

514

538

557

573

588

601

613

625

636

647

658

669

682

694

709

729

754

866

999

Score

Pct o

f Acc

ount

s

Pct of Frauds Total Pct

Fraud score


Account Fraud Detection Rate

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%9 15 21 26 44 57 77 95 112

127

141

155

166

180

191

201

210

219

228

236

243

249

254

258

288

False Positive Rate

Pct o

f Fra

uds

Scorex Transaction Fraud Score

20:120:1

90:190:1

False positive rate


1.30%3.70%

50.00%

0.00%

10.00%

20.00%

30.00%

40.00%

50.00%

60.00%

70.00%

80.00%

90.00%

100.00%

% Auths % Accounts % Fraud Accounts

Cutoff = 400Cutoff = 400False Pos. False Pos. ≈≈ 20:120:1

Model performance – tradeoff


11.00%

28.00%

85.00%

0.00%

10.00%

20.00%

30.00%

40.00%

50.00%

60.00%

70.00%

80.00%

90.00%

100.00%

% Auths % Accounts % Fraud Accounts

Cutoff = 550Cutoff = 550False Pos. False Pos. ≈≈ 90:190:1

Model performance – tradeoff


Agenda








Score Implementation

• Implementation mode• Batch, One behind, Real time

• Preparation• Verify portfolio is appropriate• For existing customers, build profiles prior to implementation• Train fraud investigators• Install a mechanism to facilitate regular monitoring


Agenda








Performance monitoring

0

20

40

60

80

100

120

Jan

Feb Mar AprMay Ju

n Jul

Aug Sep Oct Nov Dec Jan

Feb Mar

Month

Perf

orm

ance

Review feature

extraction

Review feature

extraction

1. Biannual review of feature extraction and model fine-tune

2. Full rebuild after 18-24 months


Current developments

1. Include this technology in Secana Card Protector software

2. Apply a similar analytical approach to Merchant fraud in SecanaMerchant Monitor

Copyright 2005, Experian-Scorex Proprietary and Confidential Release v1.0 // 47

Transaction Fraud Scoring

John Oxley

[email protected]

Credit Scoring and Credit Control IX, Edinburgh 2005

transaction fraud scoring - presentaiton€¦ · • e.g. retailer fraud index, merchandise fraud...

Documents