Webinar Replay
Fraud Prevention Across the Digital Customer Journey
As more transactions move online, the cost of online fraud is rising, and fraudsters are getting smarter.
Fraud prevention needs to happen throughout the customer journey, and it needs to be invisible to legitimate users.
If providers, our customers get it wrong, they risk losing trust, market share, and millions of dollars.
With the PingOne cloud platform, fraud protection starts at the first interaction and continues through the entire customer journey.
Fraud signals feed into authentication and authorization decisions to stop fraudsters from creating accounts, logging in, and completing transactions.
Enterprises can orchestrate multiple fraud signals to ensure they prevent fraud but don't create friction for real users.
Detect fraudulent activity as it happens, mitigate risk, and shut down fraudsters before loss occurs.
Apply learnings and reinforce your defenses.
All while legitimate users transact with ease and confidence.
Hello and thanks for joining another Truth in IT event.
I'm Ryan Neufeld.
Welcome to today's webcast, Fraud Prevention Across the Digital Customer Journey.
Today's webcast is sponsored by Ping Identity.
I'm standing in today for Dave Lippman, who's feeling a bit under the weather, so shout out to him, and let's hope he feels better soon.
In just a minute, I'm gonna hand things over to Mike Matchett.
Mike is Principal Analyst and CEO with Small World Big Data.
And Mike will be joined today by Maya Ogronovich Scott, Product Marketing Manager with Ping Identity.
Before we go to Mike and Maya, I want to go over just a few housekeeping tips.
We expect today's webcast to last about 40, maybe 45 minutes.
And we'll be taking your questions and comments in the chat room.
So without further ado, let me hand it over to Mike Matchett.
Here you go.
Hey, hey, thanks, Ryan.
Uh, this is, uh, you know, kind of sad that we don't have Dave here today, but I'm glad to see you, uh, filling in.
Uh, and for those of you who don't know, Ryan and I used to work together many, many years ago.
So, uh, it is definitely a small world.
Uh, well, let's get on with this today.
I've got a really exciting, uh, Product Marketing Manager to talk to, Maya.
Welcome, Maya.
Thank you.
Thanks for having me.
I'm excited to chat through, um, our thoughts on fraud prevention and how it can be done in a better way.
Yeah, let's, let's start with that.
So Ping Identity is, you're, in that area of IAM for, for most people, they know the top IAM vendors.
Ping Identity is right up there.
Uh, why are we talking about fraud prevention, uh, when you are known for identity?
So, it's funny because we are best known for identity, but I think that identity and access management tools actually have a very important role to play in preventing fraud.
And we'll talk a little bit about the ways that you can bring those in together with traditional fraud tools that most fraud teams are accustomed to using, to really get to a better, more integrated approach, which allows you to preserve a good customer experience, while also effectively preventing fraud on your website.
And at Ping, uh, we actually now have an end-to-end fraud prevention solution which begins with fraud detection, goes all the way through fraud decisioning, fraud mitigation, and then orchestration of those full customer journeys, so we can do the whole thing.
Uh, and we're really passionate about getting that message out there because I think there's a lot of people who don't yet know that Ping is in this game.
All right, so I'm sure we'll see a lot more details here as we go.
But let's just start with, uh, fraud itself.
Uh, we know about lots of security threats these days.
Everyone hears about ransomware and how expensive it is.
How big a problem is fraud?
Fraud is a huge problem.
Online fraud is a really expensive reality that a lot of businesses are grappling with these days.
Um, online fraud has always been an issue for as long as business has been online, right?
But so much business moved online during the pandemic.
And I think the current stat is something like about 1/3 of purchases that moved online because of the pandemic will never go back to in-store.
So, on the e-commerce side, there's just a consistently higher level of traffic than you used to see, and a lot more people are embracing things like online banking, uh, and interacting digitally with various different types of services.
And so, online fraud becomes more and more of a problem and more and more expensive, the more of your business is happening online.
Uh, the estimated cost of e-commerce fraud alone, so we're not even talking about financial services and banking, uh, was about $20 billion in 2021.
Wow.
And we've seen a significant increase in fraud threats against businesses since the start of the pandemic.
Um, I believe the current number is somewhere around 46%.
So, you are seeing that continue to climb, and then businesses are increasing their investment in their counter-fraud measures.
Uh, it's estimated that $63.5 billion will be spent on fraud detection and prevention solutions by 2023.
So businesses that are existing online and that are interacting with their customers online really have a huge fraud problem that they need to tackle.
Right?
And if they don't spend all that money on fraud detection and prevention, the, the cost of fraud would go way up, you know, multiples, I'm sure, right?
Like that's sort of, uh, you have to spend the money to prevent the fraud or the fraud's gonna happen.
Yeah, so for e-commerce again, um, it's, it's an e-commerce stat that I think is really telling: for each $1 of fraudulent purchase that you have to resolve later after the fact, it costs you over $3 to resolve.
OK, so, uh, if you spend the money afterward, you're even going to end up spending more to get, to get, to get out of it, uh, on top of what the fraud itself costs.
Uh, so we talked a lot about, uh, uh, security in the past with lots of other folks, and that we talk about how it's breaking down into not just at the front door, right?
You can't, you can't just look at things at a firewall anymore or at one point in a life cycle.
You have to start looking at things across that.
So, I, I understand that when you guys look at fraud there at Ping Identity, you're thinking, uh, that this is more of an ongoing process.
Tell us about your kind of perspective on that.
Sure, so fraud can occur at any stage of the user journey.
So the way that I'm going to define just the high-level touchpoints of the user journey is you have the initiation of a session where a new user begins their interaction with the digital property.
Um, they're an unknown user at that time, they may or may not register for an account, um, they may or may not log in.
They may or may not perform other activities within the account, such as managing the profile, managing preferences, um, adding or deleting payment information.
Uh, even viewing things within the account, ultimately, you go to a money movement or checkout moment where you're hitting Buy or you're hitting Transfer, or some sort of movement of finances is happening, and at the end you have a complete transaction, and then the session ostensibly ends.
Or perhaps you go back to an earlier piece where after the transaction you're going back to profile management, etc.
But ultimately, those are the touch points that define a user session in either an e-commerce or a financial services setting.
Now, now, now, why don't, why don't people just then just really focus on that checkout stage?
You could catch all the fraud if you do that really well.
Right?
You could just isolate that down and stop all the fraud from happening.
So, the thing is, that's generally how fraud prevention has worked in the past, is that you begin at checkout, and there are old fraud prevention tools that are still very effective to the degree that they were designed to be effective to find credit card fraud or payment fraud or things at the point of checkout.
But there's a lot of damage that fraudsters can do prior to the moment of checkout, and there's a lot of things that can happen in a lot of context that you're missing if you start scanning for fraud at the point of checkout.
So, you can identify bots and emulators very early in the session, and there's almost no situation where you're going to say, it's probably OK that this bot is on my website, and I'm going to let them continue on until they get to the point of checkout and see what they do.
Um, there's a rise in new account fraud, where maybe you are redeeming a sign-up bonus, where every person you refer, you get a $10 coupon; you've referred 600 new customers because you put in a bot that's just registering your new accounts, and then you're collecting that money.
Um, or loyalty points or things like that, uh, the theft of airline miles, for example, is a huge deal.
Those are actual loyalty points that have a financial value.
There are things that can happen at the point of account takeover where the transaction might not look problematic, because at the point of transaction, you are not seeing any sort of activity that rings to you as odd.
The credit card is legitimate; it's tied to the legitimate user who logged in using their legitimate credentials, and if the level of checking that you're doing is, is this a real account?
Does this credit card belong to this account?
Have they used it before, and that's all you're looking at?
The fraudster got access to that person's login information; they can absolutely go in and buy things, and that's where all of those chargebacks that cost three times as much as the cost of the initial transaction come from.
And there's a lot of chargebacks that fraud teams are having to deal with resolving.
A lot of fraud teams are inundated with chargeback resolution, because if you're missing all of the behavioral and other context from earlier in the session, you may not be able to accurately detect and prevent fraud at the point of checkout.
No, I was just curious here, if, if the transaction place is too late, I mean if there's lots of fraud that could happen upstream from there, it seems like now there's a lot more people in a business that might be responsible for, or dealing with fraud rather than just a fraud team that's been identified.
Uh, how have you been seeing that?
Who's responsible for this kind of fraud prevention within companies these days?
So generally, the fraud team is still the primary group that is responsible.
Sometimes they'll report up to Finance, sometimes they'll report up to the CISO.
There's kind of different reporting structures that we've seen among our customers and prospects, but ultimately those fraud prevention measures that they put in are often touched directly by other technical teams, by identity and access management teams, um, because these fraud prevention measures, especially if they're starting to implement them earlier in the session and at multiple points throughout the session, are going to now have a serious impact, whether positive or negative, on the overall user journey that digital teams are concerned with.
Uh, so if, if, if more and more folks are responsible for fraud across the company, there's a lot more stakeholders looking at that.
Uh, it must be kind of interesting then to say, how do I move my organization from looking at just that checkout piece to how do I get ahead of it, and how do I meet all these different user groups' needs.
Right.
So, I think that fraud prevention is generally moving away from a transaction-centric model.
Um, when you are looking at payment fraud exclusively, as we discussed earlier, there's a lot of context that you missed.
There's a lot of points at which you're going to let that fraudulent transaction through because you don't have enough information to realize that it ought to be stopped.
So, we're seeing a move from a transaction-centric model where you're looking at payment, um, only, to a session-centric model where you're doing real-time risk assessment continuously throughout the session.
This can greatly improve detection rates because you have a lot more information that you can take in.
Um, and it'll give you increased flexibility in how you mitigate too.
Nothing is more frustrating.
Let me ask you if you've ever had this experience.
You find a product that you want to buy online, and it's with a retailer you haven't shopped with before, but the deal is great, you're very happy, you go in, you put in your information.
Then you get this proof you're not a robot, and it's a grainy picture of a mountain.
And there's some cars, and it says pick all of the ones that have traffic lights.
And you spend 40 minutes wondering whether the pole that the light is attached to counts as a traffic light or doesn't, and whatever you decide, you end up being wrong, and then your session gets killed and you don't buy the thing.
Uh, fire hydrants, uh, boats, motorcycles, uh, was there a bicycle in this picture?
I've had them all, and I've had the problem with, with, I've had that problem with almost every single request to capture.
I find CAPTCHA really high friction, uh, when they are, and they're not very effective.
The truth of the matter is that the more advanced bots that are out there today are statistically better than humans at filling out CAPTCHAs.
I mean, because when we're doing CAPTCHAs, we're actually in the background, we think, training the bots at Google or whoever it is, to do better at it.
So of course they're going to learn and be better at it.
Yeah, so while I'm not saying every bot is sophisticated enough to bypass CAPTCHA, and CAPTCHA absolutely does catch less sophisticated bots, it's a terrible experience for the customer.
Um, when you start thinking about international users who may not know what an American school bus looks like, and you're asked for pictures of buses and all you see is a school bus, and you might never have seen one outside of perhaps a film.
Um, we see more issues arising from that where the term for something might be different or the way something looks depending on country might be different.
So it's just, it's not a very efficient mode of mitigating fraud.
Other things that happen at the point of transaction where you're suddenly pushed through 3 or 4 security steps will cause a lot of session and cart abandonment.
And the business doesn’t want that, right?
If you’re at the point that the, that the customer was about to give you their money, you want to make it as easy as possible for them to do that.
So, you have to increase your flexibility as to how you mitigate.
You need to be able to mitigate earlier and have kind of a softer mitigation approach.
When you're in your account and you've logged in and you are changing your profile settings and let's say your retailer asks you for MFA, like saying, hey, we just sent you a one-time code.
Please click, etc.
That's a lot less painful than filling out that CAPTCHA or having to re-enter your password 6 times, or having to create an account.
There's just a lot of things that can happen, um, late in the game that are not very good experience.
When you shift them earlier, sometimes it's more palatable.
All right, so, so I'm learning two things here.
One is, you shouldn't do just your fraud detection at the end of that e-commerce transaction, because you're going to miss a lot of fraud that could happen before that.
Uh, and then the second thing is, if you start your fraud detection earlier in that session, you can detect it, and, and, or even prove that it's not fraud and ease the customer journey to actually pushing the buy button, improving business there.
So there's, it sounds like there's some trade-offs going on there between, uh, you know, what security or fraud people are doing, and, you know, how the business people want things to happen.
Yes, so there's a constant balancing act happening, right?
The risk of online fraud is high, as we discussed.
There's a lot of money being lost to online fraud, and fraud teams and financial teams are quite concerned about that.
On the other hand, uh, consumers have an all-time low friction tolerance.
They want it to be easy.
They want every transaction done online to be as simple as buying something from Amazon.
One of the reasons Amazon is so popular is that they have a really smooth, easy, slick customer experience.
And when you put in additional fraud measures, a lot of times you can upset that balance.
So you have one side of the business that cares deeply about reducing fraud losses.
And then you have another side of business that cares about reducing losses of a completely different type.
Um, cart abandonment rates are extremely high.
It's almost 70% of carts that get filled with goods never get checked out.
The estimated loss, which obviously you can only estimate, to cart abandonment is about $18 billion a year, which is pretty close to that number that is lost to online fraud.
So, on the business end, the business people who are thinking about how to design a customer experience that will encourage a customer to cough up their hard-earned money, they're thinking about how do I make them stay?
How do I not drive them away with too many steps, too much complexity, a difficult checkout process, um, and just optimizing checkout alone is estimated to improve retention by over 35%.
Yeah, I was gonna say, $20 billion there, $20 billion over there, you know, it's pocket change, right?
It's like sooner you'll be talking about real money if you add that up.
Uh, so, uh, what do, what, what do we do practically, um, if we don't want to lose $40 billion, uh, on our e-commerce sites now, and it's, and we want to look at things on a session basis.
How should we start thinking about approaching our e-commerce, uh, uh, sessions or our online sessions?
How do we, how do we, how do we start to retool our own sort of best practices for that?
Sure.
So, this ultimately is why Ping is in this game.
Um, your counter fraud toolbox really needs to expand.
There are things that you can do with other types of tools, other than the standard fraud detection tools that you are using, that can bring about a decrease in fraud losses, while also bringing about a decrease in friction for your legitimate customers.
The goal is to get those two sides of the business to stop butting heads and to realize that their ultimate goal is the same.
They want to increase revenue.
They want to improve retention; they want to decrease loss.
And both things can happen at the same time, but you have to look at fraud prevention in a different way.
So, obviously, you have to keep your fraud detection up to date, right?
If all of your fraud detection tools were purchased 10 years ago, likely there are things you're missing based on the way that the fraud landscape has evolved, and you may want to add more fraud detection tools, which, by the way, fraud detection is an additive space.
I very rarely see a customer or prospect say, none of our detection tools are working.
I want to throw them out and start fresh with something new.
It's a matter of, we're catching X amount, and we need that raised by 10%.
Show us that you can bring in a detection tool that's going to catch what my other tools are missing; together, I'm going to get a better picture of what is happening across my digital estate.
So that's the first piece: you gotta improve your fraud detection.
Nothing happens if you can't see what’s happening.
But beyond fraud detection, there are other types of tools that you should be bringing to bear.
Um, there's a lot of analysts talking about this at this point.
Gartner's talking about it, and I've heard it from customers and prospects, too, that there's a lot of blurred lines now between that online fraud detection space and then the identity proofing space, and user authentication space, and all of those things kind of have to come together and be orchestrated into one cohesive approach to building a user journey that's going to be secure without being full of friction and pain.
So, you bring those fraud detection tools together with your IAM tools, your various access management, AM tools, um, with your identity proofing or identity verification tools, um, you put in a slick orchestration layer up top, and you make them come together to give you a holistic approach that's going to basically solve various problems in one go.
So, you want something that's able to aggregate those fraud signals from various places.
Um, you want to be able to enforce access dynamically.
So you want to be able to change your mind about whether a user is authorized to view something or perform an action or hit that checkout button based on the context that's coming in from those aggregated signals, and you need to be able to leverage identity verification and identity proofing in the cases where it's warranted.
All right, so we're not, we're not, again, either just checking things at that transaction checkout stage or when someone logs in the first time and then trusting them throughout the whole thing, we're going to start to look at that entire session from a couple of different perspectives, but looking for signals of fraud all along and having the ability to change our responses if we detect something, which is quite clever.
I'm getting a feeling here, though, if I'm looking at this, and I'm kind of an IT person and looking at the infrastructure and the tool sets and the rest of it.
I've got a lot of solutions.
You mentioned that people could have lots of different pieces and moving parts on this.
Uh, if I want to get to here, and I want to start thinking this way, do I have to really rip and replace all that stuff and put in a more cohesive platform that takes you from end to end, uh, 'cause that's kind of what it's starting to look like a little bit.
So, no, I don't think you do.
Uh, here's the thing, you have a lot of fraud signals coming in today, if you are an online business.
The general number that I have heard from customers and prospects and polling folks on other events that we've done is between 4 and 8 sources of risk signal, and you are looking at different things, which may come up at different times throughout the user journey.
Um, at, at that tail end where you're getting to the point of checkout, you're looking at things like verifying the card and, you know, the transaction type and the transaction amount, and maybe at the point of login, you're looking at, um, you know, time and date, and the location of the user, uh, and maybe at the point of registration, you might be checking the device fingerprint.
Um, you're looking at network characteristics at various points.
Maybe you have a list of users, uh, or you have, you have a subpopulation of users who you feel are of higher risk that you might want to treat differently in some way.
Um, and these different things are coming in at different points in time from these different tools.
So the way to make sure your tools are working for you efficiently is, is not to rip them out.
The way to ensure that all of those different detection tools are working for you efficiently is to centralize your fraud decisioning.
So, more and more we're seeing a drive toward building a centralized fraud decisioning hub where you can house all of your business policies in your fraud logic, and you can threat score in aggregate.
Um, so, perhaps you've got some threat signals coming in from Ping.
Perhaps you're using, you know, our fraud detection, and you're also using BioCatch and ThreatMetrix, and maybe you've got Sift going on at the point of transaction.
Uh, maybe you're using the AIbot Manager, like, there's a lot of different options of things that you might be using right now, and all of them are telling you whether or not they think the user is legitimate.
They are telling you this at different times throughout the user journey.
And most of those fraud detection tools don't mitigate.
All they do is ring like an alarm in an empty house, right?
So the decisioning platform is connecting that alarm to, um, an operations center that is going to make a decision about whether or not to send the fire department.
Right?
The house is on fire; we need to do something.
So, centralizing decisioning, if you don't have something in place that can do that, that is a really useful tool to put in place to organize everything you already have deployed, to threat score in aggregate, and to choose the points throughout the user journey where you want to check and recheck whether or not they should be authorized to continue.
So lifting that authorization layer essentially out of the individual applications, um, and putting it in something that's going to be able to change dynamically.
So it's not exclusively based on they logged in, they're fine, we're good, right?
It's going to let you change your mind because maybe a human logged in.
And they had the password and the username, and it looked all right.
And then, now that they're in, they've deployed a bot to do credit card testing, and they've left.
That user that looked OK before doesn't look OK anymore, but if you're only looking at the point of login, you're going to miss that entirely.
Yeah, so this allows us to, uh, basically go get best of breed, uh, or best-in-class, uh, solutions for our various things that we're doing on our applications and our platforms to users, right?
It could be a very complex set of services we're offering to the world, and each one of them could have their own best, best in class tools for this, and then make some smarter intelligence about it.
I might assume more general intelligence.
Decisioning, uh, I like, I like the word decisioning.
Uh, I also want to say detecting, but I know that's wrong, so we're just gonna say detection and decisioning.
Uh, so, uh, when we make these decisions, then, uh, I, I thought it was interesting you said we can start to do mitigation actions, uh, I assume policy based, that these are things that can be, can be, uh, tuned over time then and do something intelligent.
How does that part fit in?
Right, so your decisioning tools should be able to communicate with your mitigation tools, whatever those might be.
For some customers, for some users, uh, you might feel that simply pushing for MFA is adequate.
Maybe it's just a particularly high transaction amount.
Or there's something that looks a little bit not right, but based on your risk tolerance, you think as long as they complete MFA you're good to go.
Um, maybe for certain specific things, depending on your industry and depending on the use case, you might want them to verify their identity.
You might want to say, I want to see your driver's license, and I want to see you take a selfie, and I want to see that the name on that driver's license, uh, matches the name on the account, and the face on that driver's license matches your face.
That you are who you say you are.
Um, maybe in some cases, you want to terminate the session.
You just want to kill the session and say, sorry, something went wrong, you know, but you want to minimize the amount of times you do that.
Right?
'Cause you don't want false positives.
You want to give the legitimate user a chance to prove that they are legitimate, but if you're clearly seeing behavior that can only be accomplished by a bot or emulator, um, the user is clicking on one pixel.
A human finger cannot do that.
You know this is not a human.
You can terminate that session feeling fairly confident that you haven't just stymied a legitimate user from transacting with you.
Um, and there are various other types of mitigation workflows that you might want to build it.
You might want to push certain types of transactions to manual review and have, you know, a screen pop-up saying, you know, your transaction's being manually reviewed, you will be contacted within X amount.
Um, you may want to take users through a series of questions or screens to check if they've been socially engineered.
Maybe they got an email from a Nigerian prince, and they're about to transfer their life savings, and you really want them to think about who asked for that and why.
Uh, and we do actually have customers who are using our tools in such a way as to catch those socially engineered transfers, where the fraud occurred outside of your digital property.
So no amount of user behavior analytics is going to show that to you, because it's a legitimate user logging into their own account, moving their own money of their own free will, but under false pretenses because they have been scammed.
All right.
I, you know, again, I look at this and I think there's so much possibility here to do better job and like claw back some of the $20 billion in fraud loss and some of the $20 billion, uh, in cart abandonment and, and come out ahead on both sides of that.
Uh, one of the things, though, it's still a little concern about is this involves a lot of different teams, if I'm, if I'm looking at this right, right?
You have application owners, you have fraud owners, you now have identity owners, you have some, uh, people who are, uh, doing some business logic and so on.
Uh, does this decisioning, the central point decisioning help bring those teams together to make a better, like management decision over all this, or do they end up fighting over who gets control?
It does.
So the really cool thing about centralizing your decision in this way is that it gives you a place to clearly put in words your business logic and your policies that will determine how potentially fraudulent sessions are treated.
You can audit them, you can change them, and by lifting that out of the individual application layer, it's kind of owned in one place.
What we have found is that fraud teams tend to own the business logic in the decisioning portion.
And then IAM teams tend to own the higher level orchestration layer that connects everything together, and you just sort of plug in those decisioning points in the moments in the flow where it's appropriate to check again.
This session seemed fine when user performed action X.
Now, they are doing action Y.
Let's check again.
There might be new context that has come in through one of our other detection tools that tells us we should now treat them differently.
There's an interesting separation of concerns there too, which I think is good.
So you've got a single central point for the fraud policies, uh, separate from the people who are maybe doing DevOpsy things all day long and making changes and things, and they're not able to go in there necessarily and change the fraud detection policies.
We've, we've heard from a lot of fraud teams that they really want, um, an isolated, uh, limited access place to build out their fraud policies that's easily auditable, that, you know, is easily modifiable, and that is a place that if they change something in there, not break the overall user journey flow, which is something that has definitely happened and causes additional friction that is unnecessary between fraud and business teams.
Yeah, so let's talk about that.
So, I mean, the goal here is to really try to make what you're doing, uh, not just frictionless to the end customer, but maybe even lubricate what they're doing so that they're not interfered with by people who are doing fraud, right?
So you're, you're, you're not just reducing the chargebacks the company has to deal with, but you're hopefully improving the customer experience.
How, how do you view that, and are there, are there features and approaches using this that make that better?
Yeah, I think the ultimate goal, uh, that everyone in a business can agree to is the more invisible so that fraud prevention is to a legitimate customer, the better.
So, when this works as it should, your legitimate users should be having a very easy experience where they go to your website, uh, perhaps they log in, or perhaps they're auto logged in through your app.
And they go to transact, and they click Buy, and they click Confirm.
And it's done, right?
Um, but an illegitimate user is stymied at every single turn.
Because you are seeing that there's behavior or other characteristics or factors that don't line up, and you are making sure that it's very difficult for them to get through.
So, when you start with a population of users who enter your site, you can almost immediately weed out the non-human users.
Right?
If you've got a good detection tool in place that can separate bots from humans, um, it'll tell you that the way that this user is moving, or the way that this user is clicking, or the speed at which this user is doing certain things is just not human.
That there's no human who can do what this user is doing, therefore this user is not a human; they are a machine.
You can kill those sessions with comfort.
You know that there's nothing good that could have come from allowing them to continue to register an account and do other things.
Um, and then you separate your users on the back end.
Right?
So you never tell them that this is what you're doing, but you separate your users by risk level, and the number of risk levels that you have is entirely up to your fraud team and how in-depth you want to get with your business policies.
And your low-risk users who are exhibiting good safe behaviors have a very smooth and easy experience, and they never see those additional fraud prevention touchpoints at all.
Your users who are suspicious on some level, um, will have a different experience.
And you can customize that experience based on the level of risk that you perceive you have.
So, so financially, so if I, if I'm a recurring customer and I'm going in and I'm ordering something worth $5 every other day, and I just want a quick transaction, you can identify me, see that that's me, shows me, and let me through and just do that, and I don't have to fill out a CAPTCHA every time I want to order a box of toothpicks or whatever it is, right?
I mean, I personally think you should never have to fill out a CAPTCHA at all.
I am fighting.
You're on a mission to get rid of CAPTCHA.
I am.
It's terrible.
No one likes them.
They're awful.
I want them to go away.
Oh man, Google, sorry about that.
Uh, so, uh, but, but you know, on the other hand, if I'm coming in and I want to buy a motorcycle and I'm in Boston where I'm at, and I want to buy it in San Francisco, where I'm not, and there's all sorts of flags and arrows going up.
I may still be a legitimate buyer.
Maybe I'm buying it for my brother as a present or something like that, but, um, I would then be channeled down into something that says, Well, you're a little bit riskier now.
You got to do some verification.
Maybe you got to make a phone call, maybe provide a driver's license and fax something, although no one faxes anymore, but the equivalent, the equivalent of that.
Hopefully we do this all digitally, right?
Yeah, I can tell how old I am.
I'm dating myself here.
Like I'm, I'm dating myself.
Just fax it in.
Um, but you know, we take a picture of their phone and we, we can do all sorts of other types of digital signatures and, and digital verification proofs and things like that.
So that's, that's interesting.
And if I'm explicitly identifying that now, in my e-commerce, uh, processes that I have a fraud team who has the authority to make those policy decisions, I can now start to actually put KPIs on that and start to measure in sort of, sort of a virtuous loop and report to management that, uh, I'm actually clawing back some of the money that we've been maybe invisibly losing, right?
Right, so, uh, it should become kind of a virtuous cycle.
If you build this all together and you integrate it the way that we believe that it should be done.
Your fraud detection, which is where the cycle starts, should continuously evolve because everything else is going to evolve.
So, you've got your detection step, um, you're detecting fraudulent activity as it happens.
You are then pushing to decisioning to make those decisions in real time and then push for real-time mitigation.
So fewer things get to chargeback.
Fewer things come to manual review, freeing up the time, resources, and energy of the fraud team that is inundated with these manual reviews, to actually look through now the intelligence that has come out of those first three steps, all of the reporting, all of the various things that will show you, you know, here is all of the users, and here are the sessions that were identified as fraudulent and, um, you know, here are the cases where they managed to MFA in versus the cases where the session was killed, versus cases where X thing happened. Uh, are your policies working well?
Are there things that you are missing?
Are there things that still end up coming in to chargeback because your policies need tweaking?
So now you use that intelligence to change your policies, and you orchestrate those touch points into the broader user journey to ensure that the overall user journey, user flow is still quite smooth for those users who are not doing things that look suspicious or risky.
And you modify those risk levels, uh, and now once again you're detecting, but you're smarter about what your detection tools are telling your decisioning tool, your business policies have improved, so now it's even harder to get through, and the cycle continues to go around.
All right.
And, and when we're doing this cycling around, uh, again, we could probably have some, some, some reports and measurements at each point to tell us how well we're doing, and, and, and do that continuous improvement stuff.
Uh, when we are thinking about this, and, uh, looking at now implementing this, uh, can we sort of summarize for folks what they need to do more practically, uh, to, to get from where they are today to taking new steps?
Was there, is there some sort of advice you can help people with and say, like, well, look, here, look at what you're doing and then here's maybe the right place to, to start digging in.
Sure.
So I would say the first step is start with detection, right?
You can't stop what you can't see.
So, figure out whether your existing fraud detection is adequate or whether there are swaths of fraudulent activity that you're still missing, and whether you need to add an additional layer of detection on top.
I think that's the first thing you have to do is kind of take stock of your detection estate and see if you're seeing everything, but maybe not in time because, you know, the mitigation automation isn't there, or you're just not seeing everything.
So depending on how well your detection is working, you may want to tweak there.
Next, you have to figure out how to automate your mitigation.
And I really do believe that centralized fraud decisioning, especially in situations where there's multiple signals from multiple vendors coming in, is a great way to do that.
So that you can make those real-time mitigation decisions and push for real-time mitigation without ever having a human team member involved in reviewing the transaction.
Right, so if you don't have a decisioning layer, but you are doing fraud detection with multiple vendors and signal types, I would recommend, the next recommendation I would say is, implement centralized decisioning, right?
So you can't manage, you can't manage what you can't measure, which would be the detection part, and you can't manage what you can't manage, which would be the mitigation decisioning part.
Uh, and once I've got those pieces in place, and then I want to do a better job.
Right?
So I, I, I, I, I learn, right?
What, tell me, what's learning in terms of Ping Identity here?
So, you should be able to leverage the reporting and the intelligence that comes out of your detection, decisioning, and mitigation tools to sit down with your fraud teams and see what is actually happening and where the gaps are.
Um, or maybe where your measures are too draconian, right?
Where there are places where you are making it too difficult to transact versus places where there are gaps.
Uh, and so using that information that you're pulling from those earlier steps, you should be able to tweak your fraud response.
This is also where centralizing those business policies becomes very useful. Don't have to hard code a change in policy into 6 individual applications, you just go to one place and you write a sentence saying, you know, for transactions over $5000, do this.
Regardless of which e-commerce path they've taken or which application they're actually doing across your company, right?
So the business logic is more straightforward in that fraud decisioning layer, um, and not necessarily embedded by 5000 different developers in different pieces of code.
Um.
And then the other piece of this that's really important is orchestration.
Um, there's a lot of talk about identity orchestration right now, and, uh, we at Ping feel really strongly that if you have a good orchestration engine, then you can build those user experiences to look exactly the way you want them to, and maintain their security while also being easy for your end users to go through.
A good orchestration layer will let you pull in all of those different tools from different places, your, your 4 to 8 detection tools, your decisioning tools, your mitigation tools.
Maybe you have MFA with one provider, but you're doing ID verification with another provider, right?
It doesn't matter.
You should be able to build those all in one seamless user journey.
The user shouldn’t need to know that there’s 16 vendors on the back end on your part.
They just need to know they go to your website and have an easy time buying something or transferring funds.
That's the goal.
At the end of the day, you're just again reducing that friction while catching all the fraud.
So one of the things I like here is that you've got this, again, we talked about this earlier, separation of concerns.
So the fraud logic is in one place, and the identity orchestration can kind of wrap around that, but you do have that fraud logic lifted up from the end tools, so it's, it's decisioning here and not decisions made in lots of different microservices, for example, or spread out throughout the day.
So that's really good.
Uh, and then that, um, do you have, uh, uh, just a couple of examples of people who have now adopted this approach and have, and have seen some significant improvements?
Sure, so we've got a few customers that are doing pieces or chunks of the fraud prevention journey with us, right?
This is still a fairly new initiative for us.
We're really excited about it.
We're going forward and we're getting more and more people kind of signing on and giving this a try, but some of our early successes have been really telling.
Um, I have one financial services customer who implemented centralized decisioning and some of our tools for mitigation, and they, within, I believe it was something like 10 hours of go live.
10 hours, OK, because it's not, not like 10 days or 10 months, 10 hours.
No, 10 hours of go live, we stopped a 12,000 pound sterling scam.
So in less than a day, it paid for itself and then some, and they're continuing to see they've, they've implemented our tools not across every single channel, and I can't speak in too much detail about them, right, because they haven't consented to be named, but um, the channels where they have implemented our tools, they are seeing a statistically significant decrease in fraud losses.
And, and I would imagine that, uh, one of the things I wanted to point out earlier is that, you know, we, I cover a lot of IT products or IT tools, a lot of backroom stuff.
Uh, but as we're talking about this, this isn't simply backroom.
This is front room.
This is board-level visibility kinds of things.
So, uh, if you're learning and you're going back a slide or two, and we're getting these reports and audits.
This is stuff that could be elevated up, not just to management, but to the executive team and even the boardroom about how you're improving what you're doing in the company across the board, which I just think is critically important for people's professional development, and of course the success of the organization today.
That's great.
So, uh, so Maya, we're kind of running a little bit out of the end of our session here.
If someone is more interested in, uh, learning about, uh, this process we put on this more converting to a session-oriented thing versus transaction-oriented and looking at the different ways Ping Identity can help them make that journey or complete that, uh, that, that virtuous cycle we talked about.
What would you have them go look at or give them some resources?
Sure, I would, uh, invite them to visit our website, come to pingidentity.com.
There is a Mitigate Fraud Risk, uh, solution page that talks about all of the pieces of this in greater detail.
We have quite a few additional pieces of content for you to peruse, uh, but ultimately, reach out to us if you have a fraud prevention initiative and you want to talk to us about how this could look in real life in your individual organization, because every organization's approach is going to be a little bit unique.
Uh, because it's an additive business, none of us are ever going to come in and tell you, let's rip out everything you have.
We're gonna put in PingOne end to end, and it's going to work.
We have an end-to-end solution.
It does work.
If you have things that are already working for you, let's pick and choose the pieces where you need to improve, and, you know, our, our solution architects can help make that real for you.
Kind of like that glue or expanding foam, you can put it on top of whatever you have, and it's going to unify it into one solid infrastructure.
Oh man, we've got a lot of analogies here today, Maya.
Thank you for, thank you for being here, uh, and explaining this.
Uh, I learned a lot, actually, about fraud detection.
I thought it was pretty simple, but there's actually some subtleties to it that are worth exploring.
Uh, so thanks.
Yeah, you're very welcome.
It was great to have this chat with you today.
All right, uh, back to you, Ryan.
Uh, what have we got?
Well, thank you both Mike and Maya.
I think that was a very useful discussion.
And I think our audience definitely appreciates all that information.
I want to say thank you to Ping Identity for sponsoring, and of course, thank you to everyone who came today.
It wouldn't be an event without you all.
And a big uh shout out to Dave.
We hope Dave gets better soon.
He will be back in the saddle for the next event.
And once again, I'm Ryan Neufeld with Truth in IT, and we hope you have a great day.
Thanks.
Fraud prevention needs to happen throughout the Customer journey, and it needs to be invisible to legitimate users.
If providers, our customers get it wrong, they risk losing trust.
Market share, and millions of dollars.
With the PingOne cloud platform, fraud.
Protection starts at the first interaction and continues through the entire customer journey.
Fraud signals feed into authentication and authorization decisions to stop fraudsters from Creating accounts, logging in, and completing transactions.
Enterprises can orchestrate multiple fraud signals to ensure they prevent fraud, But don't create friction for real users.
Detect fraudulent activity as it happens, mitigate risk, and shut down fraudsters before Loss occurs.
Apply learnings and reinforce your defenses.
All while legitimate users transact with ease and confidence.
Hello and thanks for joining another Truth in IT event.
I'm Ryan Neufeld.
Welcome to today's webcast, Fraud Prevention Across the Digital Customer Journey.
Today's webcast is sponsored by Ping Identity.
I'm standing in today for Dave Lippman, who's feeling a bit under the weather, So shout out to him, and let's hope he feels better soon.
In just a minute, I'm gonna hand things over to Mike Matchett.
Mike is Principal Analyst and CEO with Small World Big Data.
And Mike will be joined today by Maya Ogronovich Scott, Product Marketing Manager with Ping Identity.
Before we go to Mike and Maya, I want to go over just a few housekeeping tips.
We expect today's webcast to last about 40, maybe 45 minutes.
And we'll be taking your questions and comments in the chat room.
So without further ado, let me hand it over to Mike Matchett.
Here you go.
Hey, hey, thanks, Ryan.
Uh, this is, uh, you know, kind of sad that we don't have Dave here today, But I'm glad to see you, uh, filling in.
Uh, and for those of you who don't know, Ryan and I used to work together many, many years ago.
So, uh, it is definitely a small world.
Uh, well, let's get on with this today.
I've got a really exciting, Uh, Product Marketing Manager to talk to, Maya.
Welcome, Maya.
Thank you.
Thanks for having me.
I'm excited to chat through.
Um, our thoughts on fraud prevention and how it can be done in a better way.
Yeah, let's, let's start with that.
So Ping Identity is, You're, in that area of IAM for, for most people, they know the top IAM vendors.
Ping Identity is right up there.
Uh, why are we talking about fraud prevention, uh, when you are known for identity?
So, it's funny because we are best known for identity, but I think that identity and access Management tools actually have a very important role to play in preventing fraud.
And we'll talk a little bit about the ways that you can bring those in together with Traditional fraud tools that most fraud teams are accustomed to using.
To really get to a better, more integrated approach, which allows you to preserve a good Customer experience, while also effectively preventing fraud on your website.
And at Ping, uh, we actually now have an end-to end fraud prevention solution which begins with Fraud detection goes all the way through fraud decisioning, fraud mitigation, And then orchestration of those full customer journeys, so we can do the whole thing.
Uh, and we're really passionate about getting that message out there because I think there's A lot of people who don't yet know that Ping is in this game.
All right, so I'm sure we'll see a lot more details here as we go.
But let's just start with, uh, fraud itself.
Uh, we know about lots of security threats These days.
Everyone hears about ransomware and how Expensive it is.
How big a problem is fraud?
Fraud is a huge problem.
Online fraud is a really expensive reality that A lot of businesses are grappling with these days.
Um, online fraud has always been an issue for as long as business has been online, Right?
But so much business moved online during the Pandemic.
And I think the current stat is something like About 1/3 of purchases that moved online because of the pandemic will never go back to in-store.
So, on the e-commerce side, there's just a Consistently higher level of traffic than you used to see, And a lot more people are embracing things like online banking, Uh, and interacting digitally with various different types of services.
And so, online fraud becomes more and more of a problem and more and more expensive, The more of your business is happening online.
Uh, the estimated cost of e-commerce fraud alone, so we're not even talking about Financial services and banking, uh, was about $20 billion in 2021.
Wow.
And we've seen a significant increase in fraud Threats against businesses since the start of the pandemic.
Um, I believe the current number is somewhere around 46%.
So, you are seeing that continue to climb, and then businesses are increasing their investment in their counter-fraud measures.
Uh, it's estimated that $63.5 billion will be Spent on fraud detection and prevention solutions by 2023.
So businesses that are existing online and that are interacting with their customers online really have a huge fraud problem that they need to tackle.
Right?
And if they don't spend all that money on fraud Detection and prevention, the, the cost of fraud would go way up, You know, multiples, I'm sure, right?
Like that's sort of, uh, you have to spend the money to prevent the fraud or the fraud's gonna Happen.
Yeah, so for e-commerce again, um, it's, It's an e-commerce stat that I think is really telling: For each $1 of fraudulent purchase That you have to resolve later after the fact, It costs you over $3 to resolve.
OK, so, uh, if you spend the money afterward, you're even going to end up spending more to Get to get, to get out of it, uh, on top of what the fraud itself costs.
Uh, so we talked a lot about, uh, uh, security in the past with lots of other folks, And that we talk about how it's breaking down into not just at the front door, Right?
You can't, you can't just look at things at a firewall anymore or at one point in a life cycle.
You have to start looking at things across that.
So, I, I understand that when you guys look at fraud there at Ping Identity, You're thinking, uh, that this is more of an ongoing process.
Tell us about your kind of perspective on that.
Sure, so fraud can occur at any stage of the user journey.
So the way that I'm going to define just the high-level touchpoints of the user journey is You have the initiation of a session where a new user begins their interaction with the Digital property.
Um, they're an unknown user at that time, They may or may not register for an account, um, They may or may not log in.
They may or may not perform other activities within the account, such as managing the profile, managing preferences, um, Adding or deleting payment information.
Uh, even viewing things within the account, ultimately, you go to a money movement or Checkout moment where you're hitting Buy or you're hitting Transfer, Or some sort of movement of finances is happening, and at the end you have a complete Transaction, and then the session ostensibly ends.
Or perhaps you go back to an earlier piece where after the transaction you're going back to Profile Management, etc.
But ultimately, Those are the touch points that define a user session.
In either an e-commerce or a financial services setting.
Now, now, now, why don't, why don't people just then just really focus on that checkout stage?
You could catch all the fraud if you do that really well.
Right?
You could just isolate that down and stop all The fraud from happening.
So, the thing is, That's generally how fraud prevention has worked in the past.
Is that you begin at checkout, and there are old fraud prevention tools that are still very Effective to the degree that they were designed to be effective to find credit.
Card fraud or payment fraud or things at the point of checkout.
But there's a lot of damage that fraudsters can do prior to the moment of checkout, And there's a lot of things that can happen in a lot of context that you're missing if you Start scanning for fraud at the point of checkout.
So, you can identify bots and emulators very early in the session, And there's almost no situation where you're going to say, It's probably OK that this bot is on my website, and I'm going to let them continue on until They get to the point of checkout and see what they do.
Um, there's a rise in new account fraud, where maybe you are redeeming a sign-up bonus, Where every person you refer, you get a $10 coupon; you've referred 600 new customers Because you put in a bot that's just registering your new accounts, And then you're collecting that money.
Um, or loyalty points or things like that, uh, the theft of airline miles, For example, is a huge deal.
Those are actual loyalty points that have a financial value.
There are things that can happen at the point of account takeover where the transaction might Not look.
Problematic, because at the point of Transaction, you are not seeing any sort of activity that rings to you as odd.
The credit card is legitimate; it's tied to the legitimate user who logged in using their Legitimate credentials, and if the level of checking that you're doing is, Is this a real account?
Does this credit card belong to this account?
Have they used it before, And that's all you're looking at?
The fraudster got access to that person's login information; they can absolutely go in and buy Things, and that's where all of those chargebacks that cost three times as much as the Cost of the initial transaction come from.
And there's a lot of chargebacks that fraud Teams are having to deal with resolving.
A lot of fraud teams are inundated.
With Chargeback resolution, because if you're missing all of the behavioral and other context From earlier in the session, you may not be able to accurately detect and prevent fraud at The point of checkout.
No, I was just curious here, if, If the transaction place is too late, I mean if there's lots of fraud that could Happen upstream from there, it seems like now there's a lot more people in a business that might be responsible for, or dealing with fraud rather than just a fraud team that's been Identified.
Uh, how have you been seeing that?
Who's responsible for this kind of fraud prevention within companies these days?
So generally, the fraud team is still the primary primary group that is responsible.
Sometimes they'll report up to Finance, sometimes they'll report up to the CISO.
There's kind of different reporting structures that we've seen among our customers and Prospects, but ultimately those fraud prevention measures that they put in are often touched directly by other technical teams, by identity and access management teams, Um.
Because these fraud prevention measures, Especially if they're starting to implement them earlier in the session and at multiple Points throughout the session are going to now have a serious impact.
Whether positive or negative, overall user journey that digital teams are concerned With.
Uh, so if, if, if more and more folks are Responsible for fraud across the company, there's a lot more stakeholders looking at that.
Uh, it must be kind of interesting then to say, how do I move my organization From looking at just that checkout piece to how do I get ahead of it, and how do I meet all These different user groups' needs.
Right.
So, I think that fraud prevention is generally moving away from a transaction-centric model.
Um, when you are looking at payment fraud exclusively, as we discussed earlier, There's a lot of context that you missed.
There's a lot of points at which you're going to let that fraudulent transaction through because you don't have enough information to Realize that it ought to be stopped.
So, we're seeing a move from a transaction-centric model where you're looking At payment.
Um, only to a session-centric model where You're doing real-time risk assessment continuously throughout the session.
This can greatly improve detection rates because you have a lot more information than You can take in.
Um, and it'll give you increased flexibility in How you mitigate too.
Nothing is more frustrating.
Let me ask you if you've ever had this Experience.
You find a product that you want to buy online, And it's with a retailer you haven't shopped with before, But the deal is great, you're very happy, you go in, You put in your information.
Then you get this proof you're not a robot, and it's a grainy picture of a mountain.
And there's some cars, and it says pick all of the ones that have traffic lights.
And you spend 40 minutes wondering whether the pole that the light is attached to counts as a Traffic Light or doesn't, and whatever you decide, you end up being wrong, And then your session gets killed and you don't buy the thing.
Uh, fire hydrants, uh, boats, motorcycles, uh, Was there a bicycle in this picture?
I've had them all, and I've had the problem with, with, I've had that problem with almost every single request to capture.
I find CAPTCHA really high friction, uh, when they are, And they're not very effective.
The truth of the matter is that the more Advanced bots that are out there today are statistically better than humans at filling out Captchas.
I mean, because when we're doing captchas, We're actually in the background, we think training the bots.
At Google or whoever it is, to do better at it.
So of course they're going to learn and be better at it.
Yeah, so while I'm not saying every bot is sophisticated enough to bypass CAPTCHA, and CAPTCHA absolutely does catch less sophisticated bots, It's a terrible experience for the customer.
Um, when you start thinking about international users who may not know what an American school Bus looks like, and you're asked for pictures of buses and all you see is a school bus, And you might never have seen one outside of perhaps a film.
Um, we see more issues arising from that where the term for something might be different or The way something looks depending on country might be different.
So it's just, it's not a very efficient mode of mitigating fraud.
Other things that happen at the point of transaction where you're suddenly pushed Through 3 or 4 security steps will cause a lot of session and card abandonment.
And the business doesn’t want that, right?
If you’re at the point that the, That the customer was about to give you their money, you want to make it as easy as possible For them to do that.
So, you have to increase your flexibility as to How you mitigate.
You need to be able to mitigate earlier and have kind of a softer mitigation approach.
When you're in your account and you've logged in and you are changing your profile settings And let's say your retailer asks you for MFA, like saying, Hey, we just sent you a one-time code.
Please click, etc.
That's a lot less painful than filling out that capture or having to re-enter your Password 6 times, or having to create an account.
There's just a lot of things that can happen, um, late in the game that are not very good Experience.
When you shift them earlier, Sometimes it's more palatable.
All right, so, so I'm learning two things here.
One is, You shouldn't do just your fraud detection at the end of that e-commerce transaction, because You're going to miss a lot of fraud that could happen before that.
Uh, and then the second thing is, if you start your fraud detection earlier in that session, You can detect it, and, and, or even prove that it's not fraud and ease the customer journey to Actually pushing the buy button, improving business there.
So there's, it sounds like there's some trade-offs going on there between Uh, You know what security or fraud people are doing, and, You know, how the business people want things to happen.
Yes, so there's a constant balancing act happening, right?
The risk of online fraud is high, as we discussed.
There's a lot of money being lost to online fraud, and fraud teams and financial teams are Quite concerned about that.
On the other hand, uh, consumers have an all-time low friction tolerance.
They want it to be easy.
They want every transaction done online.
To be as simple as buying something from Amazon.
One of the reasons Amazon is so popular is that They have a really smooth, easy, slick customer experience.
And when you put in additional fraud measures, a lot of times you can upset that balance.
So you have one side of the business that cares deeply about reducing fraud losses.
And then you have another side of business that cares about reducing losses of a completely different type.
Um, cart abandonment rates are extremely high.
It's almost 70% of carts that get filled with goods never get checked out.
The estimated loss, which obviously you can only estimate, to cart abandonment is about $18 billion a year, which is pretty close to that number that is lost to online fraud.
So, on the business end, the business people who are thinking about how to design a customer experience that will encourage a customer to cough up their hard-earned money, they're thinking about how do I make them stay?
How do I not drive them away with too many steps, too much complexity, a difficult checkout process? Um, and just optimizing checkout alone is estimated to improve retention by over 35%.
Yeah, I was gonna say, 20, $20 billion there, $20 billion over there, you know, it's pocket change, right?
It's like sooner you'll be talking about real money if you add that up.
Uh, so, uh, what do, what, what do we do practically, um, if we don't want to lose $40 billion, uh, on our e-commerce sites now, and it's, and we want to look at things on a session basis?
How should we start thinking about approaching our e-commerce, uh, uh, sessions or our online sessions?
How do we, how do we, how do we start to retool our own sort of best practices for that?
Sure.
So, this ultimately is why Ping is in this game.
Um, your counter fraud toolbox really needs to expand.
There are things that you can do with other types of tools, other than the standard fraud detection tools that you are using, that can bring about a decrease in fraud losses, while also bringing about a decrease in friction for your legitimate customers.
The goal is to get those two sides of the business to stop butting heads and to realize that their ultimate goal is the same.
They want to increase revenue.
They want to improve retention; they want to decrease loss.
And both things can happen at the same time, but you have to look at fraud prevention in a different way.
So, obviously, you have to keep your fraud detection up to date, right?
If all of your fraud detection tools were purchased 10 years ago, likely there are things you're missing based on the way that the fraud landscape has evolved, and you may want to add more fraud detection tools, which, by the way, fraud detection is an additive space.
I very rarely see a customer or prospect say, none of our detection tools are working.
I want to throw them out and start fresh with something new.
It's a matter of, we're catching X amount, and we need that raised by 10%.
Show us that you can bring in a detection tool that's going to catch what my other tools are missing; together, I'm going to get a better picture of what is happening across my digital estate.
So that's the first piece: you gotta improve your fraud detection.
Nothing happens if you can't see what’s happening.
But beyond fraud detection, there are other types of tools that you should be bringing to bear.
Um, there's a lot of analysts talking about this at this point.
Gartner's talking about it, and I've heard it from customers and prospects, too, that there's a lot of blurred lines now between that online fraud detection space and then the identity proofing space, and user authentication space, and all of those things kind of have to come together and be orchestrated into one cohesive approach to building a user journey that's going to be secure without being full of friction and pain.
So, you bring those fraud detection tools together with your IAM tools, your various access management, AM tools, um, with your identity proofing or identity verification tools, um, you put in a slick orchestration layer up top, and you make them come together to give you a holistic approach that's going to basically solve various problems in one go.
So, you want something that's able to aggregate those fraud signals from various places.
Um, you want to be able to enforce access dynamically.
So you want to be able to change your mind about whether a user is authorized to view something or perform an action or, or hit that checkout button based on the context that's coming in from those aggregated signals, and you need to be able to leverage identity verification and identity proofing in the cases where it's warranted.
All right, so we're not, we're not again either just checking things at that transaction checkout stage or when someone logs in the first time and then trusting them throughout the whole thing. We're going to start to look at that entire session from a couple of different perspectives, but looking for signals of fraud all along and having the ability to change our responses if we detect something, which is quite clever.
I'm getting a feeling here, though, if I'm looking at this, and I'm kind of an IT person and looking at the infrastructure and the tool sets and the rest of it.
I've got a lot of solutions.
You mentioned that people could have lots of different pieces and moving parts on this.
Uh, if I want to get to here, and I want to start thinking this way, do I have to really rip and replace all that stuff and put in a more cohesive platform that takes you from end to end? Uh, 'cause that's kind of what it's starting to look like a little bit.
So, no, I don't think you do.
Uh, here's the thing, you have a lot of fraud signals coming in today, if you are an online business.
The general number that I have heard from customers and prospects and polling folks on other events that we've done is between 4 and 8 sources of risk signal, and you are looking at different things, which may come up at different times throughout the user journey.
Um, at, at that tail end where you're getting to the point of checkout, you're looking at things like verifying the card and, you know, the transaction type and the transaction amount, and maybe at the point of login, you're looking at, um, you know, time and date, and the location of the user, uh, and maybe at the point of registration, you might be checking the device fingerprint.
Um, you're looking at network characteristics at various points.
Maybe you have a list of users, uh, or you have, you have a subpopulation of users who you feel are of higher risk that you might want to treat differently in some way.
Um, and these different things are coming in at different points in time from these different tools.
So the way to make sure your tools are working for you efficiently is, is not to rip them out.
The way to ensure that all of those different detection tools are working for you efficiently is to centralize your fraud decisioning.
So, more and more we're seeing a drive toward building a centralized fraud decisioning hub where you can house all of your business policies in your fraud logic, and you can threat score in aggregate.
Um, so, perhaps you've got some threat signals coming in from Ping.
Perhaps you're using, you know, our fraud detection, and you're also using BioCatch and Theft metrics, and maybe you've got Sift going on at the point of transaction.
Uh, maybe you're using the AIbot Manager, like, there's a lot of different options of things that you might be using right now, and all of them are telling you whether or not they think the user is legitimate.
They are telling you this at different times throughout the user journey.
And most of those fraud detection tools don't mitigate.
All they do is ring like an alarm in an empty house, right?
So the decisioning platform is connecting that alarm to, um, an operations center.
That is going to make a decision about whether or not to send the fire department.
Right?
The house is on fire; we need to do something.
So, centralizing decisioning, if you don't have something in place that can do that, that is a really useful tool to put in place to organize everything you already have deployed, to threat score in aggregate, and to choose the points throughout the user journey where you want to check and recheck whether or not they should be authorized to continue.
So lifting that authorization layer essentially out of the individual applications, um, and putting it in something that's going to be able to change dynamically.
So it's not exclusively based on they logged in, they're fine, we're good, right?
It's going to let you change your mind because maybe a human logged in.
And they had the password and the username, and it looked all right.
And then, now that they're in, they've deployed a bot to do credit card testing, and they've left.
That user that looked OK before doesn't look OK anymore, but if you're only looking at the point of login, you're going to miss that entirely.
Yeah, so this allows us to, uh, basically go get best of breed, uh, or best-in-class, uh, solutions for our various things that we're doing on our applications and our platforms to users, right?
It could be a very complex set of services we're offering to the world, and each one of them could have their own best, best-in-class tools for this, and then make some smarter intelligence about it.
I might assume more general intelligence.
Decisioning, uh, I like, I like the word decisioning.
Uh, I also want to say detecting, but I know that's wrong, so we're just gonna say detection and decisioning.
Uh, so, uh, when we make these decisions, then, uh, I, I thought it was interesting you said we can start to do mitigation actions, uh, I assume policy based, that these are things that can be, can be, uh, tuned over time then and do something intelligent.
How does that part fit in?
Right, so your decisioning tools should be able to communicate with your mitigation tools, whatever those might be.
For some customers, for some users, uh, you might feel that simply pushing for MFA is adequate.
Maybe it's just a particularly high transaction amount.
Or there's something that looks a little bit not right, but based on your risk tolerance, you think as long as they complete MFA you're good to go.
Um, maybe for certain specific things, depending on your industry and depending on the use case, you might want them to verify their identity.
You might want to say, I want to see your driver's license, and I want to see you take a selfie, and I want to see that the name on that driver's license, uh, matches the name on the account, and the face on that driver's license matches your face, that you are who you say you are.
Um, maybe in some cases, you want to terminate the session.
You just want to kill the session and say, sorry, something went wrong, you know, but you want to minimize the amount of times you do that.
Right?
'Cause you don't want false positives.
You want to give the legitimate user a chance to prove that they are legitimate, but if you're clearly seeing behavior that can only be accomplished by a bot or emulator, um, the user is clicking on one pixel.
A human finger cannot do that.
You know this is not a human.
You can terminate that session feeling fairly confident that you haven't just stymied a legitimate user from transacting with you.
Um, and there are various other types of mitigation workflows that you might want to build in.
You might want to push certain types of transactions to manual review and have, you know, a screen pop up saying, you know, your transaction's being manually reviewed, you will be contacted within X amount.
Um, you may want to take users through a series of questions or screens to check if they've been socially engineered.
Maybe they got an email from a Nigerian prince, and they're about to transfer their life savings, and you really want them to think about who asked for that and why.
Uh, and we do actually have customers who are using our tools in such a way as to catch those socially engineered transfers, where the fraud occurred outside of your digital property.
So no amount of user behavior analytics is going to show that to you, because it's a legitimate user logging into their own account, moving their own money of their own free will, but under false pretenses because they have been scammed.
All right.
I, you know, again, I look at this and I think there's so much possibility here to do a better job and like claw back some of the $20 billion in fraud loss and some of the $20 billion, uh, in cart abandonment and, and come out ahead on both sides of that.
Uh, one of the things, though, it's still a little concern about is this involves a lot of different teams, if I'm, if I'm looking at this right, right?
You have application owners, you have fraud owners, you now have identity owners, you have some, uh, people who are, uh, doing some business logic and so on.
Uh, does this decisioning, the central point decisioning help bring those teams together to make a better, like, management decision over all this, or do they end up fighting over who gets control?
It does.
So the really cool thing about centralizing your decision in this way is that it gives you a place to clearly put in words your business logic and your policies that will determine how potentially fraudulent sessions are treated.
You can audit them, you can change them, and by lifting that out of the individual application layer, it's kind of owned in one place.
What we have found is that fraud teams tend to own the business logic in the decisioning portion.
And then IAM teams tend to own the higher level orchestration layer that connects everything together, and you just sort of plug in those decisioning points in the moments in the flow where it's appropriate to check again.
This session seemed fine when user performed action X.
Now, they are doing action Y.
Let's check again.
There might be new context that has come in through one of our other detection tools that tells us we should now treat them differently.
There's an interesting separation of concerns there too, which I think is good.
So you've got a single central point for the fraud policies, uh, separate from the people who are maybe doing DevOpsy things all day long and making changes and things, and they're not able to go in there necessarily and change the fraud detection policies.
We've, we've heard from a lot of fraud teams that they really want, um, an isolated, uh, limited access place to build out their fraud policies that's easily auditable, that, you know, is easily modifiable, and that is a place that if they change something in there, will not break the overall user journey flow, which is something that has definitely happened and causes additional friction that is unnecessary between fraud and business teams.
Yeah, so let's talk about that.
So, I mean, the goal here is to really try to make what you're doing, uh, not just frictionless to the end customer, but maybe even lubricate what they're doing so that they're not interfered with by people who are doing fraud, right?
So you're, you're, you're not just reducing the chargebacks the company has to deal with, but you're hopefully improving the customer experience.
How, how do you view that, and are there, are there features and approaches using this that make that better?
Yeah, I think the ultimate goal, uh, that everyone in a business can agree to is the more invisible that fraud prevention is to a legitimate customer, the better.
So, when this works as it should, your legitimate users should be having a very easy experience where they go to your website, uh, perhaps they log in, or perhaps they're auto logged in through your app.
And they go to transact, and they click Buy, and they click Confirm.
And it's done, right?
Um, but an illegitimate user is stymied at every single turn.
Because you are seeing that there's behavior or other characteristics or factors that don't line up, and you are making sure that it’s very difficult for them to get through.
So, when you start with a population of users who enter your site, you can almost immediately weed out the non-human users.
Right?
If you've got a good detection tool in place that can separate bots from humans, um, it'll tell you that the way that this user is moving, or the way that this user is clicking, or the speed at which this user is doing certain things is just not human.
That there's no human who can do what this user is doing, therefore this user is not a human; they are a machine.
You can kill those sessions with comfort.
You know that there's nothing good that could have come from allowing them to continue to register an account and do other things.
Um, and then you separate your users on the back end.
Right?
So you never tell them that this is what you're doing, but you separate your users by risk level, and the number of risk levels that you have is entirely up to your fraud team and how in-depth you want to get with your business policies.
And your low-risk users who are exhibiting good, safe behaviors have a very smooth and easy experience, and they never see those additional fraud prevention touchpoints at all.
Your users who are suspicious on some level, um, will have a different experience.
And you can customize that experience based on the level of risk that you perceive you have.
So, so financially, so if I, if I'm a recurring customer and I'm going in and I'm ordering something worth $5 every other day, and I just want a quick transaction, you can identify me, see that that's me, shows me, and let me through and just do that, and I don't have to fill out a CAPTCHA every time I want to order a box of toothpicks or whatever it is, right?
I mean, I personally think you should never have to fill out a CAPTCHA at all.
I am fighting.
You're on a mission to get rid of CAPTCHA.
I am.
It's terrible.
No one likes them.
They're awful.
I want them to go away.
Oh man, Google, sorry about that.
Uh, so, uh, but, but you know, on the other hand, if I'm coming in and I want to buy a motorcycle and I'm in Boston where I'm at, and I want to buy it in San Francisco, where I'm not, and there's all sorts of flags and arrows going up.
I may still be a legitimate buyer.
Maybe I'm buying it for my brother as a present or something like that, but, um, I would then be channeled down into something that says, well, you're a little bit riskier now.
You got to do some verification.
Maybe you got to make a phone call, maybe provide a driver's license and fax something, although no one faxes anymore, but the equivalent, the equivalent of that.
Hopefully we do this all digitally, right?
Yeah, I can tell how old I am.
I'm dating myself here.
Like I'm, I'm dating myself.
Just fax it in.
Um, but you know, we take a picture of their phone and we, we can do all sorts of other types of digital signatures and, and digital verification proofs and things like that.
So that's, that's interesting.
And if I'm explicitly identifying that now, in my e-commerce, uh, processes that I have a fraud team who has the authority to make those policy decisions, I can now start to actually put KPIs on that and start to measure in sort of, sort of a virtuous loop and report to management that, uh, I'm actually clawing back some of the money that we've been maybe invisibly losing, right?
Right, so, uh, it should become kind of a virtuous cycle.
If you build this all together and you integrate it the way that we believe that it should be done, your fraud detection, which is where the cycle starts, should continuously evolve because everything else is going to evolve.
So, you've got your detection step, um, you're detecting fraudulent activity as it happens.
You are then pushing to decisioning to make those decisions in real time and then push for real-time mitigation.
So fewer things get to chargeback.
Fewer things come to manual review, freeing up the time and resources, energy of the fraud team that is inundated with these manual reviews, to actually look through now the intelligence that has come out of those first three steps, all of the reporting, all of the various things that will show you, you know, here is all of the users, and here are the sessions that were identified as fraudulent and, um, you know, here are the cases where they managed to MFA in versus the cases where the session was killed, versus cases where X thing happened. Uh, are your policies working well?
Are there things that you are missing?
Are there things that still end up coming in to chargeback because your policies need tweaking?
So now you use that intelligence to change your policies, and you orchestrate those touch points into the broader user journey to ensure that the overall user journey, user flow is still quite smooth for those users who are not doing things that look suspicious, risky.
And you modify those risk levels, uh, and now once again you're detecting, but you're smarter about what your detection tools are telling your decisioning tool, your business policies have improved, so now it's even harder to get through, and the cycle continues to go around.
All right.
And, and when we're doing this cycling around, uh, again, we could probably have some, some, some reports and measurements at each point to tell us how well we're doing, and, and, and do that continuous improvement stuff.
Uh, when we are thinking about this, and, uh, looking at now implementing this, uh, can we sort of summarize for folks what they need to do more practically, uh, to, to get from where they are today to taking new steps?
Was there, is there some sort of advice you can help people with and say, like, well, look, here, look at what you're doing and then here's maybe the right place to, to start digging in.
Sure.
So I would say the first step is start with detection, right?
You can't stop what you can't see.
So, figure out whether your existing fraud detection is adequate or whether there are swaths of fraudulent activity that you're still missing, and whether you need to add an additional layer of detection on top.
I think that's the first thing you have to do is kind of take stock of your detection estate and see if you're seeing everything, but maybe not in time because, you know, the mitigation automation isn't there, or you're just not seeing everything.
So depending on how well your detection is working, you may want to tweak there.
Next, you have to figure out how to automate your mitigation.
And I really do believe that centralized fraud decisioning, especially in situations where there's multiple signals from multiple vendors coming in, is a great way to do that.
So that you can make those real-time mitigation decisions and push for real-time mitigation without ever having a human team member involved in reviewing the transaction.
Right, so if you don't have a decisioning layer, but you are doing fraud detection with multiple vendors and signal types, I would recommend, the next recommendation I would say is implement centralized decisioning, right?
So you can't manage, you can't manage what you can't measure, which would be the detection part, and you can't manage what you can't manage, which would be the mitigation decisioning part.
Uh, and once I've got those pieces in place, and then I want to do a better job.
Right?
So I, I, I, I, I learn, right?
What, tell me, what's learning in terms of Ping Identity here?
So.
You should be able to leverage the reporting and the intelligence that comes out of your detection, decisioning, and mitigation tools to sit down with your fraud teams and see what is actually happening and where the gaps are.
Um, or maybe where your measures are too draconian, right?
Where there are places where you are making it too difficult to transact versus places where there are gaps.
Uh, and so using that information that you're pulling from those earlier steps, you should be able to tweak your fraud response.
This is also where centralizing those business policies becomes very useful. You don't have to hard code a change in policy into 6 individual applications, you just go to one place and you write a sentence saying, you know, for transactions over $5000, do this.
Regardless of which e-commerce path they've taken or which application they're actually doing across your company, right?
So the business logic is more straightforward in that fraud decisioning layer, um, and not necessarily embedded by 5000 different developers in different pieces of code.
Um.
And then the other piece of this that's really important is orchestration.
Um, there's a lot of talk about identity orchestration right now, and, uh, we at Ping feel really strongly that if you have a good orchestration engine, then you can build those user experiences to look exactly the way you want them to, and maintain their security while also being easy for your end users to go through.
A good orchestration layer will let you pull in all of those different tools from different places, your, your 4 to 8 detection tools, your decisioning tools, your mitigation tools.
Maybe you have MFA with one provider, but you're doing ID verification with another provider, right?
It doesn't matter.
You should be able to build those all in one seamless user journey.
The user shouldn’t need to know that there’s 16 vendors on the back end on your part.
They just need to know they go to your website and have an easy time buying something or transferring funds.
That's the goal.
At the end of the day, you're just again reducing that friction while catching all the fraud.
So one of the things I like here is that you've got this, again, we talked about this earlier, separation of concerns.
So the fraud logic is in one place, and the identity orchestration can kind of wrap around that, but you do have that fraud logic lifted up from the end tools, so it's, it's decisioning here and not decisions made in lots of different microservices, for example, or spread out throughout the day.
So that's really good.
Uh, and then that, um, do you have, uh, uh, just a couple of examples of people who have now adopted this approach and have, and have seen some significant improvements?
Sure, so we've got a few customers that are doing pieces or chunks of the fraud prevention journey with us, right?
This is still a fairly new initiative for us.
We're really excited about it.
We're going forward and we're getting more and more people kind of signing on and giving this a try, but some of our early successes have been really telling.
Um, I have one financial services customer who implemented centralized decisioning and some of our tools for mitigation, and they, within, I believe it was something like 10 hours of go live.
10 hours, OK, because it's not, not like 10 days or 10 months, 10 hours.
No, 10 hours of go live, we stopped a 12,000 pound sterling scam.
So in less than a day, it paid for itself and then some, and they're continuing to see, they've, they've implemented our tools not across every single channel, and I can't speak in too much detail about them, right, because they haven't consented to be named, but um, the channels where they have implemented our tools, they are seeing a statistically significant decrease in fraud losses.
And, and I would imagine that, uh, one of the things I wanted to point out earlier is that, you know, we, I cover a lot of IT products or IT tools, a lot of backroom stuff.
Uh, but as we're talking about this, this isn't simply backroom.
This is front room.
This is board-level visibility kinds of things.
So, uh, if you're learning and you're going back a slide or two, and we're getting these reports and audits.
This is stuff that could be elevated up, not just to management, but to the executive team and even the boardroom about how you're improving what you're doing in the company across the board, which I just think is critically important for people's professional development, and of course the success of the organization today.
That's great.
So, uh, so Maya, we're kind of running a little bit out of the end of our session here.
If someone is more interested in, uh, learning about, uh, this process we put on this more converting to a session-oriented thing versus transaction-oriented and looking at the different ways Ping Identity can help them make that journey or complete that, uh, that, that virtuous cycle we talked about.
What would you have them go look at or give them some resources?
Sure, I would, uh, invite them to visit our website, come to pingidentity.com.
There is a Mitigate Fraud Risk, uh, solution page that talks about all of the pieces of this in greater detail.
We have quite a few additional pieces of content for you to peruse, uh, but ultimately, reach out to us if you have a fraud prevention initiative and you want to talk to us about how this could look in real life in your individual organization, because every organization's approach is going to be a little bit unique.
Uh, because it's an additive business, none of us are ever going to come in and tell you, let's rip out everything you have.
We're gonna put in PingOne end to end, and it's going to work.
We have an end-to-end solution.
It does work.
If you have things that are already working for you, let's pick and choose the pieces where you need to improve, and, you know, our, our solution architects can help make that real for you.
Kind of like that glue or expanding foam, you can put it on top of whatever you have, and it's going to unify it into one solid infrastructure.
Oh man, we've got a lot of analogies here today, Maya.
Thank you for, thank you for being here, uh, and explaining this.
Uh, I learned a lot, actually, about fraud detection.
I thought it was pretty simple, but there's actually some subtleties to it that are worth exploring.
Uh, so thanks.
Yeah, you're very welcome.
It was great to have this chat with you today.
All right, uh, back to you, Ryan.
Uh, what have we got?
Well, thank you both Mike and Maya.
I think that was a very useful discussion.
And I think our audience definitely appreciates all that information.
I want to say thank you to Ping Identity for sponsoring, and of course, thank you to everyone who came today.
It wouldn't be an event without you all.
And a big, uh, shout out to Dave.
We hope Dave gets better soon.
He will be back in the saddle for the next event.
And once again, I'm Ryan Neufeld with Truth in IT, and we hope you have a great day.
Thanks.