Hello, good morning, good afternoon, and good evening, everybody.
I am Maya Gronovich Scott with Ping Identity, and I am so pleased to welcome you today to our panel on designing a dynamic fraud response.
It's very exciting because I've got four experts in the field of fraud prevention here with me who will hopefully be able to share their insights and give you some things to think about as you move forward with your fraud prevention strategy.
So I will go ahead and toss it over to them to introduce themselves.
Let's start with Ashish.
Thank you, Maya.
I'm very happy to be here.
My name is Ashish Jain.
I'm the CTO at Arkose Labs.
We are a bot management, fraud detection and account security company.
Prior to joining Arkose, I used to lead the Identity, Risk and Trust teams at eBay.
The charter of my team included global registration, authentication, KYC, account fraud, payment fraud, cancellations, disputes, and refunds.
So that gave me a good opportunity to go deeper into one merchant.
And now at Arkose, I spend time with a variety of customers.
I've been in the identity space for almost two decades now, and I also sit on the board of the OpenID Foundation, and I think the intersection of identity and fraud is very, very interesting, and I'm looking forward to having a chat with the panel today.
Thanks so much, and let's go ahead and move on to Ela.
Hello, my name is Alaa Meat.
I'm the VP of Product for Bot Defender at PerimeterX, now part of HUMAN post-merger.
I'm looking forward to chatting with you as well, Ashish and Robert, around everything identity and fraud, whether it's with regards to payments, e-commerce and retail and everything in between.
Fantastic, and Robert.
Hi everyone, my name is Robert Panasiuk.
I'm the CTO here at Deduce.
We started Deduce to solve a very specific problem around fraud and identity: being able to harness the intelligence from many, many users interacting online, in the hundreds of millions in the United States.
I'm really excited to speak to the panelists here today as well, and give you some better insights.
Fantastic.
And then finally, Brandon, could you introduce yourself, please?
Hi everybody, I'm Brandon Williams.
I'm the VP of Identity Strategy here at Ping.
Before I was at Ping, I was running customer identity and a bunch of other security functions for a large financial institution here in the States.
So dealing with fraud was something we had on an everyday basis.
And I'm happy to bring some of the trends and things that we learned throughout the process here to the panel and the audience.
Fantastic.
Well, speaking of the trends and things that you have learned and are continuing to learn in your positions, let's actually go ahead and start by defining the problem a little bit.
So, what are some of the trends that you're seeing in the fraud landscape today?
And what is the effect on organizations that are doing business online?
How about Robert?
Do you want to go ahead and start this one off, since you're all about that threat intel?
Yeah, absolutely.
So, I think that we often have a misconception of what fraud looks like and what a bad actor looks like.
In many cases, when I've talked to individuals, especially practitioners, sometimes there's a concept that a bad actor is maybe a script kiddie sitting, you know, behind the screen, similar to me in a hoodie, and trying to gain access into a particular system.
In most cases, it's actually organized crime activity.
And you can see this across communities in the dark web, like RaidForums and Hydra, that were taken down, which prior to that were a bit more accessible, but also a lot of stuff that's posted on Placements.
You can often find, if you actually research, other actors trying to gain access into your system, such as authentication forms and registration forms, and that's one thing that I think as an industry we really need to recognize, because these individuals share their knowledge between each other, and on the fraud side we often don't do that.
We often work in silos.
So I think that collaboration and knowledge sharing is also really important.
Likewise, with COVID and the opening of different security systems to allow remote workers to work from home, quickly emerging, and the building up of ecosystems to expedite shopping for retailers, and we have a lot of retailers on the call here today, has also led to over a 100% rise in ATO and also synthetic ID.
It's a really huge problem in the United States, which numbers around $95 billion US dollars.
So it's definitely something we need to work together to solve.
Yeah, Ashish, I see you nodding along.
Do you have anything to add to that?
Yeah, so first, I agree with a variety of things Robert says.
I just want to add a few more things, if I have to summarize.
I think we all would agree that in the last few years, the total number of fraud cases, the total amount of consumer fraud that we are seeing, has significantly increased, right?
Whatever the number, I've heard different stats and different data: it is, you know, 50 billion plus in terms of consumer fraud.
We have heard that.
On account takeover, Robert, you mentioned a 100% increase.
We have heard the numbers, for instance in our network, that one in every five login attempts on your site is actually an ATO attempt.
We have heard a variety of data coming out that 30% of registrations are actually fake account registrations.
And from a trend standpoint, I feel like there are a few things which have changed in the fraud landscape.
The first one, I think, is that because of COVID, the number of people coming online for the first time has increased.
So there's more ROI for fraudsters.
We saw people using services for the first time, and suddenly the ROI went up, and that attracted a lot more people from the fraud underground world.
The second trend that we have seen is a lot more hybrid attacks. In the past we saw, you know, abuse: a few people trying to get account takeover, and some organized crime.
Now we are seeing a combination.
You know, I talk about the gig economy; it is not just about Uber and DoorDash.
The gig economy is now when you are utilizing low-wage people in other countries and using them as money mules, or using them as CAPTCHA solvers to solve the problem.
The third part I have seen is the sophistication of the attacks. Like Robert mentioned, these are organized collaborative efforts, and in the last few weeks itself you have seen almost like fraud as a service, like you have seen EvilProxy coming in.
You can subscribe for $400 a month and you essentially get something completely automated.
You have seen the Genesis Marketplace, which uses password spraying and cookie stealing together with an embedded browser.
We have seen Caffeine on the same front.
So I feel like, if I have to think about it, in the last few years the total number of people coming online has increased.
The fraud has become more and more hybrid, and the barrier to entry has become lower simply because of the fraud-as-a-service type of tools.
And together with all of that, things like social engineering and synthetic identity are on the rise, and that is something that we all have to be very, very careful about.
Yeah, I saw some nods, Brandon.
I'm actually interested to hear your take on this.
Because on the identity side, I've heard synthetic identity a couple of times.
There is a pretty strong link, I think, between fraud prevention and identity management.
So, what are you seeing?
So, the one thing that I took away from Ashish was the first-time users.
That's something that, because of businesses pushing to find new ways to interact when they couldn't do it in person in 2020, created this sort of rush of forced interactions that happen digitally, where I can't see you, I'm not interacting directly with you face-to-face.
So, you know, we would see things like the hybrid type of attack that Ashish was talking about, where I start with an online account, but I will then leverage the call center and try to conduct fraud that way, right?
So the companies that we see having the most amount of losses are the ones that aren't anticipating multiple layers of controls to try to prevent and stop fraud, right?
So, fraud detection and prevention is very similar to cybersecurity.
Right?
So you can't prevent everything.
In fact, you probably don't want to prevent everything, because you want to see a bit of what's going on from an activity perspective.
And so you're probably going to have some acceptable loss that you may be willing to take.
But what's more important is that you take the easy fraud things to detect and block them, to prevent them from happening, then focus on what are some patterns of behaviors that we can create alerts on for our fraud team to then follow up on, and then learn more about those, and whether this is something that is rising or falling.
So in 2020 and 2021, the biggest ones for us at the bank in my previous role were romance scams and IT scams.
Those were the biggest ones we were seeing.
Losses for those were sort of third-party losses, I'd say.
There was other fraud going on, but it was like friendly fraud and other types of problems.
When we look at that third-party external fraud, it was trying to get the human to do something that would allow for something of value to be transferred.
That makes sense, and Ela, I saw some nods along from you as well.
What do you have to add to the broad landscape trends that you're seeing in your role?
So I think you pretty much mentioned like 95% of what's going on.
I can probably share at least the part about the commoditization of how to get an attack going. Like Ashish mentioned, the fact that right now you can pretty much buy all of the components that you need to create an attack for like a buck and a half online has changed the landscape dramatically.
Like you said, you're not just seeing script kiddies; you're also seeing people who are trying to do targeted attacks, who are no longer hackers. They are businesspeople, like fraudulent businesspeople, but still business.
They're trying to make a buck, and what that has kind of created over the last couple of years, especially with COVID and everything else, is very targeted attacks, which, to Brandon's point, are no longer specifically geared towards just an account takeover.
That's just the beginning.
Since the attacker is now not a hacker but a business person, they can tailor the attack against that specific site or service that they're after.
If, for example, it's a retailer, then they start off with an account and move laterally.
If it's, for example, something more complex like a shared marketplace, there are about 10 different vectors of attack once you have a fake account and a real account that you've taken over.
That can be a really big surprise for people who are managing security and risk at those companies.
So that commoditization piece and the value that's behind it has created a boom of targeted attacks, which are very interesting to track, and hard to protect from.
Can I just add a quick comment to what Ela was saying?
So, when you talk about targeted attacks, and Brandon, you touched upon the fake accounts and all that, we have seen some very concrete examples. For instance, as a retailer, you have a marketing campaign to get new people to sign up, and you have, say, a million dollars in coupons: if you come in the first time, I'll give you $5 off.
And then people will create fake accounts.
And within a weekend, we saw the entire budget for marketing get spent because people created mass fake accounts.
We talked to a server company which was giving free server resources, and fraudsters created fake accounts to use for crypto mining.
You mentioned romance scams; there was news about how that is on the rise.
We saw fraudsters trying to create fake accounts in gaming companies and then spam all the other gamers, because the gaming company wanted to lower the barrier, but then they spammed everybody for an extra thing.
And even if they get 5% success, that is still a very good ROI for a fraudster.
So, I think this targeted concept that Ela talks about, not really a hacker but actually a business person putting a fraud hat on, is definitely on the rise.
Yeah, that makes sense.
So then I will ask you, based on all of that and some of the things you've touched on around how you've got these very professional fraudsters who are not just some kid in a hoodie in a basement, right?
You've got these criminal organizations that are committing fraud.
They're committing these very targeted attacks.
They're attacking in various different ways.
They may be attacking via various different vectors that may be interacting with your company in a lot of different ways.
So, given all of that that companies need to defend against, what do you think are some of the really key, most important things that fraud teams need to think about when they're designing their counter-fraud strategy?
And I'll toss this to whoever wants to start, because I bet all of you have thoughts on this question.
Yeah, please.
I think maybe I'll echo what Brandon said a bit before.
The way that we look at it, you need to take a look at at least three things.
The first is, and I'll put on my pre-security hat for a second: as a security and fraud person, you have to look at your role as an enabler.
If you're creating a system which blocks the company from doing what it's meant to do, that's going to be a problem.
So you need to make sure that your fraud positioning will allow the company to move, whether it's technologically, whether it's through business opportunities or anything else.
If you're going to become a blocker, that's going to be hell for you.
The second is user experience.
It kind of ties into the first one, but it has its own merit, especially since whenever you add, let's say, something like a CAPTCHA, there's always going to be someone from UX telling you, "Guys, this is going to impact the funnel, what's going on here?"
And third, which is what Brandon mentioned, is what we call defense in depth.
Any security product in the world is always going to have false negatives and false positives, and you're always going to want to have various layers in there.
Each layer, again, to the point we made before, has an impact on the funnel of fraud.
You want something that removes as much of the automated bot traffic as possible, and then something is still going to get through.
If, for example, we're talking about ATO or credential stuffing: you don't necessarily need credential stuffing. You mentioned cookie stealing.
That's always an option, and then you're never going to be seeing a credential stuffing attack.
So you're going to need these layers of protection that help you whittle down the attack all the way to a point where someone can look at whatever is left and clean that up as well.
So, I think three things: make sure you're an enabler and not a deterrent, think about the user experience of your own customers, and defense in depth.
I like that, Ela, that you're mentioning user experience, because even in a lot of our conversations we are seeing that user experience is predominantly becoming more and more important.
There was a study out there, I think by 451 Research, which essentially moved the fraud problem down to the third slot of concerns and moved user experience up to the first slot of concerns.
So, I think as an organization, you need to collaborate a lot more between security, UX, and business in order to get better outcomes, and not only measure your capture rate in terms of fraud, but also measure all of those false positives and the impact on the experience that they're having.
But also what we're seeing, and the way that we think about the landscape, really touching on a lot of the points that we've all mentioned here so far, is that there are two parts.
One is that every sort of experience online begins with identity.
So the core question is really: is the individual behind the screen the actor that is acting with someone's credentials or with someone's information? Let's say I have a date of birth, a social security number, and an address.
Is that actually the individual behind the screen?
And the second one is sort of this idea of continuous authentication.
You don't want to just protect your registration page.
You don't just want to protect your authentication page and how you authorize users.
You don't want to just look at checkouts.
You really want to look at the behavior of an individual and continue verifying that individual in the background as these activities take place.
And this becomes also really important from a UX perspective.
So, you know, I get really frustrated with some of the apps I use, because I can log into Amazon on my phone, and they never lock me out.
It's one swipe, I purchase something, done.
I haven't been asked to log back into Amazon for probably six months to a year.
There are other apps that I use in the retail space or banking that I have frequented.
I use the same credentials, networks, and the same device, and they still have to periodically reauthenticate.
And in a strategy where you've employed continuous authentication, you're actually able to continuously verify the individual in the background, and that allows you to extend the session.
It allows you to understand this is the same actor, and really extend that trust and improve UX.
And I know Ashish also talked about UX quite often, so I'll let you continue the conversation.
Yeah.
So, I think, look, continuous authentication is a very, very big topic.
So for a second I'm going to punt it, and I'll come back to it if we have time at the end.
But the three things you mentioned, how should we kind of design it, what the team should think about: I'm just going to paraphrase some of the things that both Robert and Ela touched upon.
The first one I want to mention is defense in depth, and the fraudsters continue to evolve.
And, you know, there are multiple tools that you can have.
There's not really a single silver bullet.
You cannot just say that, hey, look, I'm going to do SMS as a requirement for every registration, and that will solve the problem, because we have seen that being defeated by EvilProxy and, you know, man-in-the-middle attacks.
At the end of the day, same thing with CAPTCHA: there is some friction that you potentially may be introducing, but regardless of that, you're going to have some false negatives, you're going to have some false positives, and you need to continue to manage them as you grow your business.
The other part I want to say is that you need to start with monitoring and measuring, because if you can't monitor and measure, then it is very hard for you to build and develop new strategies.
Many times when we get to talk to customers, they do not really have a very concrete sense of how they measure false positives, how they measure chargebacks, how long that takes, and whether they use that to continue to define their strategy.
And then the third point: Robert, you mentioned earlier that there's a little bit better collaboration in the underground economy than we have on the good side.
So, I think fraud will continue to evolve, and we have to act with a sense of urgency.
But I think we also need to figure out how we pool resources, how we share best practices with each other; you know, multiple banks and e-commerce and different vendors, we have not done enough to share what we are all collectively fighting.
I think that's the other thing as an industry we should spend some time on.
Yeah, there are a couple of things in there that I heard that I want to dig into.
I do want to touch on UX, because I think that's a huge topic, and that's one of the reasons that we're all here together today, right?
Because we're trying to address the UX problem.
But before we go there, because that might be a little bit of a lengthy one, I do want to touch on something else.
I think it was Robert who said that the way that you should be looking at a customer journey should be the customer's journey as a whole, versus looking at individual events like checkout or login, or wherever it is that you're putting those controls.
So, if you're looking at protecting the entire customer journey, right, from beginning to end, and you're really looking at it holistically, I know that there are a lot of counter-fraud tools out there, and they all come into play at various points throughout that journey, right?
There are some things you can know at once, when the user begins interacting with you, and then there are some things you might not know until much later, as you're watching their behavior and seeing how they're interacting, and then there are some things that you flat out can't know until they get to the point of putting in their payment method.
Let's say, if we're a retailer, you can't check that payment method until you see it.
So, if you're thinking about all of those things coming in at different points, how do you think fraud teams should be leveraging these different tools, with their different timing, within their fraud response?
And we didn't hear from you, Brandon, earlier, so if you want to kick this one off, that would be great.
Sure.
I mean, I think one of the things that you're sort of hinting around without really saying it is that there are some different types of conversations that have to happen that aren't really related to speeds and feeds.
It's things like: is your fraud team resourced appropriately for the type of things and tools that you're wanting to solve for? And you also have to make a determination of, do we care about certain things?
So, as an example, I gave a talk at a conference about a month ago about bots, just talking about how defenders, how blue teamers, defend against bots.
And one of the first things that we talked about is, look, before you do anything from a tech perspective, this is a risk management discussion that needs to happen.
And you need to understand what you want to do if I detect some type of event.
So, let's take something that's not as hot a topic anymore: this time last year, PS5s were released, and people rushed; bots were rushing to get the PS5s to sell them on the secondary market for 2X.
The original retailer may say, you know what, I don't care, I made a sale, whatever, it's fine.
Or that retailer may say, you know what, no, I want to give people, actual humans, a fighting chance to get one of these things, so then I'm going to put tools in place that are going to prevent what I determine as a bot, through that whole journey, from completing one of those purchases, right?
So, well, I didn't sort of directly answer the question.
I mean, it is one of those things that you kind of have to lay out on a whiteboard, if you're able to get in person and sit down, and draw that customer journey from left to right, and look at historical fraud that's happened at your company to try to understand where the soft spots are that the fraudsters are pushing on to try to find where they can extract value.
And then have that real serious conversation with management: look, if we want to defend against all of this, this is what it's going to cost from a resource and personnel perspective, from a tool perspective, and then sort of gauge it: yes, we're OK with this; no, we're not.
It's all about the trade-offs that you're going to have, and it actually does create a fun conversation, because you will have those trade-off conversations throughout designing that journey from left to right.
Yeah, I can tell you, having been a retailer in the past, that I don't think any retailer would be OK with the bot and the PS5 story that you mentioned, Brandon, because from a trust and building-loyalty-among-your-consumers standpoint, you don't want to do that.
At some point in time, it's not just about whether or not I was able to sell all the PS5s.
It is also whether I was able to bring the value to my members so that they come in here next time and the time after that.
Yeah, no, I get it, and I feel like it depends on where you are in that life cycle, so there may be some retailers that are just trying to make a quick buck by selling something cheap.
And then there are others that are trying to build a long-standing sort of relationship with the customer, and we can talk about user journey.
There are some things we should talk about; we can punt that down the road later for user journey, because there are a whole lot of interesting things we can talk about fraud-wise, about what the impacts are of doing things certain ways.
But no, I 100% agree that it does come down to what that position of the retailer wants to do, and that's that conversation that you have with management.
You don't necessarily have that in a fraud department or in a security department or something like that.
You'll have that with management.
Yeah, and I think in terms of the user journey, so again, prior to Arkose I ran this for eBay, and we used to call them checkpoints.
So, when a user comes in, registration is the first time you interact with the service, then you have login, then you browse an item, then you add an item to the cart, then you go to checkout, then you enter a shipping address, you enter a credit card, you click OK.
And then the follow-up: you get the review order, and then you potentially can do refunds, cancellations, and disputes.
So, all of them are checkpoints.
I think the point to note is that what many companies don't do very often is that they treat these checkpoints in isolation.
So the data, and the data can be IP and device fingerprinting or behavioral biometrics, or how you interact across the site.
Many times these checkpoints in big companies are owned by different teams.
So the checkout, for instance, in all big companies is a separate team.
The identity team responsible for registration and authentication is a separate team.
The Risk and Fraud BU, which manages the overall losses and, you know, money-back guarantees and all that, is a separate team.
And what big companies have not done well is making sure that the data and the interaction of the user across all of those different checkpoints is shared, so that you build collective intelligence, and not just continuous authentication, as Robert mentioned, but continuous fraud detection as the user is moving across the site.
And that's a really good point, Ashish, because I think we often think about siloing between business units, but the reality is that there's also siloing within the different steps of that journey.
And I do want to point out that the DaVinci platform, and orchestration in general, becomes really important here.
So being able to use these different types of tools as part of these journeys and then bring that data together is a really important component.
And then also having the ability to change outcomes based on results within that journey, to change the tools that you're using.
So, for example, you'll be using a perimeter tool like Arkose, or ourselves within the identity verification, for different parts of that journey, whether that's login or registration or checkout, and there may be other places where you might not be using all of your tools, like document verification.
That might be something you're only doing at registration.
You're definitely not doing that at authentication.
So, having a flexible platform that's allowing you to link all that data together and link those tools, so that you're getting that whole fraud strategy in place, is really, really important.
Secondly, you also want to make sure that you're able to very quickly change configuration, change settings, if you need to; for example, blacklist an IP space because something really nefarious is going on in a particular online community.
You don't want that to result in a Jira ticket, for example, out to your dev team that takes two weeks to deploy.
So having one platform in place that's able to do that cohesively is also a core part of the strategy.
Ela, you seem to have something.
Yeah, please go ahead.
So I'm kind of biased, and it's funny, but I'm biased towards the same kind of solution. The way that we've been looking at this is exactly the same as Ashish, Robert and Brandon have been mentioning.
On one end, you've got silos within organizations, and on the other end, you want this continuous authentication kind of mindset, or continuous approval of, yeah, this is who that person says he is, and he's doing something that he's meant to be doing.
And the way that we've been looking at it is that, to Robert's point, if you have a single place where all teams funnel their insights and configurations into, whether it's from one system or another or several systems from the same company, again, a little biased, that facilitates the sharing of knowledge and information within the company, which then creates a better fraud and risk solution, because instead of just saying, yeah, this login was fine, this credit card is OK, you have a point of reference where you're saying, yeah, this guy usually comes in from here.
And all of a sudden these requests, which are a little weird, came from a different device.
Nothing weird happened later on, so it's fine.
Or all of a sudden you see that they're changing their addresses and ordering something from someone completely different while they're accessing from another computer.
So these kinds of sharing of information across systems or divisions within the company are absolutely paramount to create a strong fraud presence.
And just to kind of very quickly add on, on this topic and also But, You know, the whole isolation which happens in the companies and a little bit on the same Front as the user experience.
The other part to keep in mind that uh Even if it is the same checkpoint, But the metrics that the different teams are responsible for are sometimes different, Right?
So, we mentioned that any time a new user Interacts with your service, registration, login, and account recovery are one of the First experiences a user would have to go through.
Keep in mind that these are also the three most attack points by the fraudsters' registration, Login, and account recovery.
So, anytime when you want to lower the friction for your good user on these 3 checkpoints, You have potential that you may be lowering their defenses for the bad actors on the same 3 Checkpoints.
Now, as an Identity team, you generally measure The completion rate, like the, the number of people who show up on your registration page, Number of people who complete the registration.
For login, how many people can successfully sign in.
If you look across the industry, the numbers depend upon the type of the business, but across the industry, the registration rates go somewhere between 55% and 65%.
I land on your registration page, and then I'm going to complete it.
The login success rates in the industry are about 85 to 95%.
So, if you have a team for identity, they're going to say, I want to grow this, so I'm going to lower the friction.
And, uh, because every 2% increase in registration or login results in top line.
If you're a fraud team, you're gonna say that I want to mandate SMS on every registration, and that by itself will drop your registration by approximately 20%.
So then, as a company, I want to reduce losses, but then I'm going to mandate SMS, but that may result in a 20% registration drop.
How do I find that balance?
And if these two teams are working in isolation, how do I break the tie?
Yeah, that's actually a great segue to the big topic, right, that's been on our minds since the very beginning.
It's come up a couple of times.
Let's go ahead and talk about customer experience.
So, as you say, fraud prevention and customer experience have often been at odds.
There's been this perspective that to have one be excellent, the other is probably going to be poor, and vice versa.
There will always be impact.
There will always be trade-offs.
What are your thoughts on ways to lessen that impact?
And do you believe it's possible to get to a point where both the customer experience for the legitimate user and fraud prevention to protect you from illegitimate users can be excellent simultaneously?
I'll toss this to anyone who has thoughts on the topic.
I think I'm sure we all have thoughts on the topic.
All right, well then, let's start with Ela because he spoke first, and then everybody will have things to say, because this is the big one, right?
This is the thing that people struggle with so much.
I think fraud teams struggle with this tremendously.
They get blocked when they're trying to put in protections to protect revenue, but customer experience teams are saying, but we're, you know, we're seeing abandonment, we're seeing cart abandonment, we're seeing session abandonment, we're seeing users refuse to register, we're seeing registration drop-off, so.
How do you solve it?
So, I think the key here is to look at it from two directions.
One is we need to make, you know, life for fraudsters as hard as possible, but, um, we need to make life for human beings as simple as possible, and we do this with a variety of things.
It ranges from low-friction CAPTCHAs, as simple as possible, versus those horrible things we had back in the '90s, which we all know and love.
Um, and then we go all the way down to solutions which are not necessarily CAPTCHA-driven.
Like one example is what Apple just came out with, uh, Private Access Tokens.
That's an example of something which is not a CAPTCHA solution, but it gives you an option to exonerate based on the signal.
Now, there's a whole bunch of other exoneration type signals.
Uh, every once in a while, uh, fraud prevention kind of narrows down and focuses on seeing, um, these are the signals to identify an attack, and that automatically makes everything negative.
And then that creates a lot more false positives.
While if you're looking at exoneration signals, again, such as the Apple access tokens, then you have an option to say, so this guy is a little fishy, but he has all these wonderful exoneration signals.
Let's let him pass through until we see something very concrete, and then, uh, to Robert's point, comes in the continuous authentication, or to Ashish's point.
Where you look at the customer journey and say, OK, so everything was okay, or at least not fraudulent, but at this point, this is where this guy did something close enough to be dangerous for the company that we definitely want to block them, and then you lower the actual impact on real users almost to nothing.
Yeah, I think, oh, go ahead.
I was gonna say one thing I would stress, if I have to give one message: before you invest in your fraud tools, you should invest in your monitoring and measurement tools, because, uh, many times, with all of those things, there is not really a silver bullet.
You want to be able to try a variety of things, and it is very important for you to be quick to measure the impact of this on your customer base around false positives and false negatives.
And I think that the second point would be that, in addition, we touched upon the orchestration platform, we touched upon the fact of how can I use the same data, you know, across different checkpoints.
The other part which is kind of connected to that is, uh, you want to be able to have different types of methods and apply them based on risk-based decisioning.
You know, Robert touched upon the example that sometimes when I log into Amazon, I never log in for 6 months, but in some places, I log in every other week.
Uh, there are a bunch of passive signals that you can collect.
And when you talk about different data, I can have the data because of history, I can have data because of the network, and I can have the runtime contextual data.
So, if I know that you are coming from the same device, from the same IP, and you log in at 9 o'clock every single day, can I not ask you for SMS authentication, as an example?
And, similar to, you know, you mentioned Private Access Tokens, the other part, which is, again, top of mind these days, is passkeys and passwordless, and I would have the same answer.
Even when you do not ask the user to authenticate, or any authentication method you use, you are still at about 90, 95% completion rate.
On the other hand, if you have enough passive signals that you can completely skip it, and same mobile device, same IP, same net, uh, that is 100% completion rate.
So, you have to balance what I call risk-based authentication, that is not a challenge every single time.
Leverage the historical data, contextual data, and passive signals to decide what is the right way to challenge or put friction in front of your customers or bad users.
I love what Ashish is saying because we focus on that view.
We focus on understanding this activity before a user even lands on a retailer's page or a banking page and really understanding that from the web at large.
Um, and the dimensionality of that is very typically device, the network type, the IP, the type of activity.
One of the things that we discovered from our research also is that sometimes things that seem suspicious actually are not, and then things that may seem benign, um, are actually a fraudster trying to do something malicious.
A really good example of this was an attack that we saw fairly recently on an account opening page for a credit issuer, um, where there were all of these single-character variations to the street address and someone was basically trying to test to see what could they get through the form with the IDM data they already had.
Um, versus, for example, seeing someone suddenly at 3 o'clock in the morning, not expecting them to interact, but they've just changed their activity because they've taken a new job where they're now a shift worker working a night shift.
Um, being able to see that data and see it before that user lands on your page to make a more intelligent decision, um, is really crucial in improving the experience.
Um, secondly, as Ashish also mentioned, you know, the importance of being able to skip a verification.
Um, so one of the places where we see a lot of friction with our customers, um, is in the, um, email verification.
So, you register on a website and the site says, OK, We need to verify that this email is actually you.
Prove possession by logging into your email client, clicking the link, and now we're going to give you the green check box to say, this is actually you.
If you're able to do that with other sources of data such as digital identity verification, um, you're able to bypass that step in many cases.
So across our platform, if we see that a user is stable, we see that they exhibit the same characteristics across many different websites that they are visiting, it empowers you to be able to skip that journey.
Yeah, the last example, um, that I do want to share with this audience is something very specific to onboarding.
Um, so, you know, think of your typical onboarding workflow, um, especially in more vulnerable cases where you might be extending credit.
Um, so the first thing that you might do is you might verify in your doc fee check to say, OK, the Social Security number, the date of birth, and the address match.
Um, you might do a call out and see if that address is something that is part of that Individual's record.
Um, if the user has recently moved, for example, um, that will come back as a mismatch.
So then, what is your next step?
Your next step might be to do DocV.
Someone takes a picture of your driver's license.
Once again, if they moved, they haven't updated their driver's license.
Um, and then what's the last step you do?
You send them over to manual reviews.
Someone now calls up the individual.
Verifies some additional details, then makes a decision, potentially, whether or not to approve that.
By the time you're done, you've created a really poor customer experience, um, for someone that has done something really innocent.
They just moved, which actually happens quite frequently, about 20% of the time annually.
Um, and you've also incurred really large costs, to the tune of $50 to even $100 depending on the industry and the types of checks that you're doing.
Um, so, I would encourage people to take a look at all of the different types of solutions and the ways that they can build better strategies, um, to make those decisions up funnel, whether that is to increase ROI, um, increase revenue and profit, or whether that is to create a better user experience.
I think I'm gonna toss this over to Brandon as well because, uh, at Ping, we are always focusing on that idea of letting your customers have a better experience, and we are obviously trying to come in and build up architecture that will help all of these fantastic detection and decisioning tools come in to solve some of these convoluted fraud issues.
So, Brandon, I'd love to hear your take on the user experience.
How do you build fraud prevention into a user experience that remains seamless?
What does that look like?
Yeah, no, so I think, um, you know, the team here has already hit on a lot of the examples of how this happens, and it's really one of those, you know, it's not a one-size-fits-all scenario.
Like every single interaction is an opportunity to deliver something that is great and something that, um, the person walking away from that experience feels like, hey, that was a great interaction I just had.
And, you know, everybody's got a different reason why they're coming in to work with a particular business.
So being able to, you know, sense early on and make predictions about what is this person going to do.
Um, how can I enrich the information that I'm looking at to make decisions earlier on without having to ask them to give me more information, kind of like what Robert was talking about, right?
So, um, the more I can get that into my profiling, and then start to make decisions downstream, I can, uh, you know, hopefully I'm doing it the right way, but I can start choosing pathways, you know, sort of nudging them down a certain pathway, uh, that I choose, that is gonna help them get from, you know, left to right, the fastest, most efficient way.
I think ultimately one of the challenges that, um, you know, we have when we try to build these things is that sometimes we may be guessing, like we think this is the right thing to do.
So we're going to build this experience left to right, then roll it out.
And where I think one of the cool features of DaVinci that I really love is that there's the ability to do A/B testing in your flows, right?
So you can say, I want to send 50% of the traffic this way, I wanna send 50% this way, and I wanna evaluate the outcomes when they got to the other side.
Were there fewer problems?
Did one flow, um, yield more fraud losses?
Did one flow have more abandonments, if we're talking retail, where they just said, you know what, this is too difficult.
I'm going to go to the other retailer that I know has already built a profile on me, right?
Um, and then, you know, sort of having that all the way through discussion of, OK, from a risk perspective in the business, how much risk are we willing to take?
So I think a really prime example where we have that risk discussion for retail, for online retail, is the use of a fraud tool called 3D Secure.
You know, here in the States, we typically don't see it deployed as much.
Now, I have seen it personally deployed with higher-dollar purchases.
If there's a higher purchase, then, you know, they may just send it through the 3D Secure, um, setup, but.
Um, for my colleagues in Europe, 3D Secure is part of doing, you know, a lot of online transactions.
It's not something that's necessarily as foreign, um, as it would be here in the States, but if you go through that step and you complete that step, you're very well protected as a retailer, versus saying, you know what, I don't want to confuse somebody.
I want them to go through the purchase, get to the end.
And then we'll figure it out on the, on the back end.
We'll do analytics on the backend to determine, you know, how likely this is to result in a chargeback or some sort of fraudulent thing, so.
Um, you know, all that to say, like, it is something that, you know, each business must understand from their users and their flow.
Their sort of customer journey, uh, but, you know, using tools that sort of help create a more enriched, uh, decision-making platform, and then sending people down the right flows to sort of understand that each customer is an individual, and they need to be treated individually, uh, so that they have the best experience for them.
So, just a 30-second comment.
I, I was part of eBay when we rolled out PSD2 and SCA in Europe.
So I have some, you know, I won't get to share it, but how did the user experience change because of that mandate?
Uh, I'm gonna still, you know, repeat the two things that Brandon said: first, uh, there is no such thing as one size fits all.
You need to understand the context, like the login experience for Netflix, which you log in to every day, or Snap, which you log in to multiple times a day, or Airbnb, which you log in to potentially once every 3 months, or taxes, which you do once a year, is very, very different.
So, you need to understand that part, and the diversity of your users.
The second one you touched upon was the whole A/B testing and being able to monitor the impact of different flows, both on the good customer journey and on being able to prevent the bad losses.
So, I think those two things are very critical that we should not ignore.
Fantastic.
There's been a lot of really great discussion, and I do wanna be cognizant of the time of our listeners, so we're gonna do a lightning round where I'm going to ask you a question and ask you each to give me one quick answer.
So, given everything that we have discussed today and all of these various moving parts, what would be one piece of advice that you would offer to fraud teams about architecting their fraud response, given the fact that the fraud landscape changes quickly, um, the need to keep up with fraudsters, the need to keep up with customer experience, the need to keep all of this in mind in order to combat fraud successfully today, and also tomorrow, next week, and next month?
One, your top piece of advice. Ashish, I'm gonna start with you.
What do you think?
See, I was hoping you would give me some time to think a little bit, if it's only one thing.
I know I put you on the spot.
I'm sorry.
It's fine, but I, so I would, uh, since I'm going first, I'll say, I get to say a little bit too.
One of them is, uh, monitoring; invest in your monitoring solutions, and second is defense in depth, because you're gonna need more than one fraud prevention technique, uh, based on your customer base.
Awesome.
Ela, what do you think?
Um, if it's just one: listen to all of the advice we mentioned on this webinar.
A little more useful, then definitely defense in depth.
I, I completely agree with Ashish.
That's the only way to go with what's going on in the ecosystem today.
You have to have multiple layers to kind of protect each other from mistakes.
Makes sense. Robert?
Um, I, I obviously agree with what we've already said.
If I were to add anything, I would say align your organizational KPIs, um, make sure that UX is focused on a component of security, and make sure that security is also focused on a component of UX so that you're building better synergies between those teams and you're breaking down those silos internally, and then everything else that we're talking about here will fall into place.
That's a great one. Brandon?
Yeah, Robert stole mine, so, uh, the one that I'll do instead, uh, is really, um, thinking about the refinement, like dig into the defense-in-depth controls that you've laid out, um, and spend time really making sure you understand why things are being done.
You know, treated in a specific way, whether this is fraud or this is not fraud, and then really focus on ways to optimize so that not only are you optimizing that customer experience, kind of, you know, that KPI alignment, but you're also sort of optimizing the cost and effort required to detect some of the easier, uh, types of fraud that we'll see.
Awesome.
Well, thank you all very much for being here with me today.
I think this was a great discussion.
I hope for those of you out there listening, you learned something new, and we've given you some things to think about.
Thanks again for joining us today, and have a great rest of your day.