Subscribe
Share
Share
Embed
Payments fraud doesn't begin and end with stolen credit cards. There are sophisticated international networks of criminals who dedicate their entire lives to scheming and scamming merchants and consumers for every cent that they can extract. But there are also experts in the payments fraud field who are actively fighting back. True Fraud features real-life stories of the battles that are raging across the world, one transaction at a time.
Welcome to True Fraud. I'm your host, Pablo Torres. I'm the head of risk and compliance at Reach. Today, we're gonna talk about the, something that a lot of people have probably seen over the news, something that has affected businesses in general, I think specifically for online businesses and for possibly the people from Australia. There was, an article that came out a few months ago, I wanna say maybe 3 months ago, that talks about 4 of the main banks in Australia that were, I guess, attacked and they or they were subject to an attack of ransomware.
Pablo Torres:And there was a lot of data that was compromised during that attack. Here at Reach, we're we're always looking into what's hot, I guess, in the market when it's in regards to data and who has had access to it. Most of the times whenever you see articles like this is for something that happened months months ago. When we started going through through a lot of the the the volume that we were seeing from Australia, where we have metrics, that we have, different types of engines and alerts that give us metrics in regards to, you know, increases of chargebacks, increasing suspicious activity, increasing failed authorizations, or, you know, just data in general. The the interesting part or I guess where where all of that data comes handy is when you put it all together, and then you start applying it to kind of real life statistics.
Pablo Torres:We noticed that there was an increase in fraud related chargebacks. We we thought that it was interesting because it seemed almost like something was happening in Australia. And this is and I'm talking about, you know, summer of 2023. This is way before the the article the article had come out. But whenever we notice anything, we deploy controls that are that's based on the criteria of the the pattern that we that we have identified.
Pablo Torres:In this case, we were seeing this across the board, which tells us something a little bit different. It tells us that there's something much bigger going on. And then as we deployed specific controls to identify the the the criteria of that pattern, so we want to provide the best service possible for our partners, but also maybe we don't wanna get in the way of something that they they're likely are doing on their end. And so some of those controls may be basic. Basically, what we did was just adjust and adapt some of our existing controls.
Pablo Torres:It's it's interesting how regardless of of this happening of the the, you know, the compromising of, of these main four banks in Australia, the the patterns don't change that much. It's more about, the volume that you're dealing with. And and, of course, there's gonna be more people that get their hands on them, so there's gonna be more activity online, and there's gonna be people that are doing things slightly different. But it's kind of a like, if everyone went to the same school. And and I remember I I gave this this talk, I want to say maybe 6, 7 years ago in San Francisco about the school of fraud and how it seems like whenever you like you look at the patterns from each country and maybe sometimes based on the the specific payment method, because some of those payment methods are based on geographically or are limited geographically.
Pablo Torres:It seems like they all go to sort of the same school. I'm sure that that's gonna change, as people get more savvy and and they get more connected with logs and and just data that that they come across online. But it still seems like the base of of it all is it's kind of follows the same the same path. You know, it's it's it's sort of a a river. And and in that river, there's the people that are trying to commit fraud, and then you just add more people to that same stream and everyone kind of follows the same path.
Pablo Torres:Every once in a while, you know, if you think about it with the analogy, there might be some rain, which is, you know, if you wanna compare it to data, then there's gonna be more data and it's just gonna overflow and there's gonna be, you know, a few more paths that that are gonna get formed with that overflow of of water. And so it's sort of the same the same way it happened in Australia, where we we started seeing a few different trajectories of of the data and and patterns of of the the data that was being used. We were able to identify identify the banks that were involved in that. And of course, the our controls were based on on that data. And then months later, you know, it we I remember we even had this internal meeting where we were saying kind of like, in the line, something along the lines of Australia is on steroids, you know, in regards to how much activity we were seeing coming from, from that country.
Pablo Torres:Of course, the moment that that article was published, then a lot of people kind of queued into the, hey. That probably has to do with that charge that I saw on my credit card for $20 that a lot of people just brush off and they just move on. Right? And and in this case, a lot of these people likely reported their their cards to their bank as lost or stolen. And a lot of that activity has gone down a lot.
Pablo Torres:We're still seeing a lot, a lot of stuff going on in Australia, but it was very interesting how our team was able to identify this much, much earlier than when it was, like, when it was really reported. Right? Again, whenever you hear of anything going on in the industry, it's likely at least 3 months old. And so when the article came out, we were in a meeting and one of our agents shared the article and we were kind of all like, that makes sense. Okay.
Pablo Torres:And, of course, you know, like in, previous episodes, I've talked about how in the payment industry, you have these silos and these companies that are kind of trying to handle handle that data, and and they're trying to to do their job by mitigating fraud. But at the same time, you have the the nemesis, which is this organized crime group that is connected by all of the the data that's available in the market. On this side, we're looking at companies that have access to that data, but they handle it in silos and they develop their own strategies because they make a profit out of that. And they don't want to share that strategy with the other companies to mitigate the fraud because in the end, that's a business. But and then we have on the other side, the people that are trying to use that data to also generate profit.
Pablo Torres:But because everyone is using the same information, then everyone is sort of connected, you know, in one way or another. Right? And it last time I remember I talked about the, the, the dark web and, and, you know, I think the access to data has become so prevalent and there's so much of it that you don't even really need to to get as far as, you know, trying to use the Onion router or anything like that. You can. I remember just somebody trying to add me on a fake Instagram profile that I have, and it was this kid from somewhere in the States that was selling credit cards on Instagram.
Pablo Torres:And the the photos on the profile were just a bunch of cards laying on his bed, and that was it. You know? So it you don't even need to to go that far. Sometimes even just by doing a quick Google search, you can find blogs where they're selling Netflix accounts. Sometimes they're even just free, you know, they just post them there and then you can have access to that.
Pablo Torres:And then of course, if you want to go a little bit deeper and commit some fraud, then you can try to find some information about that person with that email, and then try to access other merchants that you may see on their Facebook profile that they use or, you know, something like that. So again, the the access to information is so prevalent. There's there's so much of it out there. It seems like nobody's afraid of sharing it in their social media profiles, and it's just so so easy to really have access to it. You don't need to get too far.
Pablo Torres:When you're a merchant and there's so many things that you're trying to take care of, You have your fulfillment center. You have your couriers. You have, your marketing team. You're trying to sell. You're trying to figure out what payment methods to offer.
Pablo Torres:And and really, the last thing that comes to mind is something, you know, somebody's gonna try to commit fraud and and hit your your account or is gonna try to to get goods for free. Everyone is is vulnerable and and I think it's like I said before, it's not a matter of if, it's more of when. And I think that when you get into this market, especially if you're gonna go global, you need to be aware of what's happening out there. Reading, just keeping, taps on if there's any any company that was hacked. You know, you don't need to focus on just banks in order to to figure out what's gonna affect you.
Pablo Torres:It could be anything. Could it could be that billions of records that were obtained from multiple companies, one of them being Twitter or x. The data that was collected from that platform is not credit card data. Or maybe it is, but I'm sure that the majority of it is just emails and names. And that alone is already a really good start for people to to try to obtain access to other platforms that that person uses.
Pablo Torres:Even if they don't try to to gain access to that platform, but just creating an alternate identity for that person and then start opening, accounts or profiles in other platforms using that information, that already is is committing fraud. Right? And so if you're a merchant and you think that only when there's credit card information involved in the data that gets compromised, then you're limiting your view as to what's, how vulnerable you are. And so you want to make sure that the articles that you're reading on a daily basis, you are trying to adapt how that can affect you as a business. For example, maybe there's no credit card information involved in that, but maybe you're seeing a lot of brand new accounts being opened on your platform, and maybe they're not adding payment methods yet.
Pablo Torres:How do you know that maybe this group figure out that because you offer some sort of referral program? Now these people have access to thousands of emails with names and legitimate information so that if your fraud team, if you have a specific fraud team is trying to validate these identities, they're gonna find them on social media and they're gonna say, yeah, this looks good. And they might not be connected, but the fact that you're getting a referral from another person. And then suddenly one day, all of these people are trying to buy the same item and everyone is gonna get 10, $15 off. But you giving them access to that referral program, then you're gonna start losing a lot of money.
Pablo Torres:This is something that should be attracting new buyers, legitimate buyers. And when you have something like that, then you're just giving them access to some of the merchandise that you're covering, some of that costs that you're losing through the referral program. But these people are abusing it. So you're actually going to be losing that much more money. And so just because there's there's no credit card involved or maybe not a fraudulent transaction happening during the creation of these profiles or during the checkouts of of this merchandise, it doesn't mean that it's not fraud.
Pablo Torres:You need to be able to adapt. You need to be able to identify the data that's available out there in the market and how it can be used against you. Again, it's not always just a fraudulent transaction that turns into a chargeback. The majority of the times is. But you need to look at your profile and see how can they take advantage of what I'm offering.
Pablo Torres:Another way, for example, would be what we see with with some of the the countries where they offer low risk payment methods. And a lot of the times these payment methods, they get used to to place these orders. And so there might not be a chargeback associated with with them. You know, we're in Mexico, there is this payment method called OXO. And and basically, you just go and pay at a convenience store, and that's it.
Pablo Torres:And that's that's your order. Really, OXO doesn't care if they get they're getting paid with money that came from somebody getting mugged or from a credit card that was compromised or anything like that. They don't. So there's no risk associated with that. Right?
Pablo Torres:Wrong. Cause you're thinking, well, there's not going to be any chargeback. So I'm just going to get my sales and that's it. Well, what about your reputational risk? What about you as a business?
Pablo Torres:And you're letting transactions from people that are getting their cards compromised, and then they're seeing the payment for OXXO with the name of your business account. And so all of these things, they affect your business in very different ways. And so if you're just saying that the only protection that you should have is in regards to the credit cards or PayPal or the the corners or, you know, the payment methods where you can get affected by getting a dispute or a chargeback associated with each charge, then then you're limiting that view and then you're becoming you're becoming vulnerable. So nobody's impervious to these attacks. A couple years back, we started getting calls from the RCMP and it was, actually RCMP people asking about cards from their credit union.
Pablo Torres:And they were asking who we were. And after a few calls and we started asking the questions back to to the people that we're calling, and it was very clear to us that their credit union had been targeted. And all of the credit cards that were part of the RCMP for that area were targeted, and it that data was compromised. So it was out in the market. And so there were a bunch of transactions that that, had gone through some some of the the accounts.
Pablo Torres:Again, they had the correct address. They had the right names. They had the some of some of the transactions actually even had in the shipping address. They had the names of the daughters of the officers, which was very interesting to see. So, again, social media right there.
Pablo Torres:Right? And so when we figure this out, then, of course, we block the the bin and then, you know, we took action in regards to where the data was coming from, how many transactions were affected. You as a cardholder, you're never gonna think, that, oh, you know, that attack is never gonna get to me. But it it will. It probably already has.
Pablo Torres:Again, you know, like I said before, there's so many cards in the market that it is more likely that your card will go will expire before it gets used. And so it doesn't mean that your personal information is not out there. It just means, it's a matter of time. A lot of a lot of the the the data that's available, you know, specifically with this Australian attack will affect your business, not only in the way that you're gonna look at the the transactions that are turning into chargebacks. But it's also gonna translate into the success rate of transactions that you have.
Pablo Torres:If you're looking into kind of your average Australian success auth rate, it being 95, 96, 97%, and then suddenly you see a drop and you're looking at 70%. It's not because you you're doing your business wrong. It's because of what's happening out there. What's in the environment that's affecting your business? And so being aware of those things also help you identify the strategy that you should be following.
Pablo Torres:Because at that point, when you're seeing that that amount of failed authorizations, you might freak out and go to your service provider and say, hey. Your business sucks. But it's not that. It's actually the banks are doing their jobs. So they're failing those to to start with.
Pablo Torres:And then if the your your payment service provider, it's also rejecting a bunch of transactions. It's not because they're just rejecting legitimate people. So get educated as to what's happening out there in the market and then, use that. All of these things are like the the combination of of it all as complicated as, or as as overwhelming as it seems. It's it's really it begins with just getting educated, staying on top of of the news, staying on top of the way that you handle your data, the way that you can access it, and then using the the the opinion for from the experts.
Voice Over:Brought to you by the reach network. Visitwithreach.com/network for more.