Identity theft: How machine learning protects against online fraud.

As digitalization of business increases, companies and every single one of us become more vulnerable. In 2021 the security researchers at the Hasso Plattner Institute in Potsdam recorded more data leaks on German websites than ever before. Theft of digital identities has climbed again as well. Trading in personal data is a billion-dollar business not only for Silicon Valley giants like Google and Facebook, but also for cybercriminals, according to the Institute. In e-commerce alone, experts estimate that worldwide losses due to online fraud totaled 20 billion dollars in 2021. That represents an increase of approximately 18 percent compared to the previous year. Identity proofing, the Institute says, has become the number one challenge for companies in e-commerce and the finance industry. Fraudsters are getting more and more sophisticated and are operating in all channels. 

To find out how companies can protect themselves against online fraud, we conducted a video interview with Frank Heisel. Frank is Managing Director of RISK IDENT. Like EOS, the company, which is headquartered in Hamburg’s Hafencity , is part of the Otto Group. According to Frank, it is market leader for anti-fraud software in the German speaking countries. The diversified customer base includes retail corporations like Otto and Breuninger, Deutsche Telekom and Vodafone, the car rental company Sixt, and Deutsche Bahn. In the financial sector, banks and payment providers protect themselves with RISK IDENT software. EOS clients also benefit (see the interview on page 31). Around the world, RISK IDENT secures annual revenue of 80 billion euros for its clients, according to Frank. 

Frank’s vision is a world without online fraud. He realizes that this is a utopia. “But it is what drives us.” He says the 75 members of the RISK IDENT team are so committed because they know they are doing good. “In the end we not only protect companies against payment defaults—because identity theft can happen to anyone—but also society as a whole,” says Frank. “This type of fraud also finances terror and organized crime.” But how can companies protect themselves effectively? 

The best chance of preventing fraud is to recognize attempts early on. Frank explains how it works: “Criminals typically place more than one order. They use different identities or e-mail addresses, but don’t have an infinite number of devices. We see with device fingerprinting that we are getting an order from Anna, one from Jay, another one from Paula, but all of them use the same device. When we recognize that, we can identify and predict fraud attempts better.” 

FRIDA uses machine learning algorithms to generate links between these transactions and reveal patterns. “She” wonders, for instance: Have I seen this first name in this region within a radius of xx meters in combination with this shopping cart before? 

Frank says fraudsters are remarkably persistent. “Even if they run into a brick wall a number of times, they do succeed eventually. The point is to make sure they do not succeed twenty times by using the same method.” So, the goal is damage control. Complete protection is impossible. That is the harsh reality. 

FRIDA adapts to master the challenges in fraud recognition and prevents false positives to protect the company’s revenue and its legitimate customers. Frank explains: “Within the milliseconds it takes to process a transaction, retailers have to decide whether to accept or reject the order.” 

Companies trying to defend themselves have to ask how inconvenient they want to make things from the criminals’ point of view, says Frank. The higher the firewalls to minimize fraud, the more steps are required. Having too many steps obviously clashes with the online shop’s goal of offering its “good” customers the fastest possible shopping experience, ideally with many payment options. 

For some time we have seen the effects of increased security—especially the use of a PIN or TAN—when we shop online or transfer money. By requiring two-factor authentication, EU countries comply with stricter rules imposed by Brussels, specifically the Payment Services Directive PSD2. “This extra PIN is nothing dramatic, but it can be irritating,” Frank admits. Even then, the additional step does not provide 100% security. Theoretically, text message TANs can be intercepted or misused if your cell phone is lost or stolen. 

As an anti-fraud software provider, RISK IDENT does not want to impede ordering processes or financial transactions and prefers to “fly under the radar,” says Frank. “Our algorithms predict in a matter of milliseconds the likelihood that an order is fraudulent.” Banks or retailers base their risk decisions on these predictions. 

Whether or not algorithms and machine learning are involved, human beings still play a key role in this process and especially in borderline cases. “Since people are sometimes better at assessing a situation, we allow our customers to intervene manually between the ordering and the shipping process and perform a plausibility check themselves,” says Frank. Anti-fraud defense works, he believes, only when technology, data and people’s know-how mesh. “Artificial intelligence as the sole solution will be utopian for many, many years.” 

Currently, e-commerce and telecommunications make up more than half of RISK IDENT’s revenue. Frank predicts that the financial sector in particular will have to make major investments in cybersecurity. After all, most financial institutions keep pushing the digitalization of their processes so consumers can transfer and receive money within seconds. “Instant payment is the vision all credit institutions are working on.” The amounts involved in lending differ greatly from those in online retailing. “In Germany, an installment loan of EUR 80,000 may be issued without any collateral,” Frank says. So a great deal more money could quickly fall into the wrong hands. 

In the EU, government programs should provide greater security by putting digital forms of ID on smartphones, for example. In Estonia consumers can already shop online with their ID card. Will these steps really increase security? Frank remains skeptical. Sure, he argues, central datastores make life easier for all of us. “But only up to the point when they get into the wrong hands,” he says. “If you look at all the data breaches worldwide, you must assume that it can happen anytime, anywhere,” he says. Sometimes, he adds, those who help build a system later become co-perpetrators. In other cases, weaknesses in software or third parties are to blame. 

In India, for example, a central database was hacked last year. “That is worst case.” In central databases, the damage is in all likelihood even greater, as the personal data volume is larger and, above all, the data have been verified. 

The latest cybercrime status report by the German Federal Criminal Police Office (BKA) suggests that criminals on the web are not deterred by more sophisticated defense methods. “Nowadays, very few cybercriminals can commit their crimes by themselves, without critical support from third parties,” it says. Instead, the report continues, they resort to professional service providers from the dark web. The phenomenon of cybercrime-as-aservice is rooted “in the professional, loosely structured criminal association of the underground economy, which is based on the division of labor and the pursuit of financial gains,” according to the BKA. Frank agrees. “It is a never-ending cat-and-mouse game,” he says. 

Thanks to the pandemic, we communicate online and via mobile channels, transfer money and shop online more than ever before. Annual damage caused by cyberattacks around the world is estimated to be in the trillions of dollars. Online fraud has evolved into a serious cost factor for companies. To put it differently: If you lower fraud expenses, you gain a competitive edge. In an ideal world, according to Frank, a business such as RISK IDENT would not even exist. “We really are an unnecessary industry,” he says. “However, data security is not and never will be an obsolete issue.”