Fraudsters Lie, but Math Tells the Truth

My lovely wife taught math for years. She’s passionate about her subject, which is why she’s very sought after as a tutor for everyone from little kids to grad students. I think what she loves about math is the fact that it’s so absolute. It’s either right or wrong, and it unlocks the secrets to how the universe works. There’s no subjectivity to it (unless you’re a political pollster), and numbers don’t lie (unless you were Enron’s accountant).

In the old days, identities didn’t lie either. You entered a username and password, and if they weren’t correct, you didn’t get in; if they matched up with your identity, you were fine. And that’s still the case—but all too often, the person or bot entering the username and password is not the individual belonging to those credentials. Untold billions in fraud result annually from this phenomenon, which has been fueled by the massive amounts of data stolen from credit bureaus and other places. But this is where math can absolutely help.

For nearly a quarter century, I’ve been in the business of helping people create and provision their identities and enabling them to authenticate to, and be authorized for, the systems they need to access so they can do their jobs. Let’s record your name, number, title, and role and then let you log into your stuff. Over the last several years, that authentication has gotten, out of necessity, far more complex. It’s not just a username and password any longer: fingerprint, face, device, mother’s maiden name, and often some combination of those are required to assert identity. And this is all great for preventing evil logins, but that’s on Day 1 or 2. How about on Day 0, when those identities are first being established? How do we keep bad actors from creating false faces from the very start, using a mash-up of attributes? What’s the secret to preventing the genesis of synthetic identities that are part phony and, horrifyingly enough, part real?

A couple of years ago, some awful person tried appropriating my tax refund. Luckily the IRS suspected as much, giving me the option to prove myself as the true Jeff, create a PIN, and reclaim my return. In order to accomplish this, I had to answer a bunch of questions, like what the make of my car was in 1987, or the hair color of the kid I kicked the crap out of in fifth grade when he tried to steal my bike. I had to find my wife for help conjuring up some of the obscure information. This is called knowledge-based authentication, or KBA. Customers typically hate this, because 1) it’s too much like a test, and 2) they often don’t know their own answers, even when they register these answers when they first sign up. And it’s often based on data that’s been ripped off from the porous credit bureaus. These stolen attributes are the fuel to feed phony identities. Besides that, the hassle of KBA is what we in the security biz call “friction,” and it often causes potential customers to walk away.

A lot of outfits claim they can absolutely verify that somebody is who they say they are, and the way most of them do it is by checking to see if a valid name, SSN, phone number, and/or address are provided. Yeah, okay, there’s some value in that. But still, these are basic elements required by the (strangely named) US Patriot Act that can be acquired all too easily from social media and elsewhere, as well as from those aforementioned credit bureaus.

Rules-based approaches—meaning those that are very skeletal and rely on strictly binary matching (Did they provide the right SSN? Did they give us the right address?)—are too easily defeated. Sure, I give you some real identity elements, but do they all belong to the same real person? You don’t just want the numbers, you want them to fall into the right places and make sense together.

Synthetic identities are commonly built using perfectly legit names, addresses, et al., and when assembled into a fake personage, they often pass muster. Companies, especially financial institutions, need to take measure of the relationships between these attributes.

A much better approach is to not only leverage many more elements but also correlate them. Does that phone number belong to that address? Does that name belong to that SSN? How old are these elements? Was the phone number and/or email created in just the last two weeks? Do any of these elements appear on known watchlists? There are many other such relationships you can build among your data to discern an applicant’s legitimacy.

Simple defenses keep out only the dumbest crooks and script kiddies. As fraudsters chronically evolve their highly focused attacks to thwart CSOs, who have to constantly catch up, the best defenses look at far more attributes, as well as their relationships, to mathematically predict the likelihood that an actor is a bad guy and eliminate a far greater percentage of those bad guys.

The kind of “math” we’re talking about can’t be performed by a rules-based engine, which relies on predetermined inputs and a dash of human intuition. Rules can’t predict new forms of fraud; they can only identify types of fraud that have been seen in the past. With artificial intelligence, you can use math at scale to predict with high accuracy whether the never-before-seen person is a fraudster or legitimate customer.
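To make the contrast concrete, here is an added example (my own illustration, not code from the author or any vendor) that puts the binary element-by-element check beside the correlation scoring described two paragraphs up: does the phone belong to the address, does the SSN belong to the name, how new are the phone and email, does anything sit on a watchlist. The lookup tables, weights, and the two applicants are all constructed stand-ins for the bureau, carrier, and watchlist data a real verifier would query.

```python
from dataclasses import dataclass
from datetime import date

# Constructed reference lookups (made-up values) standing in for external data sources.
PHONE_TO_ADDRESS = {"555-0101": "12 Oak St", "555-0199": "88 Pine Ave"}
SSN_TO_NAME = {"123-45-6789": "Ann Lee", "987-65-4321": "Bob Ray"}
CREATED_ON = {"555-0199": date(2024, 5, 1), "new.user@example.net": date(2024, 5, 3)}
WATCHLIST = {"987-65-4321"}
RECENT_DAYS = 14          # "created in just the last two weeks"

@dataclass
class Application:
    name: str
    ssn: str
    phone: str
    address: str
    email: str
    submitted: date

def rules_only(app: Application) -> bool:
    """Binary matching: is each element, taken on its own, a real one?"""
    return (app.ssn in SSN_TO_NAME and app.phone in PHONE_TO_ADDRESS
            and app.address in PHONE_TO_ADDRESS.values())

def correlation_score(app: Application) -> tuple[int, list[str]]:
    """Score how well the elements belong together; higher means riskier."""
    score, reasons = 0, []
    if SSN_TO_NAME.get(app.ssn) not in (None, app.name):
        score += 40
        reasons.append("ssn belongs to a different name")
    if PHONE_TO_ADDRESS.get(app.phone) not in (None, app.address):
        score += 30
        reasons.append("phone belongs to a different address")
    for ident in (app.phone, app.email):
        created = CREATED_ON.get(ident)
        if created and (app.submitted - created).days <= RECENT_DAYS:
            score += 15
            reasons.append(f"{ident} created {(app.submitted - created).days} days ago")
    if {app.ssn, app.phone, app.email} & WATCHLIST:
        score += 50
        reasons.append("element appears on a watchlist")
    return min(score, 100), reasons

def decide(app: Application) -> str:
    return "decline" if correlation_score(app)[0] >= 50 else "approve"

# Synthetic identity: every element is real, but they belong to different people.
SYNTHETIC = Application("Ann Lee", "987-65-4321", "555-0199", "12 Oak St",
                        "new.user@example.net", date(2024, 5, 10))
LEGIT = Application("Ann Lee", "123-45-6789", "555-0101", "12 Oak St",
                    "ann@example.net", date(2024, 5, 10))
```

Both applicants pass `rules_only`, because each element exists somewhere; only the correlation score separates the synthetic record (score 100, five reasons) from the legitimate one (score 0). The weights here are arbitrary; in practice they are what the model learns from labelled outcomes.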

Increasing the odds of validating identity decreases the odds of somebody sneaking through. Give the purveyors of fraud a higher threshold to overcome by making the numbers work against them, and they’ll fail the test a lot more often.

When it comes to fraud, numbers are your friend. Bad guys lie, but math does not.

Jeff Scheidel

Jeff Scheidel is a technologist with 34 years in software, including 26 years in security solution design. He is the author of numerous white papers on security and regulatory compliance, as well as a McGraw-Hill book on identity, access, database, and application protection. Jeff is an expert on compliance requirements across a number of industries, and has presented at a wide variety of security events.