
Fighting the Good Fight: How AI is fueling both sides of the cybersecurity arms race

By Ed McKinley

Ominous-looking aircraft patrol a dark and eerie sky, hovering now and then to fire a laser blast down at a ragged soldier scampering through the ruins of Los Angeles. Nearby, a gigantic armored vehicle rolls across the scorched earth, crushing the human skulls that litter the scene. It’s the dystopian future of the year 2029 depicted in the opening scene of The Terminator, the 1984 film that has enthralled generations of movie fans. The premise is that advanced machines are waging war to exterminate humanity.

Yet, who can forget the lighthearted banter of C-3PO and R2-D2, the affable android-robot duo in the original 1977 Star Wars movie? The pair provided comic relief to prevent the audience from overdosing on the strife among the humans “a long time ago in a galaxy far, far away,” as the setting is described in the movie’s opening crawl.

Outside of the Cineplex, man’s interface with artificial intelligence (AI) falls somewhere between those extremes of menace and frivolity. In the payments industry, AI is pitting good guys against bad guys. Thieves employ the technology in their quest to steal card data and transaction history, while the payments industry develops similar methods to foil their schemes. Some describe it as an arms race between good and evil.

But it’s a battle where the right side isn’t always winning, according to Adam Frisch, CEO of Buy It Mobility Networks, a company with offices in New York City and Atlanta that uses the automated clearing house (ACH) network to create “private label debit” on a customer-engagement platform. “Mobile transaction fraud is around 7 percent to 8 percent on average,” he says. “We know of two very well-known national brands that are actually losing money on mobile because of fraud.”

Online fraud attacks increased 8.9 percent over the course of 2016 as the spread of EMV pushed criminal activity out of brick-and-mortar stores and onto the internet, says Forter CEO and Cofounder Michael Reitblat, citing the company’s most recent global fraud report compiled by the Merchant Risk Council. Forter is a fraud prevention technology company that helps retailers approve or decline digital transactions.

Criminals are using AI to predict what websites consumers will visit or where they’ll use their phones to purchase goods and services, says one vendor, who requested anonymity to avoid identification with criminal elements. By becoming the “man in the middle,” crooks are able to steal personal and payment credentials and use them for fraudulent transactions, the vendor adds.

Fraudsters employ AI to probe defenses at financial institutions by using stolen credentials to make illicit transactions as small as a dollar and then increase the amount, says Steve Durney, senior vice president of issuer relations at Ethoca, a Toronto-based software as a service provider that helps 6,000 merchants and 500 card issuers work together on its network to combat fraud. Criminals are probing networks to discover if the card is still active and what amount is the limit for not raising suspicion, he notes.
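The probing pattern Durney describes can be looked for on the defender's side. The following is an added example, not code from the article or from any company quoted in it; the sample authorizations are constructed, and the seed amount, step count, and one-hour window are assumed thresholds, not industry values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authorizations: (card token, ISO timestamp, USD amount, merchant)
SAMPLE_AUTHS = [
    ("card_A", "2017-03-01T10:00:00", 1.00, "m1"),
    ("card_A", "2017-03-01T10:04:00", 5.00, "m2"),
    ("card_A", "2017-03-01T10:09:00", 25.00, "m3"),
    ("card_A", "2017-03-01T10:15:00", 120.00, "m4"),
    ("card_B", "2017-03-01T09:00:00", 42.10, "grocer"),
    ("card_B", "2017-03-01T18:30:00", 12.99, "cafe"),
    ("card_C", "2017-03-01T08:00:00", 1.00, "parking"),
    ("card_C", "2017-03-03T08:00:00", 60.00, "fuel"),
]

def find_escalating_probes(auths, seed_max=2.00, min_steps=3,
                           window=timedelta(hours=1)):
    """Flag cards whose authorizations start at or below seed_max and then
    strictly increase at least min_steps times, all within `window` of the
    seed transaction. Returns {card: [amounts in the longest such run]}."""
    by_card = defaultdict(list)
    for card, ts, amount, _merchant in auths:
        by_card[card].append((datetime.fromisoformat(ts), amount))

    flagged = {}
    for card, events in by_card.items():
        events.sort()              # chronological order per card
        run, best = [], []         # current and longest escalating run
        for ts, amount in events:
            if run and amount > run[-1][1] and ts - run[0][0] <= window:
                run.append((ts, amount))      # escalation continues
            elif amount <= seed_max:
                run = [(ts, amount)]          # a new small "seed" charge
            else:
                run = []                      # ordinary purchase, reset
            if len(run) > len(best):
                best = list(run)
        if len(best) - 1 >= min_steps:
            flagged[card] = [amount for _, amount in best]
    return flagged
```

On the sample data only `card_A` is flagged: `card_C` also starts with a $1 charge, but its next purchase falls two days later, outside the window.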

Lawbreakers also use seemingly legitimate electronic transactions for money laundering, the phrase that describes erasing the taint of ill-gotten gains from activities like smuggling illegal drugs, notes Anand Rao, an AI expert and a partner at PwC Advisory, the international audit, tax, and consulting company. The government expects financial institutions to detect and report money laundering, he notes.

The Enemy

“The criminals—since 2000—have certainly raised their level of sophistication,” says Durney. The large breaches, including those at Target and Home Depot, have been well-documented, he notes. “The criminals have introduced what I would say is almost formal procedure and process of how you monetize and operationalize the thefts,” he says.

Crooks visit the “dark net” to buy stolen credit card information for perhaps $1.50 per identity, or they spend $5 or sometimes much more for data on purchasing habits they can use to target consumers for scams that range from fake travel vouchers to real-world home burglaries when transaction history indicates the owners are out of town, according to Monica Eaton-Cardone, COO and cofounder of Chargebacks911, which provides a risk management and mitigation platform and software as a service. Knowing a consumer’s purchasing behavior enables criminals to make transactions that seem “reasonable” and thus go undetected, she says.

The “dark economy” is booming in cyberspace, and fraudsters are leveraging tech and AI to steal and use data, Reitblat says. Denizens of that cyber underworld automate the process of using stolen identities to make fraudulent purchases from numerous merchants at once, he maintains. “The most unbelievable thing about these instigators is that the vast majority of them don’t consider themselves criminals,” he notes. “They consider themselves opportunists and savvy business people.”

In that virtual underground, some cyber criminals specialize in services to other cyber criminals, observes a vendor who asked not to be named. Some organizations focus on breaches; others concentrate on consolidating data on identity; and still others develop expertise in perpetrating transaction fraud. “It’s almost like you outsource what you need,” the vendor says. “They sell information back and forth.”

Eastern Europe and parts of Africa have earned reputations as centers of criminal hacking, identity theft, and social engineering, while Brazil seems to harbor more than its share of gas-pump skimmers, says Durney. As the scene becomes more dispersed, we’re seeing online criminals in Asia and the United States as well, he adds.

The Ally

To retaliate against that demimonde of online hoods, the payments industry is exercising at least one aspect of AI—machine learning. Machine learning occurs when computers observe and learn from patterns they perceive, says Rao. AI represents a giant step beyond directing computers to follow rules-based criteria laid out by humans, he contends.

“As soon as you delve into the e-commerce world, to stay competitive and keep up with fraud, you have to utilize machine learning components and AI technology in order to adapt,” says Eaton-Cardone.

Machine learning, sometimes called ML, occurs when computers analyze the data they are given to learn on their own and then do something they weren’t programmed to do, says Reitblat. It happens when a machine can use data from the past to look at fresh data and predict a result for that new data. For example, knowing about past transactions should enable a machine to make predictions about whether a new transaction will prove to be fraudulent or genuine, he says.

Depending upon one’s definition of ML, the payments industry has been using the technology for a number of years, perhaps as early as the early 2010s, says Durney. “Moore’s law takes over where you have a doubling of capacity to churn through information every year,” he says, referring to the observation Intel Cofounder Gordon Moore made in 1965 that the number of transistors per square inch on integrated circuits had doubled every year since their invention.

ML constitutes one aspect of what’s considered AI, the emerging ability of computers to “think” like their human creators. The general definition of AI tends to change over time. Many regard it as a description of whatever developments have come most recently in cyber evolution, says Reitblat. He quotes a Gartner report to shed light on the real meaning of the often-used terminology: “The artificial intelligence acronym ‘AI’ might more appropriately stand for ‘amazing innovations’ that do what we thought technology couldn’t do.” The quotation comes from a Gartner piece entitled “A Framework for Applying AI in the Enterprise,” according to Reitblat.

However one defines AI or ML, pasting the technology onto an aging system won’t meet today’s needs, says Frisch of Buy It Mobility Networks. His company embeds AI and ML throughout its platform, using the technology when the customer comes onto the platform and while transactions occur, he maintains.

In payments, AI and ML comprise “three basic components,” Frisch explains. “We have to gather the right data, analyze the data correctly, and then apply the data to achieve the optimal outcome for the consumer and merchant.” Using those components effectively requires a balance between controls that are too tight, and thus disallow valid transactions, and too loose, which consequently permit fraud to occur, he notes.

To accomplish that, Buy It Mobility Networks uses the enrollment process to amass thousands of data points on each shopper, the shopper’s payment credential, and the device the shopper uses to pay. That information feeds into a risk-scoring engine that dictates how the system will monitor a consumer’s transactions. “Our system is constantly getting better at identifying trends,” he says. “If this data point corresponds to that data point, then it’s fraud. We recognize patterns.” After enrollment, computers track where and how consumers make transactions to spot anomalies that may indicate fraud.

In general, financial institutions are improving their response to fraud by eliminating the silos of data that in the past may have separated bits of information, says Durney. “A couple of banks are doing an exceptional job of looking across multiple verticals,” he maintains, creating usable information quickly. That way, they can “pattern” activity to spot dubious trends, he adds. “It’s cat and mouse or whack-a-mole,” he opines. “You stop one, and the next one pops up.”

Machines not only have to detect fraud, they have to do it in ways that humans can explain to each other, notes Rao. That way, financial institutions can describe to regulators exactly how criminals are illegally gaming the payments system, he says.

But the machines can’t do it all when it comes to fighting fraud, sources agree. “At Forter, we combine machine learning and human creativity to accurately prevent fraud at any scale for prominent e-commerce clients … our machines—guided and refined by our team of human researchers—effectively detect and prevent the vast majority of fraud accurately by learning to anticipate what fraudsters will do next,” says Reitblat.

The Humans

That coalition of man and machine seems likely to stay busy dealing with fraudsters for the foreseeable future, sources agree. As payments technology advances at a rapid pace, innovations are thoroughly tested in theory but—by definition—can’t be tested in the real world until they’re introduced into the real world, notes Eaton-Cardone of Chargebacks911. That provides opportunities for criminals who are working hard to keep up with change, she notes, describing the situation as a “petri dish for fraud.” Apple Pay, for example, succeeded only after the criminal element greeted the payment method’s introduction with an avalanche of fraud, she says.

The welter of complexity in the payments world also keeps the industry’s security community up at night, says Eaton-Cardone. More than 200 types of electronic payments—including everything from loyalty points and bank transfers to virtual cards and cash-back schemes—have come into use worldwide, and a third of them are less than six months old, she notes.

Meanwhile, the dark side of the transaction scene has proven resilient. When the industry closes a door to criminality, criminals tend not to make a career change and seek a job as a barista at Starbucks, says Durney. Instead, they adapt to the change and keep working to penetrate the defenses of the payments industry. The AI arms race continues.

Ed McKinley is a contributing writer for Transaction Trends.