FICO’s Scott Zoldi: Card-not-present fraud a growing threat
The company’s analytics chief talks fraud protection, trended data
Personal finance journalist with an eye for industry news
The shift to chip-enabled credit cards is making in-person purchases safer, but fraudsters are now targeting consumers where EMV can’t protect them.
As FICO Chief Analytics Officer Scott Zoldi noted in an October blog post, fraud activity in the U.S. is migrating to ATMs – most of which haven’t been upgraded to accept EMV debit cards. Online payments are also increasingly vulnerable – cybersecurity firm Iovation reported a 20 percent increase in online retail card fraud during this year’s Black Friday-Cyber Monday shopping period.
Fraud protection measures must evolve quickly to respond to emerging threats such as card-not-present fraud, and Zoldi stands at the forefront. He was recently recognized by Drexel University for spearheading the addition of analytics that adapt to changing fraud patterns to FICO’s Falcon fraud management platform. The innovations include self-learning transaction profiles, which among other things can analyze an individual’s charging patterns over time to better recognize fraud when it occurs.
FICO said the use of adaptive analytics helped one major debit card issuer see an 18 percent improvement in fraud dollars detected, and another global credit card issuer reduced false-positive cases by 17 percent.
We spoke to Zoldi to get his perspective on how fraud assessment models can evolve to make cardholders feel safe every time they pay. Zoldi also touched on the move by the major credit bureaus toward “trended data,” which analyzes individual consumer trends, such as how often they pay just the minimum on their credit card balances.
Q: In your view, what are some of the biggest fraud protection challenges we face today?
A: One of the more interesting challenges is the changing environment with chip and signature, which is causing the types of fraud that many of our systems and models are developed on to shift and morph over time. More and more fraud will be card-not-present. That requires that the models adapt and change.
At FICO, we spend a lot of time ensuring we can develop these models to be robust using historical data. We take the best of what we’ve learned from, say, how the EMV migration occurred in the U.K. and elsewhere across the globe to determine how the model should respond.
FICO Chief Analytics Officer Scott Zoldi
Q: What improvements or enhancements are needed to protect consumers?
A: I think one of the first things that needs to occur is a broader adoption of self-learning technology, from an analytics perspective. Beyond that, it’s monitoring the model performance over time and making sure the model is still being reactive. On the FICO side, I think we’ve done a good job at designing analytics to anticipate these changes. It’s not like the movement to chip and signature is a surprise to anyone.
That said, there still needs to be a recognition that fraud is changing, and the banks have to make some decisions. One decision might be that they say, “Well, I need to make sure that I’m monitoring my models, but then I might also need to change my philosophies.”
There used to be a philosophy that issuers don’t care as much about card-not-present fraud because of liability shifts, but ultimately there’s a relationship that a consumer has with their bank. There’s an ownership of the relationship there, where they probably do want to take a vested interest, so they can maintain a healthy relationship with their cardholders and not suffer a situation where their card goes to the back of the wallet because they’ve adopted a strategy that isn’t customer-centric – it’s more liability-centric.
Q: How secure should cardholders feel right now amid the shift to EMV?
A: From a consumer perspective, there are a lot more interesting things happening to protect their security. A lot of transactions at merchants are going to be encrypted at the point of sale, in terms of card numbers. These encryption schemes will be much more effective from a security perspective.
Q: What’s your view on the security of mobile payments?
A: There needs to be a lot more security on the phone itself. If you’re traveling overseas, and you download a banking app, you have to be concerned about whether it’s a legitimate app and not redirecting to an alternate app store, for instance. There is now a growing set of fake apps showing up. These can capture your details and use them directly or work in “man-in-the-middle” mode to provide you a sense of a working app so they can utilize the stolen credentials.
When it comes to funds movement, there are a lot of analytics and techniques that we’ve perfected over time in the card space that can also be right for mobile banking.
We utilize a set of technologies called recurrence lists or behavior-sorted lists in our fraud solutions. They keep track recursively of your “favorites,” such as ATMs, gas stations and merchants for cards. In the mobile space it would keep track of “favorite” amounts, destination accounts, etc. If you’re sending money to people you usually send money to and it’s the right amount, but it’s not the right cadence for when you send money, there are models that can give some level of confidence around that.
Q: The credit bureaus have begun to embrace trended data, which looks at factors such as whether consumers tend to pay their balances in full or just the minimum. Do you see FICO using trended data in its traditional credit scoring model? Is it used in other FICO scores?
A: I think that’s where things may very well be headed. We have a different type of score that’s used in credit card account management. Those sorts of models use trended information over time. It’s not a single snapshot – which you would have at origination time – it’s an ongoing score that remembers your good and bad behaviors over time. Those models have been very successful in terms of account management. You already have a relationship with the customer, and you have a lot of trended information in terms of how they’re paying and how they’re behaving as a customer. You need to leverage that behavior to make a better decision on how to engage with them.
That’s a natural direction for us to explore. It’ll be part of whether we see that being valuable information to have with respect to the origination-based scores.
- Credit freezes are now free – but do you need one? – Credit freezes, which keep lenders and other companies from viewing your credit, are now free. We compared them to other credit protection tools, including locks and monitoring services. Here's how to use them all to protect yourself ...
- Employer credit checks: Who does them, how they work and what laws apply – If you're applying for a new job, a credit check could determine your fate, depending on the position and where it's based. Here's how they work and what to expect ...
- My card issuer of 25 years suddenly wants to know more about me – Under the Patriot Act, banks are required to verify the identities of their customers and maintain accurate information on them. But my bank's demand to know how I earn my income is an invasion of my privacy ...