21ct.com http://www.21ct.com/blog/have-we-reached-the-limits-of-predictive-analytics-in-pos-fraud-detection/
Have We Reached the Limits of Predictive Analytics in POS Fraud Detection?
We’ve seen over the past year that cyber attacks are big
business. Attackers are not just breaking into corporate
systems for competitive or ideological espionage
anymore. For many attackers, the personal and financial
information stored in these systems is the raw material
for their identity theft and fraud businesses.
The availability of this data is increasing too. As
ecommerce volume continues to rise and the visibility of
Apple Pay is likely to increase mobile payments,
consumers are also disseminating their financial and
personal information more broadly than ever before, thus
providing even greater numbers of data-rich targets for
attackers.
Defenders must be continually vigilant in seeking new
and innovative ways both to detect point-of-sale (POS)
fraud in real time with more advanced predictive
analytics and to adopt new payment system practices
that greatly decrease the opportunities available to
attackers for stealing credit card or identity information in
the first place.
POS Fraud Detection: Acceptable Snooping
Current POS fraud detection systems have gotten very good at detecting fraudulent transactions. In many ways they
are at the pinnacle of predictive analytics technology. They work largely through various kinds of anomaly detection.
Anomaly detection works by tracking your purchase history to define your "normal" behavior, then flagging anything
that appears abnormal:
  • Geographic anomalies like whether the physical locations or IP addresses of purchases are impossible based on the time and place relative to other transactions.
  • Behavioral anomalies such as rapid-fire or automated purchases.
  • Purchase anomalies such as items that don’t fit a cardholder’s purchase profile or bulk purchases of high-value items not usually purchased in bulk.
  • Collective intelligence that detects activity similar to suspicious activity reported by other customers.
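The first two checks in the list above can be sketched as rules over a card's transaction stream. This is an added example, not code from the original post or from any issuer's system; the `Txn` fields, the thresholds and the sample transactions are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Assumed thresholds (not from the article); a real system tunes these per portfolio.
MAX_SPEED_KMH = 900.0                # faster than this between two purchases is "impossible"
MIN_DISTANCE_KM = 50.0               # ignore small moves and geolocation jitter
BURST_COUNT = 4                      # this many purchases ...
BURST_WINDOW = timedelta(seconds=60) # ... inside this window looks automated


@dataclass(frozen=True)
class Txn:
    card: str
    when: datetime
    lat: float
    lon: float
    amount: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def flag_transactions(txns):
    """Return sorted (index, reason) pairs for transactions that break a rule."""
    flags, history = [], {}
    # Process in time order so each purchase is compared with what came before it.
    for idx, txn in sorted(enumerate(txns), key=lambda pair: pair[1].when):
        seen = history.setdefault(txn.card, [])
        if seen:
            prev = seen[-1]
            hours = (txn.when - prev.when).total_seconds() / 3600
            dist = haversine_km(prev.lat, prev.lon, txn.lat, txn.lon)
            # Geographic anomaly: the cardholder could not have covered the distance.
            if dist > MIN_DISTANCE_KM and dist > MAX_SPEED_KMH * hours:
                flags.append((idx, "geographic"))
        # Behavioral anomaly: rapid-fire purchases on one card.
        recent = [p for p in seen if txn.when - p.when <= BURST_WINDOW]
        if len(recent) + 1 >= BURST_COUNT:
            flags.append((idx, "behavioral"))
        seen.append(txn)
    return sorted(flags)


# Constructed sample data: card A jumps from Austin to London in one hour,
# card B makes four purchases in thirty seconds at one location.
D = datetime(2014, 11, 1)
SAMPLE = [
    Txn("A", D.replace(hour=10), 30.2672, -97.7431, 42.10),
    Txn("A", D.replace(hour=12), 30.4000, -97.7200, 18.75),
    Txn("A", D.replace(hour=13), 51.5074, -0.1278, 310.00),
    Txn("B", D.replace(hour=11, second=0), 40.7128, -74.0060, 99.00),
    Txn("B", D.replace(hour=11, second=10), 40.7128, -74.0060, 99.00),
    Txn("B", D.replace(hour=11, second=20), 40.7128, -74.0060, 99.00),
    Txn("B", D.replace(hour=11, second=30), 40.7128, -74.0060, 99.00),
]

if __name__ == "__main__":
    for idx, reason in flag_transactions(SAMPLE):
        print(idx, reason, SAMPLE[idx])
```

Both rules compare a purchase only with the same card's earlier activity, which is why a purchase made near the cardholder's home at a normal pace produces no flag from either of them.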
Out of concern for their privacy, many people (myself included) balk at the idea of companies snooping on them, and
they have a point when it comes to Google profiting off your personal data or stores tracking you via WiFi as you move
through their store so they can feed you ads. But the form of tracking we’re talking about here actually protects us. Because
the card issuer tracks your purchases (what, where, when, and how much), they can know, for example, that you’re a
single man and mostly use your card at Best Buy, Lowe’s, grocery stores, gas stations, and restaurants, so when they
see a $1500 shopping spree at the Coach store show up, that’s a red flag and they can contact you to confirm the
charge.
Unfortunately, though, while we’re getting better at defending against POS fraud, Newton’s Third Law of Motion
applies to cybersecurity and fraud detection as well as physics: every action has an equal and opposite reaction. The
continued improvement of POS fraud detection systems leads the fraudsters to innovate ways to evade them, and
the cyber arms race escalates.
So, here’s the question: Have we reached the limits of predictive analytics in POS fraud detection?
Perhaps. Fraudsters are evading anomaly-based POS fraud detection systems in a number of ways with innovations
in both technology and tactics. For example, they are using stolen and fraudulent cards in the home area of the
cardholder to avoid creating geographic anomalies. Some are also using new software that simulates the way
humans shop online, thus evading the behavioral and purchase anomaly defenses.
Potentially more serious, though, is that the sheer volume of fraudulent transactions may be overwhelming the fraud
detection systems. After the Target breach, Avivah Litan at Gartner suggested that “anomaly detection – which
most card fraud detection systems rely on – fails when there are too many anomalies or outliers as the outliers all
start looking normal.” Pretty chilling.
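The effect in that quote can be reproduced on a window of purchase amounts, shown here as an added example that is not part of the original post. The amounts and thresholds are constructed assumptions, and the median/MAD score is a standard robust alternative introduced here for comparison; the article does not name it.

```python
import statistics

# Constructed data: 20 ordinary purchase amounts, one isolated fraudulent charge,
# and a burst of eight fraudulent charges of similar size.
NORMAL = [25, 40, 32, 60, 45, 38, 52, 30, 48, 35,
          42, 55, 28, 50, 36, 44, 33, 47, 39, 41]
SINGLE = [1500]
BURST = [1500, 1450, 1520, 1480, 1510, 1490, 1470, 1530]


def zscore_outliers(amounts, threshold=3.0):
    """Indices whose distance from the mean exceeds `threshold` standard deviations."""
    mean = statistics.fmean(amounts)
    std = statistics.pstdev(amounts)
    if std == 0:
        return []
    return [i for i, x in enumerate(amounts) if abs(x - mean) / std > threshold]


def mad_outliers(amounts, threshold=3.5):
    """Indices flagged by the modified z-score built on the median and the MAD.

    The median and the median absolute deviation are not dragged upward by the
    outliers themselves until those outliers make up about half of the window.
    """
    med = statistics.median(amounts)
    mad = statistics.median(abs(x - med) for x in amounts)
    if mad == 0:
        return []
    return [i for i, x in enumerate(amounts) if 0.6745 * abs(x - med) / mad > threshold]


def compare():
    """Run both scorers on the single-outlier and the burst window."""
    return {
        "zscore_single": zscore_outliers(NORMAL + SINGLE),
        "zscore_burst": zscore_outliers(NORMAL + BURST),
        "mad_burst": mad_outliers(NORMAL + BURST),
    }


if __name__ == "__main__":
    for name, flagged in compare().items():
        print(f"{name}: {flagged}")
```

With one $1500 charge the mean/standard-deviation score flags it; with eight such charges the same score flags none, because the charges have inflated the baseline they are measured against, while the median-based score still isolates all eight.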
So again, we ask: Have we reached the limits of predictive analytics in POS fraud detection?
Probably not. The developers of these systems are as creative and motivated to defend against POS fraud as the
fraudsters are to commit it. At a minimum, though, the escalating cyber arms race will continue to increase costs
across the economy as defenders spend increasing resources defending against POS fraud.
If You Don’t Have It, No One Can Steal It
One promising development in stemming the tide of POS fraud has been the launch of Apple Pay. As we mentioned
above, mobile payment systems in general increase the attack surface by increasing the number of systems that
store sensitive data. Apple Pay, however, breaks that mold. Their innovative approach may provide a model for other
systems to help stem the tide of POS fraud.
As we discussed last week in our security and privacy review of Apple Pay, Google Wallet, and CurrentC, Apple Pay
does not store any financial or identity data in its system. This eliminates completely the potential for attackers to
breach the Apple Pay system and steal this sensitive information. You could say this is a kind of security by scarcity:
If you don’t have it, no one can steal it.
If Apple Pay becomes a huge success, other mobile payment systems and card issuers may take Apple’s lead and
not store financial or identity information at all. If these mobile payment systems serve only as a bridge to pass
payments through to the processing network using virtual, device-dependent card numbers, we can limit the number
of entities storing sensitive information (i.e., potential targets for attack). Restricting the storage of sensitive data to
only the card issuers and payment processors—for whom data security is a core competency and an essential part of
their business—would greatly reduce POS fraud and identity theft overall, which should be an incentive for card
issuers to consider this approach more generally.
Unfortunately, this would require mobile payment systems to accept the loss of user data in favor of these
“anonymous” tokenized cards. This is probably a non-starter for Google and others for whom data monetization is a
core business and retailers like those behind CurrentC who mine customer data for intelligence.
We’re unlikely to rid ourselves of physical credit cards in the near future, but if more mobile payment systems take
Apple’s lead and use device-dependent virtual cards without storing sensitive data, we could go a long way toward
significantly reducing the incidence of identity theft and credit card fraud.
About Scott
Scott is a veteran technology writer, focusing on security, analytics, and fraud detection.
He also writes short stories, has a near encyclopedic knowledge of early eighties rock
music, is a sucker for liner notes, and owns a guitar signed by the late great Bo Diddley.