Cooking Out Friendly Fraud with EMV 3-D Secure

Member News
Friendly Fraud
Jordan Harris -- Ticketmaster
Aug 30, 2019
There are two things I really love in life: cooking and fighting fraud. Both have extremely satisfying results that are tangible and can be shared with others for satisfaction and validation. Unfortunately, with fighting fraud, just like with cooking, there can be unexpected consequences despite all the preparation, care, and time that went into crafting the masterpiece before you.

The other day I was making a low-carb lasagna with zucchini sliced into thin pieces using a mandolin. The secret to the dish is that you need to get the moisture out of the zucchini before you bake it. Those slices sat for 2 hours between napkins and in the end, I still wound up with a puddle of water on the surface on my otherwise flawless meal. The same thing can happen with fraud; you could build the most precise rule or train your model 3 times a week to spot bad actors and eliminate false positives, but 45 days later you still might get that infamous "it wasn't me" claim in your chargeback queue on a good account. It's frustrating.

There's nothing you really could have done, right? With my lasagna I could have waited even longer or used a food dehydrator, but my end product would have been less appetizing. The same goes for fraud. You could crank up the heat and manually review every single order, make the customer pay with ACH only, or mail in cash. But that doesn't really solve any problems, does it? The fact of the matter is that my lasagna water is just a cost of doing business with low-carb living and friendly fraud chargebacks are just a cost of doing business in the eCommerce world.

After EMV transition we all felt it. We knew we were going to and we all did less than we probably should have to prepare for the waves of fraud that shifted to eCommerce merchants. We all stayed focused on keeping the conversions high, the rejects low, and the chargebacks under 1% (.9% in October). Might as well make that your team motto right now. We used our rules engines and presented our manual review teams with shiny new tools to do identity checks deeper and more cleverly than ever before. Some of us dumped in some black box machine learning software that we kept hearing about. And life went on. But the fraudsters did the same. They started using machine learning, better botnets, and synthetic IDs. It all got harder, faster, and even more sophisticated. And then outside all of that, fraud cases still rolled in, even when we knew it was the real cardholder that did it! All-in-all: chargebacks kept coming.

Enter EMV 3-D Secure.

Just like low-carb eating, 3-D Secure is by no means new and works best when combined with something else. 3-D Secure should never be considered a "fraud prevention" tool. You still need to be able to identify fraud on your platform and be able to stop it if needed. I think 3-D Secure, especially EMV 3DS 2.0, is fantastic to get the loss dollars down. But to me, despite its usefulness, it is not the magic answer we all seem to be searching for. It is great not seeing fraud chargebacks rolling in your queue on transactions you shifted, but I feel for the more engaged, it can remove a valuable piece of information you need to be effective with your job. What it does well is preventing financial loss from those chargeback abusers who deceptively claim fraud. For example, it is effective for the person who buys a VIP package to a festival and posts pictures on Instagram and Facebook clear as day enjoying the festival -- with their face in every single one -- but still calls their bank and says, "I have no idea what this charge is!" Or the kid who took mom's credit card to buy those K-Pop tickets without asking and then said "I have no idea, momma" when the statement comes in the mail. It is nice not having to try to fight those only to lose when we all know darn well they did it!

It's also important to remember that the old phrase "out of sight, out of mind" applies here. You won't see liability-shifted chargebacks, but they still exist on your merchant account. You can still wind up in an excessive chargeback program even though you did not take a loss. It is a balancing act and you very much need to still be involved every day in monitoring activity on your platform. 3DS is just another layer in the lasagna that is your multi-layered fraud prevention approach. You might be able to relax calls to any step-up services, but you still need to be screening transactions like you normally would and blocking items, with or without a liability shift, or you might wind up in a world of hurt.

The other problem is the feedback loop. Unless you can get an easy to digest report that shows exactly what transactions were shifted but resulted in a chargeback, you can lose one of your most valuable tools, the negative feedback loop. When training a machine learning model, you need to provide it with the "bad" so it knows what to look for. You need to do this often. The same goes for people who use only rules engines, too. You need to be able to add the accounts, emails, credit cards, etc. to a negative list. You need to quickly review those shifted items to spot patterns and make new rules for when they come back. You cannot just treat it as a "Well, I don't get the chargebacks, so I don't care" because you should. You still get the hit on your merchant ID, and if you ever make a change that shifts away from 3-D Secure, you are going to want to be ready, just in case.

As our time here together is winding down and my next masterpiece is almost finished in the oven, I would like to leave you by stating, I love EMV 3-D Secure I really do. It is a fantastic product to limit the exposure and make finance teams happy everywhere. I especially love that it removes the most annoying type of chargeback, friendly fraud. We all know they did it, they are just wasting our team's time to prove, once again, that it was them. With that noise gone, our people can focus on the important parts of their jobs, protecting innocent consumers from becoming victims of fraud on our platforms. For us at Ticketmaster, it is also getting tickets into the hands of real fans who paid with their own hard-earned money for access to a memory they will have for the rest of their lives. That, like my lasagna, is the real reward in the end.

Thanks for your time and happy hunting!

And for those that want the recipe for my lasagna. Note: I cook it in the oven at 375 degrees for 45 minutes.

Jordan Harris is the Head of Chargebacks at Ticketmaster.

Blue-tinted background of a man watching a webinar

Host a Webinar with the MRC

Help the MRC community stay current on relevant fraud, payments, and law enforcement topics.
Submit a Request

Publish Your Document with the MRC

Feature your case studies, surveys, and whitepapers in the MRC Resource Center.
Submit Your Document

Related Resources

There are no related Events

Mar 08, 2023
First-Party Fraud: What It Is, and What It Isn’t

The fraud prevention industry is peppered with hundreds of vendors who mainly solve for third-party identity theft fraud. Some vendors branch out into synthetic fraud, including manipulated or fabricated identities, yet very few vendors tackle first-party fraud. First-party fraud is defined as the use of one’s own identity to open an account and use it to commit a dishonest act for personal or financial gain. It remains an elusive problem because there are no consumer victims in chargebacks, disputes, or overdraft fraud. Moreover, when it comes to the granular semantics of first-party fraud, different opinions start to clout the agreed-upon definition, making it difficult to classify, pinpoint, and ultimately combat these dishonest acts. 

Join this session to hear from industry experts about: Where do manipulated identity or rewards gaming abuse fall on the spectrum between first-party and synthetic fraud?  How do these categorizations differ by industry? In what ways do our assumptions around these semantics turn into ineffective proxies for first-party fraud?  How can we differentiate between a consumer’s intent to commit a dishonest act, versus a consumer who was manipulated into a dishonest act, versus a consumer making an honest mistake? 

The key is context. We need to understand a consumer’s act in context of other financial decisions they’ve made across various life stages, across different financial institutions, and across various economic environments. Behavioral anomalies across time and space will serve as better proxies in determining whether a consumer is a true first-party fraudster or whether new socio-economic conditions or happenstance interactions with malicious actors have resulted in a first-party-like occurrence. 

In order to achieve this level of context, a multi-industry data consortium is required. Consumer transactional behavior can then be analyzed across the financial ecosystem, over time, to correlate actions with true first-party fraud and to promote an ecosystem of trust.

There are no related Surveys

Cookies help us improve your website experience.
By using our website, you agree to our use of cookies.