Author: Mark Gavigan

How to Avoid a Crypto Fraud Catastrophe

Once crypto is gone…it’s gone

Mark Gavigan
February 11, 2022

Once crypto is gone…it’s gone

Crypto fraud taking off

Crypto.com, one of the most popular crypto exchange marketplaces, made a big splash last Christmas when it usurped Staples Center as the home of the Los Angeles Lakers.

Recently, the company made another splash: a $34 million security breach.

The Crypto.com hack exemplifies the rise in crypto fraud over the past year, which jumped 79% in 2021 due in large part to synthetic identities. Per Pew Research, 86% of Americans are knowledgeable about cryptocurrency, and the amount of crypto users currently sits at around 300 million. With this number expected to go up, crypto apps face a herculean task in protecting their platforms from ATO (account takeover), money laundering, and other fraudster schemes.

Cryptic crypto

Balancing security with a seamless customer experience is a tough balance for companies employing traditional fraud prevention approaches. Unfortunately, most crypto apps lean into seamlessness and are too loosey-goosey at the account creation stage.

The real culprit here is static data — what crypto apps use to verify customer identity — social security numbers, dates of birth, names and addresses that can be purchased on the dark web for peanuts and cobbled into a synthetic identity. IP addresses? Those can be spoofed. And fraudsters can even pay a real person to verify their own identity through legitimate documents, such as a photo ID.

Glaring vulnerability at the account creation stage isn’t the worst part of the crypto fraud problem; it’s the fleeting nature of crypto itself. Cryptocurrency is not insured by the FDIC, so once it’s gone…it’s gone. Victims of the common “rugpull” scam know this all too well: a bad actor convinces them to invest in the newest (fraudulent) coin on the blockchain, only to vanish along with everyone’s funds and the bogus cryptocurrency that never was.

Multi-factor is hardly a factor

Complex passwords, OTPs, 2FA, and MFA can be effective in stopping fraud. But, as with Crypto.com’s 2FA approach, effective isn’t good enough.

For the advanced fraudster and their legion of bots, creating a synthetic identity or credential-stuffing or sim-swapping their way into ATO and money laundering is light work. The security protocols above are a decent start; however, they must be paired with dynamic, real-time insights to be truly impactful.

At Deduce, we are all about living in the here and now. There’s no time like real time when it comes to preventing crypto fraud or identity fraud at large, which is why we’ve built our real-time Identity Network that cross-references more than 450 million anonymized user profiles and 1.4 billion daily user activities across 150,000 websites and apps. It’s an added layer of real-time intelligence that identifies fraudsters and legitimate users with better accuracy and efficiency. It’s a winning trifecta of less fraud, less false positives, and less churn — users will login safely and seamlessly, and crypto apps can avoid a front-page breach.

Want to see how Deduce can fortify your app’s defenses? Drop us a line today and get started in no time.

Related Content

The Secret Weapon Against Synthetic Identity Fraud

Static data alone can’t ward off synthetic fraudsters

Mark Gavigan
February 4, 2022

Static data alone can’t ward off synthetic fraudsters

The synthetic ascension

In 2021, identity fraud targeting US-based e-tailers made up 30% of all fraud losses. Within that troubling percentage lies an uptick in synthetic identity fraud, in which bad actors fuse stolen data (phone numbers, emails) with fake data to create a bogus identity.

Post-pandemic, fraudsters have feasted on users’ anxiety and increased online activity, phishing login information with very little effort. Given this trend, experts foresee another rise in synthetic identity fraud in 2022, especially in the financial services arena and on platforms that utilize seamless signup and other quick decisions.

With factors like social security number randomization making synthetic “Frankenstein identities” more prevalent, stopping this mish-mashed form of identity fraud is imperative before it festers into a costly and potentially years-long disaster.

Not your average identity fraud

The challenge of preventing synthetic identity fraud lies in its patchwork composition. A synthetic identity pulls together fake and legit info from multiple sources instead of targeting a single consumer victim, making it much more difficult to detect. With no defrauded person to tip off companies, accounts created via synthetic identity can remain active indefinitely like clandestine, money-sucking leeches only to vanish once the on-file credit card maxes out.

Again, there’s no real-life person to trace the account back to, which complicates the identification of synthetic identity fraud, much less the calculation of losses (assuming fraud is circled as the culprit). Unfortunately, differing interpretations of synthetic identity fraud among enterprises can often chalk cases up to credit-related issues, leaving credit lenders and related providers to carry the financial burden.

If need be, synthetic fraudsters can bypass defenses with more than a fake SSN and stolen email. Forget Frankenstein identities — the craftiest of synthetic fraudsters are combining facial features from multiple people with AI to create realistic “Frankenstein faces.” Yet another wire-crossing maneuver that throws traditional fraud prevention solutions off the scent.

The synthetic antiseptic

Old school fraud prevention tools rely on static data such as physical address and device fingerprinting to detect bad actors. This won’t cut it for synthetic identity fraud.

The only way to effectively root out stealthy synthetic fraudsters is to combine static data with live and historical real-time user activity data. By adding this extra layer of real-time intelligence —behavioral biometrics, time of day, location, etc. — there are too many holes for fraudsters to cover up or build an authentic digital “legend” and more than enough information to help companies spot a fraudulent identity.

This is precisely the extra punch Deduce provides. We pack more than 450 million anonymized US profiles and 1.4 billion daily user activities (logins, account creations, checkouts, etc.) from over 150,000 websites and apps into our real-time Identity Network, protecting organizations from financial losses and the other nightmarish side effects of synthetic identity fraud. For example, a solution that’s solely reliant on static data will fall victim to false positives and ultimately turn good customers away, while the Deduce approach is able to contextualize scenarios where a new device or other factor may not be consistent with identity fraud.

Fraudsters can fake a number of different attributes, but nothing they spoof can outsmart the collective intelligence and profile history of the Deduce Network. The breadth and diversity of our data (transactions, social media activity, etc.) is too gargantuan — and too expensive for the average fraudster to circumvent.

Tap into the Deduce Identity Network today and bolster your defense against synthetic identity fraud. Contact us here to get started.

Related Content

Deduce 2021 Wrap-Up

The greatest hits from our 2021-derful mixtape

Mark Gavigan
December 21, 2021

The greatest hits from our 2021-derful mixtape

Grab your hot cocoa, eggnog and brandy, gingerbread cookies and peppermint bark. It’s time to play back the greatest hits from our 2021-derful mixtape.

From funding news and milestones to an awards list the size of a George R.R. Martin novel, Deduce was all gas and no brakes in 2021. With cybercrime costs forecasted to reach $10.5 trillion globally by 2025, we have no choice but to keep the pedal to the metal.

We couldn’t squeeze everything in here, so this is merely a taste of this year’s hits. Scroll your trackpad/mouse wheel/thumb and enjoy!

“A” summer to remember

After tripling our revenue growth in 2020 and ending the year with a funding announcement, we raised another round this past June. The Series A, led by Foundry Group, helped launch our Deduce Insights product: a “cybersecurity radar” powered by our FAANG-sized data stack that preempts fraudulent activity in Minority Report-like fashion and promptly alerts customers.

The fraud prevention and detection market is expected to hit almost $63 billion by 2028. Bad news for fraudsters; great news for us, our customers, and their users.

This year, we also moved the Deduce HQ from Philadelphia to New York City. Come pay us a visit — we’re missing our Philly cheesesteaks, but the pizza is amazing.

400 million reasons

In October, we crossed a major milestone: more than 400 anonymized profiles in our US Deduce Identity Network.

These profiles, comprising billions of daily online interactions across hundreds of thousands of websites and over one hundred attributes, power our algorithms that shut down fraudsters in real-time.

watching algorithms

As Jay-Z once said: “Men lie, women lie, numbers don’t.” These big numbers convey an important message: unparalleled protection against account takeover and account creation fraud, for companies of all sizes, and a Trusted User Experience that wows customers again and again.

Rolling out the red carpet

Our trophy case is piling up, affirming that our customers (and their customers) are enjoying the benefits of real-time fraud protection.

In 2021 we garnered big-time accolades, headlined by an honorable mention in Fast Company’s World Changing Ideas Awards (AI and Data), given to companies “that harness the power of data, machine learning, or artificial intelligence to understand the world and empower change.” We earned praise from The Edison Awards as well, and landed a top-10 spot among finalists in the RSA Innovation Sandbox competition.

Additional 2021 honors include:

Steering the thought leader ship

Deduce founder and CEO Ari Jacoby challenged all aspects of the fraud landscape throughout the year. ForbesMarketWatchYahoo, and more picked his brain for articles covering topics like malicious apps and brokerage account breaches.

Ari’s thoughts on “data poverty” and other industry trends led to a slew of podcast appearances. Secure VenturesThe Identity BriefCode Story, and Down the Security Rabbithole were only some of the pods that he blessed with in-depth industry knowledge.

Look out for plenty more from Ari (and Deduce CTO ​​Robert Panasiuk) in 2022.

An extraordinary turn of events

’Twas another challenging year for business meetings, but we exhibited at our first live event. Money 20/20 in Las Vegas attracted around 10,000 fintech professionals and the Deduce booth remained busy throughout. We were honored to welcome Silicon Valley Bank CISO and author Nick Shevelyov to a VIP dinner. Nick spoke to the audience about cyber risk and why he was moved to write Cyber War and Peace.

In December, the Merchant Risk Council invited us to present on their Webinar Wednesday program. Special thanks to Wilder Rumpf, founder and CEO of fintech startup and Deduce customer FinTron, who did an amazing job detailing their new customer onboarding pain points and how they will use Deduce Insights to reduce onboarding duration from 48 hours to real time.

Hire power

It’s official: we’re gonna need a bigger boat, er, Zoom room, because we beefed up our executive team!

you're gonna need a bigger boat

Robert Panasiuk, previously VP Product at Deduce, was promoted to CTO. The step up was well-earned: Robert spent nearly two years building the Deduce Identity Network — the largest network of its kind in the US, we might add — from scratch, along with our Deduce Insights and Alerts products.

Andy Sheldon, VP Marketing, joins the Deduce team after serving as VP Growth Marketing at Agari, another fraud prevention outfit. Andy previously spearheaded marketing efforts at companies like Microsoft, Sun Microsystems, and Conga.

Adish Kasi, VP Sales, comes to us from Shape Security after the company was acquired by F5 Networks for $1 billion. Adish combines impressive technical expertise with a customer-centric approach, skills he developed earlier in his career at Akamai and NYSE Technologies.

We also added Joe Mielzarek (Solutions Architect), Kishore Kodical (Director of Product), Bill Spinner (Account Executive), and Tim Flocke (Senior Data Scientist) to our anti-fraud squad.

That wraps up the wrap-up. We’ll see you on the other side of 2022, likely with your resolutions hanging on for dear life.

If you’re still compiling your list, here are two resolutions for the road: vary your passwords across websites, and always use the strongest possible password (ideally, one that doesn’t end in “123”).

Happy holidays from the Deduce team!

Related Content

Points Well Taken: The Growing Loyalty Fraud Problem

Fraudsters are pouncing on $48 trillion in unspent rewards points

Mark Gavigan
November 23, 2021

Fraudsters are pouncing on $48 trillion in unspent rewards points

Practically every B2C organization employs some type of loyalty program, and for good reason — companies love the uptick in spending and brand allegiance; customers love the free lattes and round-trip flights.

But no one is a fan of loyalty fraud. Except fraudsters, of course, snatching their share of the $48 trillion in unspent rewards points and either using them or selling them for profit. The latest ace up fraudsters’ sleeves has only become more prevalent during the pandemic. Even before the pandemic, loyalty fraud had doubled from 2017 to 2018.

Scroll down for the full download on loyalty fraud — including what happens when a company doesn’t combat it with an intelligent fraud prevention solution. (Hint: the negative impact stretches far beyond pocketbooks.)

Pointing in the wrong direction

From July 2018 to June 2020, fraudsters used stolen passwords to launch roughly 100 billion credential stuffing attacks. More than half of these incidents targeted retail, travel, and hospitality industries, companies that reward repeat guests with frequent flyer miles and complimentary hotel stays, free products and discounts. Airlines and hotel chains were especially hit hard post-pandemic — customers aren’t likely to access their rewards (and report a discrepancy) if they aren’t traveling.

Loyalty points are also emerging as a new virtual currency with increased spending flexibility, further incentivizing bad actors to target these accounts. For example, some brands allow customers to buy products on Amazon using their points.

Loyalty fraud, a form of account takeover (ATO), works like this. Hackers buy passwords off the dark web; then, after cracking the right login combination, they can sell a customer’s hard-earned loyalty rewards on the dark web for money (after the 2014 Hilton Honors hack, 250K Hilton Honors points sold for $3.50). If a customer uses the same password across multiple rewards accounts, hackers can access those points, too.

If a customer’s lucky, they’ll merely get their points drained and subsequently replenished — an issue costing merchants $1 billion per year — while fraudsters spend them or peddle them for profit. But personal info is what fraudsters are really after: credit card numbers, social security numbers, even seemingly harmless details like names, dates of birth, and phone numbers.

Points are one thing; accumulating an entire portfolio of personal information for a given individual — and seizing assets far more lucrative than loyalty rewards — is an account hijacker’s dream scenario.

The intangibles

When assessing the impact of loyalty fraud, it’s easy to get caught up in the financial costs: millions of dollars in reimbursed points, including refunding merchants like Amazon in the case of fraudulent points-for-product transactions; fines and lawsuits (if a data breach occurs); lost lifetime value of customers who jump ship. And don’t forget the time (i.e. money) customer support spends assuaging irate customers, investigating claims, and restoring stolen points.

But the intangible effects of loyalty fraud — which ultimately carry their own share of financial harm — may deal the most damage.

One of the first dominoes felled by a rampant loyalty fraud problem, particularly one rooted in a data leak, is customer churn. The outcry from affected users, in tandem with negative PR, is a serious reputation killer. A brand can’t create a Trusted User Experience without trust from its customer base. And building, or rebuilding, that trust with existing users — and new users isn’t possible without the help of a data-driven antifraud platform.

With ATO losses up 72 percent year-over-year, and loyalty fraud comprising a significant chunk of that number, brands must enlist a solution with ample data, and algorithms powerful enough to preempt fraudulent activity in real time — before points, personal details, and customer trust is lost.

Want to score points with your customers? Try Deduce for free today and see how our Identity Network of more than 450 million anonymized user profiles can neutralize ATO threats for companies of all sizes.

Related Content

Passwordless Login: a Similar Flight Pattern to TSA PreCheck, Global Entry

More users are leaving passwords on the tarmac

Mark Gavigan
November 12, 2021

More users are leaving passwords on the tarmac

The rigors of boarding an airplane post-9/11 are well-documented: ID checks; removal of belts, shoes, laptops, decanting your toiletries into three fluid ounce containers; frantically stuffing plastic tubs with personal belongings before the travelers behind you hum the Jeopardy theme.

Over the past two decades, however, frequent and occasional flyers alike have subscribed to expedited customs programs from the Transportation Security Administration (TSA) and ​​U.S. Customs and Border Protection (CBP) that slingshot travelers to their terminals with their clothes and luggage untouched. The friction alleviated by programs such as TSA PreCheck and Global Entry is comparable to the slog of old-school account login — travelers hate waiting in line; modern app users hate keying in username/password combos upon each visit or being asked to verify the email they have just entered in a different application.

Passwordless authentication is the account login equivalent of PreCheck and Global Entry. Here is why passwordless is taking off, and how apps are “boarding” their users expeditiously while creating a fraud-free, Trusted User Experience.

Passwords don’t fly anymore

Just as line-weary travelers have opted for PreCheck and Global Entry, research suggests more and more users are ready to leave passwords on the tarmac.

Earlier this year, Experian’s Global Identity & Fraud Report asked more than 2,700 businesses and 9,000 consumers about their preferred login approach. For the first time since Experian’s ran this annual report, passwords landed outside the top three. Respondents, more security-conscious amid a 20-percent bump in online traffic during the pandemic, felt more comfortable logging in via physical/behavioral biometrics and SMS pin codes.

The data dictates that we are rapidly approaching a passwordless future. Like the airline passengers who get in and out of customs with a simple biometric scan, a growing contingent of app users desire a quick and seamless customer journey. Businesses must answer the call by implementing passwordless login that operates in real time yet still mitigates fraud risk. It’s not just money that’s at stake either — it’s the trust of users.

A trusted user experience attracts frequent flyers

Frustrated as travelers may be with slow-moving lines, they’re unlikely to leave the airport and take Greyhound. They have a plane to catch, and anything short of death will not warrant a ticket refund. App users, on the other hand, inundated with platforms and services, have every reason to seek out a frictionless alternative.

Businesses that don’t adopt a passwordless approach risk losing customers, some of whom will share their sluggish user experience with others and ultimately damage a brand’s reputation. Even worse, companies with lengthy authentication processes at the account signup stage will dissuade people from using the product in the first place. Recently, one QSR company admitted that they lost 10 percent of new app signups due to the email verification step not being completed, rendering the fast food app a no-food app.

In the spirit of PreCheck and Global Entry, apps must expedite the user journey by installing a passwordless login apparatus that is fast as it is safe. This requires an intelligent fraud solution with enough data to authenticate users in real time and remain in lockstep with an ever-shifting cybersecurity landscape. By analyzing multiple factors in real time — device, geography, time of login, account activity etc. — platforms can verify fast and reliably at login, get users in-app in a flash, and create a Trusted User Experience that generates customer loyalty.

Deduce can’t expand the leg room on your next flight, but we can get your user authentication flying in no time. Try us for free today, and build a fraud-free, Trusted User Experience that converts your customers into frequent thumb-tappers and mouse-clickers.

Related Content

Account Verification: A Forgotten Source of Customer Churn

Customer churn can happen early — even before checkout

Mark Gavigan
October 21, 2021

Customer churn can happen early — even before checkout

Central to transforming the user experience is removing the friction involved in account creation verification. It’s the first step of the customer journey — before the customer is actually a customer — and often an overlooked source of churn. The Deduce team has seen cases in which companies signing up tens of thousands, or millions, of new users per month have lost 10 percent of these accounts due to email verification problems alone (verification emails landing in spam, issues with mobile email apps, etc.).

Track the lifetime value of those thousands of customers over time, not to mention the negative brand reputation accrued, and the damage is significant.

A new report from CMO Council, comprising 2,000 consumers from the US, UK, Canada, and Ireland, shows just how fed up customers are with frustrating authentication processes. Here are some notable takeaways:

  • More than 60 percent of consumers surveyed had canceled a transaction due to inefficient authentication
  • 81 percent of respondents indicated they would seek out companies that employed an easy and secure identity verification process
  • 34 percent preferred to use biometrics as a primary means of authentication; 10 percent preferred to use passwords

As for brand reputation, most respondents (53 percent) reported that login problems were a substantial detractor, and an overwhelming majority (85 percent) indicated they look down on a company with identity verification issues. This specifically rang true for banks, credit providers, mobile payment apps, and other types of financial services.

There is a way to eliminate this account creation friction. Deploy an identify fraud solution such as Deduce that can provide trust signals on each new account creation in real time. If the new customer is designated as trustworthy, take them down the Trusted User Experience journey to your application or service. If the solution determines potentially fraudulent account creation activity, route the user down the traditional path.

Here’s an example of a frictionless returning customer experience. Let’s say a fraud prevention solution flags potentially fraudulent activity when a customer, who’s attempting to use their saved credit card info, logs in to a new device to book a dinner reservation. The application, in this case Resy, a restaurant discovery platform, verifies the customer’s identity through the following steps:

  • First page: Enter email
  • Second page: Enter phone number
  • Third Page: Resy sends a text message with a code
  • Customer enters code and accesses the application

This is a brand that really cares about customer experience and wants to minimize steps/friction. At no point is the customer asked for their password.

Like Resy, other brands are upping their game in the user authentication department — Gartner expects more than 60 percent of large enterprises to adopt passwordless login by 2022. ​​But passwordless isn’t perfect: devices can be stolen, biometrics can be spoofed, and hackers will inevitably adapt to new authentication tools by way of SIM swapping, intercepting SMS messages, biometric database leaks, and other methods. To avoid customer churn caused by sluggish account verification, and thwart account takeover fraud, companies must ultimately simplify account verification via identity intelligence: a contextual, data-driven solution that can confirm a user’s identity in real time.

Click here to try Deduce for free and keep your customers moving with real-time identity verification.

Related Content

Deduce Surpasses 400M+ Anonymized User Profiles

Deduce’s real-time Identity Network just got bigger (and smarter).

Mark Gavigan
October 7, 2021

Deduce’s real-time Identity Network just got bigger (and smarter).

Why are Deduce customers jumping for joy and online fraudsters womp-womp-womping to the nearest exit? There are lots of reasons. More than 450 million reasons, to be exact.

Deduce recently surpassed 450 million anonymized user profiles to stop online identity fraud in its tracks. These profiles comprise Deduce’s real-time Identity Network and help determine if users are who they say they are. And don’t fret over those four-letter privacy acronyms like GDPR and CCPA — Deduce maintains these profiles in a way that is fully compliant.

Deduce CEO and co-founder Ari Jacoby illustrated the significance of the company’s latest milestone.

“Identity fraud is a huge problem facing every industry that registers or logs in customers but many companies are left with very small pools of customer data that they augment by scraping the dark web for compromised credentials — an approach similar to shutting the stable door after the horse has bolted,” said Jacoby. “A real-time, identity network that can draw from over 450M user profiles with billions of daily online interactions across hundreds of thousands of websites and over one hundred attributes allows businesses to detect and see threats before crooks even target an account.”

Deduce’s repository of 450 million profiles (and growing) preempts attacks so that execs can sleep at night knowing their company is safe from the stomach-turning dangers of account takeover fraud: lost revenue, customer churn, brand damage, chargeback fees, and regulatory fines. As Jacoby alluded to, Deduce’s anonymized profiles are collected from more than 150,000 websites, and are analyzed and scored based on more than 1.4 billion daily user interactions. Big-time numbers, big-time peace of mind for Deduce’s customers.

The continued bolstering of the Deduce Identity Network reinforces what Deduce set out to do from the jump: provide companies of all sizes FAAMG-level fraud protection, and in turn provide their users a Trusted User Experience that keeps them coming back again and again. Thanks to Deduce’s powerful algorithms, users are protected from all forms of identity fraud — account opening/new registration, account takeover, and account anomalies.

Want to tap Deduce’s real-time Identity Network and make your company a fraudster-free zone? Check out Deduce’s 90-second explainer video and activate a free trial here.

Related Content