A new weapon in the fraud armoury

A new weapon in the fraud armoury

May 1991 Computer KNOWLEDGE-BASED SYSTEMS A NEW WEAPON ARMOURY IN THE FRAUD Jona than Killin Touche Ross, UK There are about 30 million credit car...

620KB Sizes 2 Downloads 166 Views

May 1991

Computer

KNOWLEDGE-BASED SYSTEMS A NEW WEAPON ARMOURY

IN THE FRAUD

Jona than Killin Touche Ross, UK There are about 30 million credit cards currently in circulation in the UK, and between lo%-20% have a transaction upon them each day. Of these, a number are used either by persons who have no right to the card, or by persons who have no intention of repaying the subsequent debt. The spectrum of fraud and bad debt costs the credit card business many millions of pounds each year. An estimate of 100 million losses on all forms of credit card fraud in the UK for the 1990/l 991 financial year is not unrealistic. The number of credit cards in circulation is expanding by about 10% a year. The fraud and bad debt problems seem to be increasing rather more than commensurately. It is easy to see why even a small reduction in these costs is desirable, if not necessary, for any player wishing to remain profitable in this increasingly competitive market. In as much as a classification of fraud is possible within this spectrum, pre-block fraud accounts for 70% of fraud losses. A ‘block’ is that action taken by a credit card issuer to ensure that, on the next occasion that a card is presented in payment for a transaction requiring an authorization, some form of positive identification will take place. It is only at this point that an issuer can withdraw a card from circulation. In March 1989, the Knowledge-Based Systems Centre (KBSC) of Touche Ross Management Consultants agreed with the fraud prevention department of Barclaycard that a KBS should be developed whose function was specifically to identify pre-block third party fraud on their Classic cards. (Third party fraud is perpetrated by people other than the legitimate cardholder(s), who have acquired the card either by finding, stealing, buying or intercepting it.) Historically, Barclaycard had only a reactive

01991

Elsevier Science Publishers Ltd

Fraud & Security Bulletin

ability in the area of credit card fraud. They were entirely dependent upon the public - usually either the card holder or the merchant-alerting them to the loss, theft or interception of a credit card. In the case of a lost or stolen card, this could happen within 48 hours. However, where a card has gone missing on an unused account, or has been intercepted before receipt by the legitimate applicant, it may require a statement of account to alert the cardholder to the fact that something is amiss, and thus to inform the card issuer. Given unfortunate timing such as holiday periods or business abroad, this may take two months to occur. Fraud of a very high value can be transacted over two months. A proactive approach had previously been attempted, using conventional computing techniques to solve the problem. The result of these efforts were multi-thousands of accounts output each day, with perhaps five or ten fraudulent accounts hidden amongst them. The volumes involved made any further action impossible. The decision to attempt a knowledge-based system solution to this problem was taken because of the perception that, given the necessary subjective, judgmental knowledge, fraudulent transactions could be distinguished from objectively identical non-fraudulent transactions. This would reduce the volumes output to a more manageable level, and increase the fraud identification hit rate. The system is called Fraudwatch, and this is the story of its development and behaviour. Why use a knowledge-based

system?

KBS technology frequently can be used to solve commercial problems that are intractable to conventional computing solutions. Where conventional systems process information in a deterministic fashion, using algorithms that guarantee a ‘correct’ solution given valid input, KBS process information in a probabilistic and uncertain fashion, using judgmental knowledge to generate inferences and give a solution that may be the ‘best answer available’. KBS rely upon judgmental knowledge (heuristics) for their power, and judgments can be wrong. However,

7

Computer Fraud & Security Bulletin

prepared

May 1991

to pay for the benefits of utilizing

judgmental knowledge. Simply knowing that stocks and shares fluctuate in value doesn’t stop individuals and organizations investing, indeed it is the prerequisite of investment. Yet ‘best

:;i,ii:,

,.‘i:;l:

I

,>::

::;.. : : ,:,

,,:,, j:,,,

1.::

:;......

::w :..

.:.

APPLICATION SURFACING

advice’ doesn’t have to be right, it just has to be the best judgment

in the light of information

available at the time the advice was given. The KADS KBS development methodology was utilized in the development of the Fraudwatch system. For the purposes of this paper, only a brief description of KADS will be given. Further details can be found from the texts listed in the bibliography at the end of this paper. The KBSC is the foremost UK proponent of KADS, having been involved with its instigation in 1983, and with its subsequent and current development, and the author has the grey hairs to prove it. Fraudwatch was originally conceived as a test of the KADS methodology, under the auspices of the European Strategic Programme for Research into Information Technology (Esprit) . The fact that the system is running live and is due to be re-engineered to cover the full Barclaycard range of plastic products speaks for the results of the test. KADS is a methodology for the development of knowledge-based systems. Based on software engineering practices, it provides a life-cycle model - an adapted spiral model - a modelling language for representing human expertise and user-system interaction, and a set of supporting tools and techniques for KBS analysis and design. KADS is reassuringly similar to conventional systems analysis and design practices though it differs in detail, providing the specific kind of support required for knowledge engineering projects. In KADS a thorough analysis is conducted before any design or implementation takes place. This contrasts with the rapid (or ‘rabid’ or EWOT)+

..‘..‘.,

:.

KNOWLEDGE ANALYSIS

IMPLEMENTATION

FIGURE

:..

REQUIREm ANALYSIS

I

7: The KADS KBS development process.

prototyping approach in which knowledge is elicited from an expert and directly coded using a ‘shell’ package. In scoping a KBS development using KADS, it is usual to identify an expert or collection of experts, who can provide the judgmental knowledge necessary for a KBS. In the case of Fraudwatch, this was somewhat problematic. Because there was no opportunity for the fraud department to engage in proactive fraud identification, the target system as required and specified was to perform a new function within the department. However, it was possible to identify a small group of people who had sufficient depth of expertise in credit card fraud behaviour for an initial, paper based, set of models to be built.

‘In fact, Fraudwatch began life as experiment F 12 Esprit project 1098. KADS was developed under Esprit projects 12 304 and 1098, which involved The Knowledge-Based Systems Centre at the Polytechnic of the South Bank, KBSC Ltd, and The Knowledge-Based Systems Centre of Touche Ross Management Consultants (these three being esentially the same set of people at different stages of commercial evolution); University of Amsterdam; STC Technology Ltd; Cap-Sogeti Innovation; SD-Scicon Ltd; NTE gmbh; SCS gmbh. KADS continues as Esprit project 5248 which indudes The Knowledge-Based Systems Centre of Touche Ross Management Consultants and ten other partners. +Expensive

8

Waste

of Time.

01991

Elsevier Science Publishers Ltd

Computer Fraud & Security Bulletin

May 1991

fraud model

case data

FIGURE 2: Inference structure for assessment

A model for assessing

fraudulent

behaviour

KADS is based upon a number of generic models of kinds of inference tasks. These models provide frameworks and structures for the kinds of information necessary to conduct a inference task, such as monitoring, classifying, diagnosing, assessing, planning and configuring. The model initially tabled as appropriate for Fraudwatch was that of heuristic classification. However, as the knowledge acquisition and analysis progressed, this model was seen to be inadequate in covering the knowledge used in identifying fraud. Consequently, the assessment model was adopted to steer our understanding and guide the analysis. This cycle of initial model adoption and subsequent refinement, within a family of inferences, is typical of the KADS method. The analysis and modelling progressed by the use of case studies, presented to those individuals identified as the most expert in the domain. It was possible to synthesize knowledge concerning typicality of behaviour from both fraudulent and non-fraudulent examples, and to apply this knowledge to the set of models that underpin the knowledge of the system. Initially, there were three basic models, one of which

01991

Elsevier Science Publishers Ltd

applied to new accounts, one of which applied to possible cash frauds and a third which applied to the run-of-the-mill type of transaction -we call it the ‘Spending Model’ for want of a better phrase. These were used to trial the system in December 1989, and the outputs used to refine the knowledge during 1990. The techniques used to build these models are new, both for KBS technology and for the KADS method. The integration of synthesized knowledge, on the basis of case studies that have their roots in real world examples, has shown that it is not necessary to have an expert -in the mould of Red Adair, or Sherlock Holmes on tap in order to describe significant knowledge-based tasks. Neither is it necessary to model an existing function within an organization - there may be significant benefit in placing a new ‘quick and dirty’ function at an earlier stage of the information flow in an organization. What Fraudwatch

does

Fraudwatch is made up of two programs, Select and Assess, shown diagrammatically below. Working in accordance with the batch processing methods of the master work groups,

9

Computer Fraud & Security Bulletin

May 1991

any account that has a transaction posted to it during a batch update is ‘considered’ by the

pattern of behaviour. This allows the system to avoid generalities in its detailed processing, and

Select program. This is done to reduce the volume of accounts that will be passed to Assess for further processing. The knowledge encapsulated in Select is necessarily general, and aimed at losing bona fide transactions without losing any potential fraud. It will be appreciated that it is not desirable to give any details of this knowledge. Suffice to say that Select reduces the number of accounts to be further processed by about 90%. Those accounts that pass Select are subsequently assessed according to the three models outlined above. Some of these models are exclusive, in that passing the model negates the requirement for further processing, and some are complementary, in that scores need to be gained from more than one model for a fraud to be positively assessed. All models contain both positive and negative indicators.

to judge a (set of) transaction(s) in relation to their relevant context alone. Transactions per se are not indicative of fraud, but only those which are out of character with the behaviour of a specific account.

Each account that passes through the Select program is assessed entirely upon its own merits and without reference to any other account or

accountswith transactions

I

+

selected accounts

accounts ranked by fraud likelihood

FIGURE 3: Outline of the fraud identification sys tern

10

The first version of Fraudwatch pre-block, third party credit card fraud rate of about one fraud for every thirty output. Upon refinement, we managed hit rate down to one in twenty.

identifies with a hit accounts to get the

At this level it has shown potential savings of up to f 3000 on some accounts, and averages at about f400 across all accounts. For the test periods that we used - March and April 1990 and the sub-set of work groups that the system has been working on, some 67 accounts were (eventually) manually classified as containing fraudulent transactions. During this period, 1120 accounts were output by Fraudwatch, which contained 59 of the 67 frauds. The remaining 8 were unidentifiable because of previous spending patterns and/or size of transaction. This version of the Fraudwatch system went live in November 1990. By the time that the inevitable glitches had been sorted out - “Printer, what printer?” - the system was running smoothly against all Classic and Mastercard accounts from the third week in November onwards. The Christmas rush pushed the system very close to its limits. Transactions processed were reaching close to three million per night, and Fraudwatch was reducing these to 450 accounts output as possible frauds, too many to chase all of them, but still a significant reduction. As Christmas passed, the volumes returned to normal. On a daily basis, Fraudwatch outputs about 150 accounts of which an average of 10 are fraudulent. These results are all the more encouraging as the main body of fraud that the system was intended to identify, cards intercepted before legitimate receipt, has been removed by alternative strategies. The latest version of Fraudwatch has shown three things. Firstly, that fraudulent behaviour can be modelled using KADS modelling techniques;

01991

Elsevier Science Publishers Ltd

May 7997

secondly, that these models are sufficiently dynamic to be able to hit the moving target of changing fraud patterns without critical loss of performance and with a minimum of maintenance; and thirdly, that KBS can provide extra security functionality in areas where there is an absence of expertise. The nature of fraud and the future Fraud is migratory by nature, and it has long been accepted that the first issuer to get effective proactive fraud identification mechanisms in place will reduce the amount of fraud attempted on their cards, as well as catch more of the actual fraud. Barclaycard have gone a long way towards winning that challenge. This ought to ensure that, within a relatively short period of time, all major issuers of credit cards will have some form of proactive fraud identification system. It is unlikely that any changes will be necessary to the structure of the Fraudwatch models, as these are now considered stable, and generic across pre-block fraud. The genericness of the inference models has always been one of the strongest features of the KADS method. In this instance, however, we seem to have a set of models that retain general applicability to fraud while at the same time being rather more instantiated with real world knowledge than is usually the case. This level of real world knowledge is representative of the ‘common sense’ knowledge which it has proven most difficult to capture in computer systems in general, and KBS in particular. It is the kind of knowledge which is transparent once conveyed - like not walking backwards when using a mine detector, or always varnishing a floor from the corners towards the door - although it may not have been ‘known’ without a context. Having captured this knowledge, it leads us to believe that this type of system can be developed over a number of similar applications, with real cost benefits available without the full cost of development being incurred every time. This does not indicate that short cuts may be taken during scoping and analysis, but rather that appropriate inference models can have some content stored within

01991

Elsevier Science Publishers Ltd

Computer Fraud & Security Bulletin

them, to act as guidance in future developments. This avenue of development is the future of Fraudwatch. Conclusion Fraudwatch is the first of a new generation of computer systems, based upon a thorough and methodical KADS analysis of a business problem, developed according to the best practices of software engineering, and integrated with existing mainframe DP systems, which also happens to be a KBS, and utilizes some Artificial Intelligence methods. Fraudwatch took about three man years to develop, from concept to final test version. Of these three years, about three man months were spent on coding - including learning how to use the package - nine man months were spent on the design of the system and eighteen man months were spent on knowledge acquisition and analysis. The rest was taken up with tasks not directly related to the development of the system, such as deciding what to do with the output produced by Fraudwatch, and how to measure the cost benefits of the system. It is to be anticipated that Fraudwatch will develop further over time, and this may have an effect on the nature of fraud, over and above the combined effect of a number of fraud identification KBS. If fraud migrates, it is because patterns of fraud take time to detect, and the same modus operandi can be deployed against one issuer after another, with roughly the same length of fraud ‘life’ for each. However, a community of issuers that all have fraud identification KBS based. upon the same generic models would be able quickly to install the same specific knowledge regarding changes in fraud patterns, if that knowledge was made generally available. This would have the effect of reducing fraud, even if only for the time it took organized fraud to come up with a different modus operandi. In actuality, the number of ways in which a credit card can be used fraudulently are limited, and most fraud is simply the rearranging of previously developed patterns. If the issuer community was prepared to fund the identification and dissemination of these patterns, and the upkeep of the knowledge

11

Computer Fraud & Security Bulletin

May 1991

underpinning them, KBS could virtually eliminate the fraudulent use of credit cards. Bibliography Hickman, F., Killin, J., Land, L., Mulhall, T., Porter, D. and Taylor, R., Analysis for know/edge-based systems: A practical introduction to the KADS methodology, Ellis Horwood, Chichester, 1989. Taylor, Ft. (ed), Porter, D., Hickman, F., Streng, K-H., Tansley, S. and Dorbes, G., System evolution - principles and methods, Deliverable G9, ESPRIT Project 1098, The Knowledge-Based Systems Centre of Touche Ross Management Consultants, 1989. and Taylor, R., A Porter, D. know/edge-based system for identifying credit card fraud, in research and development in expert systems VII: Proceedings of the tenth annual technical conference of the BCS SGES. Cambridge University Press, 1990.

IT SECURITY IN THE 1990s THE MANAGEMENT

OF CHANGE Dr Ken Wong PA Consulting,

UK

Many businesses will be going through some challenging times ahead. With the current economic recession seeing no signs of abatement, margins are squeezed. IT is being channelled to effect cost containment and improve business efficiency. Any spending on security is likely to be curtailed. New technology is being harnessed to provide an enabling vehicle to improve customer service, and move into unchartered waters to explore new business opportunities. New applications such as EDI, image processing and lap top computers also bring new risks to the organization. Some of the risks could directly impact the bottom line.

12

Electronic

data interchange

A major shift in corporate IT emphasis is the increasing move to share a common network with outside organizations. They may be the company’s suppliers, customers, business associates or even competitors. Electronic Data Interchange (EDI) among business partners is now accepted as a means to bring the services and products closer to customers. For instance, by sharing data and networking with the motor manufacturer, a car dealer can make last minute changes to a vehicle’s specifications, to accommodate a customer’s up-to-date requirements. By sharing a network with suppliers and customers, a manufacturer could benefit from the introduction of Just In Time techniques in the manufacturing process, to cut down on raw material stocks and only produce to order. However, the advantage obtained from speeding up the data interchange between business partners via paperless means could well be eroded through inadequate controls to maintain the integrity of such data interchange. If there is poor audit trail and poor error detection and recovery in the system, temporary failings in the hardware, software, power supply or operations staff could result in data drop out, duplication of data transfer, or data errors. Relationships between business partners could be seriously strained if loss liabilities resulting from data discrepancies are not satisfactorily resolved. Suppose the EDI system becomes disrupted. The failure could directly affect the company’s manufacturing capability. This is because the process is based on online capture of product demands to produce the goods required by timely stock replenishment from online links with suppliers. Suppose the EDI business data was misrouted to another trading partner or customer, say through a glitch in the hardware or software, or from human failings. Any commercial in-confidence business arrangements could be threatened with unintentional exposure to interested parties. This could lead to acute embarrassment if profit

01991

Elsevier Science Publishers Ltd