Internet platforms need a frictionless solution to fight the fakes
On the Internet, the old adage, nobody knows you are a dog, can still ring true. All of the major Internet platforms, with the partial exception of Apple, are fighting frauds and fakes. That’s generally because these platforms either allow users to remain anonymous or because they use lax authentication systems that prioritise ease-of-use over rigour. Some people then use the cloak of anonymity in many different ways, such as writing glowing reviews of products they have never used on Amazon (in return for a payment) or enthusiastic reviews of restaurants owned by friends on Tripadvisor. Even the platforms that require users to register financial details are open to abuse. There have been reports of multiple scams on eBay, while regulators have alleged there has been widespread sharing of Uber accounts among drivers in London and other cities.
At the same time, Facebook/WhatsApp, Google/YouTube, Twitter and other social media services are experiencing a deluge of fake news, some of which can be very damaging for society. There has been a mountain of misinformation relating to COVID-19 circulating on social media, such as the notion that if you can hold your breath for 10 seconds, you don’t have the virus. Fake news is alleged to have distorted the outcome of the U.S. presidential election and the Brexit referendum in the U.K.
In essence, the popularity of the major Internet platforms has made them a target for unscrupulous people who want to propagate their world views, promote their products and services, discredit rivals and have ulterior (and potentially criminal) motives for participating in the gig economy.
Although all the leading Internet platforms use tools and reporting mechanisms to combat misuse, they are still beset with problems. In reality, these platforms are walking a tightrope – if they make authentication procedures too cumbersome, they risk losing users to rival platforms, while also incurring additional costs. But if they allow a free-for-all in which anonymity reigns, they risk a major loss of trust in their services.
In STL Partners’ view, the best way to walk this tightrope is to use invisible authentication – the background monitoring of behavioural data to detect suspicious activities. In other words, you keep the Internet platform very open and easy-to-use, but algorithms process the incoming data and learn to detect the patterns that signal potential frauds or fakes. If this idea were taken to an extreme, online interactions and transactions could become completely frictionless. Rather than asking a person to enter a username and password to access a service, they can be identified through the device they are using, their location, the pattern of keystrokes and which features they access once they are logged in. However, the effectiveness of such systems depends heavily on the quality and quantity of data they are feeding on.
In come telcos
This report explores how telcos could use their existing systems and data to help the major Internet companies to build better systems to protect the integrity of their platforms.
It also considers the extent to which telcos will need to work together to effectively fight fraud, just as they do to combat telecoms-related fraud and prevent stolen phones from being used across networks. For most use cases, the telcos in each national market will generally need to provide a common gateway through which a third party could check attributes of the user of a specific mobile phone number. As they plot their way out of the current pandemic, governments are increasingly likely to call for such gateways to help them track the spread of COVID-19 and identify people who may have become infected.
Using big data to combat fraud
In the financial services sector, artificial intelligence (AI) is now widely used to help detect potentially fraudulent financial transactions. Learning from real-world examples, neural networks can detect the behavioural patterns associated with fraud and how they are changing over time. They can then create a dynamic set of thresholds that can be used to trigger alarms, which could prompt a bank to decline a transaction.
In a white paper published in 2019, IBM claimed its AI and cognitive solutions are having a major impact on transaction monitoring and payment fraud modelling. In one of several case studies, the paper describes how the National Payment Switch in France (STET) is using behavioural information to reduce fraud losses by US$100 million annually. Owned by a consortium of financial institutions, STET processes more than 30 billion credit and debit card, cross-border, domestic and on-us payments annually.
STET now assesses the fraud risk for every authorisation request in real time. The white paper says IBM’s Safer Payments system generates a risk score, which is then passed to banks, issuers and acquirers, which combine it with customer information to make a decision on whether to clear or decline the transaction. IBM claims the system can process up to 1,200 transactions per second, and can compute a risk score in less than 10 milliseconds. While STET itself doesn’t have any customer data or data from other payment channels, the IBM system looks across all transactions, countrywide, as well as creating “deep behavioural profiles for millions of cards and merchants.”
Telcos, or at least the connectivity they provide, are also helping banks combat fraud. If they think a transaction is suspicious, banks will increasingly send a text message or call a customer’s phone to check whether they have actually initiated the transaction. Now, some telcos, such as O2 in the UK, are making this process more robust by enabling banks to check whether the user’s SIM card has been swapped between devices recently or if any call diverts are active – criminals sometimes pose as a specific customer to request a new SIM. All calls and texts to the number are then routed to the SIM in the fraudster’s control, enabling them to activate codes or authorisations needed for online bank transfers, such as a one-time PINs or passwords.
As described below, this is one of the use cases supported by Mobile Connect, a specification developed by the GSMA, to enable mobile operators to take a consistent approach to providing third parties with identification, authentication and attribute-sharing services. The idea behind Mobile Connect is that a third party, such as a bank, can access these services regardless of which operator their customer subscribes to.
Adapting telco authentication for Amazon, Uber and Airbnb
Telcos could also provide Internet platforms, such as Amazon, Uber and Airbnb, with identification, authentication and attribute-sharing services that will help to shore up trust in their services. Building on their nascent anti-fraud offerings for the financial services industry, telcos could act as intermediaries, authenticating specific attributes of an individual without actually sharing personal data with the platform.
STL Partners has identified four broad data sets telcos could use to help combat fraud:
- Account activity – checking which individual owns which SIM card and that the SIM hasn’t been swapped recently;
- Movement patterns – tracking where people are and where they travel frequently to help identify if they are who they say they are;
- Contact patterns – establishing which individuals come into contact with each other regularly;
- Spending patterns – monitoring how much money an individual spends on telecoms services.
Table of contents
- Executive Summary
- Using big data to combat fraud
- Account activity
- Movement patterns
- Contact patterns
- Spending patterns
- Caveats and considerations
- Limited progress so far
- Patchy adoption of Mobile Connect
- Mobile identification in the UK
- Turkcell employs machine learning
- Big Internet use cases
- Amazon – grappling with fake product reviews
- Facebook and eBay – also need to clampdown
- Google Maps and Tripadvisor – targets for fake reviews
- Uber – serious safety concerns
- Airbnb – balancing the interests of hosts and guests