Francesco Fabbrocino of Dunmor presented at today’s SoCal Tech Forum at FoundrSpace in Rancho Cucamonga, California. His topic? Technology in FinTech/Fraud Detection. I covered his entire presentation in a running LinkedIn post, but I’d like to focus on one portion here—and my caveat to one of his five rules of fraud detection. (Four-letter word warning.)
The five rules
In the style of Fight Club, Fabbrocino listed his five rules of fraud detection:
1. Nearly all fraud is based on impersonation.
2. Never expose your fraud prevention techniques.
3. Preventing fraud usually increases friction.
4. Fraud prevention is a business strategy.
5. Whatever you do, fraudsters will adapt to it.
All good points. But I want to dig into rule 2, which is valid…to a point.
Rule 2
If the fraudster presents three different identity verification or authentication factors, and one of them fails, there’s no need to tell the fraudster which one failed. Bad password? Don’t volunteer that information.
In fact, under certain circumstances you may not have to reveal the failure at all. If you are certain this is a fraud attempt, let the fraudster believe that the transaction (such as a wire transfer) was successful. The fraudster will learn the truth soon enough: if not in this fraud attempt, perhaps in the next one.
But “never” is a strong word, and there are some times when you MUST expose your fraud prevention techniques. Let me provide an example.
Biometric time cards
One common type of fraud is time card fraud, in which an employee claims to start work at 8:00, even though he didn’t show up for work until 8:15. How do you fool the time clock? By buddy punching, where your friend inserts your time card into the time clock precisely at 8, even though you’re not present.
Enter biometric time clocks, in which a worker must use their finger, palm, face, iris, or voice to punch in and out. It’s very hard for your buddy to have your biometric, so this decreases time clock fraud significantly.
The four-letter word
Unless you’re an employer in Illinois, or a biometric time clock vendor to employers in Illinois.
And you fail to inform the employees of the purpose for collecting biometrics, and obtain the employees’ explicit consent to collect biometrics for this purpose.
Because that’s a violation of BIPA, Illinois’ Biometric Information Privacy Act. And you can be liable for damages for violating it.
In a case like this, or a case in a jurisdiction governed by some other privacy law, you HAVE to “expose” that you are using an individual’s biometrics as a fraud prevention techniques.
But if there’s no law to the contrary, obfuscate at will.
Communicating your anti-fraud solution
Now there are a number of companies that fight the many types of fraud that Fabbrocino mentioned. But these companies need to ensure that their prospects and clients understand the benefits of their anti-fraud solutions.
That’s where Bredemarket can help.
As a product marketing consultant, I help identity, biometric, and technology firms market their products to their end clients.
And I can help your firm also.
Read about Bredemarket’s content for tech marketers and book a free meeting with me to discuss your needs.
More information:
Bredemarket 