How SuperSynthetic identities carry out modern day bank robberies

The use cases for generative AI continue to proliferate. Need a vegan-friendly recipe for chocolate cookies that doesn’t require refined sugar? Done. Need to generate an image of Chuck Norris holding a piglet? You got it.

However, not all Gen AI use cases are so innocuous. Fraudsters are joining the party and developing tools like WormGPT and FraudGPT to launch sophisticated cyberattacks that are significantly more dangerous and accessible. Consumer and enterprise companies alike are on high alert, but fintech organizations really need to upgrade their “bot-y” armor.

Each new wave of bots grows increasingly stronger and brings its unique share of challenges to the table—none more than synthetic “Frankenstein” identities consisting of real and fake PII data. But, alas, the next evolution of synthetic identities has entered the fray: SuperSynthetic™ identities.

Let’s take a closer look at how these SuperSynthetic bots came to be, how they can effortlessly defraud banks, and how banks need to change their account opening workflows.

The evolution of bots

Before we dive into SuperSynthetic bots and the danger they pose to banks, it’s helpful to cover how we got to this point.

Throughout the evolution of bots we’ve seen the good, the bad, and the downright nefarious. Well-behaved bots like web crawlers and chatbots help improve website or app performance; naughty bots crash websites, harm the customer experience and, worst of all, steal money from businesses and consumers.

The evolutionary bot chart looks like this:

Generation One: These bots are capable of basic scripting and automated maneuvers. Primarily they scrape, spam, and perform fake actions on social media apps (comments, likes, etc.).

Generation Two: Web analytics, user interface automation, and other tools that enable the automation of website development.

Generation Three: This wave of bots adopted complex machine learning algorithms, allowing for the analysis of user behavior to boost website or app performance.

Generation Four: These bots laid the groundwork for SuperSynthetics. They’re highly effective at simulating human behavior while staying off radar.

Generation Five: SuperSynthetic bots with a level of sophistication that negates the need to execute a brute force attack hoping for a fractional chance of success. Individualistic finesse, combined with the bad actor’s willingness to play the long game, makes these bots undetectable by conventional bot mitigation and synthetic fraud detection strategies.

Playing the slow game

So, how have SuperSynthetics emerged as the most formidable bank robbers yet? It’s more artifice than bull rush.

Over time, a SuperSynthetic bot uses its AI-generated identity to deposit small amounts of money via Zelle, ACH, or another digital payments app while interacting with various website functions. The bot’s meager deposits accumulate over the course of several months, and regular access to its bank account to “check its balance” earns the reputation of a “customer in good standing.” Its credit risk worthiness score increases and an offer of a credit card or a personal, unsecured loan is extended.

At this point it’s hook, line, and sinker. The bank deposits the loan amount or issues the credit card and the fraudster transfers it out, along with their seed funds, and moves on to the next unsuspecting bank. This is a cunning, slow-burn operation only a SuperSynthetic identity can successfully carry out at scale. Deduce estimates that between 3% and 5% of accounts onboarded within the past year at financial services and fintech institutions are in fact SuperSynthetic Sleeper identities.

Such patience and craftiness are unprecedented in a bot. Stonewalling SuperSynthetics takes an equally novel approach.

A change in philosophy

Traditional synthetic fraud prevention solutions won’t detect SuperSynthetic identities. Built around static data, these tools lack the dynamic, real-time data and scale needed to sniff out an AI-generated identity. Even manual review processes and tools like DocV are no match as deepfake AI methods can create realistic documents and even live video interviews.

An individualistic approach offers little resistance to SuperSynthetic bots.

Fundamentally, these static-based tools take an individualistic approach to stopping fraud. The data that’s pulled from a range of sources during the verification phase is only analyzing one identity at a time. In this case, a SuperSynthetic identity will appear legitimate and pass all the verification checks. Fraudulent patterns missed. Digital forensic footprints overlooked.

A philosophical change in fraud prevention is foundational to banks keeping SuperSynthetic bots out of their pockets. Verifying identities as a collective group, or signature, is the only viable option.

A view from the top

Things always look different from the top floor. In the case of spotting and neutralizing SuperSynthetic identities, a big-picture perspective reveals digital footprints otherwise obscured by an individualistic anti-fraud tool.

A bird’s-eye view that groups identities into a single signature uncovers suspicious evidence such as simultaneous social media posts, concurrent account actions, matching time-of-day and day-of-week activities, and other telltale signs of fraud. Considering the millions of fraudulent identities in the mix, it’s illogical to attribute this evidence to mere happenstance.

There’s no denying that SuperSynthetic identities have arrived. No prior iteration of bot has ever appeared so lifelike and operated with such precision. If banks want to protect their margins and user experience, verifying identity via a signature approach is a must. This does require bundling existing fraud prevention stacks with ample (and scalable) real-time identity intelligence, but the first step in thwarting SuperSynthetics is an ideological one: co-opt the signature strategy.

How a top-down approach can unmask AI-generated fraudsters

Whichever side of the AI debate you’re on, there’s no denying that AI is here to stay and has barely started to tap its potential.

AI makes life easier on consumers and businesses alike. However, the proliferation of AI-based tools helps fraudsters as well.

As the AI arms race heats up, one emerging threat that’s tormenting businesses is AI-generated identity fraud. With help from generative AI, fraudsters can easily use previously acquired PII (Personally Identifiable Information) to establish a credible online identity that appears human-like, replete with an OK credit history, then leverage deepfakes to legitimize a synthetic identity with documents, voice, and video. As of April 2023, audio and video deepfakes alone have duped one-third of companies.

Without the proper fortification in place, financial services and fintech businesses are prime targets for AI-generated identities, new account opening fraud, and the resultant revenue loss.

The (multi)billion-dollar question is, how do these companies fight back when AI-generated identities are seemingly indistinguishable from real customers?

Playing the long game

There are several ways in which AI helps create synthetic identities.

For one, social engineering and phishing with AI-powered tools is as easy as “PII.” Generative AI can crank out a malicious yet convincing email or deepfake a document or voice to obtain personal info. In terms of scalability, fraudsters can now manage thousands of fake identities at once thanks to AI-assisted CRMs and marketing automation software and purpose-built platforms for committing fraud such as FraudGPT and WormGPT. Thousands of synthetics creating “aged” and geo-located email addresses, signing up for newsletters, and making social media profiles and other accounts—all on autopilot. This unparalleled sophistication is the hallmark of an even more formidable synthetic identity: the SuperSynthetic™ identity.

Thanks to AI’s automation and effective utilization of previously stolen PII data, SuperSynthetic identities can assemble a credible trail of online activity. But these SuperSynthetics have a credible (maybe not an 850 but a solid 700) credit history, too. Therein lies the other challenge with AI-generated identity fraud: the human bad actors behind the computer or phone screen, pulling the strings, are remarkably patient. They’ll invest actual money by making deposits over time into a newly opened bank account, or make small purchases on a retailer’s website to build “existing customer” status, to gradually forge a bogus identity that lands them North of $15K (according to the FTC, a net ROI of thousands of dollars). AI-generated fraud is a very profitable business.

The chart above shows how a fraudster boosts credibility for an identity both online and with credit history before opening a credit card or loan, or even transacting via BNPL (Buy Now Pay Later). They sign up for cheap mobile phone plans, such as Boost, Mint, or Cricket, or make small pre-paid debit card donations to charities linked to their social security number. They can even use AI to find rental vacancies in MLS listings in a geography that maps to their aged and geo-located legend, in order to establish an online activity history of paying utility bills. The patience, calculation, and cunning of these fraudsters is striking—and just as dangerous as the AI that fuels their SuperSynthetic identities.

Looking at the big picture

Neutralizing AI-generated identity fraud requires a new approach. Traditional bot mitigation and synthetic fraud prevention solutions reliant upon static data about a single identity need some extra oomph to stonewall persuasive SuperSynthetics.

These static data-based tools lack the dynamic, real-time data and scale necessary to pick up the scent of AI-generated identity fraud. Patterns and digital forensic footprints get overlooked, and the sophistication of these fake identities even outflanks manual review processes and tools like DocV.

The bigger problem is that, when today’s anti-fraud solutions pull data from a range of sources during the verification phase, they’re doing so on an individual identity basis. Why is this problematic? Because a SuperSynthetic identity on its own will look legitimate and pass all the verification checks—including a manual review, the last bastion of fraud prevention. However, analyzing that same identity from a high-level vantage point changes everything. The identity is revealed to be a member of a larger signature of SuperSynthetic identities. Like a black light, this bird’s-eye view uncovers previously obscured, digital forensic evidence. 

But what does this evidence even look like? And what does it take to transition from an individualistic to a signature-centered approach?

The key to the evidence locker

AI-generated SuperSynthetic identities leave behind a variety of digital fingerprints or signatures. A top-down view reveals suspicious patterns across millions of fraudulent identities that are too identical to be a coincidence. 

For example, if the same three identities post a comment on the New York Times website every Tuesday morning at 7:32 a.m. PST, the chances these are three humans are infinitesimally small and therefore it’s clear that each is in fact SuperSynthetic.
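The group-level check described above can be sketched as follows. This is an added example, not code from the article or from Deduce; the identity names, site names, thresholds, and event data are all constructed for illustration, and timestamps are assumed to be normalised to one time zone.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def find_signatures(events, min_identities=3, min_weeks=3):
    """Group identities that repeat the same (site, weekday, hour, minute)
    action in the same calendar weeks.

    events: iterable of (identity_id, site, datetime).
    The thresholds are illustrative assumptions, not values from the article.
    """
    # slot -> identity -> set of ISO (year, week) in which the identity hit that slot
    seen = defaultdict(lambda: defaultdict(set))
    for identity, site, ts in events:
        slot = (site, ts.weekday(), ts.hour, ts.minute)
        iso = ts.isocalendar()
        seen[slot][identity].add((iso[0], iso[1]))

    signatures = []
    for slot, by_identity in seen.items():
        # One identity with a fixed habit is not evidence. Keep only identities
        # that recur in this slot, then require several of them together.
        regulars = {i: w for i, w in by_identity.items() if len(w) >= min_weeks}
        if len(regulars) < min_identities:
            continue
        # Weeks in which every recurring identity acted in the same minute.
        shared_weeks = set.intersection(*regulars.values())
        if len(shared_weeks) >= min_weeks:
            signatures.append({
                "slot": slot,
                "identities": sorted(regulars),
                "shared_weeks": len(shared_weeks),
            })
    return sorted(signatures, key=lambda s: s["slot"])


def build_sample_events():
    """Constructed sample data: three scripted identities plus two ordinary users."""
    events = []
    first_tuesday = datetime(2024, 1, 2, 7, 32)  # a Tuesday, 07:32
    for week in range(4):
        when = first_tuesday + timedelta(weeks=week)
        for identity in ("id-A", "id-B", "id-C"):
            events.append((identity, "news-site.example", when))
    # id-H1 also comments on Tuesdays, but at a different minute each week.
    for week, (hour, minute) in enumerate([(7, 32), (8, 10), (7, 55), (9, 1)]):
        when = datetime(2024, 1, 2, hour, minute) + timedelta(weeks=week)
        events.append(("id-H1", "news-site.example", when))
    # id-H2 has a fixed weekly habit, but no other identity shares it.
    for week in range(4):
        when = datetime(2024, 1, 5, 18, 5) + timedelta(weeks=week)
        events.append(("id-H2", "forum.example", when))
    return events


if __name__ == "__main__":
    for sig in find_signatures(build_sample_events()):
        print(sig)
```

Each of the three scripted identities posts only once a week, so a per-identity review sees nothing unusual; the pattern appears only when the events are grouped by slot across identities.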

Switching over to a top-down approach isn’t merely a philosophical change. Unlocking the requisite evidence to thwart AI-generated identities demands premium identity intelligence at scale, combined with sophisticated ML that gathers and analyzes large swaths of real-time data from diverse sources.

In short, an activity-based, real-time identity graph capable of sifting through hundreds of millions of identities.

Protect your margins (and UX)

A ginormous real-time identity graph rivaling the likes of big tech? This may seem like an unrealistic path to stopping AI-generated identities. It isn’t.

Deduce employs the largest identity graph in the US: 780 million US privacy-compliant identity profiles and 1.5 billion daily user events across 150,000+ websites and apps. Additionally, Deduce has previously seen 89% of new users at the account creation stage—where AI-generated synthetics typically pass through undetected—and 43% of these users hours before they enter the new account portal.

Deduce’s premium identity intelligence, patented technology, and formidable ML algorithms enable a multi-contextualized, top-down approach. Identities are analyzed against signatures of synthetic fraudsters—hundreds of millions of them—to ensure they’re the real McCoy. It’s a far superior alternative to overtightening existing risk models and causing unnecessary friction followed by churn, reputational harm, and revenue loss.

Want to outsmart AI-generated identity fraud while preserving a trusted user experience? Contact us today.

In the war against digital goods fraud, real-time is the only time

Today’s customer wants it, and they want it now. But, until teleportation becomes a reality, purchasing physical products online won’t satisfy their need for instant gratification. This is a big reason why digital goods purchases jumped 51% from 2020 to 2021, and, at last check, 65% in 2022.

The instant delivery of digital goods—software, event tickets, and especially online gift cards—spells trouble for e-commerce companies. Whereas physical merchandise often provides a multi-day delivery buffer allowing ample time for fraud detection and investigation, digital download products require an immediate decision on fraud. This overburdens the majority of fraud stacks and gives fraudsters the upper hand.

How can e-commerce merchants effectively combat digital goods fraud at scale—and steer clear of false positives—when these purchases demand a snap judgment?

The digital goods dilemma

Analysts anticipate that e-commerce merchants will lose about $24 billion to online payments fraud by 2024. Along with other types of e-commerce fraud, such as friendly fraud, new account fraud, and account takeover (ATO), digital goods fraud will wreak havoc in its own right.

Unlike purchasing physical products online, the instantaneous nature of buying digital products presents unique challenges:

Immediate delivery. With digital goods arriving to customers in mere seconds, e-commerce companies with traditional fraud stacks can’t review orders, successfully sniff out fraudulent transactions, or initiate manual reviews. It’s real-time or nothing, approve or reject.

False positives. Split-second approval times depend on strict guidelines to determine if digital goods customers are legit. Because fraud is so prevalent, e-tailers have tightened up security protocols more than ever and given rise to false positives. Wrongly identifying customers is the fast track to churn and lost revenue.

Lack of data. For merchants with an outdated fraud stack, or one that is based solely on transaction records or static data, digital goods purchases don’t provide nearly enough real-time data to accurately verify a transaction. No phone number, no physical address, no transaction history. Seasoned bad actors can easily deploy their arsenal of stolen or fake emails, combined with stolen credit card numbers, and mask their identities via proxy servers.

Whether a company is selling physical or digital products online, today’s lofty user experience (UX) expectations remain intact. Many customers are too impatient for passwords and confirmation emails and one-time passcodes (OTP). UX potholes typically lead to reputational blemishes and churn. E-gift cards, one of the more popular digital purchases, can cause similar damage if fraudsters get a hold of them.

E-gift cards leading the pack

E-gift cards, arguably, are public enemy number one in the war against digital goods fraud. In-store gift cards and e-gift card sales are expected to exceed $238 million by 2025. Given our increasingly online world and the growing consumer need for instant gratification, e-gift cards will likely comprise most of these sales. And, just as likely, a significant portion of e-gift card “customers” will be fraudsters.

Fraudsters purchase online gift cards using stolen payment info. More often than not their intention is to either resell the gift card for profit, or use it to launder money by using a stolen credit card to buy a legitimate debit card or merchandise gift card. E-gift cards are a win-win-win for bad actors: they are easy to obtain, easy to redeem, and practically untraceable since they require little to no personal data at checkout (usually just payment details and an email). Armed with their new legitimate digital card, a fraudster can enter a store and purchase a high-ticket product such as a flat screen TV or computer with no chance that the transaction will fail at checkout. 

All digital goods fraud is bad news for e-tailers, but the effects of e-gift card fraud are particularly devastating. Chargebacks, customer experience issues, lost inventory. If consumers buy online gift cards from fraudsters and redeem them, companies, in most cases, will have to eat the cost of these transactions.

And don’t forget about the reputational impact. Similar to the fallout from false positives, victims of online gift card fraud, none too pleased with the merchant, will probably take their future business elsewhere.

Fraud detection in a flash

Unfortunately for online merchants, fraud risk, and the demand for digital goods and instant gratification, have reached an all-time high.

Fortunately for online merchants, the real-time data needed to thwart digital goods fraud, and approve genuine customers, is not the stuff of make-believe.

Deduce equips e-commerce vendors with the breadth of real-time, multi-dimensional identity intelligence and speed to approve or deny digital goods transactions at scale. When e-tailers layer Deduce on top of their existing fraud stack, they’re tapping into a network of 660 million US privacy-compliant identity profiles and 1.5 billion daily user activity events across 150,000+ websites and apps. Unlike transaction-specific identity data, Deduce captures a wide range of online activity (banking, gaming, communicating, browsing, shopping, etc.) for every identity. In many cases Deduce will have seen the customer within hours of their checkout and will know if the identity is legitimate or fraudulent. Stripped-down as digital goods purchases are—no phone number, no address, etc.—Deduce’s network still possesses enough real-time and historical data to determine if a user is the real deal.

To date, Deduce has seen close to 90% of customers within its network. So, if Deduce doesn’t recognize an identity, chances are that prospective digital goods customer is up to no good—or, at the very least, should be given a closer look. Multiple customers confirm that fraud is 10 times more likely if Deduce has not previously seen an identity on the network. On the other hand, Deduce’s real-time data ensures good customers are identified as such, and don’t fall victim to rigid fraud guidelines.

Real-time data, sourced from the largest identity graph in the US, is the only viable means of fighting digital goods fraud and keeping legitimate customers happy.

Contact us today and see why there’s no time like real-time.

A preemptive and UX-friendly approach to credit funnel optimization

It’s one thing to Know Your Customer; it’s another to Know Your Con-Artist. KYC checks, ostensibly, prevent banks from doing business with bad actors, but doing so requires neutralizing fraudsters at the point of entry, before they’re able to apply for a loan.

In other words: early bird gets the fraudster.

A preemptive strategy is the only realistic way to effectively prevent credit application fraud—when a fraudster submits personally identifiable information (PII) to apply for credit (credit card, loan, etc.). This approach saves banks from running costly, unnecessary credit checks on fraudsters, and ensures genuine customers are identified up front and not wrongfully declined. It also curbs the risk of fraudsters slipping through the credit application process scot-free. In a 2018 study, one major North American bank issued 1,400 credit cards per month to fraudsters—a loss of ~$500,000 per month.

But is spotting fraud pre-credit application, before the verification stage, even feasible?

A never-ending money hole

Before we discuss the practicality of shutting down fraudsters pre-credit application, let’s look at the two glaring downsides of not adopting this approach. Problem number one: credit application fraud can be a significant money pit (and time suck) for banks.

Running a credit application through third-party sources—namely, multiple credit bureaus—can cost between $3-5 per application. The fraudster may then be asked to verify their document, a fabricated driver’s license matching their details, which costs the bank another $3-4 per applicant. Manual review alone can cost another $50-75. And, since synthetic identity fraud is now the largest form of identity fraud in the country, there’s a good chance banks could be chasing a made-up, nonexistent entity.

Synthetic identity fraudsters, whose fake identities are stitched together using bits and pieces from real identities, exploit the very processes that banks and fraud solutions rely on. For example, most banks look for static PII data such as a social security number or date of birth when analyzing credit applications, which is easily obtainable from the dark web. Additionally, synthetic fraudsters will often apply for credit with two lenders to compensate for the identity’s lack of credit history. Ironically, the first lender’s rejection of credit will usually initiate a credit file that enables the second credit application to go through. Low credit limits? Synthetics can work around that, too. A few small transactions here and there, paid off at the end of the month, and they can steadily increase their spending limit until it’s worthwhile to cash out.

A churn for the worst

Not detecting fraud until after the credit application process lets more fraudsters in. It also keeps more good users out.

For instance, geography is a common false positive trigger if a user has recently moved. After this user fills in their basic info, including their address, and creates an account, you can almost guarantee a red flag from the credit bureau. The new address doesn’t match what’s on file. Next step? Document verification. And if users are still around at that point, banks should count their lucky stars.

Legitimate users with thin files are the most likely to get declined. “Thin file” refers to applicants whose credit history is so sparse that standard fraud prevention tools lack the data to calculate risk. A thin file applicant might be a student applying for their first credit card. Other examples include immigrants without credit history in the US; consumers who haven’t used credit in a long time; and people who predominantly use cash over credit.

According to an Experian report, about 62 million Americans have a thin file.

Unlike synthetic fraudsters, who are cunning enough to establish a semblance of credit history by applying to multiple lenders, genuine identities with thin files are often automatically declined. Many of these rejected users will apply to another bank, resulting in churn and lost revenue. Even worse, a substantial amount of unfair declines could harm a bank’s reputation over the long term.

It starts at the top

We’ve established that preventing credit application fraud and false positive declines isn’t tenable unless banks act before applicants apply for credit. But rearranging the UX and security for the credit application process isn’t entirely an in-house operation. It requires assistance from a powerful and highly intelligent first line of defense, with a data stack that rivals the FAANG gang.

Deduce’s real-time identity network fits the description: 660 million US privacy-compliant identity profiles and 1.5 billion daily user events across 150,000+ websites and apps. With this magnitude of data powering their credit app fraud prevention efforts, banks can identify fraudsters and legitimate users pre-credit application, effectively bridging security and UX.

Deduce’s approach to preventing credit application fraud

As illustrated in the graphic above, if the Deduce Identity Network deems the user a fraudster, they’re sent to a landing page devoid of a loan or credit application option; if the user is legit, they’re presented with a list of loan or credit options that fit their needs. This is credit funnel optimization done right.

It’s no wonder that some leading financial institutions, such as SoFi, have adopted this preemptive, highly optimized approach to their credit application journeys. Aside from thwarting fraudsters and false positives, and improving conversion rates, checking for fraud upfront assists marketing efforts. If a new user is determined to be genuine but rejected because of their credit score, the initial collection of their contact info allows banks to keep in touch. That way, users aren’t lost in the sauce and can reapply in the future once their credit score reaches the required threshold.

SoFi’s signup page

There’s no better way to shut down credit app fraudsters who’ve grown accustomed to banks’ antifraud processes. Preventing false positives and salvaging quality customers is vital in its own right, and may prove even more so in the grand scheme of things. By placing Deduce at the forefront of your credit app fraud strategy, the marriage of security and UX is indeed possible, and bottom lines will be all the better for it.


Ready to shut the door on credit application fraud? Contact us today and get up and running in a few hours.

How do you verify a customer you’ve never seen before?

Spring is almost here. Sunny days will soon be upon us and it feels like the pandemic is finally tailing off. Seems the perfect time for fraudsters to rain on everyone’s parade and, boy, are they ever!

E-commerce fraud surpassed $41 billion in 2022. A recent bombshell report from the Federal Trade Commission found that fraudsters duped consumers out of $8.8 billion last year, a 44% increase from 2021. Additionally, the volume of phishing attacks grew by more than 175% over the past two years.

Fraud is surging across the board, but one type of fraud—to the chagrin of online merchants—is really riding the wave: first-checkout fraud.

Here is the skinny on what first-checkout fraud is, what makes it extra difficult to stop, and how businesses can solve for the unique problem it presents.

An overlooked threat

Deduce estimates that 71% of fraudulent transactions occur at first checkout or guest checkout. It’s not neuroscience. How are merchants supposed to approve or reject a transaction from a new “customer” with no payment history or outdated static PII data? It’s like playing in the Super Bowl and not having a scouting report on the other team’s players, zero intel on who’s who, their behaviors and tendencies. You can probably guess what team our money is on.

If a purchase involves a physical product, merchants can, of course, reject a first-checkout customer or refer the transaction to manual review. Not enough data? Why not err on the side of caution? But doing so doesn’t equal playing it safe. Sure, you might stop a potentially bogus transaction; however, this runs the risk of a false positive—rejecting a legitimate customer who isn’t likely to return.

Even if a merchant has access to PII data they can cross-reference, such as address and phone number, they’re unlikely to deploy 2FA for mobile shoppers as this added friction is a leading cause of cart abandonment. For similar reasons, thorough phone number verification, in particular, is unlikely if a user is transacting on a home wifi connection (static IP) or shopping on their laptop or tablet. In this scenario, fraudsters who possess a stolen phone number would get the green light as long as the bill-to and ship-to addresses match, though cunning fraudsters—if they aren’t buying digital goods—will opt for curbside pickup, have a product sent to their local FedEx, or contact the shipper and re-route to a different address.

In 2022, new account fraud, which also thrives on a fraudulent user’s anonymity, sucked 6% of revenue from almost 70% of businesses. It’s not far-fetched to believe first-checkout fraud is on a similar trajectory, especially with every kind of fraud having a field day (par for the course amid an economic downturn).

Synthetic shoppers

Another concern for e-tailers struggling with first-checkout fraud is the emergence of “synthetic shoppers.” Synthetic identity fraud, identified by the Federal Reserve as the fastest-growing form of financial fraud in the US, has been wreaking havoc in the online shopping world thanks to readily available PII data on the dark web.

Normally, a synthetic fraudster would stitch together a new “Frankenstein identity” using a combination of someone’s real name and phone number, among other PII, then establish a payment history to build credibility (they may even buy an aged email address). But a synthetic shopper merely needs stolen credit card credentials and a shopper profile they can easily auto-fill with a bot. They can start swindling e-commerce merchants in minutes.

At the core of all of this, though, is the identity intelligence issue. Trying to prevent online fraud with static data alone is problematic in its own right; first-checkout fraud is even more concerning because there’s zero purchase history data to go off of. What’s the fix?

The real-time remedy

To successfully combat first-checkout fraud, online merchants need real-time data. In fact, they need a stockpile of real-time identity intelligence only the upper crust of companies have at their disposal.

That sounds like a tall order, but Deduce can make up the height differential.

By tapping into our network of 680 million US privacy-compliant identity profiles and 1.5 billion daily authenticated user events across 150,000+ websites and apps, Deduce packs enough real-time insights to thwart (or approve) even the most nascent of shoppers. Typically, 89% of your new customers are already familiar to Deduce; 43% of these users have been seen by Deduce just hours before they make their first purchase. 

Deduce leverages real-time data such as device type and ID, geospatial info, and more to ascertain if a first-time buyer is purchasing that flat screen TV or designer handbag legitimately. If a shopper is legitimate, our geospatial intelligence alone can mitigate common false positive drivers that plague first-checkout and returning shoppers alike. For instance, a customer with mismatched bill-to and ship-to addresses won’t be declined if Deduce sees prior history for the buying identity at the ship-to location.

Geospatial identity intelligence at scale helps approve more legitimate transactions and lower operational costs while capturing incremental fraud.

In totality, Deduce’s real-time insights check for email familiarity and ensure a customer’s email and IP, geography and IP, and user history and address match—all at a massive scale. This arms merchants with high-confidence trust scores for first-time and guest checkout shoppers, enabling them to approve more transactions while reducing step-up and manual review costs.

Deduce, which integrates seamlessly with a merchant’s existing fraud stack, also determines the legitimacy of a first-checkout shopper without compromising the user experience. After all, a sluggish UX can turn off a potential customer if a wrongly flagged transaction doesn’t do the trick.

The uptick in online shopping has been a key revenue driver for merchants. The $48 billion in e-commerce fraud losses expected this year will have the opposite effect if mitigating first-checkout fraud isn’t prioritized.

Is your first-checkout engine light on? Contact us today and see how our real-time identity intelligence can accurately approve more legitimate transactions and reduce operational costs while rejecting fraudulent first-time purchases.

Where should journey analytics begin? The beginning.

Your first trip to Disneyland. Graduating high school. Crashing your dad’s red Ferrari. Good or bad, our early life experiences stay with us and shape who we are.

A similar logic applies to the online user experience (UX). Sure, logging in to an app doesn’t warrant a page in the family scrapbook, but, for B2C companies, the early stages of the user journey can go a long way in determining if someone leaves a negative review, abandons checkout, or bails for a competitor.

Despite the importance of delivering a positive user experience early on, journey analytics—how companies measure user interactions—are mostly observed later, or post-authentication. Many brands looking to personalize their in-app experiences neglect the beginning stages of the user journey (account creation and login) where churn and cart abandonment rear their ugly heads.

The impact of a negative authentication experience is startling. It’s imperative for brands to leverage journey analytics early on—from the point your customer hits your webpage, or opens your webOS or native mobile application—and prevent users from entering authentication purgatory.

Journey analytics is the key to customer centricity

For those who don’t read the CXO trades, journey analytics is the means by which companies observe and understand the business impact of users’ decisions. An ideal journey analytics platform enables CX teams to analyze user needs and sentiment at every step of the journey with help from surveys, Net Promoter Scores (Rotten Tomatoes for CX), and social listening (monitoring online discussions about a brand).

In today’s landscape, prioritizing journey analytics is central to building a customer-centric business. It’s the most efficient way to gather direct and indirect feedback and track UX issues in real time.

However, companies that solely track journey analytics post-authentication are missing the mark. A holistic approach to journey analytics—measuring user behavior from the time they visit an app to the time they transact—is far more effective and addresses authentication issues that otherwise get overlooked.

Authentication friction: a grisly sight

To further underscore the importance of tracking journey analytics at the authentication stage, let’s check out the quantified impact of login and signup friction for new and returning users.

We worked with Shawn Johnson, former GVP of Global Product and Design for Discovery+, DiscoveryGO, and NBCUniversal, to rank the negative CX impact of various authentication actions. (The higher the number, the more it detracts from CX.)

First up: new customer friction. In the table below, you’ll notice even seemingly minor actions, such as entering and re-entering an email address, or entering a phone number, hurt CX early in the customer journey. Verifying an email or phone number (-25) is a big no-no.

For returning customers, the authentication process lends itself to many possible CX detractors. The two whoppers—locked account following incorrect password, and false positive credit card decline (-50)—deal the biggest blow to users (and user retention). 

The multiple actions related to an incorrect or forgotten password add up fast. So do other common snags like incorrect email and reCAPTCHA errors, unextended sessions, and the dreaded false positive MFA challenge, when a legitimate customer is subjected to a multi-factor authentication workflow.

At a recent CXO Exchange event, the CXO of a utility company described how 14 percent of inbound calls to the call center were related directly to signup or login problems. Further, 95 percent of customers requesting signup or login assistance from an agent never used the online, self-service features offered by the company again. At an average cost of $27 per call, this has a significant impact on the lifetime service cost of a customer who calls in for support with security-related issues.

One important callout is that new and returning users continue to favor mobile over desktop. Mobile user experiences are more susceptible to friction, namely at the authentication stage, which can exacerbate these friction scores by as much as 20 percent.

(Note: Feel free to download the tables above and keep track of your own CX detractors.)

The business impact of authentication friction

Companies that ignore journey analytics at the authentication stage fall victim to account creation friction (new users) and interrupted sessions (returning users). These issues result in churn, shopping cart abandonment, and other monetary impacts that deal a significant blow to bottom lines.

How significant? Try $1.2 trillion—that’s how much US businesses lost last year due to misidentifying legitimate customers, far more than identity fraud ($95 billion), a serious issue in its own right. (Use our calculator to see how much account creation churn and interrupted user sessions are costing your business.)

A convoluted signup process will always increase the likelihood of account creation abandonment. New users want to plug and play; asking them to verify by email or one-time passcode is an immediate step in the wrong direction. Returning customers, on the other hand, abhor re-authenticating during a browsing session. Per the FIDO Alliance, 60 percent of consumers have ditched an online cart because of password problems, and an accumulation of such friction could lead them to ditch a platform altogether.

Both of these issues begin at the point of entry. Deploying journey analytics early on is a necessity, but it isn’t the cure-all. The solution lies in identity.

Build a culture that reduces UX friction

Making a conscious decision to remove customer friction is part of a “customer first” cultural decision. As such, this can be measured by a corporate OKR (Objective and Key Result) that is owned by everyone in the organization. Importantly, as is common with OKRs, it requires cross-department collaboration where it may not exist today. Specifically, the Design/UX and security/fraud teams should establish KPIs for UX friction and meet regularly to review results and work on improvements.

Using a scoring system similar to the one discussed earlier, set milestones for both user journeys—new and returning users—and proactively reduce friction to as close to zero as possible. One KPI, for example, could be cutting false positive MFAs by 75 percent.

While monitoring user behaviors early in the customer journey is a necessity, it isn’t a deterrent for signup churn and login issues. The real solution lies in identity, specifically real-time identity intelligence.

Real-time identity intelligence (and a lot of it) is how Deduce neutralizes authentication friction so that customer journeys aren’t cut short before they even start. Our identity graph, the largest addressing risk, fraud, and trust in the US, enables us to know if users are legit prior to signup. Risk and trust signals analyze factors like geography and time of day against a user’s known tendencies, device, and network. If everything checks out, the user can zoom past annoying verification steps.

Some of the trust and risk signals Deduce uses to verify identities

Real-time identity intelligence also enables returning users to continue their sessions unimpeded when they come back to a website or app. These extended sessions—known as continuous authentication—keep users logged in so they aren’t booted prior to conversion.

If a new or returning user remembers their experience on an app or website, real-time identity intelligence ensures it’s a fond remembrance and not an angry snowball that builds into an avalanche of displeasure.

Journey analytics is a crucial tool for identifying CX issues at the earliest stages. It helps set goals and KPIs for eliminating these issues. But, when it comes time to smooth over verification speed bumps for new and returning users, ultimately real-time identity intelligence is the steamroller.


Want to treat your customers to The Trusted User Experience? Contact us today to get started.

Fast load times are a given. Now, users desire faster authentication.

You’ve got Mail! Once upon a time, in the America Online years when The Internet Superhighway slowly began to approach Autobahn speeds (you know, 50kb/s), page loading was a big deal. Even into the late aughts, phlegmatic page load times crippled websites. Tech companies and agencies would advertise “More responsive websites make more money” and “You’re losing customers with your page load times.” Website speed was a competitive advantage.

Fast-forward to 2022, and broadband internet in the US is the norm. Dial-up connections are as common as phone books. Page loading times are still important, but not nearly the nuisance they once were. Besides, as of August 2022, the majority of web visits skewed mobile (54% versus desktop’s 46%), and last year 90% of those mobile visits were on apps, not websites. 5G will only tip the scales further.

What does this mean? Simple: it’s time to prioritize user login and authentication. With website page loads no longer a slog, and more users glued to their mobile devices, expediting these processes will ultimately impact retention, conversions, and the user experience at large.

Turbocharging login (and account creation)

Few things grind a user’s gears like login trouble. The chagrin (and potential for churn) is multiplied exponentially if said user is trying to buy popular concert tickets, capitalize on a time-sensitive online sale, or locate an important email.

A major user experience detractor that strikes at the login stage is multi-factor authentication (MFA). The helicopter parenting of account verification, MFA’s added friction is not worth it when more efficient alternatives to preventing account takeover (ATO) are out there. MFA elongates the verification process and flags legitimate users in what is called a false positive challenge—a nightmare on UX Street.

MFA isn’t necessary when companies can identify trusted users via identity intelligence. This Trusted User Experience also unlocks the passwordless approach to login, which negates another customer pain point: password reset.

We’ve all endured the forgotten password song-and-dance, but this rundown from the Stytch blog illustrates just how painful and time consuming the process is:

Step 1: User forgets password.

Step 2: User clicks “Forgot password?” link.

Step 3: User enters email and requests password reset flow.

Step 4: User opens inbox and clicks the password reset link.

Step 5: User creates a new password with a set of 10 elaborate security requirements.

Step 6: User confirms new password.

Step 7: User is redirected to the original login page.

Step 8: User enters username and new, complicated password.

With logged-in session extensions for trusted users backed by continuous authentication, or a passwordless login approach, users won’t need to remember or create a complicated password they’ll likely forget and need to reset later. 

But remember, too, that passwordless login won’t mean squat-diddly if your account creation process is a mess. One QSR company told us that 10 percent of new app signups were lost because of incomplete email verification steps. Speeding up account creation by implementing progressive form-fill and streamlining verification steps is a must—they can’t log in if they don’t exist!

Enabling Continuous Authentication

Once a user creates an account and logs in, a CXO’s job is to keep them logged in. Enabling continuous authentication for trusted users helps do just that, and prevents login issues that can lead to abandoned shopping carts, churn, and reputational harm. Amazon’s continuous authentication feature is perhaps the most well-known example. (Can you remember the last time Amazon asked you to log in?)

Continuous authentication may give security teams the heebie-jeebies, but the same real-time identity intelligence that allows for passwordless login ensures that only real customers are let back in. Various real-time signals across the risk and trust spectrum determine if a customer warrants a session extension cookie and can be sent to checkout.

Companies that utilize Deduce’s continuous authentication enjoy an additional benefit: a user’s identity is always secure, even when they are not actively using a given website or app. For example, if a user’s credentials are breached on another platform within our network—the Deduce Identity Network—that user’s session extension cookie is revoked and they’ll need to reauthenticate. The same logic applies to users who have authenticated elsewhere on our network.

For apps trying to facilitate the customer journey it all starts with identity, and continuous authentication, like its passwordless cousin, hinges on identifying genuine users—fast.
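The session-extension behaviour described in this section, sketched as an added example; it is not Deduce's code or API. The signal names, the `breach_feed` mapping, the 30-day lifetime and the cookie layout are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed demo key; a real service would load this from a secret store.
SECRET = b"demo-only-signing-key"
EXTENSION_TTL = 30 * 24 * 3600  # assumed 30-day extension lifetime

# Hypothetical breach feed: identity -> time its credentials were reported
# compromised on another site in the network.
breach_feed = {}


def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_extension(identity: str, device_id: str, signals: dict, now: int):
    """Return a session-extension cookie value, or None if trust is too low."""
    if "|" in identity or "|" in device_id:
        raise ValueError("'|' is the field separator and cannot appear in fields")
    trusted = (
        signals.get("device_seen_before")
        and signals.get("geo_matches_history")
        and not signals.get("network_flagged")
    )
    if not trusted:
        return None  # caller falls back to a normal login
    payload = f"{identity}|{device_id}|{now}"
    return f"{payload}|{_sign(payload)}"


def check_extension(cookie: str, device_id: str, now: int) -> str:
    """Return 'extend' or 'reauthenticate' for a presented cookie."""
    try:
        identity, bound_device, issued, mac = cookie.split("|")
        issued_at = int(issued)
    except ValueError:
        return "reauthenticate"  # malformed cookie
    payload = f"{identity}|{bound_device}|{issued}"
    if not hmac.compare_digest(mac.encode(), _sign(payload).encode()):
        return "reauthenticate"  # forged or tampered
    if bound_device != device_id:
        return "reauthenticate"  # cookie replayed from another device
    if now - issued_at > EXTENSION_TTL:
        return "reauthenticate"  # extension expired
    breached_at = breach_feed.get(identity)
    if breached_at is not None and breached_at >= issued_at:
        return "reauthenticate"  # credentials exposed after this cookie was issued
    return "extend"
```

Comparing the breach time with the cookie's issue time means a cookie minted after the user reauthenticates is accepted again without clearing the breach record.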

The common thread: identity intelligence

The entire turbocharged authentication machine—expedited account creation, passwordless login, continuous authentication—doesn’t work without identity intelligence. In the same way broadband internet disrupted the dial-up/page-loading conversation, real-time identity intelligence marks a true before-and-after moment in the annals of the user experience.

Joining the instantaneous authentication revolution requires real-time identity intelligence, yes, but companies also need dump trucks full of it. Garnering enough real-time identity intelligence to consistently identify a never-ending horde of fraudsters and consumers—an amount of data rivaling the likes of Google, Apple, Microsoft, etc.—seems daunting, if not blatantly unrealistic. With Deduce, however, companies can enjoy the same data-rich benefits of the tech behemoths.

Deduce’s Identity Network is the largest identity graph for fraud in the US. Companies who tap our network immediately gain all of the real-time data they need to preempt fraud, streamline account creation and login, and continuously authenticate users: 500M+ unique identity profiles, 150K+ websites and apps, and 1.4B daily interactions.

Given its positive impact on the user experience, we believe it’s high time for billboards and online ads to promote fast authentication—in the same way companies trumpeted their fast page load times all those years ago. And if their authentication isn’t fast to begin with, Deduce’s real-time identity intelligence can help with that.

Want to shift your account creation, login, and continuous authentication into hyperdrive? Contact us today.

Never a dull moment at the authentication waterhole

Just another wild day at the authentication waterhole: Deduce was busy sniffing out fraudsters masquerading as consumers.

Lucky for us, our cameras were rolling!

Want to take a bite out of identity fraud and streamline your user experience? Contact Deduce today.

A successful hype sale mustn’t harm the user experience

The aptly named “hype sale” is all the rage in today’s online landscape. The successor to the brick-and-mortar doorbuster, hype sales drive massive traffic and sell out exclusive physical and digital goods in record time.

NFTs. Concert tickets. Collectible cards. Companies can hype up practically anything. Sneakers—yes, that includes Crocs—move the needle like no other.

However, what’s moving that needle is where the problem lies. Footwear hype sales attract millions of bots, mostly scalper bots, that easily beat out the sneakerheads waiting torturously in the online queue. 

Ostensibly, e-commerce companies should be pleased. After all, isn’t the point to sell inventory? But, lost in the drummed-up excitement and revenue spike, is bots’ impact on the user experience (UX). In a bot-eat-bot world, can hype sales drive maximum profits without disappointing sneaker fans?

Bots are here to stay (and wreak havoc)

Between March 3, 2020 and January 2, 2021, scalper bots were responsible for almost 50% of shopping cart requests. The ubiquity of these bots can be tied to their accessibility: finding them is a cinch, and deployment doesn’t require black-hatter expertise.

Sneaker bots dance circles around their human counterparts.

Scalpers have a smorgasbord of bots at their disposal. Scalpers looking to flip sneakers for profit use “All In One” bots (AIO), such as Stellara or Dragon AIO. After procuring an AIO bot on either the dark web or Discord, sometimes for as much as $50K, scalpers can then buy sneakers from more than one website—faster and more intelligently than any single human could.

Scalpers covet bots, including the AIO variety, as much as the exclusive items themselves. Demand is so high, in fact, that sometimes they use a bot to buy a bot, and bots are flipped for thousands of dollars just like the products they help purchase. With the multibillion-dollar reseller market continuing to thrive—thanks in part to the pandemic’s influx of remote entrepreneurialism—the message is clear: bots are here to stay (and infuriate legitimate sneaker buyers).

Hype sale mayhem

If a glamorous new sneaker is up for grabs, bots are guaranteed to show up and wipe out the inventory. This can be brutal on an e-tailer’s server and web resources. Sophisticated bots can even grab sneakers from inventory management systems before they’re available for purchase.

It goes without saying that bot detection and mitigation is crucial. Aside from protecting the hopes and dreams of legitimate sneaker collectors, too many bots could crash a website or app altogether. But an all-out assault on bots isn’t the move: some bots are actually genuine customers trying to outmaneuver the bad bots.

Shoes like the Yeezy 750 Boosts, pictured above, sell out in minutes (if that).

Installing a bot mitigation solution, to separate the good bots from the bad, is a start. Yet, it still doesn’t do much to assuage those real customers who don’t have the luxury of a bot—those bot-less sneaker aficionados who lose out and then watch bot-assisted purchasers gloat on social media afterwards.

These customers are likely to churn, and they could drag a brand’s reputation through the dirt on their way out. If a company’s plan is to alleviate its bot problem—without damaging its brand image and UX—it might be time to focus on the humans.

Banking on trust

Maximizing hype sale profits while appeasing bot-less customers is, admittedly, a tough nut to crack. A blanket approach to neutralizing bots will also affect the good bots, and nets a less spectacular financial outcome. Meanwhile, a lax strategy that lets too many bots in might severely compromise UX and cause reputational harm.

We don’t have a silver-bullet solution to this problem (no one does), but we have an idea: focus on trust, not risk.

Assuming an e-tailer has a bot mitigation platform in place, it behooves the merchant to then verify the users in the waiting room and ensure the legitimate human customers are granted preferential treatment. This means moving them up the queue, ahead of bots, and drastically improving their chances of achieving sneakerhead nirvana.

This, of course, requires a stockpile of real-time identity intelligence that uses trust signals—geography, device ID, etc.—to seamlessly authenticate customers. Big shoes to fill. But Deduce is up for it.

Our Identity Network, the largest real-time identity graph for fraud in the US, spans more than 500 million unique user profiles and over 1.4 billion daily activities from 150,000+ websites and apps. If trust is indeed the key to balancing hype sale success with a seamless UX, there’s no better complement to a bot mitigation solution.

Want to learn more about how Deduce prioritizes trust to facilitate the user experience? Contact us today.