How to Pinpoint a Data Breach More Efficiently

By Tina Orem

Fraud costs banks $1.9 billion a year, but a three-year-old Chicago-based company named Rippleshot—recently endorsed by ABA for card breach detection—is helping banks take a major bite out of that by using big data, machine learning and predictive analytics to detect card fraud weeks or even months before traditional methods sound the alarm.

Using an algorithm that compares and combines merchant and card issuer data on hundreds of millions of card transactions and fraudulent activity reports, Rippleshot’s Sonar product finds common points of compromise—the places cardholders shopped at before their cards were suddenly used fraudulently somewhere else. This reveals which stores—even which point-of-sale terminals—might be compromised, as well as which cards were used there during the suspected breach and which cards are most likely to report fraudulent use soon.

The approach is dramatically different from how many banks currently get a heads up about a breach, Rippleshot CEO Canh Tran said.

Today, “it’s pretty much sort of like a little telephone chain,” he explained. “Word gets passed around. People make calls to colleagues at other banks and pretty soon somebody sends an anonymous post to [cybersecurity reporter Brian]Krebs and he hits publish. Then they’re calling the processors and saying ‘Hey, are you seeing anything here? We’re seeing a lot of customers having debit or credit card fraud. We can’t pinpoint it.’ The processor will say something like ‘I’m working on that. We’ll get back to you.’ It’s a very manual, reactive type of process.”

However, Tran says Rippleshot can warn clients of a suspected breach an average of 46 days before a Compromised Account Management System alert goes out, thus helping banks avoid unwarranted mass reissues, thereby reducing fraud costs by 20-30 percent and shrinking card reissuance costs by as much as half. “Sonar provides insights into cards less likely to be breached and therefore enables the bank to make more informed decisions re-issuing cards,” says Bryan Luke, president and COO at Hawaii National Bank in Honolulu. “This alone has the potential to save the bank significant costs in unnecessary reissuance.”

Tran also noted that CAMS alerts tend to focus on large breaches; far fewer go out for smaller local breaches associated with ATM skimmers, local independent restaurants or even e-commerce sites.

“Thirty percent of all data breaches are from smaller retailers, and 87 percent of those are from merchants who have five stores or less,” he explains. Plus, the average compromised card passes through not one but three compromised merchants.

Now more banks have access to technology that gives them more flexibility in the face of fraud and allows them to make more intelligent decisions around whether a card needs to be reissued, according to ABA SVP Lisa Gold Schier. “Our bankers have been continually talking about the issues that are involved with card fraud, and how difficult it is for them if there is card fraud. That’s why we made this endorsement.”

Tina Orem is a frequent ABA Banking Journal contributor.