Fighting Online Financial Fraud in India

How Kite brought fraud down through machine learning

Vivek Shrivastava
Kite Spotlight
Jan 9, 2018


India lies at the cusp of a digital banking revolution, with the emergence of digitization-oriented government policies and of several mobile wallets by telecommunication giants like Airtel and Reliance Jio. Even traditional banks are shedding their “no-pain and no-risk” mentality and adopting mainstream technological advances in banking and finance by embracing the mobile revolution across the globe. Major banks like SBI, HDFC and ICICI have joined the fray with their own smartphone-based apps. Never before have we seen such a tremendous push towards making things faster and safer while transacting online. At the same time, there is an unprecedented demand for interoperability among different players within the financial ecosystem to deliver a seamless user experience. The United Payments Interface (UPI) and Aadhaar Know Your Customer (KYC) systems are undoubtedly two of the biggest rollouts in the Indian banking industry. They form the backbone of how we think efficient financial services can be brought to a nation of more than a billion people.

As the sector moves to greater interoperability, problems like online fraud and credit card arbitrage are on the rise too, though it is hard to say whether incidents are actually increasing or we are just getting better at detecting them. Probably both. But one thing is for certain — it is more difficult than ever to safely identify whether a transaction is genuine or fraudulent. More people now use online financial technology, and a significant percentage fall prey to fraudulent activities. Many are victims of fraud because of a lack of knowledge of common fraudulent practices, and some then become ardent critics of the shift to digital economies. According to Electronic Payment System data by the Reserve Bank of India (RBI), the volume of electronic transactions reached 967.3 million in October 2017, compared to 671.5 million in November 2016, a 44% increase in just one year. The same data shows a jump of approximately 22% in the total value of the transactions. According to an Inc42 article, the Payments Council of India has predicted that digital payments in the country could increase by 30%-40% in the coming five years. With such rapid growth, transaction security is one of the main priorities for banking institutions in India and beyond. According to The Hindu, there were 25,800 reported cases of banking fraud (Internet banking, credit card and debit card) amounting to a total worth of Rs. 1.79 billion (or $28.2 million) in 2017 alone. This is probably just the tip of the iceberg, given how many cases go unreported or undetected. Globally, card fraud losses reached $22.80 billion in 2016 as per the 2017 Nilson Report.

Kite launched its first digital banking solution in February 2017 with the objective of bringing financial services to everyone with access to a smartphone and an internet connection. At Kite, we understand that cash is an indispensable part of the Indian economy — instead of shunning it altogether, we made it more accessible through our network of Kite Agents. Kite offers virtual cards that expire after one-time usage, thereby ensuring that no user has to expose their card information online. Kite Cash became an enhanced form of cash, maintaining its accessibility but gaining digital-payment-like flexibility.

One of the major aims at Kite was to deliver an experience which is as safe as it is beautiful. We combed through financial data for insights on how to build and improve our product. To curb fraud at Kite, we created a 3-pronged system to identify the different stakeholders involved in a transaction. As a result, the transaction amount reported as fraud is as small as 1.03% of the total transaction worth on the platform.

Identifying the destination

The general modus operandi of a fraudster is as enumerated below:

  1. The fraudster calls the victim, pretending to be a representative of an institution like the bank or a government institution.
  2. The fraudster asks for the victim’s account information under the pretense of associating their Aadhaar card with their bank account or simply validating the account.
  3. The fraudster sometimes threatens the victim with discontinuation of the bank account if the requested information is not provided.
  4. The victim divulges their one-time password (OTP) to the fraudster.
  5. The fraudster transfers money from the victim’s bank account into their own digital wallet account.
  6. The fraudster moves the money to a bank account of their choice (owned by an individual fraudster or collectively used by the group).

First, we tracked the money flowing through the reported account. We then analyzed the bank accounts and Indian Financial System Code (IFSC)/bank branches which were the most popular destinations. We found that bank accounts across India serve as a destination for aggregating money laundered through fraudulent means, either individually or by groups. Generally, banks with nationwide networks are popular for these purposes. These accounts are present in both metropolitan cities as well as remote locations that have access to decent banking, telecommunication services and internet connectivity.

We created a machine learning algorithm to block bank accounts reported in fraud transactions and used as a destination for laundered money. Once a bank account is recognized, whether it is being used by an individual or a pool of fraudsters, it can’t be used again, as shown in Figure 1. Getting a new bank account every time increases the “cost of fraud”, which is one of the most effective methods to dissuade fraudsters from repeating this method.

Figure 1: preventing bank account reuse for fraud

Identifying the players

There are many reasons a fraudster can avoid identification. The primary reason is that victims don’t report the fraud to the police Cyber Crime Investigation Cell in their area. A secondary reason is that the fraudster isn’t directly involved in the fraud. For example, one fraudster completes a malicious ‘cash-in’ and forwards the funds to other people. Then, like a chain, the money flows out of the reported fraudster’s account and finally aggregates into a separate account that never interacts with the bank, but uses peer-to-peer (P2P) capabilities and/or Kite’s virtual card feature. Fraud-detection systems that look only at the reported activity then fail to identify that account. At Kite, these ‘passive links’ within the fraudulent networks get scrutinized along with other players (refer to Figure 2 below).

Figure 2: identifying ‘passive’ fraudsters in a network
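The ‘passive link’ search described above can be sketched as a walk over the P2P transfer graph, starting from a reported wallet. This is an added illustration, not Kite's system or code: the ledger format, wallet names, hop limit and sender threshold are all assumptions, and the tainted inflow is a simple upper bound rather than a proportional trace.

```python
from collections import defaultdict, deque

# Constructed sample ledger: (sender, receiver, amount_inr, channel)
TRANSFERS = [
    ("bank:victim", "w_A", 20000, "cash_in"),   # reported fraudulent cash-in
    ("w_A", "w_B", 12000, "p2p"),
    ("w_A", "w_C", 8000, "p2p"),
    ("w_B", "w_D", 11500, "p2p"),
    ("w_C", "w_D", 7800, "p2p"),
    ("bank:salary", "w_E", 30000, "cash_in"),   # unrelated, legitimate
    ("w_E", "w_F", 500, "p2p"),
]

def trace_downstream(transfers, reported, max_hops=4):
    """Walk P2P transfers outward from reported wallets.

    Returns {wallet: {"hops", "inflow", "senders"}} for every wallet reached.
    "inflow" is an upper bound: all money sent by a tainted wallet counts.
    """
    out_edges = defaultdict(list)
    for src, dst, amount, channel in transfers:
        if channel == "p2p":
            out_edges[src].append((dst, amount))
    hops = {w: 0 for w in reported}
    reached = {}
    queue = deque(reported)
    while queue:
        node = queue.popleft()
        if hops[node] >= max_hops:
            continue
        for dst, amount in out_edges[node]:
            if dst in reported:
                continue
            info = reached.setdefault(dst, {"hops": hops[node] + 1, "inflow": 0, "senders": set()})
            info["inflow"] += amount
            info["senders"].add(node)
            if dst not in hops:
                hops[dst] = hops[node] + 1
                queue.append(dst)
    return reached

def passive_aggregators(transfers, reported, min_senders=2):
    """Reached wallets that never cashed in from a bank and pool several tainted senders."""
    cashed_in = {dst for _, dst, _, ch in transfers if ch == "cash_in"}
    reached = trace_downstream(transfers, reported)
    return sorted(w for w, info in reached.items()
                  if w not in cashed_in and len(info["senders"]) >= min_senders)
```

In the sample ledger only `w_A` is reported, yet `w_D` surfaces as the aggregation point two hops away, while the unrelated `w_E` and `w_F` are never touched.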

Identifying the unreported

The worst kind of threats to any system are the ones that are never flagged. The system doesn’t know that anything suspicious exists, so there is no effort to mitigate the risk. An article on YourStory shows that cyber attacks are on the rise, and the lack of information security awareness is one of the major reasons for it. According to The Times of India, a survey has revealed that nearly 48% of the respondents have fallen victim to a fraud at some point. Even worse, many victims aren’t aware of the proper steps to take once they have been duped. Most cases remain unreported as a result.

We therefore implemented a system to detect potentially unreported fraud cases. For example, fraudsters often exploit a single compromised card, and set up multiple digital wallet accounts through one e-mail ID. Whenever such an e-mail ID or credit card number is reported through any means (by the police, payment gateway or bank), all players who use the same e-mail ID or credit card come under scrutiny. In essence, all account holders using the same common information (Figure 3) get analyzed when one of their common identifiers is flagged.

Figure 3: clustering fraudsters based on common assets and usage patterns
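One way to implement the shared-identifier clustering described above is a union-find over wallets and their identifiers. This is an added example, not Kite's code: the account records, field names and card tokens are constructed, and it goes one step beyond the text by following links transitively (a wallet sharing an e-mail ID with a second wallet that shares a card with a third puts all three in one cluster).

```python
# Constructed sample: wallet -> identifiers (card values are stand-in tokens, not card numbers)
ACCOUNTS = {
    "w1": {"email": "a@example.com", "card": "tok_111"},
    "w2": {"email": "A@example.com", "card": "tok_222"},
    "w3": {"email": "b@example.com", "card": "tok_222"},
    "w4": {"email": "c@example.com", "card": "tok_333"},
    "w5": {"email": "d@example.com", "card": "tok_333"},
}

class UnionFind:
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)

def build_clusters(accounts):
    """Join every wallet to each identifier it uses; shared identifiers merge wallets."""
    uf = UnionFind()
    for wallet, ids in accounts.items():
        for kind, value in ids.items():
            uf.union(("wallet", wallet), (kind, value.lower()))
    return uf

def under_scrutiny(accounts, flagged_kind, flagged_value):
    """Return all wallets in the same cluster as a flagged e-mail ID or card."""
    uf = build_clusters(accounts)
    key = (flagged_kind, flagged_value.lower())
    if key not in uf.parent:          # identifier never seen on the platform
        return []
    root = uf.find(key)
    return sorted(w for w in accounts if uf.find(("wallet", w)) == root)
```

Flagging the card `tok_111` pulls in `w1`, then `w2` through the shared e-mail ID, then `w3` through the card `w2` shares with it.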

Correlating all the data helped us identify fraudulent accounts that were not flagged, helping Kite crack down upon large groups of malicious players operating within the system. This brought down the reported fraud rate on Kite by more than 90 percent between April 2017 and August 2017. The fraud rate has now stabilized around the August 2017 rate.

Going forward

Technology at Kite is constantly evolving. Apart from the above-mentioned measures, we are looking at advanced machine learning solutions to identify fraudsters before they commit a fraudulent transaction. Security researchers are developing and using psychological or activity profiles of fraudsters based on known behavior on the platform. Others detect ‘expert behavior’ from a first-time user. We shall discuss these developments in a separate post.

Even as you read this, financial institutions the world over are implementing technologies like biometric authentication, dynamic knowledge-based authentication (KBA) and part-passwords/OTP on email and phone numbers. We will discuss the efficiency of these technologies and their pros and cons in a separate post.

If you have any feedback or suggestions, and/or want to collaborate towards solving one of the most pressing fraud problems of new-age digital transactions, feel free to drop me an e-mail (people@kitecash.in).
