How Sardine boosted Purchase Conversions for Autograph
“We need a new Data-only 3D Secure protocol to boost conversions even more”
The risk of NFT Fraud creates friction for good users.
NFTs have the potential to revolutionize ownership, how brands engage with consumers, and create entirely new forms of commerce. From Nike and Starbucks to Yuga Labs and Moonbirds, the best NFTs develop unique experiences and joy for their communities.
However, NFTs are an emerging ecosystem, and like all emerging ecosystems they sometimes attract motivated fraudsters that we need to be careful about.
One of the most common fraud patterns in NFT platforms is (see picture below):
- A fraudster buys an NFT from a recent drop with stolen card credentials, or the proceeds of a crypto hack;
- The fraudster lists the NFT on a marketplace, perhaps at a loss vs. the original sales price;
- A buyer uses legitimate funds to buy the NFT that was listed by the fraudster;
- The fraudster receives those funds and can declare them as the proceeds of an NFT sale.
NFT creators, brands, and marketplaces are often left building their own tools to try and manage this type of fraud. But they’re also at the mercy of the payments system.
NFTs’ fraud problem creates friction for good users. When a customer pays with a card, the NFT merchant often turns away at least 2 out of 10 good customers, and sometimes as many as 5 in 10! Andrew Steele, one of our investors from Activant Capital, summarizes this very well in his blog:
“No one flips a coin at a retailer to see if today’s their lucky day to buy that t-shirt. But that’s exactly what happens when you are buying crypto or NFTs today!”
Fraud is the tax on payments that makes it costly to move money — because payment processors and all participants in the ecosystem have to spend valuable time, money, and resources to prevent fraud.
“All fraud problems are ultimately data problems.”
And we love solving data problems.
There are ways to solve it, as we did for Autograph
We were excited to partner with Autograph for their Tom Brady Signature experience NFT launch. Customers were able to buy a Tom Brady NFT for $750 directly with their credit/debit card with a few clicks by using Sardine.
You can see the entire flow here and still be a part of Tom Brady’s Signature Experience: https://www.autograph.io/tom-brady.
The most interesting stat for us was the conversion rate:
Where initially the payment systems looked like they would deliver an 85% conversion rate, by working closely with partners Sardine was able to deliver:
- 98% of users were identified as not fraudulent by Sardine
- A 94% conversion rate for consumers completing their purchases
This is unheard of in the crypto/NFT space as conversion rates for card-based crypto or NFT purchases are abysmally low at <50%. Hence purchase abandonment becomes a major issue, and reducing friction here is critical.
How did we get to this high conversion rate?
Sardine’s thesis is that payment and fraud prevention are really two sides of the same coin.
If you go deep on how the fraud works, you can make the payment just work.
Direct Card to NFT
The key reason for this high conversion rate was that we planned with Autograph that our joint customers should buy NFTs directly via fiat; at other NFT marketplaces, you typically see the buy flow as: Card → USDC/ETH → NFT. In these alternative flows, overall conversion rate suffers due to the <50% conversion rate from the Card → USDC/ETH leg.
Fraud Pen Testing
The other key reason we achieved such high conversion rates was that we prepared heavily for the launch to reduce fraud. This ensured that only good transactions were sent to processors for approval.
1. We did various pen tests against our own system to see how fraudsters could exploit us.
2. We created 100s of velocity rules and tuned our machine learning models to catch fraud rings, looking for:
- Reuse of a device
- Reuse of a browser/device fingerprint
- Reuse of an audio fingerprint
- Use of similar IP addresses, or reuse of an email or phone number
- Velocity counts of cards sharing the same first-6 and last-4 of the card number (since fraudsters often purchase stolen cards belonging to the same card issuer in bulk)
A velocity rule is essentially looking for how many times the same device or IP address or data point has tried to make a purchase.
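As an added illustration of the velocity rules described above (this is example code written for this page, not Sardine's rule engine), the block below replays a constructed set of checkout attempts through a sliding window and flags any attempt where one device, one IP address, or one issuer BIN + last-4 pair exceeds an illustrative per-hour limit; the thresholds and sample events are assumptions, not real traffic or real Sardine settings.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed checkout attempts (sample data, not real traffic). Each record is
# one card purchase attempt with the identifiers the rules key on.
EVENTS = [
    {"id": "e1", "ts": "2022-09-01T10:00:00", "device": "dev-A", "ip": "203.0.113.5", "card": "4111111111111111"},
    {"id": "e2", "ts": "2022-09-01T10:05:00", "device": "dev-B", "ip": "198.51.100.7", "card": "5555555555554444"},
    {"id": "e3", "ts": "2022-09-01T10:10:00", "device": "dev-A", "ip": "203.0.113.5", "card": "4111111111112222"},
    {"id": "e4", "ts": "2022-09-01T10:20:00", "device": "dev-A", "ip": "203.0.113.6", "card": "4111111111113333"},
    {"id": "e5", "ts": "2022-09-01T10:30:00", "device": "dev-A", "ip": "203.0.113.5", "card": "4111111133331111"},
    {"id": "e6", "ts": "2022-09-01T10:40:00", "device": "dev-C", "ip": "203.0.113.5", "card": "4111111122221111"},
    {"id": "e7", "ts": "2022-09-01T12:00:00", "device": "dev-A", "ip": "203.0.113.9", "card": "4000000000000002"},
]

# Per-dimension limit: more than this many attempts on one key inside the
# window trips the rule. Illustrative values, not Sardine's thresholds.
DEFAULT_LIMITS = {"device": 3, "ip": 3, "bin_last4": 2}


def card_key(pan: str) -> str:
    """Velocity key for a card: issuer BIN (first six) plus last four digits.
    Distinct stolen cards bought in bulk from one issuer often share this pair."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return f"{digits[:6]}-{digits[-4:]}"


def run_velocity_rules(events, window=timedelta(hours=1), limits=DEFAULT_LIMITS):
    """Replay events in time order and return {event_id: {dimension: count}}
    for every attempt that exceeded a limit within the sliding window."""
    seen = {dim: defaultdict(deque) for dim in limits}  # timestamps per (dimension, key)
    flagged = {}
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts = datetime.fromisoformat(ev["ts"])
        keys = {"device": ev["device"], "ip": ev["ip"], "bin_last4": card_key(ev["card"])}
        hits = {}
        for dim, limit in limits.items():
            q = seen[dim][keys[dim]]
            while q and ts - q[0] > window:  # evict attempts older than the window
                q.popleft()
            q.append(ts)
            if len(q) > limit:
                hits[dim] = len(q)
        if hits:
            flagged[ev["id"]] = hits
    return flagged


if __name__ == "__main__":
    for event_id, hits in run_velocity_rules(EVENTS).items():
        print(event_id, hits)
```

Note that attempt e7 reuses device dev-A but falls outside the one-hour window, so only e5 (device reuse) and e6 (IP reuse plus a second card with the same BIN and last four) are flagged.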
Fraud prevention and collaboration
The best way to improve conversion rates is industry collaboration.
That is because as a user uses their card to purchase anything over the internet, that card goes through at least 4 (if not more) fraud checks.
- Merchant (Sardine powering Autograph)
- Merchant processor
- Network (eg Visa or Mastercard)
- Card issuer (eg Chase, WellsFargo, etc)
At the pre-launch, we were hovering around ~85% conversion rates.
We started taking a look at the users being declined and realized that around ~9% were being approved by Sardine but declined by our merchant processor.
Our fraud ops team immediately took a look at those 9% of users and determined that they were good users, and hence false declines. Consequently, we worked with our merchant processor to turn off their fraud checks, since many of them duplicated the checks we were already doing at Sardine.
Lessons learnt: If you are doing a major NFT launch, always do a pre-launch several hours ahead of the main launch, so you can find process improvements ahead of time.
Fraud prevention and incentives
Conversion rates for card purchases of crypto are abysmally low at <50%, and one of the primary reasons for that is that the card networks treat crypto as a “high risk” merchant category (MCC).
If you want to learn more about these decline rates, check out Adi’s blog here.
The fraud algorithms at the card networks aren’t able to differentiate between the different card buyers of crypto and give all of them similarly high risk scores. Visa has scores in the range of 0–99 and Mastercard has its own risk score in the range of 0–999.
The issuing banks then feed the network risk scores into their own fraud algorithms and are likely to decline the transaction.
It doesn’t matter how good or bad that buyer has behaved in the past, they get the same risk score.
It was a revelation how we were able to increase conversion rates by coordinating with our merchant processor; the meta point here was that our merchant processor trusted us because of our experience in fraud prevention and hence was ok with loosening their fraud controls which were duplicative.
What if we could do the same thing with the card networks (Visa/MC) and with the 100s of Issuing banks i.e. what if our trust could be transitive?
Turns out that there is such a protocol already that could be used to transfer trust from merchants to card issuers — 3D Secure. But why hasn’t it been adopted more widely?
3DSecure — A brief history in US
3D Secure (3DS) helps reduce fraud and increase approval rates by adding an additional step at checkout. Buyers are presented with a window that asks them to authenticate with their bank. (If you haven’t used it, it’s quite similar to authenticating via open banking.) Research has shown that this step can prevent up to 85% of fraud loss.
So most users never even get the 3DS message from their bank, leading to huge friction and purchase abandonment. 74% of users have abandoned a payment due to fraud concerns, and because data isn’t shared between merchant and issuer, good users are often declined.
The other issue with 3DS has been that of incentives. When a merchant uses 3DS to pass the fraud liability over to the card issuer, naturally the card issuers’ fraud algorithms become much stricter and begin declining more. It’s natural, as they don’t want to bear more fraud liability than they have to, because the buck literally stops with them. Many large merchants also tend to send only their bad traffic through 3DS, and hence the issuers’ ML algorithms learn to associate the 3DS flow with risk.
But collaboration can make this situation better.
3DSecure — A brief history in UK/EU
The UK and EU have adopted 3D Secure more widely; however, it turns out that the incentives there penalize the issuing banks much more. During a demo call with a major EU bank the other day, we overheard that their fraud models and losses are being crushed by neobanks like Revolut, Monzo, Starling, etc. Fraudsters are loading money from High Street (brick & mortar) bank cards onto the neobanks. Neobanks by default trigger 3DS and pass the liability over to the High Street banks, who then have to work harder for that dollar to determine whether it is fraud or not. Tie that to the lower interchange rates in the UK/EU and this problem gets even more exacerbated!
Time for a Data-only 3DSecure protocol
The funny thing about incentives is that no matter which way you define it, humans always figure out a way to game the system. We argue that 3DS suffers from that same issue.
And so the time is ripe for a Data-only 3DS protocol.
This is how we think it should work:
1. Sardine gathers rich data at the time of card funding or purchase, e.g.:
- whether the card details were copy/pasted (more likely to be fraudulent) or autofilled (likely good),
- whether the customer used a proxy (more likely to be fraudulent),
- absence of any mouse movement or gyroscope/accelerometer data (indicating use of a script or virtual machine).
2. These signals, along with the Sardine fraud score, can then be passed over to the card network, which can use our score to further inform its own Visa or Mastercard score.
3. Even better, Visa/MC can then pass this enriched data to the issuing banks, who can then make a better decision than the random coin toss they currently use to decide on crypto purchases.
Overall, we think a data-only 3DS rail would actually much better align all participants in the ecosystem than passing the incentive back and forth.
However, this would mean we still need someone to bear the fraud responsibility. And that is part of our long term vision — to not just score but take on that fraud responsibility, and thereby bring down the cost of money movement for all participants in the ecosystem!
All fraud is a data visibility problem. We can shine a light and catch more fraud through collaboration. And if we collaborate, then we can make payments instant, and risk-free.
This isn’t just about Sardine.
This is about the whole ecosystem.
Reducing fraud by the attackers, makes experiences better for everyone else.