Adapting to Cyber-crime Attacks with Targeted Friction

How Tokopedia mitigate and prevent fraudulent users from unsecured lending perspective

Vincentia Maudy Halim
Tokopedia Product
6 min read · Dec 6, 2019


Fraud is a constant cat-and-mouse game between established institutions and criminals. As soon as a financial institution upgrades its fraud prevention measures, fraudsters are already looking for ways to outsmart the system. From global banks to emerging financial technology companies, all have suffered from fraudulent activity. The average loss incurred can reach up to $5000 per scam (KPMG Global Banking Fraud Survey, 2019).

What we’re fighting: social engineering

Ever heard of the “Nigerian Prince Scheme”? This is social engineering/phishing: an act of cybercrime in which victims are contacted by someone posing as a legitimate institution in order to lure them into providing sensitive data such as personally identifiable information (PII — e.g. mother’s maiden name, ID card number, birth date), banking and credit card details, and passwords. At Tokopedia we highly value users’ private information, such that a One-Time Password (OTP) is worded as follows:

As straightforward as it is, many users still get tricked by criminals who usually pretend to be a Tokopedia representative (we also had a case where a scammer identified himself as a “Toko Sebelah” representative, following which the user willingly gave the OTP to them!).

The story of why fintech products are the target of malicious users

Let’s cut to the chase. What actually happens at Tokopedia? I am pleased to introduce a pioneer in merchant credit line services on an e-commerce platform, Modal Toko. Modal Toko provides merchants with a seamless lending facility by assessing merchant activity, sales, reputation, fraud history, and merchant credit risk. Merchants only have to upload their Know Your Customer (KYC) details and some personal information. The service level agreement for the whole process is at most 2 working days.

As previously explained, these lending products are much more convenient than traditional loan products. However, convenience and security pull in opposite directions: when you give customers more convenience, the measures put in place become less secure. Hence, finding the balance is the main challenge.

Modal Toko Active Dashboard

Fraudsters therefore often target mature merchants with a good reputation, as the probability of such merchants being offered Modal Toko is much higher. These merchants usually provide detailed information on their Product Details Page (PDP) or shop, or even publish their personal phone number, which is also registered as their login identifier. A fraudster can then attempt to log in using only the phone number, trigger the OTP, and take over the account. In most of our cases, users reluctantly give the fraudster their OTP despite all the warning signs.

Once an account takeover happens, fraudsters can easily apply for the feature because the merchant’s KYC has already been uploaded (or by uploading a stolen identity). Since the approval process usually takes less than 1 hour (which we initially considered a cutting-edge improvement), fraudsters generally manage to finish their takeover before the authentic user realises what is happening. Meanwhile, active Modal Toko users are exposed from the moment the feature is activated: fraudsters can easily withdraw loans and disburse the funds. The losses that a genuine user, Tokopedia, and our partner must bear range from Rp 2 million to as much as Rp 100 million per account.

Getting to the root of the cause: creating targeted friction

We identified that almost 90% of recent fraud cases have one root cause — Sensitive Data Changes (SDC). Action was needed, but without sacrificing the user experience. Hence, we created an API that returns a user’s most recent sensitive data change, so that we know about the user’s data-changing activities. We then consume that data and perform a validation against the API at two points:

  1. User when entering the application form
  2. User when initiating loan disbursements

In some situations we block actions outright. Here, however, we give users the opportunity to satisfy an additional verification step, which we call a friction. Using the validation described above, we created a friction targeted at users who changed their phone number or e-mail address within our time range criteria. Whenever such a user, genuine or fraudulent, clicks the Apply/Disburse button, we immediately block their next activity.

To inform the genuine user, who may be the victim of such an activity, we send a notification to both their old and new phone numbers stating that there has been an attempt to access the account’s Modal Toko feature, and urging them to report it to us if they did not initiate that action. The account is only unblocked after the user verifies their authentic identity to Tokopedia through the Fraud Operations team.
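The friction logic described above, as an added illustration that is not Tokopedia’s own code: a policy check that consumes a user’s recent sensitive data changes at the Apply/Disburse points, blocks the action when a phone number or e-mail was changed recently, and lists both the old and new contacts to notify. The 7-day window is an assumed placeholder; the article only says “within our time range criteria”.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Assumed policy values (the article does not state the window length).
SDC_WINDOW = timedelta(days=7)
SENSITIVE_FIELDS = {"phone_number", "email"}
FRICTION_POINTS = {"apply", "disburse"}   # where the validation is consumed


@dataclass
class SensitiveDataChange:
    """One record as the (assumed) last-data-change API would return it."""
    field_name: str
    old_value: str
    new_value: str
    changed_at: datetime


@dataclass
class FrictionDecision:
    blocked: bool
    reason: Optional[str] = None
    notify: List[str] = field(default_factory=list)  # old and new contacts to warn


def evaluate_friction(action: str, changes: List[SensitiveDataChange],
                      now: datetime) -> FrictionDecision:
    """Block Apply/Disburse when a sensitive field changed inside SDC_WINDOW."""
    if action not in FRICTION_POINTS:
        return FrictionDecision(blocked=False)
    recent = [c for c in changes
              if c.field_name in SENSITIVE_FIELDS
              and timedelta(0) <= now - c.changed_at <= SDC_WINDOW]
    if not recent:
        return FrictionDecision(blocked=False)
    latest = max(recent, key=lambda c: c.changed_at)
    # Warn every previous and current contact so the genuine owner hears about it.
    contacts: List[str] = []
    for c in recent:
        for v in (c.old_value, c.new_value):
            if v not in contacts:
                contacts.append(v)
    return FrictionDecision(
        blocked=True,
        reason=f"{latest.field_name} changed within {SDC_WINDOW.days} days",
        notify=contacts)


def can_unblock(decision: FrictionDecision, verified_by_fraud_ops: bool) -> bool:
    """A blocked account is released only after Fraud Operations verifies identity."""
    return (not decision.blocked) or verified_by_fraud_ops
```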

Our Credit Risk team also produces a daily report of all Modal Toko applicants of the day who made an SDC within the last couple of days, for partner assessment of the loan applications. Moreover, the Modal Toko team assumes that these cases come from syndicates, as the fraud mechanisms are very similar to one another. We are therefore working closely with the Tokopedia Fraud team to handle cases as they occur.

Our achievements and the preventive measurements taken

Since kicking off this activity in September, the number of tickets from social engineering cases has declined by nearly 90%. We managed to prevent losses of more than Rp 500 million across 15 different accounts. We also found several good leads for identifying the criminals, as numerous activities point to the same devices, bank account name, or bank account number.

Well after the SDC cases had been (somewhat) resolved, we still identified another pattern of fraud, which shows us that, given the unsecured lending environment, the challenge does not end here. Some improvements have been made since launch to minimise the number of false positives, such as lengthening the tenor of the blocker, giving the Credit Analyst team access to users’ extensive account history, and shortening the approval process. Nevertheless, our current fraud prevention and risk management measures are still far from ideal, and many more steps must be taken. Experimentation and analytics orchestrated with more variables could be used to build machine learning models that target more identifiable patterns of fraudulent activity inside e-commerce.

Our final thoughts

It’s true that what we are doing will never be enough, as fraudsters will always find a way. It is also highly probable that they are currently reading this Medium article and thinking about their next move! So, among the major key takeaways, it is crucial that we act faster than those looking to take advantage of the Tokopedia community. Tokopedia is really about user trust and everyone should act based on this belief. Then, it is the Product Manager’s job to think faster, act faster, and not lose sight of the long-term possibility when carrying out a product roadmap while not sacrificing the user experience.

— — — — — — -

Special thanks to my mentor Tyonardo, Merchant Lending team, Profiles team, Fraud team, and Operations team for the solid collaboration in tackling the issue.

Do you have something in mind that you think can be improved from what I have elaborated? Let’s discuss and hit me up at vincentia.maudy@tokopedia.com!

