Rippleshot Follows the Money to Pinpoint Fraud
By Joe Bush
Noticing through analysis that credit-card data stolen in breaches is often used over a long period of time, the founders of a Chicago-based antifraud startup decided to attack fraud by studying merchant data to find the original data breach source of fraudulent cards.
Rippleshot was founded in 2012 by Randal Cox, Lucas Ward, Cahn Tran and Yueyu Fu, each with more than 15 years in payments or big-data analytics. They think their approach will enable merchants and financial institutions to spot breaches earlier and reduce fraud at its source.
“When I talked to fraud departments in issuers and processors they said the same thing; these breaches can go on a really long time,” says Ward, the company’s COO. “Figuring out how long is a really difficult problem. Two or three years ago we were seeing these kind of breaches where people were stealing a bunch of cards on an ongoing basis and then laundering them in small lots for quite some time.
“It’s obviously accelerating now where they’re stealing larger and larger amounts of cards, and we’re seeing with our data 50 percent of the breaches are from Tier 3 and Tier 4 merchants, smaller, and they’re never getting caught.”
Rippleshot does not monitor network traffic, and it does not manage fraud, says Ward.
“We’re profiling the merchant’s network,” he says. “That’s what allows us to focus in on whether or not the fraud we’re seeing is related to an actual merchant. We can go down to the individual (POS) terminal level, which matters more for the brick and mortar. The locus of what we’re looking at is all about the terminal and not about the customer.”
Ward, formerly the CTO of Fundspire, says Rippleshot does business primarily with card issuers and payment processors, working backwards from the laundering of the stolen information. Ward likens Rippleshot’s tactics to that of the Feds during Prohibition; they brought down the bad guys when they tried to spend or hide their ill-gotten gains.
“We’re the modern day version of that,” he says. “You try to get money from this card information and that’s what we’re picking up on. If you steal card information you’re going to have to turn it into cash and that’s how we catch it. At some point you have to put it somewhere.”
Once Rippleshot has access to transaction streams and fraud information, it traces past transactions and crunches millions of them looking for patterns. The difference Rippleshot’s tech-savvy founders provide is in the volume and speed of the tracking, says Ward.
Fu has worked with machine learning, big data, and cloud computing; Cox is an informatics scientist with a decade of modeling credit card and ATM fraud; and Tran has focused on big data and predictive analytics for a quarter century.
“The same approach has been used and it’s still being used as a manual process,” says Ward. “You can imagine a fraud analyst culling data from some type of DI (data integration) tool, trying to find a pattern; we’re just taking it and building a big-data machine learning algorithm that we’re running in the cloud, and we can crunch millions of records at once and spin out this massive 16-machine cluster to deal with it and get a response quickly.
“The nice thing about it is it doesn’t matter how the information was stolen. What we’re doing is we’re picking up on people laundering the cards, we’re finding where they’re laundering and try to shut it down. We see it at brick and mortar, and online, somebody’s hacking a server’s credit-card information that way. It doesn’t matter whether the laundering was card-present or not-present because we’re going to see it both ways. Even in terms of finding an ATM, the same approach works across every vertical.”
Ward says Rippleshot is selling its ability to find breaches quickly, then help issuers better handle re-issues and merchants protect their brand equity by correcting without public announcement. Issuers can better target affected cards to avoid not only the expense of mass re-issues, but also the problem of cardholders using a competitor’s card while waiting for a new card.
“We want to let issuers change fraud rules only for the cards affected,” says Ward. “We can make much more target-specific rules that are less of a hassle for customers but that’s only by being able to tightly look at the breaches these cards are involved in and how that spend is happening over time.”
Ward says the future will be more about online merchants and mobile payments. Upsurges in transactions for both mean upsurges in fraud activities for both. He predicts more CNP fraud, more ATM fraud once EMV migrates to the U.S., and a Target-sized data breach through an online merchant. Unless the merchant sells something specialized, it’s very easy for consumers to simply choose another Website.
“It’s a pretty juicy target,” says Ward. “Once you get in you can get a lot of information quickly. For brick and mortar, where they don’t store card information, they have to stay illicitly in your network longer, skimming. If you’re a big Website that’s storing credit card information, they pull down one big file, they’re out.”