Fraud prevention, as management of all other types of risk, is an endless process of improvement and technological development. This allows financial institutions to invent additional tools for decision-making system efficiency improvement. Such tools help to manage new types of risks and define better ways to cut already known risks. The endless variety of the online world, on the one hand, makes it possible to create a convenient environment for receiving financial products and services, and on the other hand, it brings risks and leads to difficulties, for both financial institutions and their clients.
Everyone loves beautiful and functional web resources with various graphic solutions, fonts and other design and visual elements. Many of these elements are implemented by loading various components from external resources (domains). A significant number of such domains are reliable and relate to trustworthy organizations; various elements downloaded from such domains are used by many financial institutions, retailers and other service providers operating online.
However, among all this diversity, there is a proportion of cases (according to our estimates, from 0.5% to 5%) when the downloaded data and components do not benefit the financial institution, but are malicious and can be used for dangerous purposes. Often we are talking about various web portals that are not directly related to the bank or microlender, since the market leaders usually closely monitor what is posted on their sites. We are talking about those portals where f the user, or example, can fulfil an application for a loan or insurance product without direct reference to a specific financial institution.
Where do dangerous domains come from?
There are two principles which may be distinguished in terms of how such resources operate:
- deliberate actions of the virtual user, the owner of the device used for application fulfilment and sending; in this case, the application inherits links to all domains which will be automatically attached to the application for a financial product, including those domains which may bring a threat to both the applicant and the financial institution;
- actions of third parties who secretly or explicitly install scripts without the applicant’s or Internet resource owner’s consent.
What is the danger of such domains?
In some cases, there can be manipulations with browser settings, Internet connection settings, various scripts for automated or automatic loan application fulfilment. Even the presence of such markers during an application fulfilment process brings an additional risk for a financial institution. In the most difficult cases, fraudsters have the opportunity to gain remote access to the applicant's device, steal logins, passwords and other personal and sensitive information of the user through such dangerous domains. All this leads to risk both for the user, whose data has been compromised, and for the financial institution receiving a financial product application with sometimes knowingly false data.
How do we identify such cases?
We have developed a methodology to proactively identify such kinds of domains. This means that there is no need to wait for the application to mature and to confirm the applicant's bad faith.
Dangerous domains are defined based on the following algorithm:
- Determining the level of danger of a domain - the analysis is based on a number of metrics and parameters, such as, for example, the use of JuicyScore values to identify the concentration of risk for such domains, statistics on the claims occurrence frequency with such domains, cross-validation with other attributes processed by the JuicyScore, domain registration and owner information, behaviour patterns, domain characteristics and functionality verification, and much more;
- Identification of domains which scripts were uploaded to a financial institution web resource and which were additionally revealed during application fulfilment - the most interesting cases are related to those domains that appeared in loan applications for the first time;
- Identification of patterns associated with frequent changes of low-level domains (for example, n01.vwxyz.com, n02.vwxyz.com), when the same script is downloaded from different domains associated with the same group.
In addition to that the cases related to the absence of any single domain associated with the application fulfilment and typical for a given segment of applications are also suspicious and may be treated as a negative anomaly.
Such domains analysis results should be used to identify groups of related applications with a high level of fraud risk, therefore, this functionality is already available within the most recent version of JuicyScore API v12, and the fact of such dangerous domains presence in a loan or insurance application is returned within the response. This information will allow to identify the most dangerous cases and will enable our partners to respond promptly to them before the actual risk matures and mass loan disbursement occurs for such applications.
Over the past 4-5 years, we have been developing a number of ideas, such as, for example, reducing personal and sensitive data turnover or balancing privacy and anonymity. All these aspects are deeply utilitarian, and applying them in practice makes it possible to reduce risks and obtain an economic effect. We are constantly developing products and technologies so that our partners and customers have the opportunity to stay one step ahead of attackers, to obtain a high level of data ROI and an efficient balance of risk reduction and the cost of this reduction.