Easy Prey Podcast

Understanding and Avoiding Triangulation Fraud with Soups Ranjan

“We look for moments of hesitation during a transaction. We look for the presence of abnormal behavior, like completing a transaction while on the phone or recording the screen.” - Soups Ranjan

As consumers, we may realize the need to be vigilant by using two-factor authentication and password managers, but there are so many scams out there that can impersonate legitimate organizations, websites, and people. We really can’t let our guard down.

Today’s guest is Soups Ranjan. Soups has over 18 years of experience in software engineering, data science, and risk management. He is the co-founder and CEO of Sardine. This behavior-infused platform offers fraud prevention, compliance, and payment solutions for various industries including banking, online marketplaces, FinTech, crypto, online gaming, and gift card exchanges. Previously, Soups led the Risk and Data Science teams at Coinbase, where he scaled the platform and enabled millions of users to buy, sell, and store cryptocurrency securely and efficiently.

“Every fraudster has a tell. They will slip up.” - Soups Ranjan

Show Notes:

“Even on a contactless card, using tap-to-pay, be careful. Don’t hand over your device. Always tap it yourself.” - Soups Ranjan

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review. 

Transcript:

Soups, thank you for coming on the Easy Prey Podcast today.

Absolutely. Happy to be a guest, Chris. Thanks for having me.

Glad to have you here. Can you give myself and the audience a little bit of background about who you are and what you do?

Sure, yeah. I'm Soups. I'm the CEO and co-founder of Sardine. We are a four-and-a-half-year-old, venture-backed startup. We help about 250-plus companies in both the financial services sector, as well as the online commerce sector, with the fraud, as well as the compliance needs. On the compliance side, we do identity verification, know your business, as well as AML, anti-money laundering, transaction monitoring.

On the fight fraud side, we are a behavior-based fraud prevention company, which means we look at a consumer's behavior when they're signing up, when they are doing a payments activity, or when they're logging in. By behavior, I mean how are they typing, how do they hold the phone, how do they swipe, et cetera.

My prior background before founding Sardine, I used to be head of financial crime for Revolut in the UK. They are one of the largest neobanks. Prior to Revolut, I used to be head of fraud for Coinbase. I'm a machine-learning engineer by training. I live in Berkeley, California and been practicing machine-learning for fighting a variety of bad actors, be it in cybersecurity or click fraud and not payment fraud/identity fraud, for pretty much my entire career, which is 20-plus years.

That's really cool. Was it your plan to get into fraud prevention from the beginning, was it something that caught your attention along the way, or something else?

I have a PhD in EE. My thesis was essentially about cybersecurity threats, like denial-of-service attacks. How do you scale up web services in the presence of distributed denial-of-service attacks? We're talking about 2000-2005. When I went over to the industry, one of the first companies I went to work for was selling software as well as hardware tools to telcos to detect bots, et cetera, and to filter out the bad traffic. That's how I got my break into applying machine-learning/data science to fight bad actors.

Throughout my career, I've only worked at startups, so I knew always that I wanted to found a company. Now I'm really excited running my own company, fighting the bad actors, and helping the world of finance get rid of bad stuff.

It will be a never-ending battle. Push them somewhere else for a little while.

Yeah.

Speaking of fighting bad actors, I try to ask as many of my cybersecurity guests, people in the counter fraud, and counter scam space, have you ever been a victim of a cybersecurity incident, a fraud, or a scam? Are you willing to share that story with us?

Yeah, sure. Yeah. I've not been a victim of a fraud or a scam online. However, I have been a victim of something that happened in person. The story goes that I was approached by a couple of young guys at my residence. The scam is called an Irish home scam because these are Irish-speaking guys who came over saying, “Hey, I have this machine, which we were just cleaning the pavement of the house next door. It's a high-pressure machine and pressure wash, and we can pressure wash your driveway, which looks really dirty.” I was like, “OK, you can do it.”

They basically upsold me into, “Hey, we can also paint your fence. If you give us some cash, we'll run to the store and buy the paint.” After they did the pressure wash, I gave them the cash, and, of course, they never came back. The moral of the story here is to always do a KYB or know-your-business check on anyone who is offering to do any work for you. Of course, we are all aware that we should be doing KYB checks online. How many of us really do that check on a contractor who's going to do work for you around your house? That, I feel, is still a missing spot in the industry.

Yeah. There's definitely a lot of people that will knock on your door and say, “Hey, I did work for your neighbor.” But if you actually start asking them which neighbor—“Oh, the one just down the street.” “I know everybody down the street; which one?” They won't give you a name. “Oh, no. I can't tell you that.” They're just making up a story. I've moved to the position of just never answering the front door anymore.

Yeah.

I appreciate you sharing that. Let's jump back into what you're currently doing. What are some of the trends that you're seeing for your clients, and what are you guys doing to combat those trends?

Sure, yeah. We work with a very diverse set of clients. I can start with what trends we're seeing in the financial service industry, as well as move to a few trends we see in the online commerce industry. I'll start first with the online commerce.

Some of the biggest trends we're seeing is spike in things like refund scams. The other trend we're seeing is what I would call triangulation fraud. I'll start with explaining what is a triangulation fraud first. For example, you might be on your favorite internet search provider searching for buying an airline ticket for your holiday. You land on a website, which looks decent; however, it's a phishing website.

Now, here's the kicker. You actually do get delivered the ticket. You entered your card. The fraudster, what they do is they take your card details and your billing address, et cetera. They actually quickly go and buy a ticket for you from another site. They do deliver the ticket to you. However, what they do is they add a fuel surcharge.

What is in there for the fraudster? (1) The fraudster now has access to your card details, which they can now use for buying anything else—a Rolex watch or booking themselves on another vacation somewhere. (2) They also charged you a fuel surcharge. If you're paying real close attention to your credit card statement, you would notice it one day. Then you actually go call up the phishing site. They will refund you the air ticket because they go and they cancel the ticket on the real site, but they won't refund you the fake fuel surcharge.

That's awful.

Yeah. That's one. There's many versions of this triangulation fraud. It could be applied to you buying sneakers. They ship you the sneakers because they go and actually buy it on Nike or Adidas store, but then they have your card details and they can do whatever they want with it.

Do you find that most of the fraudulent portion of the transaction happens right away, or do they sit on the card details for three months, six months to try to get some separation from it?

No, they give you the goods right away. There's another version of it, which I just heard, which is in the ticketing space as well. Suppose you want to go to your favorite baseball game. You go online, somebody says, “I can send you the ticket.” They say that they can sell the $500 ticket for $250. What they're doing is that then they use a stolen card to go buy the $500 ticket using someone else's card. Now they will send you the $250 ticket to you. They're making money two ways.

My wife works in an industry where they have seen that same thing. Their company has been used to drop ship product out to somebody. The credit card that was used to purchase it was stolen. The customer was charged on a different credit card for lower than the face value. The person who receives the stolen goods, they’re not sold in a sense, they’re not motivated to contact anybody because they got something at a really good discount.

Exactly. The third version of it that we're seeing is that, even on your contactless card, tap to pay. If you are at a restaurant or at a store, be very careful when you're handing over your card. First of all, don't ever hand it over. You should do your tap-to-pay yourself, because what a storekeeper might do is they tap it against a real terminal, but then they have another terminal hidden somewhere, and they tap it against that as well. You get double-charged.

It's really interesting. Maybe you'll have an explanation for that. The US has been really slow to adopt tap-to-pay in my mind as well as really slow to adopt, like at-the-table card swiping. It was probably 10 years ago, my wife and I were in Canada. We went out to a restaurant, they brought the credit card machine to the table and had me insert the card in the machine. Even though it wasn't tap to pay at the time, the card never left my possession.

My wife and I were thinking, “Why in the world do we, are we not doing this in the US?” That whole concept of, in the US, we're so used to the card leaving our possession for a transaction that it'd be really hard to protect against that. Is there a reason why retailers and restaurants still have a single card machine just back behind the counter?

This type of fraud, I've heard it's happening outside the US, where they have a different terminal. All these attack vectors, the thing it all comes down to is that it is becoming increasingly difficult to verify identities of merchants. The storekeeper who tapped your card on another fake terminal, they got merchant acquiring as in another card terminal from a different processor or a different bank. Somewhere along that chain, somebody failed to do what I would call know-your-business check or know-your-merchant check properly. They gave this merchant or the storekeeper another terminal. It will be a while before the merchant-acquiring bank finds out that this merchant was doing something shady. It'll be a while.

Two things are missing in the industry, which is where Sardine comes in. (1) It is very difficult to verify identities online, especially in the age of deepfakes. (2) There's a big need for doing real-time onboarding, real-time transaction monitoring, and real-time ongoing monitoring of a merchant or a consumer. Legacy systems were not built to do any of these things real time.

Old credit card. The legacy of credit card is that physical swipe machine. You and I have seen those, but probably none of our listeners have seen the card swipe machines. They had to mail it into their credit card processor at the end of the day or the end of the week. Is it just because of that legacy, or is it complicated to do these things real time?

It is complicated to do these things real time because data is siloed across multiple different places. You have to bring it all together in one place, and then you have to do real-time transaction monitoring. What we specialize in is essentially bringing all of the data together in one place and then also building machine-learning models, or applying AI techniques to doing all this transaction monitoring in real time. This is very true for both online commerce, retail, as well as it's very true for banks.

For banks, what we're seeing is a couple of trends. One is there's a big rise in scams. As banks are increasingly adopting real-time payment methods like Zelle or soon-to-come RTP (real-time payments) or FedNow, the biggest attack vector is now shifting away from fraud over to scams. There's a variety of these scams. There's romance scams, sell scams, tech support scams, investment scams, or IRS scams.

All of them, essentially, you get a call from someone who pretends to be from the IRS or what have you, and they convince you or socially engineer you into sending all the money somewhere else. Once the money is gone via a faster payment method, then it's really gone. There's no recourse for a bank to bring it back to the victim.

Because the fraudster didn't technically gain access to the person's account, it was something that they convinced the consumer to do voluntarily, without giving away the fraud prevention services. What are some of the general concepts of how you tell whether a transaction like that is legitimate or not legitimate?

Yeah, absolutely. There's a couple of things that we do. We look for patterns of hesitation during a transaction, or we look for presence of abnormal behavior during a transaction. Abnormal behavior could be like you're doing a transaction, but you're still on the phone. Maybe because you're talking to someone. You are doing a transaction, but you're making screenshots, or you're recording the screen because the scammer convinced you to do so, because the scammer needs evidence so they can get paid.

The other thing that commonly happens is that a lot of these scammers are convincing victims to install team-sharing tools on the laptops or even on the mobile devices. These are tools like AnyDesk, TeamViewer, et cetera. These tools are typically used to provide technical support, but now fraudsters are misusing these tools.

Let's say if I convinced you to install TeamViewer or AnyDesk, then I can literally see everything on your screen. I could be controlling your screen; I could be moving the mouse on your screen. I can actually blank out your screen. When I'm on your bank account, I blank out your screen so you don't even know what I'm doing. And I move the money out.

What Sardine does is that we build what we call a device intelligence and behavior biometrics SDK, which is basically a piece of code that you embed in your bank's mobile app or on the bank's login pages on the website. This piece of code then informs the bank that there are multiple people on a screen doing things together. If this happens in real time, then the bank can take steps to prevent that transaction from happening if they suspect there are multiple people behind the screen.

Yeah, that's really neat that we can now start doing real-time tech. It's not solely looking at this is just an abnormal payment for a consumer, but the way they're using their device, the way they're using their computer in and of itself is abnormal, which is really neat to start seeing tech combating that, not facilitating fraud.

Yeah.

Are you seeing this thing? I know that you also deal with gift card exchanges. To me, that just seems to be an area that would be ripe for fraud, for money laundering. How does machine learning there protect those entities as well as their customers?

We work with the gift card exchanges, crypto exchanges, NFT platforms. For all these platforms, what they're selling is essentially digital goods. You're selling digital goods. A fraudster who's sitting with this bag of stolen credit cards, that's the best thing they can buy, because they can easily liquidate those things and they're not reversible, so you can't claw money back from them.

We have this saying at Sardine that if you can solve for fraud in these high-risk industries, then you can solve fraud elsewhere. We really cut our teeth in solving fraud in these industries first, and we now work with the largest gift card exchanges, the largest crypto exchange, and the largest NFT platforms.

The nature of fraud is the following, which is stolen credit card or stolen bank fraud. I steal or I buy online on the dark web a stolen credit card information as well as stolen bank details, then I link it to a gift card exchange, then I'm buying gift cards using the stolen payment instruments, then I'm immediately moving it off somewhere else, and then trying to liquidate it. Where Sardine comes in is that we rely on looking at intrinsic behavior patterns of the consumer when they're making a purchase. Oftentimes, every fraudster has a tell, which means they always slip up, they always make a mistake, and that's how you catch them.

For example, going to all sorts of telemetry. What is the angle of the phone when somebody is making a purchase? Is the phone face down when you're making a purchase? And many other details that I can't really get into because I don't want to give away the secret sauce, but that's all the intrinsic behavior patterns that we look for.

Yeah. Without discussing it, I can think of several things in my mind that a normal human being would never do this or very rarely do this. Getting into kind of the integration a little bit, there are certain things that we know this is a fraudulent transaction so we're going to stop it right now, and then there's, “This looks like it could be fraudulent.” Is that the thing that you would escalate to a fintech's internal fraud team to look at in more detail?

Yup, absolutely. First of all, we are not a black box, unlike other fraud-prevention companies. We give you all the reasoning behind someone's score being high, medium, low. Oftentimes, what our customers do is, since we work in real time, you can actually use a fraud scoring in the authorization step itself. Therefore, you can make a decision based on a fraud score whether to even approve the transaction or decline the transaction, or you can step them up.

When you step them up, you can again do automated step-ups or manual. Automated step-ups could be like, Sardine thinks this is a medium-risk transaction; let's do 3D Secure. Let's send some sort of a push notification back to the bank. The customer’s banks are in the US. Not many banks support 3D Secure, so we offer other types of step-ups. Step-ups could be like you could ask the customer to upload a picture of the driver license and take a selfie.

Another step-up could be you don't trust the credit card that they're using to make the purchase. You could say, “Hey, I'm going to do some penny drop transactions using your card, but I want you to go back and look at the amount that was entered and come back and verify your card that way.” Or you just step them up to a manual verification.

The reality, though, is that we like to reduce these step-ups as much as possible because that's where machine learning—if it's doing its job well, you should have most of the transactions being approved and very few being declined. We bring to bear a lot of data to fight credit card fraud or bank fraud.

Oftentimes, we are also convincing new untapped data sources to actually create data products. Besides our device and behavior data, we look at email history; we look at email reputation. We look at if you gave a phone number, then what is the reputation of your phone number? If you gave us a shipping address or billing address, we look at the reputation of that address.

Finally, we recently launched a tool, which allows us to match the name of a cardholder with the card number itself. When you're doing AVS with your credit card, did you know that your name is actually not being verified?

It is not verified. Yeah.

You could enter Mickey Mouse on your card number and it'll still get passed. When these systems were built, these were all on DSL lines, and they could not carry alphabets. Therefore, it's only now that we convinced one of the largest data providers to actually build a product. Visa also is launching something similar; they call it Account Name Inquiry. We now are one of the most unique providers who can match the cardholder name to the card number, as well as the phone number, as well as their address. These signals alone reduce 25%-35% of fraud.

I'm going to try to get the phrasing of this right. Are there things that are done in financial industries outside of the US that aren't done in the US that we really should be doing in the US, or training our consumers to be able to do, if that's not vague enough?

Yeah, there are so many. For a variety of reasons, we haven't had much success in enrolling US consumers into 3D Secure.

Can you explain what 3D Secure is since a good chunk of the listeners aren't in the US, so we don't have an idea what that means?

Sure, yeah. 3D Secure is essentially the card schemes of Visa, MasterCard. They came out saying that if you don't trust a particular card transaction, then you can send an SMS to the phone number linked at the bank account that that card belongs to. The reality though is that not many people have their phone number linked in the bank account.

Most of the banks in the US at least, they haven't really given consumers the option to enroll into 3D Secure. It was relatively easier to do it in Europe, but in the US, it's been pretty much not being as widely adopted. If it were more widely adopted, then you could have used that as a step-up and stop a lot of fraud. Fraud rates outside the US are much lower, like in Europe, because 3D Secure is adopted. It's a trade card fraud losses and fraud rates are much lower than in the US.

Why is it more difficult to adopt fraud prevention techniques in the US than outside of the US?

Because we have way too many banks here—4,000+ banks—including the credit unions.

When there's new technology to roll out, the ones that are smaller and don't have the infrastructure to support it push back against the legislation or the mandates to do that.

Or they just don't have the technical staff to even do it.

Yeah, that's disappointing. I want the best anti-fraud measures available to me as a consumer to make sure that when my cards are kept safe and my bank accounts are kept safe, it's unfortunate that there are platforms that could help that just aren't available here.

Yeah. On the other hand, though, there's a lot of amazing things happening in the industry. Startups like ours are being started to essentially fill the gap here. We have been helping a lot of small regional banks now with their fraud prevention measures. Yeah, change is coming.

That's good. Are there any trends that you're seeing in terms of fraud or scam that you're like, “Yeah, we've got this covered,” but if other people don't have systems in place, there's this impending doom coming that if companies don't start upping their game, that they're going to be overwhelmed by? Are there any trends that are alarming to you that you see growing?

Yeah. The biggest trend that I'm concerned about is just the rise in scams. If you look across the pond to the UK, they have had a faster payment method for much longer than us. Now, if you look at the stats, the dollars being lost to scams has far eclipsed dollars being lost to credit card fraud. As US has not adopted the variety of faster payment methods like Zelle, Venmo, et cetera, and with RTP and FedNow coming soon as well, consumers as well as businesses will be able to move money faster.

If you look at it, wires have a few cutoff windows at 1:00 PM or 4:00 PM. Therefore, a bank does have the time to actually review a transaction before they actually submit the wire and let it go through. With real-time payment methods, the moment it's submitted, the money is gone. You have to up your game quite a bit.

All older banking core payment systems were written in COBOL. They cannot handle real-time payments, so all the banks were adopting RTP, FedNow, et cetera. They are rethinking the whole payment stack as well as the anti-fraud stack.

There's two things that are happening here. (1) As these technologies get adopted, we say, faster payment means faster fraud, so we’ve got to stop these in real time. In order to stop it in real time, you need new technology. That's where we are helping a lot of banks and payment providers with their faster payment fraud needs.

You're specifically saying the UK was earlier to roll out real-time payments. Did they see a spike in fraud as that technology was rolled out and that spike is now decreasing as people are more familiar with the technology and the risks associated with it? In the US, we're still on the upslope of adoption. Since people aren't familiar with it, there's more of an opportunity for the scams to take advantage of them?

Yeah. In the UK, it's still a [inaudible 00:32:34]. They are taking steps to hold folks accountable so that they're doing the right checks. They recently passed a regulation in the UK saying that the sending bank has to do a lot of checks on the counter party on the recipient. The receiving bank, similarly, they have to do checks on their counter party, which is the sender. If neither of them have done the right checks—as in is the money coming from the right individual or is the money going to the right individual?—then there's a way for a victim of fraud to get reimbursed by either the sending bank or the receiving bank. They've set up a pot of money, which the victims can get reimbursed. We are way behind any of these regulatory mechanisms.

Yeah. What can consumers in the US do, aside from being really careful about real-time fund transfers? Are there ways that we can evaluate the banks that we work with to say, “This one's doing more; this one's doing less”? Or are we all just waiting for the technology to mature, the anti-fraud technology will help everybody at the same time, and we don't really have a whole lot of significant benefit of going to one institution over another?

Yeah, absolutely. Unfortunately, it's a little hard right now for consumers to really understand that level of detail as to what type of anti-fraud measures the banks offer. Oftentimes when we are brainstorming at Sardine, we have this thesis that is, what if we could help banks or online commerce companies who are using Sardine to have almost like a Sardine insight, or Sardine is protecting you type of a framing? Consumers, if they see that, then they can trust it much more.

I'm probably not the normal bank customer in a sense that I would be willing to switch to a bank which had stricter fraud preventions. Yes, that makes my life more difficult in my day-to-day banking. What I'm doing potentially makes my life more difficult when I'm doing the things that I want to do, but I want to have an order of magnitude more protection. With more friction on my side, I'm willing to pay with friction to get a safer experience. I wonder if we'll start seeing banks advertise that as, “We're going to be different from every other business. We’re going to try to introduce friction and slow you down as opposed to facilitate instant everything.”

Yup, absolutely. I'm the same way as you, Chris. I would much rather bank at a bank which takes fraud much more seriously. In fact, I'm waiting for a bank which could offer me a mode where I could just lock up my money and no one can touch it. Even I can't touch it, unless I went through 10 different steps.

When you find that bank, let me know. I would like to use them as well. I think the financial services companies, they've got their part that they have to do in seeing anti-fraud technology move forward. It sounds like a lot of it at this point from the consumer perspective is not that we're necessarily on our own, but we still have to be really careful as consumers and not assume that our banks and our financial institutions are going to protect us as much as we'd like them to. Are there things that consumers should be watching out for, whether it's cryptocurrency transactions, gift cards, banking, online shopping? What are the things that consumers should be watching out for that should be a red flag to them?

A couple of things. (1) If you're getting a text message, which is promising you to get rich quickly, don't trust it. Or a text message from the IRS saying that you owe the IRS sums of money or someone else, don't trust it. Similarly, when you're getting emails, don't trust them. Be very vigilant about the source where the email is coming from. You can oftentimes hover over the sender and then see if the sender is really who you expect it to be. Does it really say irs.gov, or does it say irsgov123.com, for example?

The other thing you could be doing is take your personal online security very seriously. Use a password manager. Don't share passwords across sites; use a password manager, and set up 2FA. Set up a 2FA, second-factor authentication, on all your banking accounts. The second factor also, if the bank offers authenticator-based methods, the technical term for that is TOTP. The tools that support it are Google Authenticator, Microsoft Authenticator; they are time-based tokens. If your bank offers that, definitely use that over SMS, because SMS also has a lot of vulnerabilities.

Yeah. I will say while SMS is probably the weakest of two-factor authentications, it's better than nothing. Don't say, “Oh, because they don't have the most strict tokens platform in the world, I'm going to choose nothing,” because something is better than nothing.

Hundred percent agree with you, yeah.

I think it's interesting that, I think even for myself, I'm very quick to say, and people makes sense to them of, oh, yeah. Two-factor authentication on my bank accounts and anything that's a financial, these days I would almost say protecting your email address is almost more important because if someone can get your emails, they can reset passwords. They can potentially disable two-factor authentication. Our email is almost the gold standard for getting into everything else in our life.

Hundred percent agree with you on that. Yeah, protect your email like you protect your bank account. If you don't have 2FA on your email, then they can reset your email, and then reset your bank after that.

Scary. Any other parting advice before we wrap up here?

The only other thing I would say is that just continue being vigilant, continue being paranoid. That's the only advice I have.

Trust but verify or be suspicious of everything. If people want to find you or Sardine online, where can they find you?

Yeah, sure. Our website is very simple: sardine.ai. You can also follow us on Twitter and LinkedIn. You can also follow me directly, if you want. You can just find me on both those social media places. I'm easy to find just by the name, Soups Ranjan.

We'll make sure to link to all of those in the show notes that you can find online with this episode. Soups, thank you so much for coming on the podcast today.

Absolutely. It's been a pleasure speaking with you, Chris.

Thank you.
