Episode 167 – Combating Fraud – Patrick Chen, Spec

Yvette Bohanan

May 12, 2022

POF Podcast

In this episode of Payments on Fire®, Yvette Bohanan is joined by Patrick Chen, co-founder of Spec, to discuss payments risk, fraud, and the age-old question of good versus evil. Listen in to hear how organizations can combat fraud while still providing the best customer journey.

 

Yvette Bohanan:

Welcome to Payments on Fire, a podcast from Glenbrook Partners about the payments industry, how it works and trends and its evolution. I’m Yvette Bohanan, a partner at Glenbrook, and along with George Peabody, your co-host for Payments on Fire. Today I am flying solo while George is out sailing somewhere in the bay or doing something fun. Who knows? But he’ll be joining me on a future podcast, for sure.

 

Yvette Bohanan:

Anyway, I get to talk with someone super special today. I’m going to be talking with Patrick Chen, who is a co-founder of a new company called Spec. The reason I’m really excited about this is because Spec is tackling a really tough problem. And we’re going to give a big shout out today to all of our friends in payments risk operations, risk ops folks out there, the unsung heroes of keeping things on an even keel in an organization.

 

Yvette Bohanan:

If payments risk isn’t controlled, as we all know, in walks fraud. Fraud rings are becoming increasingly professional, global, tough to find, tough to deal with, and they’re as fast or faster than most of the technology being employed by the good guys.

 

Yvette Bohanan:

So we have a really, really dedicated group of people in organizations, if you’re lucky, who have a lot of technology, who are working really hard, and their job is super tedious. On one side of the equation, they are trying to figure out how fraudsters are getting into their environment, and that can be really, really difficult. We’re going to talk about that with Patrick.

 

Yvette Bohanan:

Now, on the other side, if they’re not trying to prove what the MO is, how the fraudsters are doing their thing and shifting tactics, and what has to happen in terms of engineering resources and changes to websites or processes or policies in order to stop the fraud, then on the other side of the equation, they’re talking with the growth team, the marketing team, the sales team, and they’re trying to prove that they’re not hurting or harming the customer journey for all the good customers trying to get through and transact with the business. It’s a tough job. So, Patrick, with that tee up, welcome to Payments on Fire.

 

Patrick Chen:

Thank you, Yvette. Super happy to be here.

 

Yvette Bohanan:

All right. So I just described what’s going on in risk ops teams if companies are lucky enough to actually have a team dedicated to this. Sometimes it’s just some poor person in finance or accounting that’s trying to figure out what’s going, or customer service, right?

 

Patrick Chen:

Mm-hmm.

 

Yvette Bohanan:

You’ve been in this industry for a long time. Can you just take us through the basics? Unpack what we’re teeing up here. What is actually going on today? What types of tools, technologies do people have at their disposal and what actually makes this hard?

 

Patrick Chen:

That’s a great question, Yvette. I think what actually makes it hard is just the dispersed nature of all of the tooling, all of the data in a typical organization. If you look at how an organization or a risk ops team typically finds out about fraud, it’s with trailing indicators, it’s some metric went wrong, maybe chargebacks are up, maybe payment declines are up, maybe some other metric pops up.

 

Patrick Chen:

Now a fraud ops team, after fraud has already happened, needs to go into a number of different systems. For a payments related industry or company, that could mean finding data from a PCI secure server. It could be marrying that with PII data that’s in a little less secure than PCI area, marrying that with public data, like an IP address, maybe what the consumer was doing on your site. That’s the first step to pull all of this together.

 

Patrick Chen:

The second part is once you pull all this data together, you have to comb through potentially millions and millions of rows, or hundreds of thousands of rows to figure out what was the fraudster actually doing. So that takes even more time. It can take weeks to figure out what the MO is.

 

Patrick Chen:

Finally, when you realize what’s actually going on, you might need to go beg, borrow, and steal an engineering resource to go and stop that fraud. Typically, engineering resources have their work planned out for quarters and quarters ahead. You’re literally blowing up their roadmaps to come and stop fraud. You’ll be shocked to find that fraudsters don’t schedule their attacks to fit your roadmap.

 

Yvette Bohanan:

Really? They’re not aware of all these product roadmaps out there and when engineering is going to have a break to deal with them.

 

Patrick Chen:

Yeah, exactly. So all of those things make it incredibly difficult and just increases the amount of time to detect, learn about the fraud, and then do something about it. A fraudster might take just several hours to launch an attack, and then it takes typical teams maybe days to weeks to months to identify the MO and then put some countermeasures in place to actually stop that fraud.

 

Yvette Bohanan:

Yeah. I just want to double-click on one thing that you said and go a little bit deeper. Just to be really clear here, in these environments, we’re not talking about websites or apps that don’t have some sort of controls around them.

 

Yvette Bohanan:

Usually there’s something going on to stop bot attacks at the perimeter, and there’s often either hard-coded rules in the environment to tackle common fraud patterns. Maybe they have some machine learning tools, or something just deployed out there. You have customer service teams who are getting signals from people calling in, right?

 

Patrick Chen:

Mm-hmm.

 

Yvette Bohanan:

It’s those signals that once you get the signals and you realize something’s off, now the process you’re talking about kicks in, right?

 

Patrick Chen:

Yup.

 

Yvette Bohanan:

How long can it typically take a team to figure this out?

 

Patrick Chen:

It can take several weeks sometimes. A lot of those systems don’t actually talk to each other. A lot of the fraud operations teams that I’ve worked with and at companies I’ve worked with, they don’t know what the security team is blocking at the edge, what IP addresses are coming in, how many of them have been blocked, what’s getting through. Maybe this IP that looks like … Associated with what looks to be a good order was actually blocked 9,000 times at the edge, and fraud operations teams don’t have that information.

 

Patrick Chen:

Maybe they don’t have that information of the social engineering that’s happening at the call center, that this person called in on 15 different accounts in the last two hours. All this data is incredibly siloed, and that increases the time to identify that fraud is actually happening, and then to figure out how it’s happening.

 

Yvette Bohanan:

Right. Yeah. I can’t tell you how many times I’ve sat down with teams who were trying to figure something out. We have all this sophisticated stuff going on and plugged into the environment and screening transactions or whatever and we sit down and they’re like, “Here, let me open this spreadsheet and show you what we’ve put together.” We’re back in Excel. They’re scrolling through thousands of rows going, “Yeah. See these wonky email addresses and stuff? We found this and that.”

 

Yvette Bohanan:

Yeah, it’s really crazy. It’s hard, hard work. Then you’re going into escalation meetings every day trying to explain where you’re at in the process, and people are wondering why it’s taking so long. There’s a lot of pressure to it, too. So it’s a tough job.

 

Patrick Chen:

Yeah, it’s incredibly difficult.

 

Yvette Bohanan:

And on the other side, we’re putting in technology all the time to make it easier for good customers to interact and to make processes more efficient, like chat, right?

 

Patrick Chen:

Yeah.

 

Yvette Bohanan:

Then you have these MOs that start popping up these days where the chat channels are actually being used to compromise and circumvent a lot of the controls.

 

Patrick Chen:

Yeah, absolutely. I think the siloed nature of the tooling doesn’t apply just to the different teams. For what a fraud ops team controls, like registration to login, to payments, and payouts, it’s incredibly siloed as well. I think chat is a great example of the lack of fraud tooling and controls that are deployed in that channel.

 

Patrick Chen:

That means you may learn about a fraud ring exiting funds to the same bank account only after the funds have been exited off your platform. If we look at chat, you may find out that that person that’s egressing funds was actually spamming a number of people in your double-sided marketplace. They may have been asking for information or trying to take transactions off platform, or romance scams, or any other of these scams that are incredibly difficult to monitor with traditional fraud tools.

 

Patrick Chen:

An API-based solution is incredibly expensive when you’re deploying that out to a perhaps million-chat conversation platform. It’s incredibly difficult to stitch that together. That might be where you can best detect that fraud, not at the point of egress or the point of payment but actually as that abusive customer is actually launching those chats to other users of your platform.

 

Yvette Bohanan:

But it’s a really sophisticated blend of the fraud rings using technology and social engineering together that we’re really dealing with here at scale, at a global scale.

 

Patrick Chen:

Yeah, absolutely. They may be automating some of these chats as well. It may be incredibly obvious for a fraud operations person, once they have that data, to say, “Whoa, this is actually bad Patrick.” It’s like what is he actually doing? Why is he sending 10,000 messages per minute? That’s ridiculous. First of all, let’s not talk about fraud. That’s a bad customer experience for your other customers.

 

Yvette Bohanan:

Exactly, exactly. There’s so much new technology for customers to use today in the payments realm and experiences alone that are supposed to drive really cool experiences. You have all this new fast payments technology where people are supposed to get money available faster. They can send money and receive it, independent of those five-day a week banking business hour kind of constraints we’ve all had for decades and decades. But, gee, what’s not to love about that if you’re a fraudster?

 

Yvette Bohanan:

We see headlines all the time with these scams, with payment systems like Zelle experiencing this authorized push payment fraud or APP fraud. So the rings keep evolving and it’s really hard to spot until after the fact. Then the money’s gone and people lose trust in the system and they lose trust in your brand. Things spiral downward really quick with good customers.

 

Yvette Bohanan:

So, Patrick, it’s a cruel hard world out there. So give me some hope. What I want is I want an environment to take the tedium out and to give some power to the good guys who are fighting this stuff. I think that’s what you wanted too with Nate when you co-founded Spec. So how are you looking at things differently with what you’re doing now? Because you’ve been in this industry a long time. You’ve developed products and launched very successful products. You’ve worked inside of operations teams. You understand this obviously really well. What’s the solution?

 

Patrick Chen:

Yeah, that’s a great point. I think you hit on the biggest problem that triggered Nate and myself to start Spec, which is why does it take so dang long for the good guys to mount a defense against evolving fraud? How we think about that is really reimagining where a fraud platform sits in the ecosystem of an enterprise customer’s technology stack.

 

Patrick Chen:

Every API-based system today sits actually behind the technology stack. So you’re letting fraud onto your platform, and then you’re trying to figure out how to stop it. Spec is fundamentally different in that we actually sit in front of your technology stack. We sit on what’s called the edge of the internet. So as your consumers are interacting with your applications, before they even hit your site, they’re coming through Spec’s platform.

 

Patrick Chen:

So our platform operates similarly to like a Cloudflare or an Akamai CDN and we sit in front of the application and we’re looking at the traffic that comes in. Because we do that, we have several distinct advantages. We see every interaction that the consumer is making, whether or not it fits into the traditional fraud checkpoint or not.

 

Patrick Chen:

So that means every page load, before they try to login. Did they load the page? What credentials did they use? How many times did they try? What were the outcomes of those particular events? Were they successfully able to register? Were they able to successfully egress funds or did they get caught up in something? Did that bank account not exist and, therefore, the transfer couldn’t happen?

 

Patrick Chen:

So all of that information makes it much easier for fraud operations teams to detect the fraud and understand what’s going on. Then because we sit in the edge, we can deploy the countermeasures much, much faster. What this means is just no code for our customers, like no need to go to engineering to pull them off of the important work they’re doing. They’re likely generating revenue. They’re launching new products, launching new markets, doing all of these things to generate revenue for the business. We don’t need to pull them off of that important work. All of the countermeasures can be deployed directly off of our platform in just a couple of clicks.

 

Yvette Bohanan:

Yeah. So you’ve moved from this risk ops organization going to engineering, or product of engineering, over to them going to what I would consider the realm of the CSO, the security team, the network engineering security group and you’re asking them to monkey around with their edge of the network. How much involvement … I mean is it really literally from a dashboard that you get to do all of this stuff?

 

Patrick Chen:

Yeah.

 

Yvette Bohanan:

That’s amazing. So when people are looking at doing this, a lot of times they’ll want to run A/B tests before they put something in their environment. Is there a capability to do that too, to switch traffic over and back, just to see and compare … I’m thinking of things like speed in that of the page loads and things and the customer experience. How do you test this? Because this seems pretty encompassing. How would someone test it?

 

Patrick Chen:

Yeah.

 

Yvette Bohanan:

We always tell our clients you’ve got to do an A/B test, whatever you’re putting in place.

 

Patrick Chen:

Yeah, absolutely. Because we sit at the edge, we’re able to do some unique things that don’t involve that level of A/B testing. So we can actually work off of a mirrored copy of the network traffic.

 

Patrick Chen:

That’s typically how our enterprise customers first try Spec. So we’re not blocking the traffic. We’re just basically utilizing in a CDN is the most common way, like a concept of a worker. It just copies HTTP traffic that’s going to say dub, dub, dub, da your company.com and makes a copy to Spec. We can already start to do the stitching together of the customer journey to show them what we’re able to do. So that’s a really low risk way for us to get involved and show the value of our platform without that little bit of a risk of sitting in line or sitting in that network stream.

 

Yvette Bohanan:

So now I’m really curious, because I’m in a world where I have way more information way sooner. I have a pretty easy and sophisticated way to turn things off and on in the environment for controls. Now all those old ways of detecting if something is off change, too.

 

Yvette Bohanan:

I know you have some kind of like a visualization component here. When I was reading up a little bit on the product, what really struck me was a quote where you said, “One of the first things we learned when we turned on this visualization product was that a circle is a bad thing.” Can you tell us a little bit about why a circle is a bad thing and why visualization becomes really important here?

 

Patrick Chen:

Yeah. I think visualization is really important because it provides humans the context of what’s actually going on. When you’re talking about this spreadsheet-based thing, it’s kind of like the matrix. Somebody’s reading some code and figure out what’s going on. It’s incredibly difficult to contextualize that to leadership, to somebody who’s trying to balance that revenue versus fraud on what’s actually going on.

 

Patrick Chen:

So the visualization component that we’ve put together is really around … Well, there’s two components. So I think what you were talking about with respect to the circles is the data and element linking component. So for a given session, how many different email addresses were associated with it? How many bank accounts paid into it? For a given bank account, how many different consumers were paying into that bank account? All of that information makes it easier to contextualize is this anomalous or is this not?

 

Patrick Chen:

So the concept of circle being bad was a number of inputs to one specific output in a very short amount of time. In our visualization, it just makes a beautiful flower. That’s where circles became really, really bad.

 

Patrick Chen:

The other part of our visualization is that customer journey, like everything the consumer did in that journey, how long that journey took. Did they register and immediately login and then start to transact business or start to chat with thousands of customers in the first 30 seconds of them signing up?

 

Patrick Chen:

That’s all information that we pulled together in that customer journey for comparison to other customer journeys for that particular login. Then in aggregate, the visualizations that we have around the full customer journey, the fraud walk, if you will, in fraud ops team speak, is to understand the conversion through each of these checkpoints, like how many people got stuck in a login flow or in a two-factor authentication flow? Are there frictions? How many good customers got caught up in your fraud step-up? How many bad people are getting through? That data is really, really powerful, not just for fraud-

 

Yvette Bohanan:

Everyone.

 

Patrick Chen:

… but for growth and revenue generating teams to figure out how to create a better customer experience.

 

Yvette Bohanan:

Well, that’s the kind of data that brings people together to solve a problem, not just bringing them together in frustration about why do we have a problem?

 

Patrick Chen:

Yeah.

 

Yvette Bohanan:

And so, you’re changing the conversation on a lot of levels here and you’re creating a data that you can use without someone understanding the ins and outs of the system and fraud and patterns and MOs and the fraud walk. You can actually just show them the picture and say, “Here’s what’s going on,” and then move the conversation to a different level, maybe.

 

Patrick Chen:

Yeah. A lot of companies I’ve worked with, there’s a lot of friction between, say, marketing and fraud teams, or growth teams and fraud teams. A lot of that is because of lack of attribution. So we don’t call it MO. We call it an attribution. So a bot hitting a marketing coupon site to register tens of thousands of accounts’ free coupon looks like fantastic conversion to a marketing person.

 

Yvette Bohanan:

Exactly. Exactly. It’s amazing. It’s fabulous.

 

Patrick Chen:

“It’s amazing. We went through our budget in 39 minutes. That’s awesome.”

 

Yvette Bohanan:

“Give us more budget.”

 

Patrick Chen:

Yeah, “Give us more budget.” That’s not necessarily bad, but getting that attribution to find out what is actually happening. How does that marketing conversion tie into fraud for the business, to payments fraud, to chargebacks, to other metrics that really impact the business?

 

Patrick Chen:

All of that becomes much easier in that visualization. You can actually understand like that was actually a robot and this is how we know it’s a robot. That’s actually a good customer. They actually abandon because you ask for too many fields.

 

Yvette Bohanan:

Right. Yeah. You stepped them up one too many times here.

 

Patrick Chen:

Exactly.

 

Yvette Bohanan:

Right. Wow. So this could be pretty cool stuff, changing the game. That’s a big, big task to take on. I’m pretty excited about what you’re talking about. Any other observations about the industry? What are you learning as you roll this product out and you see what’s going on, kind of the state of the union from your vantage point? Because you’re looking at things a little bit differently and you have a lot of history in this space. What would you say are sort of like, in the last 20 years, how far have we come and how far do we have to go? Besides what you’re doing, any other thoughts?

 

Patrick Chen:

Yeah. I think, certainly in the last 20 years, there have been a lot of advancements in fraud signals that I think every fraud operations leader like yourself has been sold like a silver bullet, like, “Yvette, buy this risk signal and it’s totally going to stop this kind of fraud.” We haven’t had the advancements like when we’re talking about sitting on the network edge.

 

Patrick Chen:

This is old hat for security teams. They’ve been working with these types of tools for generations now. It’s relatively new to the fraud space, but a lot of adjacent organizational buddies have been utilizing this technology for a long time. So we’ve been seeing this breakdown of silos, of engineering teams saying like, “Whoa. We’re using a similar technology. Can we link these two platforms together?” As soon as the fraud person who’s monitoring payments, or account takers or anything, mark something as fraudulent, we update the technology at the edge, the web application firewall and everything, to see what’s going on.

 

Patrick Chen:

So we’re seeing this concept of fusion teams where fraud personnel are getting pulled into security teams, or working closely with growth and marketing teams, to find out what is actually going on. It’s two sides of the same coin when you’re stopping fraud. To your partners in the business, it sounds like you’re just introducing friction and my metrics are going to become lower. We become this platform that unifies not just the data, but the people that operate within an organization and they work much better together.

 

Yvette Bohanan:

Yup. We’re always saying have a cross-functional team. Have a cross-functional team. But I think when you put people in the room, it was still super hard, because everybody came into the room with their own data and their own needs. I really, really hope people are thinking about ways to change the game for better results across the board.

 

Yvette Bohanan:

This was a really great and important conversation. It’s what we talk about all the time with people in this space. I’m so happy you and Nate had the tenacity to try to figure out whatever the secret sauce is that you’ve put in at the edge to help people collect this information and interpret it, and use it and make it useful to them. So I will be watching from the sidelines cheering you on and to see how this evolves.

 

Yvette Bohanan:

This is really cool. I hope we can have you back maybe in a year’s time to talk about the evolution of the industry and what you’re seeing as you start to roll this out more with people.

 

Patrick Chen:

Yeah. I’d be happy to, Yvette.

 

Yvette Bohanan:

Yeah. That would be cool. Thanks so much. Thank you for listening. We are always delighted to hear comments and ideas from our audience and what they want to hear about. If you heard something today that’s of interest to you, you want us to dig deeper, talk about more, you can always share your thoughts and ideas. Just email us at paymentsonfire@glenbrook.com. Until we catch you on our next podcast, take care, everyone, and do good work.

Recent Payment Views

Payments Post #17: Cutting Costs

Payments Post #17: Cutting Costs

In this Payments Post, we discuss the DOJ bringing a lawsuit against Visa that alleges the company operates an illegal monopoly in the debit card space. Does the argument have merit in our non-legal minds? And if so, what could the DOJ’s move mean for an evolving payments landscape?

read more
Payments Post #17: Cutting Costs

Payments Post #16: The Apple Drops

It’s time for another edition of Payments Post and (surprise!) we’re thinking about the Visa Flexible Credential again. Now that Apple has plans to open up the NFC chip and Secure Element to third party developers, we’re scratching our heads. Who benefits from this newfound NFC access? What opportunities can fintechs unlock? How will conventional financial institutions react? And to tie it all back, does the VFC still matter?

read more
Payments Post #17: Cutting Costs

Payments Post #15: BNPL Battles

In this month’s Payments Post, we revisit the prime use case for Visa Flexible Credential (VFC): BNPL. How are buy now pay later providers positioning themselves in the current environment, how are consumers using their tools, and how are regulators and issuers responding?

read more

Glenbrook Payments Boot CampTM

Register for the next Glenbrook Payments Boot CampTM

An intensive and comprehensive overview of the payments industry.

Train your Team

Customized, private Payments Boot CampsTM workshops tailored to meet your team’s unique needs.

OnDemand Modules

Recorded, one-hour videos covering a broad array of payments concepts.

GlenbrookTM Company Press

Comprehensive books that detail the systems and innovations shaping the payments industry.

Launch, improve & grow your payments business