During the MRC 11th Annual ecommerce Payments & Risk Conference, Signifyd won the METAward in the Start-up category. The other finalists were Curaxian and Sift Science. The METAward recognizes solution providers delivering the most innovative, cutting-edge technology for managing payments and risk in electronic commerce.
When and why did you start this company?
My co-founder Mike Liberty and I started Signifyd in June 2011. There were two major trends that we saw:
- First, almost every merchant had a manual review team that researched Facebook, LinkedIn, Twitter and other social websites to review transactions for risk, which meant that something was missing from the decisioning process on the front end;
- Second, there was an increase in the number of small and medium businesses (SMBs) moving from the brick-and-mortar world to selling online and they had no good solutions to deal with the liabilities involved in card-not-present transactions.
Our team has a strong background in payments and fraud. Going back several years, I developed the fraud and risk team at FedEx Corporation where we built everything in-house. This was a period during which I learned a lot about payments, fraud and risk. In 2009, I left FedEx and moved to PayPal, where I headed up the Emerging Markets Risks and focused on Latin America, the Middle East and Africa, all high-risk profile countries. Here is where I met my co-founder Mike, who was the head of Digital Goods Risk at PayPal. One of the things I learned quickly is that, in these countries, merchants do not have the amount of data that is usually available in the U.S. with regard to customers. For instance, in the U.S., merchants can do phone/name/address look-ups to find out something about that person. In Brazil, Mexico or South Africa, merchants do not have this type of information. They learned to do the same things with less data and the social graph was used extensively for this purpose. We realized there was an opportunity to use the social graph data to automate what was being done manually by the agents.
At Signifyd we are building a solution that all merchants across the board could use (not only the largest enterprises, but also the smaller businesses that sell online). The best part is that for SMBs, we take the liability in case we make a wrong decision.
What is Signifyd’s role in the prevention of online fraud?
We offer a complete fraud prevention solution that includes an accept or decline decision (along with a risk score and indicators) and a manual review platform for your agents. We also take the liability in case we make a wrong decision. Integration is very simple since we provide merchants with a plugin if they use one of the open platforms such as Magento or Shopify, or else we have a direct API which merchants can integrate with as well.
What we are doing differently in the industry is bringing in new types of data sources to be able to make better risk decisions, to be able to add less friction to your good users while declining the bad ones. When we say we fight fraud using the social graph, we are not thinking only about LinkedIn, Twitter and Facebook, but also about disparate sources of data that connect the offline identity of a user with the online persona they claim to be. For example, if a person goes online to a website and the e-mail address is associated with three social networks, we can use that e-mail to discover the person’s name and location. Then, if we get a physical address in the same location and we already know that a certain person lives there, we can make a reverse look-up on that address using another service and find a match on the name using the e-mail address and a physical address. This is a huge indicator for risk, an indicator that traditionally has not been taken into account in this industry. If a match does not occur, you have the opportunity to decline those people or put them through manual review and extra research.
In addition to all this, we can work with companies that already have a fraud solution. We could be an additional social matching layer which companies could plug in for their scoring. Furthermore, if the company performs traditional manual reviews by searching LinkedIn or Facebook before making a decision, we could allow it to use our data without integration. The search is based on name, IP, e-mail, phone, address. We receive all this information and enrich it from external data sources, combine the information and make it realistic in terms of the connections between them and provide the company with a score along with other indicators which will tell them if the social name matches the billing name or if the social address matches the billing address. This is really powerful and the first time it’s being done in our industry.
Do people you review often have fake profiles? How do you act in these situations?
The short answer is yes, we see it, but it is not that frequent just yet. However, it is very similar to account takeover scenarios where fraudsters open accounts with companies and let the account incubate for several months before trying to abuse it. In the same way, fraudsters are creating fake social identities, building a reputation and a network, before they begin abusing it. The good part about what we do is that we do not look at the social graph in isolation. At Signifyd we are looking at all the identities in a transaction and matching the offline identity of the user with the online identity they claim to be. If we see a consistency in these identities, we go ahead and approve a transaction. Otherwise, we decline if we are sure that it is a bad transaction or we queue it up for manual review while providing the agent with all the rich data sets we found associated with that transaction.
Having said that, I think as fraudsters figure out that companies are using social data to approve good transactions and decline bad ones, they are going to get more sophisticated at creating fake profiles. It is going to be important to improve scoring algorithms to detect these fake profiles, but we are lucky to have a head start on this since we look at millions of these users on a daily basis.
You have mentioned that Signifyd targets both larger and smaller markets, what is the difference in approach in terms of solutions?
Selling an end-to-end fraud solution in a large market is often challenging because it is a crowded market; there are a lot of big players who have been in the market for a long time. But we are not competing in that market at the enterprise level. We are actually a solution that ties together hundreds of different data sources and then makes sense of those data sources. We currently work with partners such as social networks, CRM providers, public records, search engines, maps, credit agencies, location data providers and a lot of other partners. Our goal is to be able to focus on providing an extra data layer to these larger enterprises. If, however, there is an enterprise company that is looking for an end-to-end solution, we have a very good product in the market that can fit their needs.
For SMEs, on the other hand, it is a completely new market. If you look at the past ten years in the payments industry, the main focus has been on enabling large businesses to accept almost all types of payments online, from PayPal and Google to MasterCard and Visa. Most of these large enterprises realized that the liability of a bad transaction rested with them and so they used enterprise-grade fraud protection solutions.
However, during the past two to three years, the focus has been on enabling SMEs to accept payments online. We have seen companies like Stripe, PayPal, Braintree, WePay and Square, which have all started to help small businesses accept payments online. These SMEs are predominantly brick-and-mortar companies; they have not actually sold anything online and they never took the liability for their transactions. But as they turned to the online channel, they have realised that their chargeback rates are going up and none of these payment service providers are taking the liability for them. And these SMEs do not have resources or time to handle fraud or build solutions to prevent it. They need a complete fraud solution: not just the detection, but also mitigation and the ownership of the liability. At Signifyd we provide this for the SMEs.
What is your definition for a SME?
Well, I’m not sure if this is the best way to split it up, but we are looking at it in 4 segments: a) less than USD 25M, b) USD 25M to USD 100M, c) USD 100M – USD 250M and d) USD 250M – USD 500M.
You have mentioned earlier that context detection is the new layer. What is the next challenge for a fraudster?
As more businesses provide users multiple options to sign up, we are seeing the need to protect against fraudsters entering from these various channels. For example, we have seen many businesses allowing users to register with their website using their Facebook, Twitter or LinkedIn accounts in addition to allowing a user to create an account just with their email address. In the past it was really easy for fraudsters to open an account with Hotmail or Yahoo and then use that fake email address to abuse the system. They would then attach a stolen credit card to that email account and it would be hard to figure out if that email address did not match the payer’s information.
Today’s fraudsters have to be a bit more sophisticated. They have to create a fake Facebook or Twitter account (which isn’t hard), but the harder part is to set them up to be real. A Facebook account with no friends, no updates, no interests and no likes does not constitute a real user. It is not hard for a human to look at a Facebook account and figure out if it is real or not, but much harder for a computer algorithm to do so. So the next challenge for fraudsters is to be able to do this convincingly at scale. We are already seeing this happening, so the challenge will be to increase the level of sophistication as time progresses. At Signifyd we find it exciting to be one step ahead of the bad guys!