Symptom vs Disease

Say you have a thorn in your foot. You’re in extreme pain and go to see your doctor. After you’ve made it through the waiting room, checking your height and weight, and having the nurse take your vitals, you’re finally ready to see the doctor. The doctor walks in to see the thorn in your foot, but instead of taking it out they prescribe you a painkiller to dull the pain.

Does this sound right? Of course not. Doctors are trained to identify the source of the pain or sickness so that they can treat the cause. By addressing the symptom rather than the disease, they will only prolong the problem. They must treat the sickness itself to make sure that the problem doesn’t have a chance to continue.

Such is the way with fraud prevention. Historically, fraud prevention has been much more reactive in nature and focused on solving for the surface-level trend: the symptom of the true problem.

An analogy I use often when explaining fraud is the Dutch boy and the dam. He does everything he can to plug the holes he finds, but no matter what he does new ones open. I see the same thing when looking at fraud trends as they emerge.

It’s easy to just slap a quick limit or restriction on an issue. But what good does that really do? Don’t get me wrong, it is paramount to analyze the limits set on the services you provide. That said, this shouldn’t be the go-to solution when fraud begins to rear its ugly head. These types of decisions tend to do more harm than good because they negatively impact good customers far more than they limit fraud losses.

Below is a personal example of how impactful root cause analysis can be.


Some years ago I was assessing a fraud trend we had started to experience. This was a fairly widespread account takeover scenario and our customers were being targeted with phishing attempts. The first instinct was to lower our Person-to-Person (P2P) limits, but after analyzing the changes there was little we could do that wouldn’t negatively affect our legitimate customers.

I realized there were two problems present. It wasn’t the transactions that were occurring. That was just the symptom. The problems were the point of compromise and the point of takeover. One of these I had direct control over, while the other was in the hands of our customers. When developing a solution, I would much rather focus on something I can control.


The first place I wanted to look was the channel the fraud was taking place from. Were the fraudsters focused on one specific channel, or was it spread evenly? I reviewed each instance of fraud and realized that they were predominantly targeting the Mobile channel.

Now that I knew there was a vector the fraudsters preferred, I knew where to focus my attention. This made it much easier to begin developing a solution. I had two focus areas I wanted to analyze next. Are there control gaps within the log-in workflow, and are there commonalities among the devices being used to take over accounts?

  1. Control Gaps – I determined that we had a hole in the mobile authentication process that fraudsters were taking advantage of. This is the reason we were seeing the fraud occur directly through the Mobile channel, and not through Online Banking. It was extremely easy for fraudsters to register new devices, and they faced little friction when logging in as long as they knew the user credentials.
  2. Device Commonalities – I began analyzing the devices hoping to find common traits. Little did I know it would be much easier than I originally anticipated. The fraudsters were using the same exact devices to access our customers’ accounts. With a lack of controls, fraudsters will become emboldened and continue to use the same methods until they’re stopped. There was one specific iPhone that was used to access more than 300 distinct accounts. Below are a couple of device authentication vendors that I recommend:


Eureka! I had found not one, but two ways to solve for our problem! I immediately began working on ways to introduce better authentication into the Mobile channel, as well as developing an internal blacklisting function for known fraudulent devices.
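The channel review, device-commonality analysis and blacklist check described above can be sketched as follows. This is an added example, not the author's code: the event fields, device IDs, the `max_accounts` threshold and the step-up rule for unregistered devices are all assumptions, and the sample events are constructed.

```python
from collections import Counter, defaultdict

# Constructed sample login events: (account_id, device_id, channel, confirmed_fraud)
EVENTS = [(f"acct-{i:03d}", "dev-A", "mobile", True) for i in range(1, 6)] + [
    ("acct-006", "dev-B", "online", True),
    ("acct-007", "dev-C", "mobile", False),
    ("acct-008", "dev-D", "mobile", False),  # dev-D: a shared family device
    ("acct-009", "dev-D", "mobile", False),
]

def fraud_by_channel(events):
    """Share of confirmed-fraud logins per channel (is one channel preferred?)."""
    counts = Counter(channel for _, _, channel, fraud in events if fraud)
    total = sum(counts.values())
    return {channel: n / total for channel, n in counts.items()} if total else {}

def accounts_per_device(events):
    """Number of distinct accounts each device has logged in to."""
    seen = defaultdict(set)
    for account, device, _, _ in events:
        seen[device].add(account)
    return {device: len(accounts) for device, accounts in seen.items()}

def build_blocklist(events, max_accounts=3):
    """Devices tied to more distinct accounts than the assumed threshold allows."""
    return {d for d, n in accounts_per_device(events).items() if n > max_accounts}

def login_decision(device_id, account_id, registered, blocklist):
    """Deny blocklisted devices; require step-up auth for unregistered ones."""
    if device_id in blocklist:
        return "deny"
    if device_id not in registered.get(account_id, set()):
        return "step_up"  # assumed control: extra friction on new-device registration
    return "allow"

if __name__ == "__main__":
    blocklist = build_blocklist(EVENTS)
    registered = {"acct-007": {"dev-C"}}  # constructed device registry
    print("fraud share by channel:", fraud_by_channel(EVENTS))
    print("accounts per device:", accounts_per_device(EVENTS))
    print("blocklist:", blocklist)
    print(login_decision("dev-A", "acct-010", registered, blocklist))
    print(login_decision("dev-X", "acct-007", registered, blocklist))
    print(login_decision("dev-C", "acct-007", registered, blocklist))
```

The threshold needs tuning against real traffic so that legitimately shared devices, such as a family phone or tablet, stay below it.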

By introducing both of these controls we saw a reduction of more than 80% of overall account takeover fraud. And better yet, there was almost no impact to our good customers!

It might seem like an easy fix to just address an issue on the surface, but this will never solve for the true problem. It is imperative to determine the true cause and cut the issue at the root. Only then will you truly be successful.

Never stop chasing checkmate.
