Mastercard’s Ajay Bhalla explains how AI can predict which cards hackers will abuse

20 Oct 2017

Mastercard president of global enterprise risk and security. Image: Mastercard

Mastercard’s president of enterprise risk and security Ajay Bhalla reveals how AI is being employed on the frontlines of cybersecurity to scour the dark web in real time for potential fraud and stave off robot attacks.

Ajay Bhalla is president in charge of global enterprise risk and security at Mastercard, where he is responsible for delivering the company’s core pledge of ensuring the safety and security of every payment from more than 2bn cardholders using its network.

With over 48bn digital and card transactions across the Mastercard network every year, this includes protecting stakeholders globally with advanced scalable technologies and developing a strategy to secure future payment innovations. He also serves on the company’s management committee.

Throughout his 23-year career at Mastercard, Bhalla has been behind many revolutionary solutions that have shaped the new digital payments landscape.

He pioneered the development and use of biometrics in payments with the creation of Identity Check, a biometric authentication app to replace passwords; and launched Safety Net, a global platform that uses sophisticated algorithms to detect cyberhacking of banks and processors, blocking further attacks.

I spoke to Bhalla just as Mastercard recently launched its Early Detection System, a new service that provides banks with advanced alerts for high-risk cards and accounts that are exposed in security incidents or data breaches.

The new platform emerges as the financial world deals with the fallout of the massive breach at Equifax, where details of some 143m credit card users were stolen.

How will Early Detection System help financial institutions prevail in the war against hackers?

This is part of the bigger strategy that we have to manage the security of the overall payments ecosystem.

The way we look at it is we have a number of prevention technologies working which ensure we can put technology in place that fraudsters cannot get into the system, so they cannot misuse cards or technology, like EMV (Europay, Mastercard, Visa) technology in the physical world or EMV technology in the digital world.

We have prevention technologies today that look at the transactions and detect if a transaction has been misused. These are detection technologies that are looking at the transactions, looking at data systems in a bank to see if they have been hacked or a card has been stolen. We also look at transactions from a risk-scoring point of view and our risk management system, and then we have added technologies which are looking at the digital world in real-time and that look at consumer experiences like ‘card on file’ to ensure they haven’t been compromised, and then VPN data to ensure our assure technologies can manage the risk.

As part of securing the ecosystem, one of the big issues that consumers face is that when there is a breach, suddenly, they are inconvenienced because their card number is blocked or their card has to be replaced, and consumers are worried because it could be misused for fraud.

The consumer is worried, the merchant is of course worried, and the bank whose card numbers are involved in the breach has a big problem because the bank has to replace those card numbers at huge cost.

Those are basically the main pain points. And that’s why the word ‘breach’ is so horrifying.

We have been working on a technology to ensure how can we make our ecosystems safer. And our analysis of the past has led us to new technology where we can actually detect card numbers that could be potentially breached without the organisation knowing that they are breached.

Is it fair to say that most consumers don’t know they are victims of a breach until long after it occurs?

Yes. Today, it can take several months before a merchant announces they have been breached.

We can figure from this technology that these card numbers are potentially involved in a breach. We can also know which are the card numbers likely to be misused. This is because, in a typical breach, if 100 card numbers are stolen, between 3pc and 5pc are finally misused. On the other hand, because the consumer does not know and the bank does not know, the bank has to replace multiple card numbers.

So, if we can accurately predict that these are the 3pc to 5pc which are going to be misused, then issuers will only need to replace those card numbers and, for the balance that are high risk, we can do smart monitoring of those transactions.

This technology can solve a lot of these problems and lead to savings of hundreds of millions of dollars in fraud and hundreds of millions of dollars in actual cards that don’t have to be replaced.

How does the technology work?

What we do is look at behaviours of transactions and figure out the ones that could potentially be compromised. Second, we look at the dark web where stolen numbers are available and lots of fraudulent activities are made and then test transactions where fraudsters are themselves testing these transactions – they could do it on ATMs, the internet, in the physical world.

By combining all of this information we can make these predictions. Banks are already connected to our network and can start getting these alerts.

What is the key to this? Is it AI, machine learning, looking for patterns?

It is a combination of a number of these technologies. That’s because for AI and machine learning to work, you need a lot of data. And you need the right kind of data. It is a lot of intelligence being collected from a lot of sources, putting that data into models and then using technologies that are able to predict what is potentially going to happen. A card can be misused anywhere between nine minutes and 18 months after a fraud occurs.

The second big problem is knowing which cards are among the 3pc to 5pc. In big merchant breaches where up to 40m card numbers are breached, only a small percentage are used for fraud. So, being able to accurately predict that, it solves a big pain point for the industry.

The other big pain point is most users don’t know their card is potentially breached, they only learn about it after a long time has passed and then the fraudsters are having a good time misusing those card numbers. This technology actually helps us to take away that uncertainty.

Do you have probes in the dark web looking for those misuses?

Yes, precisely. It is a combination of all data sources including the dark web. By themselves these technologies will only give you limited information but when we combine them with all the data sources globally, all the merchant data, and look at the patterns, that’s when that information becomes powerful to be able to forecast misuse.

How long have you been testing it and is it live in banks today?

We have been testing this internally for almost two years and over the last several months with a few banks and they have found it to be working very well.

We use all areas of technology. Dublin has a large Mastercard development centre, and worldwide there are a lot of people working on this in a number of development centres. These teams globally work together on these large detection platforms.

How big is the challenge you face and what kind of resources do you have to fight fraud?

Security is key and that’s what determines the trust. We process more than 55bn transactions yearly and we have 2bn chip cards around the world now. We have more than 600 programmes around EMV digital technology, which includes Apple Pay, Android Pay, Samsung Pay and Mastercard, to name a few. The secure code you use to identify yourself when you buy and shop on the internet, the biometric technologies for digital transactions, and then all the detection technologies and artificial intelligence products – these fall under our remit.

We recently acquired a company in California called Brighterion which specialises in AI, and we also acquired a company called NuData which specialises in devices technology. For example, when you are using a smart device, how you hold the device is an identifier because it uses biometrics to quickly identify if there is a robot attack happening or a specific identity being used in a conflicted way. Many institutions use it to replace technologies like CAPTCHA (completely automated public Turing test to tell computers and humans apart), which is inconvenient for consumers.

By using these technologies you can make the consumer experience really smooth and, crucially, safe and secure.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years