[ThePhysicist]

I once saw a presentation from BSI (Germany Cyber Security Agency) where a researcher used computer vision / AR to create a video feed of a realistically looking ID card based on a simple paper copy of the card. They could add reflections and holograms to the paper copy that looked absolutely realistic, and they were able to use it to pass a video-based identification test (Video-Ident) that's widely used by banks in Germany to remotely validate the identity of new customers. The company then had to change their validation method by asking people to not only hold up and tilt the passport (to reveal the holograms) but to also pass their hand in front of it while holding it, which would lead the AR algorithm to fail.

So I'd say it's definitely possible to fool even a person let alone an algorithm, as you said it's questionable though if there aren't any easier ways for criminals to use stolen card numbers.

[julia-zheng]

Thanks for sharing that - super helpful to know.

Definitely agree it's possible to make good fake cards, but it makes it difficult enough that fraudsters will usually migrate to a different platform. Since banks are probably the most attractive business to fraudsters, we'd suspect banks would have to make life much more difficult for fraudsters than the average business in order to chase them away.

[yuy910616]

I do love the product and don't want to appear like I'm bashing it. Great work on lunching! Best of luck!

However, it seems if this practice (scanning card) becomes more widely adopted and becomes a standard process of detecting fraud, it'd become a relatively easy target for fraudsters to crack, right? I don't know if DL or card making technology will outpace fraudsters' will to make fake cards?

Further more, if I'm a fraudster and know some websites that adopt this policy, there is a big incentive for me to get a credit card embossing kit to start making cards, right? After all, I'd think it is far easier to make a copy of a card than making the magnetic strip thing? And given your tech is a strong signal of 'not fraud', if it is relatively easy to beat this system, wouldn't it attract a huge number of fraudsters?

[splonk]

I used to work in this field. The goal is not to create something unbeatable. The goal is to make something difficult enough that it becomes more cost effective for a fraudster to attack someone else instead. Acquiring thousands of credit card numbers and credentials (and even CVCs) is trivial. Actually converting those to real cash using real hardware is an incredible pain compared to just finding the least well defended e-commerce site out there that will sell you a gift card or bitcoin or whatever.

We used to say that our job wasn't to stop fraud, it was to move the attacks to Paypal instead. I don't have strong product opinions on this either way (personally I find all the card scanning apps to be incredibly annoying, but I think I'm a minority), but I do think it'll be a long time before I'd be worried about self-embossed cards being a meaningful attack vector.

[avip]

Security is always about bar raising. Any protection can be bypassed. But for a non trivial period, fraudsters would be forced to try their CC listings on other apps, not protected by this tech. This will provide tremendous value to Dyneti's customers.

[lennyevans]

Lena here: completely agree avip. In terms of fraud losses, most companies are really worried about fraudsters that can scale their operations, not super targeted attacks. If you can increase the cost (in terms of time and money) of committing fraud, it becomes less scalable and less profitable for the fraudster. So certainly, a fraudster can get a card embossing kit and start making cards, but this is going to be much slower. Without our solution fraudsters are just typing in a card number, which takes seconds! Unless each instance of fraud is highly valuable (for example, as is the case with banks as Julia mentioned earlier), the economics start to look worse and worse. On top of that (and this certainly applies more to any deep-learning based solutions trying to bypass us) our models will constantly improve and so we'll force the fraudsters to constantly improve any fake card generation, making the fraudsters spend time on that rather than defrauding.

[yuy910616]

Hi Lena, Great answer! Congrats on launching. I do have a few more counterpoints.

Thinking about this from a individual fraudster perspective. Acquiring a stolen cc is not an easy transaction, there is risk, and cost involved. So I think each fraudster would be trying to maximize the value of each stolen cc they have on hand. When you have a system that doesn't tell the fraudster what is causing the stolen cc to be rejected, the fraudster has nothing but trial&error to improve their chance, maybe instead of public wifi they have to use a private one, maybe instead of a gmail account they have to use a edu account. But in this case, if they know that a embossing kit will significantly improve their chance, wouldn't they spend the money and get that technology?

The bottom line is this technology has to make it more expensive for the fraudster to throw their hands up and say "well i better go try a different place". but I'm not sure if the barrier is high enough here. Furthermore, if you have an 'invisible' barrier, then it is all about trial and error, if you have a 'visible' barrier, I think it is just going to garner more attention and more people trying to solve it?

[julia-zheng]

So actually acquiring stolen cc numbers is very easy - there's a bunch of marketplaces that sell thousands of them. Figuring out a scalable way to extract value out of them, however, is hard. More than visible or invisible barriers, what makes a fraudster want to spend time getting around the defenses of a specific business is the value of the offering (e.g., banks vs an app that sells a service)

[dpflan]

Is there an issue with keeping up with different credit cards that get created as CC companies try to create new products (i.e. do you have classifers for “realness” that do not require staying exactly on top of trends in CC design?)?

[julia-zheng]

For the most part the model should generalize pretty well to new formats, but we do constantly monitor and update to catch up with any holes.