The 2014 LexisNexis True Cost of Fraud Study tells a tale of increasing online fraud. Forty-two percent of merchants who support online channels are reporting an increase in fraud, which costs them $2.69 in fees per dollar of fraud. Large e-commerce merchants not only pay more per dollar of fraud, up to $2.33 in 2014 from $2.23 the previous year, but they also saw an increase in the share of revenue lost to fraud, from 0.53 percent in 2013 to 0.85 percent in 2014. This increase in fraud losses is the result of a higher volume of fraudulent transactions; the average merchant suffered 133 successful fraudulent transactions per month in 2014, up 46 percent from last year.
These statistics should give retailers pause to consider how fraud has gotten to this level and how it can be stopped. In the early days of e-commerce, retailers let banks and credit card companies verify that card numbers and the security codes found on the backs of cards matched. That sufficed for online fraud detection and prevention. However, marketers began to realize that asking the user for any additional information, like a security code, resulted in lost sales. Marketers for e-commerce sites constantly pushed for new ways to safely and securely store customer data in order to reduce customer friction and keep sales.
Marketing statistics caused a fundamental change in the architecture of online shopping. Instead of checking the card at transaction, the fraud test shifted to the user account, which holds all your sensitive information secured by a password. This created a gap between the login screen and the “confirm purchase” button because the events were not connected. So fraudsters tried to steal accounts by guessing passwords – a strategy that often worked!
Fraud’s Domino Effect
Fraud teams responded to this new threat by creating rules that tied login and purchase.
With the advent of the virtual shopping cart, merchant marketers needed a way to not just track sales but verify that the person making the transaction had the right to do so. Historically, retailers focused on the transaction itself because that was the pain point and because back then, fraud happened individually, one transaction at a time.
One unintended consequence often leads to another. So, although the rules engine seemed like the answer, retailers found themselves building ever more complicated rules to assess whether or not a particular purchase was legitimate or fraudulent – and finding that this method still didn’t work. More restrictive rules also had the unexpected side effect of increasing false positives, turning legitimate users away and souring potential and long-term customers alike. In the end, fraudsters kept getting better at exploiting a system that created as many holes as it patched.
Looking Beyond Passwords
All of the well-intentioned rules in the world mean nothing, though, to the customer whose information is stolen and made public. Wide-scale data breaches make it easy for savvy criminals to bypass primitive rules because usernames, passwords, credit card numbers and personally identifying information are freely available. Now, fraudsters can either pilfer legitimate accounts or make up new ones with the stolen data.
Fraudsters have expanded their vision since the early days, where one person would make a series of bad transactions on a single stolen credit card; fraudsters now think bigger — much bigger. These days, the favorite tactic is seeding a site with hundreds or thousands of fake accounts well before any attempt is made to steal a dime. This means that whether or not a password is correctly entered for an account is almost irrelevant, as the account itself may be fraudulent. An effective fraud prevention strategy must take a closer look at account creation. We need to shift our focus to when the account is created in the first place. And it all comes down to intelligence gathering.
The Value of Marketing Research
Usually, a customer will research a product until they find the one that suits their needs and price point. This could include researching the product and the seller, looking at user reviews and ratings, seeing what configuration options the item offers, and so on. Intelligence gathering is the first step in any fraud attempt as well. Gone are the days when fraudsters could brute-force their way in through weak rule-sets. They’ve had to become more clever and, to do that, they’ve had to slow down and do their homework. Before they plan a fraud, they plot out their steps, what they want to steal and where the likely security holes are. Only when they are sure will they launch the fraud attempt. And once they have one working strategy, they’ll use it again and again until it stops working.
The value of research is clear to customers and fraudsters alike – what about retailers?
In an effort to understand prospects and convert them to customers, marketers study and analyze everything they can about those potential buyers. Retailers initially sought out the most basic demographics—gender, age, income—but quickly diversified, and they used that information to divide their customers into smaller groups more descriptive of their needs and then tailored their marketing approach to each subset. Retailers could better predict what products would appeal to each group, which in some cases led to entirely new product lines being developed.
Given how sold retailers already are on gathering intelligence to entice customers to their storefronts, it’s surprising that more retailers don’t scope out their prospective customers once they arrive at their website but before they try to make a purchase. So if intelligence gathering helps retailers draw in the right customers, what would happen if they spent some time looking at the account before the first purchase is made?
Retailers need to understand that whether or not they are making use of intelligence gathering, fraudsters certainly are. They’ve had no choice. As rule-based fraud detection became more and more complicated, fraudsters had to continually change tactics. Before, they could take a single account and test a thousand stolen credit cards, one after the other, until one worked; when that behavior got flagged, fraudsters started making thousands of accounts, each with a single credit card. You can put new rules in place to flag them, but then fraudsters let the accounts sit fallow until that rule has expired. These accounts then appear indistinguishable from legitimate accounts. However, the creation of these accounts does leave telltale fraudulent signs – if you know what to look for.
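The progression described above can be replayed over a small constructed data set. The following is an added example, not code from the article or from any vendor: the account names, timestamps, thresholds and the signup device identifier used as a creation-time signal are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2014, 1, 1)
# Constructed sample data: account -> (creation time, signup device id).
# The device id is a hypothetical creation-time signal, not one named by the article.
ACCOUNTS = {
    "alice": (T0, "dev-a"),
    "tester": (T0 + timedelta(days=1), "dev-t"),
    **{f"seed{i}": (T0 + timedelta(days=2, minutes=i), "dev-x") for i in range(5)},
}
# Constructed purchases: (account, time, card).
PURCHASES = (
    [("alice", T0 + timedelta(days=90), "card-alice")]
    + [("tester", T0 + timedelta(days=1, minutes=i), f"stolen-{i}") for i in range(6)]
    + [(f"seed{i}", T0 + timedelta(days=95), f"stolen-s{i}") for i in range(5)]
)

def many_cards_per_account(purchases, limit=3):
    """Rule 1: a single account trying more than `limit` distinct cards."""
    cards = defaultdict(set)
    for account, _, card in purchases:
        cards[account].add(card)
    return {a for a, c in cards.items() if len(c) > limit}

def purchase_from_new_account(accounts, purchases, max_age=timedelta(days=30)):
    """Rule 2: a purchase made while the account is younger than `max_age`."""
    return {a for a, when, _ in purchases if when - accounts[a][0] < max_age}

def creation_burst(accounts, window=timedelta(hours=1), min_size=3):
    """Creation-time check: `min_size` or more signups from one device within `window`."""
    by_device = defaultdict(list)
    for account, (created, device) in accounts.items():
        by_device[device].append((created, account))
    flagged = set()
    for signups in by_device.values():
        signups.sort()
        for i, (start, _) in enumerate(signups):
            group = [a for t, a in signups[i:] if t - start <= window]
            if len(group) >= min_size:
                flagged.update(group)
    return flagged

if __name__ == "__main__":
    print("rule 1:", sorted(many_cards_per_account(PURCHASES)))
    print("rule 2:", sorted(purchase_from_new_account(ACCOUNTS, PURCHASES)))
    print("creation check:", sorted(creation_burst(ACCOUNTS)))
```

Both purchase-time rules flag only the single card-testing account; the seeded accounts that waited out the 30-day window surface only when their creation is examined.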
Evaluating Account Creation
The customer data available today is unprecedented in scope and application. This marketing intelligence can help retailers anticipate the needs and desires of a customer before the customer knows what he or she needs or desires. Retailers can make specific offers that align with each customer’s behavior at just the right time. It’s a powerful new model of service. This same data can be used to power a new model of fraud detection as well. Fraudsters have learned how to skirt around the rules-based systems, but evaluating account creation is a strong new tactic to help separate the real accounts from the fraudulent ones.
About the Author: Ryan Wilk is director of Customer Success, NuData Security.