E-Commerce sites are vulnerable to a newly popular kind of fraud that hasn’t troubled brick-and-mortar retailers: fraudulent and hijacked accounts used to attack retail sites by cybercriminals. Approximately 36% of new accounts created in 2017 were fake, which makes them potential vectors for fraudulent activity, such as purchases made with stolen credit cards, according to data from NuData Security.
Credit card fraud costs retailers 8% of their annual online revenue on average, according to a report by Javelin Strategy & Research. To fight back against these losses, retailers must first understand how online criminals behave, and how they can be detected and stopped before they defraud storefronts or loyalty programs.
“From an e-Commerce perspective, it really comes down to presence,” said Don Duncan, Security Engineer at NuData Security in an interview with Retail TouchPoints. “When you go into a store you’re actually engaging with somebody physically. The difference with e-Commerce is you don’t necessarily know who that user is, and as a result you’re really relying on that user when they create an account, to say that they really are who they say they are.”
When Fraudsters Knock, Retailers Must Be Listening
The most common form of e-Commerce fraud is brute force: would-be criminals take information stolen from data breaches and repeatedly plug it into web sites until they gain access to a usable account or credit card. From there, the thieves can make purchases or access loyalty program rewards.
“The analogy I use is, if you're looking at your web or mobile application as a house, they just keep knocking on the door and seeing at what point these credentials will open the door for them,” said Duncan. “I think the key thing with merchants is having that understanding of who they're engaging with, and at what time. This allows them to make a determination as to whether it’s a real user, or if it’s a fraudster that is impersonating someone just because they happen to have those credentials.”
However, identifying legitimate users can be easier said than done. Multi-step authentication can help, but a more complicated login process creates friction for legitimate shoppers. Additionally, authentication still relies on static data such as credentials, passwords and security questions, all of which remain vulnerable to data breaches. Retailers need to be able to identify customers in real time, in order to shield themselves with the strongest yet least intrusive forms of protection.
Behavioral Analytics Can Separate Shoppers From Bots
As in many aspects of retailing, information is at the heart of fraud prevention, particularly when it comes to identifying hijacked accounts. Retailers can start by utilizing behavioral analytics to identify legitimate customers by their past shopping habits, keeping an eye out for red flags. One warning sign is when a regular customer — one who usually follows a certain path through the site — deviates wildly from his or her normal shopping routine.
Retailers also can use analytics to detect fraudulent accounts that have been created from scratch, which are usually automated. For instance, a shopper who is typing search queries faster than humanly possible is almost certainly a bot. Additionally, cybercriminals tend to visit the same web site more frequently than legitimate shoppers, making overly frequent visits a potential warning sign.
“The key thing is that the more data points you have, the better the visibility,” said Duncan. “You can look at it like a picture: the more data you have, the higher resolution you have, and the clearer it is. That gives you the ability to make better decisions on your application.”
One metric that isn’t always reliable is how long the customer has had an account with the retailer. Fraudsters will open and occasionally use legitimate accounts to make them seem less suspicious, then go on a shopping spree with a stolen credit card at a later date. In these cases, retailers should look for massive disparities in account activity, and check to see if multiple accounts were all created at once, then simultaneously became extremely active at a later time.
Apply Friction To Criminals, Not Customers
Once a retailer has determined that a particular user is fraudulent, that is the time to introduce obstacles, such as captcha codes, to prevent automated attacks from advancing. This method will stifle bots engaged in fraudulent activity, but retailers that use data and analytics to select specific targets minimize the number of legitimate shoppers affected by the extra layer of security.
“The key thing is to make it harder for the fraudster,” said Duncan. “The more difficult that you make it for them, the less likely they are to come back and repeat what they are doing. Definitely have that line of sight: understand who you're engaging with and how they purchase. That information is a means to make the determination of if you're dealing with an actual human or a form of automation.”