Two years ago the Target credit card data breach had a ripple effect that has led to the shoring up of payments security in the U.S. from “smart card” EMV machines to sophisticated anti-malware technology deployments to legions of managed security services teams protecting retail stores and databases. But improved brick & mortar and payments security plus a marked shift toward online shopping are driving a trend of rapidly increasing e-commerce and online marketplace fraud.
Whether it’s the sale of fake or non-existent goods or services, copycats, returns scams or run-of-the-mill payments fraud, it’s the fraudsters who will be making out like bandits this year. In fact, a recent study by ACI Worldwide indicated that there was a 30% increase in e-commerce fraud in 2015 as compared to the same period in 2014.
Fraud trends we’re expecting in the U.S. in online fraud this holiday season include:
Payments fraud moves from store to the web. With the October 2015 deadline for EMV migration behind us, mandated use of chip cards will discourage counterfeiting of physical credit cards which has accounted for 37 percent of all U.S. credit card fraud, according to a 2014 report by Aite Group. The subsequent reduction of in-store purchases with stolen plastic will lead fraudsters to turn to using stolen credit card numbers to buy online—leading to an increase in card not present (CNP) fraud. During the UK’s EMV migration, CNP fraud rose by 79% from 2005 to 2008.
More mobile Grinches stealing by smartphone. Holiday commerce on mobile is predicted to grow by 47 percent this year vs. last, according to Comscore. Many of the fraud strategies and tools that work well in detecting online fraud fall short in detecting mobile device-based fraud.
For example, detecting fraudsters by their IP address works much better when they’re on a desktop or laptop than when they’re on a mobile device. This is because on a desktop your default IP is set by your ISP (typically within 50 miles). On a mobile device it’s assigned from a pool of IP addresses owned by your mobile operator. So a fraudster could get an IP from Atlanta while surfing on her smartphone in San Francisco. If in the desktop world you use customer location being more than 50 miles away from IP location as an indicator of fraud, that indicator will catch a lot of good customers (aka false positives) on mobile.
Another example of a tricky desktop to mobile transition is browser-based device fingerprints. Desktop fingerprints rely on browser configuration, operating system (OS) variations, fonts, etc. to identify unique device, and it is rare for two desktop users to have the same fingerprint. On the mobile phones the variation across browsers and OS is actually much lower, so it’s very likely for two unique mobile users to have the same browser-based fingerprint.
So here are some tips for stopping online fraud this holiday season:
Invest more in manual reviews of gray-area transactions. During the holiday season, you are more likely to see anomalous behavior from good customers.
For example, you may see more customers using overnight shipping, new customers buying high-priced items in their first transaction in your store, etc. Normally, you would consider these behaviors indicative of fraud and might auto-deny these transactions, but during the holiday season this could lead you to reject legitimate purchases by good customers.
Similarly, as patterns of buying goods during holidays deviate from normal buying behavior it becomes easier for fraudsters to blend in with good customers.
These are circumstances where putting additional manual review resources might help. Instead of auto-denying or accepting transactions, there might be a small percentage of transactions that you put a hold on and review manually.
Manual reviews should do two things: (1) let you analyze the transaction and the customer more holistically with human context and (2) let you do additional checks, such as calling the customer or do additional verification.
Layer fraud detection tools to address new online, mobile and international fraud vectors. Consider adding new tools like device fingerprinting, email address risk assessment and address verification to augment your fraud detection. Many of these products are relatively inexpensive and are easy and quick to implement. It’s not too late to augment your existing fraud detection systems.
No longer can online retailers or marketplaces allow fraud to be a begrudgingly accepted cost of business. More fraudsters are going online and onto mobile to find the paths of least resistance, and serving international customers presents new challenges. The good news is that it is possible to catch and stop most online fraud before it starts. There are ways to combat most fraud without bringing holiday shopping sales to a crawl, if online fraud prevention is made a priority.
Simility provides fraud-detection technology that combines human analysis with machine learning.