4 Types of eCommerce Fraud That Have Increased During the Pandemic

As we shop from the safety of our homes and fuel the digital economy, we expose ourselves to a great amount of risk, and fraudsters are taking advantage of the sharp increase in online shopping over the course of the COVID-19 crisis. Bots, account takeovers, and fake accounts are commonplace threats to merchants and require far more sophisticated prevention methods than what companies have in place today. As the fraudsters become smarter and more adept at defeating the traditional methods of fraud prevention, the detection of subtle tells and behavioral analysis have emerged as effective ways to protect both consumers and merchants from unwanted access and transactions. As a merchant, look for holes in your anti-fraud stack and realize that the fraudsters will always evolve. If your fraud prevention technology remains stale, you are inviting chargebacks.

While their methods continue to change, today’s eCommerce fraudsters can still be divided into several key fraud vectors.

Bots
The dark web is filled with easily obtained lists of usernames and passwords, and fraudsters are able to purchase large quantities of such combinations for relatively little money. These credentials are then loaded into a server and used to ping eCommerce and other sites in an attempt to find a combination that works. It’s essentially the fraudster’s version of playing a slot machine, hoping for the jackpot winning combination of username and password. Once they’re “in,” the options are nearly limitless -- the fraudster has access to the compromised account and can make changes, transact, or take over the account and its associated payment methods. And because many of us use the same username and password across multiple sites, they can even access your accounts on other sites with the same credentials. Traditional methods of analyzing the physical identity of the consumer no longer work in this scenario because the fraudster has the matching data and can easily defeat this layer of defense. A more timely approach to fraud prevention against bots is to add in a layer of security that looks for commonalities, such as IP addresses, device fingerprint and other “tells” that can easily identify a bot and stop it from getting through.
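The following is an added example, not code from the original article, of the "commonalities" check described above: it groups login attempts by IP address and by device fingerprint and flags any source that tries many distinct usernames in a short window and mostly fails. The event layout, thresholds and sample data are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2021, 1, 1, 12, 0, 0)
# Constructed sample: (timestamp, source IP, device fingerprint, username, success).
# One device rotates across three IPs and tries nine usernames in 80 seconds.
EVENTS = [
    (T0 + timedelta(seconds=10 * i), f"203.0.113.{10 + i % 3}", "fp-bot", f"user{i}", i == 4)
    for i in range(9)
] + [
    (T0 + timedelta(seconds=5), "198.51.100.7", "fp-alice", "alice", False),
    (T0 + timedelta(seconds=20), "198.51.100.7", "fp-alice", "alice", True),
    (T0 + timedelta(seconds=40), "198.51.100.8", "fp-bob", "bob", True),
]


def flag_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=5, max_success_ratio=0.2):
    """Map (kind, value) -> most distinct usernames seen in one window,
    for sources that try many accounts and mostly fail."""
    by_source = defaultdict(list)
    for ts, ip, fingerprint, user, ok in events:
        by_source[("ip", ip)].append((ts, user, ok))
        by_source[("device", fingerprint)].append((ts, user, ok))

    flagged = {}
    for source, rows in by_source.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            chunk = rows[start:end + 1]
            users = {user for _, user, _ in chunk}
            successes = sum(1 for _, _, ok in chunk if ok)
            if len(users) >= min_users and successes / len(chunk) <= max_success_ratio:
                flagged[source] = max(flagged.get(source, 0), len(users))
    return flagged


if __name__ == "__main__":
    for (kind, value), count in flag_stuffing_sources(EVENTS).items():
        print(f"{kind} {value}: {count} distinct usernames in one window")
```

In the sample, no single IP crosses the threshold because the attempts are spread over three addresses; only the shared device fingerprint ties them together.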

Account Takeover
Once a fraudster gains access, taking over an account is simple. In a typical account takeover (ATO) scenario, the fraudster will change subtle pieces of information associated with the account, such as phone numbers, emails, and addresses. The fraudster now “owns” your account and can transact, purchasing goods for their own use or for the purposes of selling them. Consumer electronics or digital goods, like gift cards, are particularly attractive items. Fraudsters typically attempt a large number of transactions over a short period of time, in order to maximize the breach before the real account owner has a chance to notice the compromised account. ATO is more difficult to prevent than bots, as the fraudster has already made his or her way into the secured environment with real credentials and, more importantly, now controls the account. Again, traditional methods of defense often fail in this instance. However, while the fraudster can easily mimic the credentials of the real customer, they are unable to behave in the same way that the real customer would. Utilizing behavioral biometrics has proven to be the key defense here -- fraud can be detected by analyzing user behavior patterns and comparing them to the real customer’s known patterns. Is the shopping behavior the same? Is the typing rhythm similar to prior transactions? Are there any other dissimilarities in the interaction? The fraud can be stopped only by analyzing these small variations in an intelligent way.

Fake Accounts
Another common vector is the creation of fake accounts, using stolen identities or payment instruments. Fraudsters will visit a site or app and create a new user profile, using components that are stolen in combination with their own information, such as burner phones and fake email addresses. If successful, the fraudster can transact while impersonating the real consumer and take advantage of any goods or services obtained prior to the consumer noticing. Merchants often ship items or digital goods to this seemingly good new customer, often not realizing that they are dealing with a fake account until it is too late and the real account owner contacts them to ask about the charges on their credit card. Fake accounts are difficult to spot once they have been established, so the need for more subtle ways to detect a fraudulent customer becomes paramount. Creating fake accounts has only a limited rate of success, so fraudsters often use shortcuts to help them generate many fake account registration attempts at once -- something that can lead to their detection. Paying close attention to common traits, such as the number of instances a certain device has been used; how many times the same password has been used across multiple, seemingly unrelated accounts; and the general behavioral patterns can be powerful tools in deterring this type of fraud vector.
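As an added example (not part of the original article), the sketch below clusters new registrations on two of the traits named above: how many accounts a device has created and how many seemingly unrelated accounts share one password. The record layout, thresholds, the keyed `password_tag` helper and all sample data are assumptions made for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

# Assumption: a server-held key lets the merchant compare passwords for equality
# at sign-up without storing them; this tag is separate from the login hash.
TAG_KEY = b"constructed-demo-key"

# Constructed sample: (account id, device fingerprint, email, password).
SIGNUPS = [
    ("f1", "fp-x", "kq81@mail.example", "Spring2021!"),
    ("f2", "fp-x", "zz07@mail.example", "Spring2021!"),
    ("f3", "fp-x", "pw55@mail.example", "Spring2021!"),
    ("f4", "fp-y", "rt92@mail.example", "Spring2021!"),  # new device, same password
    ("a1", "fp-home", "ana@example.org", "correct horse"),
    ("a2", "fp-home", "ben@example.org", "battery staple"),  # shared household device
    ("c1", "fp-c", "cy@example.net", "tr0ub4dor"),
]


def password_tag(password):
    """Keyed, truncated digest used only to group identical passwords."""
    return hmac.new(TAG_KEY, password.encode(), hashlib.sha256).hexdigest()[:16]


def score_signups(signups, max_per_device=2, max_per_password=2):
    """Return {account id: [reasons]} for sign-ups that share a device or a
    password with more accounts than the thresholds allow."""
    clusters = {"device": defaultdict(set), "password": defaultdict(set)}
    for account, fingerprint, _email, password in signups:
        clusters["device"][fingerprint].add(account)
        clusters["password"][password_tag(password)].add(account)

    limits = {"device": max_per_device, "password": max_per_password}
    reasons = defaultdict(list)
    for trait, groups in clusters.items():
        for accounts in groups.values():
            if len(accounts) > limits[trait]:
                for account in sorted(accounts):
                    reasons[account].append(f"{trait} shared by {len(accounts)} accounts")
    return dict(reasons)


if __name__ == "__main__":
    for account, why in sorted(score_signups(SIGNUPS).items()):
        print(account, "->", "; ".join(why))
```

Account `f4` registers from a fresh device and is still caught by the shared password, while the two household accounts on `fp-home` stay below both thresholds.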

Transaction Payment Fraud
The result of all three attack vectors is almost always a chargeback. The real consumer has realized that their account has been compromised and that transactions have been made with their payment method without their knowledge or consent. The consumer now contacts the issuing bank and demands that the charges be reversed, resulting in the bank charging back the merchant for the unauthorized transactions. The risk to the merchant is reputational and financial, potentially resulting in negative reviews and corrective measures required by the card issuer prior to allowing the merchant to accept the compromised payment method again. Assuming that the fraudster has managed to successfully evade the typical legacy methods of fraud prevention, such as identity verification, one-time passwords or even out-of-wallet personal identification questions, there is still hope that a fraudulent transaction can be avoided. Using behavioral attributes and measuring exactly how the fraudster interacted during the page traversal can be excellent indicators of likely fraud and can offer a final barrier against unwanted transactions.

Ultimately, relying solely on standard defensive measures has become a risky proposition in today’s socially distanced shopping environment. Thankfully, new ways to prevent fraud, such as machine-learning behavioral models powered by artificial intelligence, are at the forefront of the battle and become more powerful each day.
