endpoint security

4 Types of eCommerce Fraud That Have Increased During the Pandemic

  • By Thorsten Herbes
  • Nov 02, 2020

As we shop from the safety of our homes and fuel the digital economy, we expose ourselves to a great amount of risk, and fraudsters are taking advantage of this sharp increase in online shopping over the course of the Covid-19 crisis. Bots, account takeovers, and fake accounts are commonplace threats to merchants and require far more sophisticated prevention methods than what companies have in place today. As the fraudsters become smarter and more adept at defeating the traditional methods of fraud prevention, detecting subtle tells and behavioral analysis have emerged as effective ways to protect both consumers and merchants from unwanted access and transactions. As a merchant, look for holes in your anti-fraud stack and realize that the fraudsters will always evolve. If your fraud prevention technology remains stale, you are inviting chargebacks.

While their methods continue to change, today’s eCommerce fraudsters can still be divided into several key fraud vectors.

Bots
The dark web is filled with easily obtained lists of usernames and passwords, and fraudsters are able to purchase large quantities of such combinations for relatively little money. These credentials are then loaded into a server and used to ping eCommerce and other sites in an attempt to find a combination that works. It’s essentially the fraudster’s version of playing a slot machine, hoping for the jackpot winning combination of username and password. Once they’re “in,” the options are near limitless -- the fraudster has access to the compromised account and can make changes, transact or, like many of us who use the same username and password across multiple sites, take over the account and associated payment methods. Plus, they can even access your accounts on other sites with the same credentials. Traditional methods of analyzing the physical identity of the consumer no longer work in this scenario because the fraudster has the matching data and can easily defeat this layer of defense. A more timely approach to fraud prevention against bots is to add in a layer of security that looks for commonalities, such as IP addresses, device fingerprint and other “tells” that can easily identify a bot and stop it from getting through.

Account Takeover
Once a fraudster gains access, taking over an account is simple. In a typical account takeover (ATO) scenario, the fraudster will change subtle pieces of information associated with the account, such as phone numbers, emails, and addresses. The fraudster now “owns” your account and can transact, purchasing goods for their own use or for the purposes of selling them. Consumer electronics or digital goods, like gift cards, are particularly attractive items. Fraudsters typically attempt a large number of transactions over a short period of time, in order to maximize the breach before the real account owner has a chance to notice the compromised account. ATO is more difficult to prevent than bots, as the fraudster has already made his or her way into the secured environment with real credentials and, more importantly, now controls the account. Again, traditional methods of defense often fail in this instance. However, while the fraudster can easily mimic the credentials of the real customer, they are unable to behave in the same way that the real customer would. Utilizing behavioral biometrics has proven to be the key defense here -- fraud can be detected by analyzing user behavior patterns and comparing them to the real customer’s known patterns. Is the shopping behavior the same? Is the typing rhythm similar to prior transactions? Are there any other dissimilarities in the interaction? The fraud can be stopped only by analyzing these small variations in an intelligent way.

Fake Accounts
Another common vector is the creation of fake accounts, using stolen identities or payment instruments. Fraudsters will visit a site or app and create a new user profile, using components that are stolen in combination with their own information, such as burner phones and fake email addresses. If successful, the fraudster can transact while impersonating the real consumer and take advantage of any goods or services obtained prior to the consumer noticing. Merchants often ship items or digital goods to this seemingly good new customer, often not realizing that they are dealing with a fake account until it is too late and the real account owner contacts them to ask about the charges on their credit card. Fake accounts are difficult to spot once they have been established, so the need for more subtle ways to detect a fraudulent customer becomes paramount. Creating fake accounts has only a limited rate of success, so fraudsters often use shortcuts to help them generate many fake account registration attempts at once -- something that can lead to their detection. Paying close attention to common traits, such as the number of instances a certain device has been used; how many times the same password has been used across multiple, seemingly unrelated accounts; and the general behavioral patterns can be powerful tools in deterring this type of fraud vector.

Transaction Payment Fraud
The result of all three attack vectors is almost always a chargeback. The real consumer has realized that their account has been compromised and that transactions have been made with their payment method without their knowledge or consent. The consumer now contacts the issuing bank and demands that the charges are reversed, resulting in the bank charging back the merchant for the unauthorized transactions. The risk to the merchant is reputational and financial, potentially resulting in negative reviews and corrective measures required by the card issuer prior to allowing the merchant to accept the compromised payment method again. Assuming that the fraudster has managed to successfully evade the typical legacy methods of fraud prevention, such as identity verification, one-time-passwords or even out-of-wallet personal identification questions, there is still hope that a fraudulent transaction can be avoided. Using behavioral attributes and measuring exactly how the fraudster interacted during the page traversal can be excellent indicators of likely fraud and can offer a final barrier against unwanted transactions.

Ultimately, relying solely on standard defensive measures has become a risky proposition in today’s socially distanced shopping environment. Thankfully, new ways to prevent fraud, such as machine-learning behavioral models powered by artificial intelligence, are at the forefront of the battle and become more powerful each day.

Featured

  • Bringing New Goods to Market

    The 2024 version of GSX brought with it a race to outrun incoming hurricane Helene. With it’s eye on Orlando, it seems to have shifted and those security professionals still in Orlando now have a fighting chance to get out town. Read Now

    • Industry Events
    • GSX

  • Live from GSX 2024: Day 3 Recap

    And GSX 2024 in Orlando, is officially in the books! I’d like to extend a hearty congratulations and a sincere thank-you to our partners in this year’s Live From program—NAPCO, Eagle Eye Networks, Hirsch, and LVT. Even though the show’s over, keep an eye on our GSX 2024 Live landing page for continued news and developments related to this year’s vast array of exhibitors and products. And if you’d like to learn more about our Live From program, please drop us a line—we’d love to work with you in Las Vegas at ISC West 2025. Read Now

    • Industry Events
    • GSX

  • Live from GSX 2024: Day 2 Recap

    Day 2 was another winner at GSX 2024 in Orlando. Aisles and booths were packed with attendees looking at some of the new and latest security technology. Remember to follow the GSX Live page from Security Today, as well as SecurToday on X and Security Today on LinkedIn to find out more about what’s happening on the show floor during tomorrow’s final day. Here’s what was happening with all four of our partners during the event on Tuesday. Read Now

    • Industry Events
    • GSX

  • How Much Carbon is Your Footprint Leaving?

    A more sustainable future is not only shared responsibility, it is increasingly critical. Securitas, is inviting clients and industry partners to make a difference in an ever-evolving world that faces diverse sustainability challenges. Read Now

    • Industry Events
    • GSX
Most   Popular

Featured Cybersecurity

Webinars

New Products

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols. 3

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame. 3

  • QCS7230 System-on-Chip (SoC)

    QCS7230 System-on-Chip (SoC)

    The latest Qualcomm® Vision Intelligence Platform offers next-generation smart camera IoT solutions to improve safety and security across enterprises, cities and spaces. The Vision Intelligence Platform was expanded in March 2022 with the introduction of the QCS7230 System-on-Chip (SoC), which delivers superior artificial intelligence (AI) inferencing at the edge. 3