endpoint security

4 Types of eCommerce Fraud That Have Increased During the Pandemic

  • By Thorsten Herbes
  • Nov 02, 2020

As we shop from the safety of our homes and fuel the digital economy, we expose ourselves to a great amount of risk, and fraudsters are taking advantage of this sharp increase in online shopping over the course of the Covid-19 crisis. Bots, account takeovers, and fake accounts are commonplace threats to merchants and require far more sophisticated prevention methods than what companies have in place today. As the fraudsters become smarter and more adept at defeating the traditional methods of fraud prevention, detecting subtle tells and behavioral analysis have emerged as effective ways to protect both consumers and merchants from unwanted access and transactions. As a merchant, look for holes in your anti-fraud stack and realize that the fraudsters will always evolve. If your fraud prevention technology remains stale, you are inviting chargebacks.

While their methods continue to change, today’s eCommerce fraudsters can still be divided into several key fraud vectors.

Bots
The dark web is filled with easily obtained lists of usernames and passwords, and fraudsters are able to purchase large quantities of such combinations for relatively little money. These credentials are then loaded into a server and used to ping eCommerce and other sites in an attempt to find a combination that works. It’s essentially the fraudster’s version of playing a slot machine, hoping for the jackpot winning combination of username and password. Once they’re “in,” the options are near limitless -- the fraudster has access to the compromised account and can make changes, transact or, like many of us who use the same username and password across multiple sites, take over the account and associated payment methods. Plus, they can even access your accounts on other sites with the same credentials. Traditional methods of analyzing the physical identity of the consumer no longer work in this scenario because the fraudster has the matching data and can easily defeat this layer of defense. A more timely approach to fraud prevention against bots is to add in a layer of security that looks for commonalities, such as IP addresses, device fingerprint and other “tells” that can easily identify a bot and stop it from getting through.

Account Takeover
Once a fraudster gains access, taking over an account is simple. In a typical account takeover (ATO) scenario, the fraudster will change subtle pieces of information associated with the account, such as phone numbers, emails, and addresses. The fraudster now “owns” your account and can transact, purchasing goods for their own use or for the purposes of selling them. Consumer electronics or digital goods, like gift cards, are particularly attractive items. Fraudsters typically attempt a large number of transactions over a short period of time, in order to maximize the breach before the real account owner has a chance to notice the compromised account. ATO is more difficult to prevent than bots, as the fraudster has already made his or her way into the secured environment with real credentials and, more importantly, now controls the account. Again, traditional methods of defense often fail in this instance. However, while the fraudster can easily mimic the credentials of the real customer, they are unable to behave in the same way that the real customer would. Utilizing behavioral biometrics has proven to be the key defense here -- fraud can be detected by analyzing user behavior patterns and comparing them to the real customer’s known patterns. Is the shopping behavior the same? Is the typing rhythm similar to prior transactions? Are there any other dissimilarities in the interaction? The fraud can be stopped only by analyzing these small variations in an intelligent way.

Fake Accounts
Another common vector is the creation of fake accounts, using stolen identities or payment instruments. Fraudsters will visit a site or app and create a new user profile, using components that are stolen in combination with their own information, such as burner phones and fake email addresses. If successful, the fraudster can transact while impersonating the real consumer and take advantage of any goods or services obtained prior to the consumer noticing. Merchants often ship items or digital goods to this seemingly good new customer, often not realizing that they are dealing with a fake account until it is too late and the real account owner contacts them to ask about the charges on their credit card. Fake accounts are difficult to spot once they have been established, so the need for more subtle ways to detect a fraudulent customer becomes paramount. Creating fake accounts has only a limited rate of success, so fraudsters often use shortcuts to help them generate many fake account registration attempts at once -- something that can lead to their detection. Paying close attention to common traits, such as the number of instances a certain device has been used; how many times the same password has been used across multiple, seemingly unrelated accounts; and the general behavioral patterns can be powerful tools in deterring this type of fraud vector.

Transaction Payment Fraud
The result of all three attack vectors is almost always a chargeback. The real consumer has realized that their account has been compromised and that transactions have been made with their payment method without their knowledge or consent. The consumer now contacts the issuing bank and demands that the charges are reversed, resulting in the bank charging back the merchant for the unauthorized transactions. The risk to the merchant is reputational and financial, potentially resulting in negative reviews and corrective measures required by the card issuer prior to allowing the merchant to accept the compromised payment method again. Assuming that the fraudster has managed to successfully evade the typical legacy methods of fraud prevention, such as identity verification, one-time-passwords or even out-of-wallet personal identification questions, there is still hope that a fraudulent transaction can be avoided. Using behavioral attributes and measuring exactly how the fraudster interacted during the page traversal can be excellent indicators of likely fraud and can offer a final barrier against unwanted transactions.

Ultimately, relying solely on standard defensive measures has become a risky proposition in today’s socially distanced shopping environment. Thankfully, new ways to prevent fraud, such as machine-learning behavioral models powered by artificial intelligence, are at the forefront of the battle and become more powerful each day.

Featured

  • Maximizing Your Security Budget This Year

    Perimeter Security Standards for Multi-Site Businesses

    When you run or own a business that has multiple locations, it is important to set clear perimeter security standards. By doing this, it allows you to assess and mitigate any potential threats or risks at each site or location efficiently and effectively. Read Now

  • Getting in Someone’s Face

    There was a time, not so long ago, when the tradeshow industry must have thought COVID-19 might wipe out face-to-face meetings. It sure seemed that way about three years ago. Read Now

    • Industry Events
    • ISC West

  • Live From ISC West 2024: Post-Show Recap

    ISC West 2024 is complete. And from start to finish, the entire conference was a huge success with almost 30,000 people in attendance. Read Now

    • Industry Events
    • ISC West

  • ISC West 2024 is a Rousing Success

    The 2024 ISC West security tradeshow marked a pivotal moment in the industry, showcasing cutting-edge technology and innovative solutions to address evolving security challenges. Exhibitors left the event with a profound sense of satisfaction, as they witnessed a high level of engagement from attendees and forged valuable connections with potential clients and partners. Read Now

    • Industry Events
    • ISC West
Most   Popular

Featured Cybersecurity

Webinars

New Products

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure. 3

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame. 3

  • HD2055 Modular Barricade

    Delta Scientific’s electric HD2055 modular shallow foundation barricade is tested to ASTM M50/P1 with negative penetration from the vehicle upon impact. With a shallow foundation of only 24 inches, the HD2055 can be installed without worrying about buried power lines and other below grade obstructions. The modular make-up of the barrier also allows you to cover wider roadways by adding additional modules to the system. The HD2055 boasts an Emergency Fast Operation of 1.5 seconds giving the guard ample time to deploy under a high threat situation. 3