Fraud's New Focus - and How to Defeat It
eMarketer forecasts that mobile payments in the U.S. will triple this year and that there will be a 210 percent growth in the total value of mobile payment transactions in 2016 – up to $27.05 billion from $8.71 billion in 2015. Wherever profit increases, fraudsters are sure to follow.
Consequently, they are always in search of new ways to commit their crimes. For instance, whereas credit card data used to be the “It” girl that hackers sought out, the new hot date in data is personally identifiable information (PII). That’ s why 2015 saw so many attacks on healthcare companies, government agencies and other firms that have PII in their vaults.
This data makes its way to fraudsters, who use it to launch assaults on financial and ecommerce organizations. As merchants and financial institutions become better at thwarting traditional fraud techniques, criminals are forced to adapt. Because they must answer to trusting customers, the onus is on the financial institutions and merchants to stay ahead.
Popular Fraud Methods and How They Work
The abundance of PII amassed from many successful large data breaches have led to the rise in popularity of account takeover (ATO) and new account fraud. A 2015 study by Javelin Strategy & Research on the impact of data breaches on consumers found that these two types of fraud will increase by 60 percent in the next three years. That makes for an increase from the estimated $5 billion lost last year to $8 billion in 2018.
Here’s how ATO is perpetrated: a cyber criminal accesses an existing user’s credentials (using stolen PII), which allows the criminal to masquerade as a genuine customer to transfer funds, use the payment method on file to make a high-value purchase or simply mask fraudulent transactions. Accessing these accounts has become easy through one of three common practices:
•Conducting systematic assaults (also referred to as “bots”) that use a script to continually “guess” a user’s password, also called brute force attacks
•Trying many combinations of usernames and/or passwords obtained through data breaches
•Running through easily remembered passwords, like “Password123,” or words like a child’s name, street name, birth dates or other data socially engineered from public profiles
The popularity of ATO shows no signs of slowing down, and there are two main reasons for that. First, passwords can no longer be relied upon to keep a user’s account secure. Second, traditional fraud prevention systems that primarily use rules-based systems to analyze payment and personal identification information (PII) do not have the ability to determine if a user accessing an account is in fact the real user of that account.
It can be not just embarrassing but financially disastrous if a company fails to prevent orders or bank transfers at any point. While these systems are still relevant in terms of apprehending other forms of fraud and some instances of account takeover fraud, they can only examine payment and some device information, not the user’s behavior at the time of login.
The other growing criminal activity is new account fraud. According to a 2016 report by Javelin Strategy & Research titled “2016 Identity Fraud: Fraud Hits an Inflection Point,” there has been a 113 percent increase in incidence of new account fraud, which now accounts for 20 percent of all fraud losses. In most cases, the information obtained is enough to apply for new financial accounts, many times without the victims being aware for months.
For both of these methods, technology works to the fraudster’s advantage. Hackers write scripts that can be run by bots en masse to attack systems using that data. Scripted attacks can be tricky to detect, as the perpetrators have studied the account creation and login pages of their target company to ensure that each field is completed correctly and appears legitimate. Standalone fraud prevention systems are merely looking at the information provided in the order or application, not the behavior displayed when logging in to or creating an account.
In an effort to stop losses, companies tend to apply excess caution when reviewing orders – sometimes mistaking good orders for bad. When this occurs, the merchant is not only losing the immediate sale, but also in most cases the lifetime value of that customer. Javelin Strategy & Research evaluated this issue in a sponsored study entitled “Overcoming False Positives.” Roughly 33 million -- or 15 percent of all --cardholders had a transaction denied because of suspected fraud in the past year. That’s resulted in a nearly $118 billion loss. In contrast, actual ecommerce fraud in the U.S. only reached $9 billion. Merchants need a better way to save these legitimate sales while still preventing the potential dollar loss due to sophisticated fraud tactics.
A New Approach is Needed
LexisNexis’s True Cost of Fraud report revealed that while mobile transactions only accounted for 14 percent of transaction volume in 2014, they made up 21 percent of all fraudulent transactions. In fact, the report found that the cost for fraudulent mobile transactions is the highest of any channel.
In light of the high cost of mobile fraud, financial institutions and online companies need to consider new detection methods. With many traditional fraud prevention tools, only the data entered into a shopping cart or account creation form is analyzed. Some will look at device or connection, which can be spoofable. With the data available from recent data breaches, all these details can match perfectly with the genuine consumer yet still be fraudulent and/or spoofed. Additionally, once the order and application form is completed, it initiates fraud decision-related resources via payment authorizations and fraud and/or credit reviews.
Consequently, another fraud detection and prevention method is gaining prominence. Using observable behavioral biometrics, users accessing an account or application are continually evaluated from the moment they begin interacting with an online property. The amount of time it takes to log in, place an item in a cart or get to the application page is all captured. Device information such as whether a mobile, PC or tablet is being used, along with device identification information, browser language, screen size, location and whether the IP or geo-location has been faked are all compared to an existing user profile. The way a user interacts with a website is also analyzed, including the way a person types, how they hold their mobile phone, etc. By absorbing all of these characteristics and aggregating the data, behavioral biometrics create a unique profile for each user.
As this method evaluates and identifies good users behind the scenes, the anomalous or bad users become obvious in comparison. This enables the program to easily highlight when a different person or bot is attempting account takeover and also allows businesses to prevent bots and systems from running scripts to access or create new accounts. The uniqueness of the data gathered and the aggregation and application of all collected data creates a full 360-degree view of each user.
Mobile fraud has become a multi-billion-dollar industry, so it’s not likely that fraudsters will move on to some less lucrative activity. Though merchants and financial institutions have tried diligently to stay ahead of cyber criminals and prevent fraud, it remains a huge loss generator. This cat-and-mouse game needs to end, and the new approach of observable behavioral biometrics can end it. This method of fraud detection and prevention passively gathers data that cannot be spoofed to identify both good and bad users. Best of all, it’s a frictionless process that maintains a positive customer experience.
About the Author
Ryan Wilk, Vice President of Customer Success, NuData Security is responsible for ensuring the success of every NuData customer during the lifetime of the partnership. In his previous role, Ryan was the Manager, Trust and Safety at StubHub, an ebay company. Prior to joining StubHub, Ryan spent 8 years with Universal Parks & Resorts where he established and implemented the eCommerce Loss Prevention teams at both Universal Orlando Resort and Universal Studios Hollywood.
Edited by Peter Bernstein