Fraud, friction, risk & reward: Fighting online fraud
The conundrum of risk management boils down to the seemingly conflicting goals of consumer convenience and protection against fraud.
We live in fascinating times. As a technologist at heart, I’m thrilled by the advances in big data, real-time streaming, correlation, virtual cubes and the like, and by the incredible promise of supercomputers and quantum computing. These technologies are creating value for individuals and communities around the world. For example, when quantum computing becomes commercially available, in the next five to 10 years, it will bring tremendous opportunities for science and medicine.
But every rose has its thorn. A sufficiently large quantum computer would also let criminals break the public-key cryptography (RSA and elliptic-curve schemes) that underpins today's online and mobile commerce. Symmetric ciphers and hashes are only weakened, not broken, so it is key exchange and digital signatures that need to be migrated first.
The problem is that the same advances available to companies and authorities are also available to organisations with unsavoury goals. Risk in digital payments is no longer only the work of isolated hackers in their basements, seeking to impress their friends, but of well-resourced groups: organised crime, cause-motivated hacktivists and rogue nations.
These groups routinely correlate data from different breaches, then either use the stolen personal information themselves or sell it on the dark web, where it feeds identity theft, account takeovers and every other kind of fraud.
Compounding the problem is the ubiquity of digital payments. E-commerce is approaching $2tn globally, and mobile has exploded: there are currently five billion connected devices, predicted to reach anywhere between 25 and 50 billion by 2020, driven by the Internet of Things. Our fridges will order milk and our dishwashers will order soap when they are about to run out, obeying “intelligent contracts”, a sort of standing order that defines the triggers and boundaries of these automated transactions. Every one of those automated payments is a transaction a fraudster can try to hijack.
At Paysafe, a pioneer of e-commerce since the late 90s, we have seen virtually every flavour of risk and fraud. We have developed a unique expertise combining knowledge, processes and proprietary technology, and we are highly regarded for our integration of leading third-party security tools and of the industry best practices recommended by the card schemes.
The conundrum of risk management boils down to the seemingly conflicting goals of consumer convenience and protection against fraud. Consumers and merchants want a frictionless experience: single tap, single click, remember-me features and the like. On the other hand, security controls keep multiplying: two-factor authentication, biometrics and other safeguards, each adding a step to the checkout.
Now, a few interesting statistics, which provide a sense of the backdrop against which businesses and consumers are operating:
- Every single minute, over 600,000 phishing emails are sent.
- Fraud is moving to Card Not Present (CNP), due to securing of POS transactions with chip and PIN cards. CNP represented 59% of global fraud in 2015, up from 52% in 2011.
- The U.S. accounts for 61% of global fraud, likely as a result of the delayed rollout of chip and PIN cards. In contrast, Europe accounts for 18%.
- There are areas of improvement. For example, industry statistics show that the median number of days before a compromise was discovered was 146 in 2015, down from a horrific 416 in 2011. That is a marked improvement, but 146 days is still almost five months. Worse, the compromise was detected by an external party in 53% of cases, against internal detection in only 47%: more often than not, the victim learns of a breach from someone else.
Fraud has as many facets as there are flavours in a good Italian gelato shop. These are some that come to mind, in a list that is in no way exhaustive:
- Account takeover / identity theft: the fraudster impersonates the legitimate consumer and either gains control of an existing account or opens a brand new fraudulent account in the victim's name.
- Friendly fraud: the consumer, or a close family member, performs the transaction but then claims they did not, and disputes the charge.
- Affiliate fraud: fraudulent transactions placed for the sole purpose of generating affiliate commissions. The commissions are paid out, and the affiliate disappears before the transactions come back as chargebacks.
- Re-shipping: the fraudster has the goods shipped to a legitimate-looking address (often a recruited “mule”), from where they are forwarded to the real destination.
- Botnets: infected consumer computers are used to place orders so that the traffic arrives from a residential, “clean” IP address rather than from an obviously suspicious one.
- Phishing / whaling: phishing emails direct the victim to a fake web page built to harvest login credentials, which are then used to defraud the unsuspecting consumer. Whaling involves spoofed emails that appear to come from people in positions of authority within the company, such as the CEO or CFO, asking for an immediate wire transfer.
- Triangulation: the fraudster pretends to sell goods online for the sole purpose of collecting credit card numbers and other personal details, which are immediately used to make fraudulent purchases on another site.
- And then we have “clean fraud”, where the transaction shows absolutely no indication of anything improper; it is clearly the hardest to detect.
What to do to keep fraudsters at bay?
The key to mitigating e-commerce risk is relentless vigilance: putting in place tools that generate data, not a flood of useless reports that go mostly unread, but laser-focused data (threat intelligence) that leads to analysis and prompt action.
There is no single answer or silver bullet to combat fraud, especially since fraud continually morphs and keeps taking new forms. Instead, a constantly evolving, multi-pronged approach has been proven to deliver excellent results, composed of the following elements:
- Staff training.
- Selecting the right processing partner.
- Refining your own offering (privacy, refund policy, easy access to customer service).
- Internal fraud prevention (access control, need to know basis).
- Use of scheme tools (AVS, CVV2, 3DS).
- Strict adherence to PCI DSS.
- Use of fraud screening tools (device fingerprinting, IP geolocation).
- Use of self-learning (machine learning) fraud management algorithms, which reduce false positives by learning new fraud patterns instead of relying on static rules alone.
- Routing of certain transactions to manual review.
- Monitoring of chargebacks, but also of total volume, refunds and declines, for any unexpected spikes or other inconsistencies.
Being great at risk and fraud is not a nice to have. It is not about becoming a bit more profitable. It is a major competitive differentiator.
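To make the screening and monitoring elements concrete, here is an added example (not Paysafe's code, and not tied to any particular processor) of a rule-based pre-authorisation screen that combines scheme-tool results (AVS, CVV2, 3DS), IP geolocation against the billing country, a shipping/billing mismatch check, and device-fingerprint velocity, routing each transaction to approve, manual review or decline. It also includes a small monitor that flags a spike in a daily chargeback (or refund, or decline) rate against a trailing baseline. The result codes, weights, thresholds, and the sample transactions and daily rates are assumptions constructed for illustration.

```python
"""Rule-based pre-authorisation fraud screen plus a chargeback-rate monitor.

Added example, not Paysafe's code: the result codes, weights, thresholds and
sample data below are assumptions chosen to illustrate the approach.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Scheme-tool result codes (simplified; real AVS/CVV2/3DS code sets vary by
# scheme and acquirer). Weights are illustrative risk points, not a standard.
AVS_RISK = {"Y": 0, "A": 15, "Z": 15, "N": 40, "U": 10}  # full/address/zip/none/unavailable
CVV_RISK = {"M": 0, "N": 50, "P": 20}                    # match/no match/not processed
TDS_RISK = {"Y": -30, "A": 0, "N": 60, "U": 10}          # authenticated/attempted/failed/unavailable


@dataclass(frozen=True)
class Txn:
    txn_id: str
    amount: float
    card_hash: str        # hashed PAN: the raw PAN never leaves the PCI DSS scope
    device_id: str        # device fingerprint reported by the client SDK
    ip_country: str       # from IP geolocation
    billing_country: str
    shipping_country: str
    avs: str
    cvv2: str
    tds: str


class Screener:
    """Scores each transaction and routes it to approve / manual review / decline.

    Velocity state (cards seen per device fingerprint) is kept in memory here;
    a production system would use a shared store with a sliding time window.
    """

    def __init__(self, review_at: int = 40, decline_at: int = 80) -> None:
        self.review_at = review_at
        self.decline_at = decline_at
        self._cards_per_device: dict[str, set[str]] = defaultdict(set)

    def score(self, t: Txn) -> tuple[int, list[str]]:
        reasons: list[str] = []
        # Unknown codes are treated as moderately risky rather than as a match.
        s = AVS_RISK.get(t.avs, 20) + CVV_RISK.get(t.cvv2, 20) + TDS_RISK.get(t.tds, 20)
        if t.ip_country != t.billing_country:
            s += 25
            reasons.append(f"IP country {t.ip_country} != billing {t.billing_country}")
        if t.shipping_country != t.billing_country:
            s += 20
            reasons.append("shipping country differs from billing (re-shipping pattern)")
        # One fingerprint cycling through many cards is the signature of card
        # testing from a botnet, which a "clean" IP address alone would not reveal.
        self._cards_per_device[t.device_id].add(t.card_hash)
        n = len(self._cards_per_device[t.device_id])
        if n >= 3:
            s += 30 * (n - 2)
            reasons.append(f"device {t.device_id} used with {n} distinct cards")
        if t.amount > 500:
            s += 10
            reasons.append("high ticket")
        return max(s, 0), reasons

    def route(self, t: Txn) -> tuple[str, int, list[str]]:
        s, reasons = self.score(t)
        if s >= self.decline_at:
            return "decline", s, reasons
        if s >= self.review_at:
            return "review", s, reasons
        return "approve", s, reasons


def spike_days(daily_rates: list[float], window: int = 7, sigmas: float = 3.0,
               sd_floor: float = 0.0005) -> list[int]:
    """Return the indexes of days whose rate exceeds the trailing-window mean by
    more than `sigmas` standard deviations. The deviation is floored so that a
    perfectly flat baseline does not flag ordinary noise. The same function
    serves chargeback, refund and decline rates."""
    flagged = []
    for i in range(window, len(daily_rates)):
        base = daily_rates[i - window:i]
        if daily_rates[i] > mean(base) + sigmas * max(pstdev(base), sd_floor):
            flagged.append(i)
    return flagged


# Constructed sample input (assumed values, not real traffic).
CLEAN = Txn("t1", 80.0, "c1", "d1", "US", "US", "US", "Y", "M", "Y")
GEO_MISMATCH = Txn("t2", 300.0, "c2", "d2", "NG", "GB", "GB", "N", "M", "U")
CARD_TESTING = [Txn(f"t{i}", 2.0, f"c{i}", "d3", "US", "US", "US", "Y", "M", "U")
                for i in range(3, 8)]  # one device, five different cards
DAILY_CHARGEBACK_RATE = [0.0040, 0.0050, 0.0045, 0.0050, 0.0042, 0.0048, 0.0044,
                         0.0050, 0.0120, 0.0046]  # day 8 is the spike

if __name__ == "__main__":
    screener = Screener()
    for t in [CLEAN, GEO_MISMATCH, *CARD_TESTING]:
        print(t.txn_id, *screener.route(t))
    print("chargeback spike on day(s):", spike_days(DAILY_CHARGEBACK_RATE))
```

The clean transaction scores zero and is approved; the geolocation mismatch with a failed AVS check lands in manual review; the card-testing run is approved twice, then reviewed, then declined once the device has been seen with five cards; and the monitor flags only the day the chargeback rate jumps. The point of the reasons list is that the manual-review queue receives an explanation, not just a number, which is what keeps the review step from becoming a flood of unread reports.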
Fraudsters are always looking for the path of least resistance. If your webshop is easier to defraud, you’ll be certain to attract an inordinate amount of fraud. Conversely, if you are better than your competition, you’ll effectively be “sending the fraud away”.
So, in my opinion, the best approach is to take control and create a path that, without compromising convenience and ease of use, protects your business and your consumers. As my very first boss taught me years ago; there are three secrets to success: preparation, preparation and preparation ... Risk management is no exception.