New fraud prevention tools make e-commerce more secure
Before the COVID-19 pandemic came along and drove almost all commerce online, the shift in consumer behavior toward everyday use of e-commerce platforms was already well underway. Global e-commerce sales topped $3.5 trillion in 2019, and online transactions in the U.S. were expected to grow 15–20% this year even before the pandemic hit.
For criminals intent on committing fraud, however, this rapid expansion of global e-commerce represents only one thing: opportunity.
E-commerce fraudsters often use periods of surging traffic to disguise their activities and circumvent security measures that are stressed or overwhelmed by unusually high transaction volumes. Traditionally, events such as Black Friday, Cyber Monday, and Amazon Prime Day have prompted significant spikes in e-commerce fraud, as consumer traffic on those days can run 15–20% higher than normal.
Similarly, during the COVID-19 crisis, large retailers such as Amazon, Target, Walmart, and Costco saw holiday-like surges on their e-commerce sites as consumers rushed to buy commodity goods such as toilet paper, paper towels, groceries, and personal care products.
“Any time there is noise in the system, there are going to be increased incidences of fraud,” says Jennifer Singh, director of channel partnerships at the fin-tech security firm Entersekt. “COVID-19 created a great deal of noise as a result of retailers everywhere going online. Wherever the money goes, criminals will follow,” she says, adding that “with an average traffic increase of 15–20%, we would expect to see a 2–5% increase in fraudulent activity.”
New e-merchants at risk
Large retailers aren’t necessarily the most likely targets of e-commerce fraud, however. While some fraudsters might try to exploit traffic spikes at large retailers, or game their generous return policies, the retailers most at risk are often small- to mid-sized businesses. They are often targets because they don’t have much fraud prevention experience and haven’t invested in state-of-the-art security measures.
As a result of the COVID-19 outbreak, for instance, many restaurants hastily transformed themselves into e-commerce operations without reinforcing their digital security. Many also manage their business through their smartphones, accepting orders from customers using mobile devices—all of which are systems fraudsters are becoming increasingly adept at compromising.
“With the implementation of the EMV chip in physical cards, fraudsters have migrated to less secure channels in mobile and online,” says Singh. E-commerce fraud—also called “card not present” fraud, or CNP—cost global merchants more than $70 billion last year. And according to the industry trade magazine Merchant Fraud Journal, CNP is estimated to grow 14% per year through 2023.
Part of the reason for this escalation in CNP fraud is the expansion of e-commerce in general. But a more insidious reason is that fraud schemes are becoming much more technically sophisticated. Stolen cards, phishing scams, and fake websites are still the most prevalent first steps in most fraud schemes, but technically adept criminals have also discovered ways to co-opt even seemingly secure digital technologies.
For example, many advanced security technologies use a combination of machine learning and artificial intelligence (AI) to create a user’s digital “fingerprint,” which is essentially a record of the user’s device information based on app or browser attributes like IP address, operating system, language setting, etc. This fingerprint is used as a unique identifier and does offer greater security, especially when used in conjunction with some form of multi-factor authentication.
However, criminals can now buy stolen digital fingerprints on the dark web and use them to fool or “spoof” merchants, bankers, retailers, insurance companies, or other targets into believing they are the person associated with that fingerprint. Combined with a form of account-takeover fraud known as a SIM-swap (convincing a mobile carrier to port the user’s phone number to another SIM card), a stolen digital fingerprint lets a criminal gain instant access to the user’s phone and cause a great deal of economic damage.
Hackers have also been known to combine stolen digital fingerprints and bots to bombard e-commerce sites with millions of log-in requests in an attempt to overwhelm—and eventually break through—a retailer’s firewall.
Protection comes in layers
To prevent such attacks and create safer spaces for digital commerce, businesses should consider re-evaluating—and perhaps revising—their customer-authentication strategy. For example, one way to improve e-commerce security is to employ what Singh calls a layered approach, one that combines more advanced risk-assessment technologies with easier “step-up” techniques that allow consumers to validate or deny any given transaction.
A layered approach might start with an advanced risk-assessment tool that uses machine learning and AI to cross-correlate and analyze consumer data when a transaction is in progress. The tool gives the merchant a real-time risk-assessment score, and the merchant can accept or decline the transaction based on that score. More advanced systems also layer in step-up authentication—such as sending a numeric code to the consumer’s phone or directly querying them through an app—which allows the consumer to confirm their identity and verify the purchase. The recommended best practice is to have customers authenticate through an app because it is much more secure than other practices such as one-time passcodes.
Friction and frustration
The challenge for online businesses is having a system that provides the level of security they desire but doesn’t ask so much of the consumer that they abandon their purchase out of frustration or annoyance.
“Consumers want transactions to happen instantaneously,” Singh says. “If the transaction is declined for any reason, they may abandon their cart or use a different credit card to finish the transaction. This results in losses for both the merchant and issuer of the card.”
Consumers abandon sites in mid-transaction for many reasons, but clunky security measures are often to blame. Sites that suddenly ask people to provide a password they’ve likely forgotten, or go through some sort of registration process before their purchase can be approved—these are security measures that create friction in the process, says Singh, and make cart abandonment more likely.
Less friction with 3DS2
More “frictionless” mobile solutions are now being built on the recently developed EMV 3-D Secure (3DS2) protocol, which combines superior algorithmic risk assessment with more straightforward authentication methods, resulting in more completed transactions, fewer false declines, and a reduction in costly chargebacks.
3DS2 uses 10 times more data than its predecessor, 3DS 1.0, providing more reliable risk assessment and making transactions on a variety of mobile devices—including smartphones, tablets, and wearables—much easier to complete. Significantly, says Singh, the 3DS2 protocol also shifts the purchase liability from the merchant to the card issuer, ultimately benefitting both. 3DS2 is also compliant with the European Union’s new PSD2 payment service directive, which went into effect at the end of 2019, and some version is expected to be adopted in the U.S. over the next year or two.
“As merchants ramp up their e-commerce capabilities, they should be doing so with security in mind from the start,” says Singh. “Many businesses use third-party vendors to provide payment capabilities and also rely on them for security. Merchants should talk to vendors about what kind of security they offer. Ask about things like 3DS2 and multi-factor authentication. Ask about how customer data is protected, what the system’s capabilities are, and what other sorts of firewalls and protections merchants should have in place. All of these things are very important from a security and fraud-prevention standpoint.”
This coming holiday season, no matter what the COVID-19 situation is, many online merchants can still expect to see a surge in traffic. And just as surely, fraudsters will be trying to exploit any security weakness they can find. Fortunately, security technologies are continuously improving, and with the proper tools and systems in place, it can be easier and safer than ever to conduct business online.
About the author
Tad Simons is an award-winning technology journalist who writes about communications, workflow issues, corporate efficiency, artificial intelligence, government administration, and ethics.