Fraud for the Holidays

For most retailers heading into this year’s holiday-season sales crunch, the epic Equifax data breach was only the latest in a series of escalating threats having a profound effect.

ISO & Agent - INSIDE 11/12.2017 - By Kate Fitzgerald

The Equifax data breach has raised the stakes for fraud prevention this holiday season. What options do acquirers and merchants have to shore up their defenses?

The scope of the September Equifax event may be vast, but it’s not the first time many of the millions of consumer files have been compromised, sold and resold on the “dark web,” forcing merchants to accept the reality that fraud is an ongoing and evolving risk that calls for customized solutions.

Specific risks to retailers online and in stores this holiday season will come from criminals using troves of stolen consumer account data to spoof identities for in-store purchases and create synthetic identities for fraudulent accounts plus applying stolen data to machine-driven account-takeover fraud, with all categories of fraud on track to rise this year, according to data from Auriemma Consulting.

What’s in store

Many retailers that sell higher-ticket merchandise already are bolstering authentication methods this holiday season, in anticipation of increased fraud threats after data breaches and malware attacks and the surging growth of e-commerce through mobile channels, and they will need to closely track trends and tighten controls if they see fraud begin to spike when holiday sales surge after Thanksgiving.

“With the continued adoption of EMV at the POS, especially those merchants that criminals traditionally like to patronize selling electronics and high-end consumer goods, e-commerce merchants will be the targets of choice this holiday season,” said Al Pascual, a senior analyst with Javelin Strategy & Research.

The drawback in heavying up authentication, however, is the possibility that false positives will turn away good customers, he noted.

“With all the online traffic retailers will see this year, it will be harder than ever to separate good customers from bad without stronger controls in place,” Pascual said.

Retailers that are succeeding at streamlining sales while ferreting out fraud have found the best approach is to use a combination of technology, tools and processes customized for their specific niche and risk levels.

Online fraud is a constant threat for Closet Candy, a women’s apparel company based in Indianapolis, and attempted theft intensifies each year around the holidays, said founder and president Christina Smith.

After launching in 2012 on Shopify’s hosting platform, sales quickly soared to more than $6 million annually, but the operation is not large enough to sustain many losses, according to Smith, who personally investigates most fraud incidents.

“Over the last couple of years we’ve dialed our chargebacks down to one or none per month, because I analyze the heck out of every fraud case to avoid any repeats,” she said.

The first line of defense is the filters built into Shopify’s system, which signal when an order has risky characteristics.

A common sign of attempted fraud is when the customer requests shipment to a destination different than the billing address, or when orders are placed from a computer IP address that’s more than 50 miles away from the shipping address, according to Smith.

Other red flags include unusually large gift card purchases and orders of multiple sizes of the same item shipped to a single address, presumably for resale.
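
The red flags listed above can be expressed as a small rule check. The following is an added example, not code from Closet Candy or Shopify: the order fields, the gift-card and size thresholds, the two-flag review policy and the sample orders are all assumptions; only the 50-mile limit comes from the article.

```python
from math import radians, sin, cos, asin, sqrt

IP_DISTANCE_LIMIT_MILES = 50   # from the article
GIFT_CARD_LIMIT_USD = 200      # assumed threshold, not from the article
MAX_SIZES_PER_ITEM = 2         # assumed threshold, not from the article

def miles_between(a, b):
    """Great-circle (haversine) distance in miles between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 3958.8 * asin(sqrt(h))

def risk_flags(order):
    """Return the red flags an order trips; an empty list means none."""
    flags = []
    if order["ship_addr"].strip().lower() != order["bill_addr"].strip().lower():
        flags.append("ship_differs_from_billing")
    if order.get("ip_geo") is None:  # unknown location is flagged, never treated as a match
        flags.append("ip_location_unknown")
    elif miles_between(order["ip_geo"], order["ship_geo"]) > IP_DISTANCE_LIMIT_MILES:
        flags.append("ip_far_from_shipping")
    gift_total = sum(l["price"] * l["qty"] for l in order["lines"]
                     if l["sku"].startswith("GIFT"))
    if gift_total > GIFT_CARD_LIMIT_USD:
        flags.append("large_gift_card_purchase")
    sizes = {}
    for l in order["lines"]:
        if l.get("size"):
            sizes.setdefault(l["sku"], set()).add(l["size"])
    if any(len(s) > MAX_SIZES_PER_ITEM for s in sizes.values()):
        flags.append("many_sizes_same_item")
    return flags

def needs_manual_review(order):
    """Assumed policy: a combination of two or more flags goes to a human reviewer."""
    return len(risk_flags(order)) >= 2

# Constructed sample orders; coordinates are Indianapolis and Chicago.
INDY, CHICAGO = (39.7684, -86.1581), (41.8781, -87.6298)
ROUTINE = {"bill_addr": "12 Elm St", "ship_addr": "12 elm st ", "ip_geo": INDY,
           "ship_geo": INDY, "lines": [{"sku": "DRESS-1", "size": "M", "price": 48, "qty": 1}]}
SUSPECT = {"bill_addr": "12 Elm St", "ship_addr": "900 Dock Rd", "ip_geo": CHICAGO,
           "ship_geo": INDY, "lines": [
               {"sku": "GIFT-100", "price": 100, "qty": 4},
               {"sku": "TOP-7", "size": "S", "price": 30, "qty": 1},
               {"sku": "TOP-7", "size": "M", "price": 30, "qty": 1},
               {"sku": "TOP-7", "size": "L", "price": 30, "qty": 1}]}
```

A single flag on its own, such as a gift shipped to a different address, is common among legitimate holiday orders, which is why the sketch escalates only on combinations.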

“We look at a range of data to validate orders, including the path the shopper followed to reach the site,” Smith said, noting that customers who arrived directly from an online or social media promotion tend to be legitimate customers who regularly shop the site.

Whenever an order has an odd combination of characteristics, employees run a series of quick tests to verify that it’s legitimate. If they can’t resolve the case, they bump it up to senior management for further investigation.

“We’ll explore publicly available information of consumers’ addresses, and fraudsters usually have a lot of discrepancies that are easy to spot. For example, if you’ve got a $400 order going to what Google Maps indicates is a shack, chances are high you’ve got a problem,” Smith said.

Closet Candy relies heavily on social media to promote its wares, which Smith said helps to spot fraudsters.

“We get a lot of repeat business, so there’s a consistency to the mix of merchandise and price points we see from legitimate customers, and anything that’s way out of the ordinary catches our attention for further scrutiny,” she said.

The big picture

Personally vetting each suspicious sale may work for Closet Candy, but e-commerce operators with higher volume often rely on third-party services to help in fraud detection.

Huckberry, a large and growing menswear website launched six years ago in San Francisco, hired Kount, of Boise, Idaho, to assist in fraud protection through its fraud-filtering platform and consulting services, said Lisa Eugene, a fraud analyst for the retailer.

Kount, which has worked with Huckberry for several years, maintains a broad set of transaction data from numerous e-commerce merchants and automatically compares that information against prospective transactions to determine whether customers are legitimate.

“Today’s fraudsters aren’t just random individuals in a basement somewhere—these are people using information available on the ‘dark web’ and even on Reddit who leverage sophisticated knowledge about fraud and technology to probe e-commerce systems,” said Melayna Gabiou, Kount’s senior marketing manager.

Expert e-commerce fraudsters create IP proxies, engineer remote desktop logins and emulate mobile devices, and they know how to spoof device-identification systems, she said.

“A multilayered fraud detection system will send fraudsters elsewhere,” Gabiou said, noting that the central weapon Kount provides is a vast storehouse of information from e-commerce sites that’s constantly refreshed.

Whitepages Pro is one of the data providers Kount works with to speedily validate customers. Using a network of 5 billion consumer records, Whitepages Pro’s Identity Graph establishes linkages between five key customer attributes including email, phone number, person, address and business, according to Sam Hartung, Whitepages Pro’s risk partnership manager.

“When a customer sends us these attributes, we key off of all five at once, to see whether the e-commerce site’s consumers are who they say they are,” Hartung said.

Armed with Kount’s data filters, Huckberry prepares for fraud each holiday season by devising new policies to combat fraud based on recent trends of legitimate transactions and attempted fraud, Eugene said.

“The data not only points out potential fraud scenarios, but isolates the risky signal combinations we want to confirm before approving a transaction. For example, earlier this year we compared recent transaction data with previous years, and used the data points on certain signals to help us build new rules to reduce false positives,” Eugene said.

Huckberry typically hires additional personnel to process orders during the holiday season and teaches them how to handle manual reviews on questionable transactions, escalating trickier cases to more experienced agents, she said.

Each order also goes through an automated assessment of how the customer navigated to the site, which can provide valuable clues to investigating potentially fraudulent orders, Eugene said.

Rise of the machines

Criminals increasingly are turning to machine learning and bots to commit online fraud, which pose a special challenge in industries selling high-ticket goods, such as the travel industry.

The Canadian travel agency Redtag.ca sees a surge of all types of fraud attempts during the holiday season when travel volume surges, said Roberto Gennaro, chief digital officer at Redtag.ca.

“Fraud attempts escalate right before the holidays for flights within a few days of the bookings, with fraudsters using stolen cards from travelers,” Gennaro said.

One of the insidious side effects of criminals deploying bots is that they often fraudulently reserve blocks of seats on flights, causing the price of the remaining unsold seats to increase dramatically, throwing off sales, he said.

“Threats from bots are always changing, and as they get better at mimicking human behavior while browsing our travel sites, they make it look like they’re legitimately shopping by adding items to their cart and proceeding to a checkout page,” Gennaro said.

Redtag.ca has been able to thwart many bot attacks this year with help from Distil Networks, which weeds out bad bots from humans before the checkout process begins, he said.

While the good guys are deploying new tools of their own, to block fraud without impeding legitimate sales, industry organizations are working to find a replacement for flimsy passwords, and retailers are recognizing the need to use multiple tools and filters — along with developing their own unique solutions based on their mix of merchandise, customer base and business models, experts say.

“EMV payment tokenization has been around for a while and it’s helping to protect certain payment methods, but the recent publication of EMVCo’s updated tokenization framework has benefits that can be extended to all transactions, including mobile NFC, e-commerce and in-app transactions,” said David Worthington, vice president of business development at Rambus, which provides a range of payments technology including mobile payments and token services.

In addition to confronting these threats, more retailers are adopting omnichannel strategies to sell goods online, through mobile devices and inside stores and kiosks, expanding their overall exposure to risk.

“As retailers move towards an omnichannel approach to deliver an enhanced experience for consumers, vulnerabilities are emerging that can be exploited by sophisticated fraudsters armed with significant amounts of personal information obtained by data breaches,” Worthington said.

“The POS systems at retailers’ branch offices can be a prime target for determined hackers, who may find weak security and enter to connect to a merchant’s remote data center, giving the attacker the ability to move laterally through the network, compromising the breadth of a retailer’s payment systems,” said Matt Hur, director of product management for public key infrastructure at Entrust Datacard, which provides software and hardware support to authenticate consumers in bank and retail environments.

But the payments industry isn’t resting idly while threats rise, experts say.

The industry is working to develop more secure customer authentication methods based on biometrics and multifactor protocols, including a new approach with advocates at the FIDO Alliance, which designs and develops strong authentication methods that experts say show immediate promise for improving payments security.

Targeted tactics

While working to spot fraud, merchants also are welcoming many new customers online and in stores during the holidays—and fraudsters know it. Criminals can strike at any hour, but they often concentrate their attacks during heavy sales periods on weekends, late in the day and just before stores close, experts say.

When fraudsters slip past retailers’ bulwarks, there’s still a chance to block the transaction at the processing level using machine-learning technology, said Karim Ahmad, head of global product and innovation at TSYS, a major payments processor based in Columbus, Ga.

TSYS partnered with U.K.-based Featurespace last year for a bank service that applies adaptive behavioral analytics to spot uncharacteristic customer patterns that might be fraudulent, according to Ahmad.

“Featurespace creates a profile of what normal behavior looks like for a specific consumer, and then every transaction on the account gets compared against that profile,” Ahmad said, noting at least two TSYS bank customers will be using the service, called Foresight Score, for the first time this holiday season.

There is no single solution to combat fraud in all environments, but the payments industry is embarking on broad efforts to upgrade authentication processes across the board, said Brett McDowell, executive director of the FIDO Alliance.

The approach FIDO recently began to recommend, called high-assurance strong authentication, shows significant promise for broadly reducing fraud, McDowell said.
