Guest Perspective: Toward a Proactive Approach to Preventing Online Fraud
By: Ryan Wilk, Director of Customer Success, NuData Security
Research firm eMarketer predicts that by 2018, e-commerce will account for 8.8 percent of the total retail market worldwide, or $2.5 trillion. This represents an increase of more than a trillion dollars in just three years. Retailers and service providers have cause to rejoice, but there is equal reason to be cautious. “Friendly fraud” alone, in which people buy items online and then dispute the charges, costs merchants $11.8 billion a year, according to Visa. Fraudsters are enjoying the online shopping boom at your expense.
Even though identity theft is one of the fastest-growing and most lucrative types of crime, many companies that do business online have not protected themselves and their customers to the full extent possible. Traditional online security measures are no longer adequate, and companies need to understand what new methods are now available in order to defend against loss of revenue and brand reputation.
The Current State of Fraud Detection: The Reactive Approach
Rather than proactively protecting against online fraud, most e-commerce merchants place their fraud detection tools after the point of transaction and end up reacting after the fact. Only at the point of purchase is some type of fraud review performed. This comes in the form of watching data points around the transaction, looking at PII (personally identifiable information) and crosschecking with PCI (payment card industry) data.
Most e-commerce merchants today are looking at a device profiling data point, whether it is a device ID or a set of data points pulled from the browser that the device is connected to. Then, those data points are run through various modeling techniques, a score is received and a decision is made whether a transaction receives approval, review or rejection. The problem with this method is that it is not comprehensive: it takes a one-time snapshot at the end of a customer’s site visit, when the transaction takes place. Merchants are missing what is going on before the transaction occurred, so they don’t see the full session lifecycle. They also don’t see horizontally or vertically, through various identity libraries, how that customer acts over time.
Credit cards have a CVV code as an added security measure, and online merchants have been using the code at the time of a sale. However, as the e-commerce world perpetually seeks to remove customer friction, increase conversion flow, eliminate abandonment and entice further transactions, merchants chalk up fraud as an acceptable loss. Humans tend to take the path of least resistance, so if there is a barrier to completing the transaction (having to provide the CVV code, or otherwise), merchants worry that consumers may not complete the purchase. Removing the CVV security requirement makes it easier to transact online, but it also removes a warranted security measure. To provide an experience that is hassle-free for customers and doesn’t eliminate any potential transactions for merchants, e-commerce organizations need to find security controls that can run invisibly and effectively. In other words, merchants could be making use of a wealth of data to detect and prevent fraud: the data points created by behavioral activity prior to the point of purchase.
The New State of Fraud Detection: The Proactive Approach
Identity theft and other types of fraud disrupt business operations and lead to leakage of confidential data, damage to reputation, and loss of revenue and customers. Online fraud detection (OFD) and prevention help e-commerce merchants predict and prevent fraud and malicious behavior that occurs over the Web. This is performed by running background processes that analyze attributes like user behavior, site navigation, geolocation, device characteristics and transaction activity to determine the likelihood of a user being legitimate or fraudulent. Merchants are then able to compare this data against expected behavior with the help of machine learning or statistical algorithms, or rules that define “abnormal” behavior and activities.
Online fraud detection implementation these days is non-intrusive. Rather than viewing a customer interaction as just a single snapshot, as happens with point-of-purchase fraud detection, OFD provides a high-definition movie, a fuller story of visitor behavior from beginning to end.
What sets OFD apart is the ability to know every point of interaction ahead of a transaction. For instance, did users log in properly? When did they register for their accounts? How did they register for their accounts? How did they previously interact with the site? If they were first-time users, did their transactions look like the traditional good behavior of how the website is used? Or, by the time they got to the transaction, did they do a number of things that were unusual? Was the account created in Vietnam and now the transaction is coming from Pennsylvania? For a return user, what times of day does the person typically use the site? What device do they traditionally log in from?
The result of knowing all points of interaction is the data these interactions create—all of which helps online retailers determine typical user behavior. If they see activity that is very different from the norm, merchants may be able to determine when an account takeover is happening and can hinder the transaction before checkout occurs. This data is particularly helpful when all the other data points around this transaction look like good data points; the transaction probably would have gone through without having this full view beforehand.
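As an added illustration (not code from the author or NuData Security), the following Python example contrasts a point-of-purchase snapshot with a score computed over the whole session against a per-user baseline, using the kinds of signals listed above. All field names, weights, thresholds and sample events are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Hypothetical data model; names, weights and thresholds are constructed.
@dataclass
class Profile:                 # per-user baseline built from earlier sessions
    registered_country: str
    usual_hours: range         # hours of day the user normally visits
    known_devices: set

@dataclass
class Event:                   # one step in the session lifecycle
    kind: str                  # "login", "edit_account", "checkout"
    country: str
    hour: int
    device: str
    failed: bool = False

def snapshot_score(cvv_ok: bool, billing_match: bool) -> int:
    """Point-of-purchase review: sees only the transaction's own data."""
    return 0 if (cvv_ok and billing_match) else 60

def session_score(profile: Profile, events: list) -> tuple:
    """Score every event against the baseline; returns (score, reasons)."""
    score, reasons = 0, []
    def flag(points, why):
        nonlocal score
        if why not in reasons:          # count each signal once per session
            score += points
            reasons.append(why)
    for i, ev in enumerate(events):
        if ev.country != profile.registered_country:
            flag(30, "country differs from registration")
        if ev.hour not in profile.usual_hours:
            flag(15, "outside usual hours")
        if ev.device not in profile.known_devices:
            flag(25, "unrecognized device")
        if ev.kind == "login" and ev.failed:
            flag(10, "failed login during session")
        if ev.kind == "edit_account" and any(e.kind == "checkout" for e in events[i + 1:]):
            flag(20, "account details changed before checkout")
    return score, reasons

def decide(score: int) -> str:
    return "reject" if score >= 70 else "review" if score >= 40 else "approve"

# Constructed sample: valid card data, but the session does not fit the user.
PROFILE = Profile("VN", range(12, 23), {"dev-laptop-1"})
SESSION = [Event("login", "US", 3, "dev-unknown-9", failed=True),
           Event("login", "US", 3, "dev-unknown-9"),
           Event("edit_account", "US", 3, "dev-unknown-9"),
           Event("checkout", "US", 3, "dev-unknown-9")]
```

With the sample data, the snapshot check approves the purchase because the card details are valid, while the session-level score rejects it before checkout completes.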
This OFD approach profiles the behavior of each user, which is useful to merchants, but analysis of overall good-user behavior is extremely helpful as well. An OFD approach should monitor user behavior prior to the login and registration, carrying on through when details of an account might be modified, to when a user would come back to see if the product could be retrieved. All those data points are examined to create correlations on how the users are interacting: does this user’s behavior match a previous behavior, or does something in this behavior not look right? This collective data helps merchants know what good user behavior looks like so that they can more easily spot fraudsters.
An Ounce of Prevention is Worth a Pound of Cure
The ease and convenience of online sales have made e-commerce a continually growing business with tremendous potential for those who sell products and services on the Web. Malicious actors, well aware of this lucrative market, are constantly on the lookout for ways to steal a piece of the pie. Merchants cannot drop their guard for one minute lest they risk the loss of money, reputation and consumer confidence. Rather than lowering the barriers to safe transactions for the sake of convenience, retailers can instead implement the proactive security measure of OFD. Its comprehensive anti-fraud strategies create a holistic view that enables online sellers to keep themselves and their customers safer.
Ryan Wilk is the director of customer success for NuData Security. Previously, he was manager of Trust and Safety at StubHub and spent eight years with Universal Parks & Resorts in various e-commerce roles. NuData Security predicts and prevents online fraud, protecting businesses from brand damage and financial loss caused by fraudulent or malicious attacks. NuData Security analyzes and scores billions of users per year and services some of the largest ecommerce and Web properties around the globe.