Upon the onset of the pandemic, consumers increasingly shifted to online and hybrid shopping experiences. Now, in the ‘new normal,’ this change in shopping behavior is here to stay. In response, fraudsters have become more creative in their attacks. These bad actors are abandoning simple fraud attacks in favor of scripted attacks that imitate authentic user behavior.
To learn more about how to fend off creative fraud attacks without compromising the customer experience, PaymentsJournal sat down with Jonathan McGrandle, Director of Market Delivery at NuData Security, Dave Senci, VP of Product Development at NuData Security, and Tim Sloane, VP of Payments Innovation at Mercator Advisory Group.
The pandemic-driven growth of e-commerce
Online shopping skyrocketed during the pandemic and is now reaching maturity. According to NuData, e-commerce purchases among major retailers grew by 51% year-over-year from H1 2020. Meanwhile, account opening decreased by 15%. While that decrease may seem contradictory, it makes sense.
Pandemic-triggered lockdowns and closures took off in the first half of 2020, which is when consumers began flocking to e-commerce websites to fulfill their shopping needs. As they were pushed online, they created accounts across the e-commerce merchants with whom they shop.
Online shopping has now reached a peak. In other words, shoppers are not creating as many new accounts because they already have accounts across their preferred merchants. As a result, the decline in new account creations—despite the continued rise in e-commerce activity—is unsurprising. “Actual online activity has really taken off, almost to the point where we’ve reached this peak of online consumer maturity. People are online, they’re registered, and now they’re really starting to take advantage of that,” explained McGrandle.
Consumers are similarly adopting hybrid shopping experiences such as Buy Online Pickup in Store (BOPIS) and curbside pickup. Mastercard SpendingPulse™ anticipates continued growth of around 15% for BOPIS as customers continue to take advantage of this simplified, convenient, and seamless shopping experience.
Other areas are seeing growth, too. More specifically, Mastercard has estimated a 55% increase in restaurant spending and a 60% increase in department and apparel store spending. “In some countries, the pandemic restrictions are kind of easing out, but definitely online activity and purchase activity in general is at an all-time high,” added McGrandle.
Fraudsters reach new levels of maturity
The e-commerce boom was crucial for merchants’ survival during the pandemic. However, some merchants were unprepared for this shift when COVID-19 emerged. “There [were] a lot of merchants that didn’t really operate in the online space during the height of COVID and restrictions and small businesses shutting down, so they had to quickly adjust to create an online presence,” said Senci.
As they established their online presence, merchants also took steps to prevent an influx of fraud attacks. Much of that influx was unsophisticated: card cycling, in which fraudsters write a computer script to test the validity of stolen card credentials, saw a 54% increase. But fraudsters are also using more creativity to try to fool common security tools and rules.
“One thing we’ve seen is that fraudsters are extremely creative in changing their tactics, in broadcasting a tactic that worked… with other fraudsters, to apply new machine learning tools to their attacks,” said Sloane. “They’re very sophisticated in how they try to take our money.”
For merchants, this means fraud prevention must go beyond stopping the simplest of attacks. “Just like fraudsters are having to adjust their fraud strategies and the ways they attack, merchant fraud prevention methodologies are going to do the same,” Senci added.
Scripted attacks imitate authentic user behavior
Determined fraudsters have begun to put more effort into appearing authentic than was previously necessary. “Sophisticated [human-looking] attacks are actually going to take the time and make the effort to spoof their device with well-researched parameters. So that might mean using IP addresses that come from legitimate carriers, making sure that the time zone of the device aligns with the IP address, and simple things… that as legitimate users we never really think about, but as a fraudster, they do actually have to put a little bit of investment in,” said McGrandle.
Spoofing a device, imitating user mouse clicks and keystrokes – and pulling in human users for key moments of the user experience, such as having actual humans solve CAPTCHAs and other bot challenges – are some tactics fraudsters use to circumvent merchant fraud protection.
That doesn’t mean modern fraudsters can’t be stopped. What it does mean is that the simplest fraud prevention tools are no longer enough. It’s critical to look not just at device parameters and credentials, but also at the behavior of the user – or foe.
“As fraudsters put in these investments, they are now easily thwarting some of those device identification strategies. But again, the thing to keep in mind is as a legitimate consumer, I’m not typically taking these steps to spoof my device or mask my device… So, shifting [a merchant’s] device strategy and introducing behavior [are] definitely two strong ways to combat some of these sophisticated attacks,” explained McGrandle.
The latest in fraud: artificially increase the quality of stolen credentials
Artificially increasing the quality of stolen credentials during an account takeover attempt is a powerful example of what today’s fraudsters can accomplish. In 2020, the average correct credential rate (the share of credentials that were correct during an account takeover attack) across multiple industries was 1.9%; in the first half of 2021, it was nearly 10%. This could mean that the quality of the stolen credentials was better, or that fraudsters did something else to make it look that way. In comparison, authentic users logging into their accounts input correct login credentials 70% to 90% of the time.
What does this increase mean? “When you see that at face value, that implies that the quality of data has drastically increased in these breaches that fraudsters are buying. And when we actually took a deeper dive into that, we found a really interesting case study at NuData,” said Senci.
The specific attack NuData saw consisted of thousands of usernames and passwords thrown at a login page in an obvious attack. The noteworthy aspect was that 40% of these login attempts carried correct credentials, even though NuData mitigated the attack. NuData found that the attackers had used several methods to raise their credential success rate, including testing credentials at the password-reset flow to purge accounts that didn’t exist and creating fake accounts whose passwords they already knew.
By the time they tested their credentials at login, they had a significantly higher credential success rate than the average fraudster. They had purged the accounts that didn’t exist and mixed the accounts they had created into the attack, so that their overall credential success rate appeared higher and bypassed basic tools that rely on that single parameter to block traffic. “All in all, that’s pretty terrifying. They are getting so good at this, it’s scary,” said Sloane.
While a 40% success rate stood out to NuData as a clear fraud attempt, it could have fooled simple rules-based security tools. Case studies like these show that security tools must go beyond simple device intelligence and login success information. A holistic approach that protects the entire environment in a coordinated and connected way is ultimately necessary to mitigate these extremely creative takeovers.
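As an added illustration (not NuData’s or the article’s code; the log is constructed and the thresholds are assumptions), the following Python contrasts the success-rate-only rule the case study says was bypassed with a check that correlates the reset probing and attacker-registered accounts described above:

```python
from collections import defaultdict

# Constructed sample log (not from the article): "src-A" probes 300 usernames
# at password reset (only 100 exist), registers 100 accounts of its own, then
# fires a 500-attempt login burst in which 200 succeed (40%), the pattern the
# case study above describes. "src-B" is a genuine shopper. Each event is
# (timestamp, source, kind, account, ok); ok means "account exists" for a
# reset and "credentials correct" for a login.
def build_sample():
    ev = [(1000 + i, "src-A", "reset", f"user{i}", i < 100) for i in range(300)]
    ev += [(2000 + i, "src-A", "signup", f"fake{i}", True) for i in range(100)]
    for i in range(500):
        acct = f"user{i}" if i < 100 or i >= 200 else f"fake{i - 100}"
        ev.append((3000 + i, "src-A", "login", acct, i < 200))
    ev += [(3000 + i, "src-B", "login", "shopper", i % 5 != 0) for i in range(20)]
    return ev

def login_rate(events, source):
    logins = [e for e in events if e[1] == source and e[2] == "login"]
    return sum(e[4] for e in logins) / len(logins) if logins else 1.0

def naive_rule(events, source, min_rate=0.05):
    """Rule the article says was bypassed: block only when the source's
    login success rate is suspiciously low (threshold is an assumption)."""
    return login_rate(events, source) < min_rate

def holistic_rule(events, source, window=86400):
    """Correlate reset probing, self-registered accounts and burst size
    instead of trusting the success rate alone. Thresholds are assumptions."""
    evs = [e for e in events if e[1] == source]
    logins = [e for e in evs if e[2] == "login"]
    if not logins:
        return False, {}
    first_login = min(e[0] for e in logins)
    # accounts this source registered shortly before it started logging in
    own = {e[3] for e in evs if e[2] == "signup" and first_login - e[0] < window}
    probes = sum(1 for e in evs if e[2] == "reset" and not e[4])
    successes = [e for e in logins if e[4]]
    self_made = sum(1 for e in successes if e[3] in own) / max(1, len(successes))
    signals = {
        "burst": len(logins) >= 100,
        "reset_probing": probes >= 50,
        "self_made_share": self_made >= 0.5,
    }
    return sum(signals.values()) >= 2, signals

if __name__ == "__main__":
    log = build_sample()
    for src in ("src-A", "src-B"):
        print(src, f"rate={login_rate(log, src):.0%}",
              "naive_block=", naive_rule(log, src),
              "holistic_block=", holistic_rule(log, src)[0])
```

The 40% source passes the naive rule untouched, while the correlated signals flag it and leave the 80% genuine shopper alone.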
Striking the delicate balance between fraud prevention and customer experience
For merchants, preventing fraud cannot come at the expense of a seamless customer experience. If too much friction is introduced into the customer journey, they risk losing these customers to competitors. Ultimately, it’s up to merchants to determine their comfort level when it comes to risk management.
“Overall, we really just need to find that balance between risk management and the user experience. I think the best way to go about that is to really use fraud tools that have a multi-layered approach because [merchants] are going to naturally have a slightly lower false positive rate, and that allows [them] to increase the user experience for all of [their] legitimate consumers,” McGrandle concluded.