Credit card details used to be the apple of cyber criminals’ eyes, but 2015 saw a shift in focus. Fraudsters are now out to get as much personally identifiable information (PII) as possible, purchased on the Dark Web in the wake of numerous breaches against government agencies, healthcare companies and other organizations that use PII.
Fraudsters most often use the data from these breaches to steal from banking and ecommerce organizations. Analysts predict that account takeover (ATO) and new account fraud will increase by as much as 60 percent in the next three years, resulting in billions of dollars in losses.
The cat-and-mouse game of fraud perpetration and fraud prevention goes on and on. As merchants and financial institutions become better at thwarting traditional fraud techniques, criminals are forced to adapt. It’s the responsibility of financial institutions and merchants to stay ahead.
How the New Threats Work
ATO is popular these days for a variety of reasons. ATO fraud occurs when a fraudster accesses an existing user’s credentials (personally identifiable information) that allow consumers to log onto online banks, retailers, gaming sites or social media. Using an existing consumer’s account allows a criminal to masquerade as a genuine customer to transfer funds, use the payment method on file to make a high-value purchase or simply mask fraudulent transactions. Accessing these accounts has become easy through one of three common practices:
• Using brute force automated attacks for account takeover, which are systematic assaults (also referred to as “bots”) that use a script to continually “guess” a user’s password
• Attempting combinations of usernames and/or passwords obtained through data breaches, both large and small
• Cycling through easily remembered passwords, like “Password123,” or words like their child’s name, street name, birth dates or other data socially engineered from public profiles
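As an added example (not from the article or any NuData product), the following Python sketch shows how a defender can spot the first two practices above in login logs. The log format, the thresholds and the sample lines are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample log lines (not from the article): timestamp, source IP, username, result.
SAMPLE_LOG = """\
2015-09-01T10:00:01 203.0.113.7 alice FAIL
2015-09-01T10:00:02 203.0.113.7 bob FAIL
2015-09-01T10:00:02 203.0.113.7 carol FAIL
2015-09-01T10:00:03 203.0.113.7 dave FAIL
2015-09-01T10:00:03 203.0.113.7 erin OK
2015-09-01T10:00:04 203.0.113.7 frank FAIL
2015-09-01T10:05:00 198.51.100.9 alice FAIL
2015-09-01T10:05:01 198.51.100.9 alice FAIL
2015-09-01T10:05:02 198.51.100.9 alice FAIL
2015-09-01T10:05:03 198.51.100.9 alice FAIL
2015-09-01T10:05:04 198.51.100.9 alice FAIL
2015-09-01T10:05:05 198.51.100.9 alice FAIL
2015-09-01T10:30:00 192.0.2.50 grace OK
2015-09-01T10:31:00 192.0.2.50 grace FAIL
"""

def parse(log_text):
    """Yield (ip, user, success) tuples from the whitespace-separated format above."""
    for line in log_text.splitlines():
        if line.strip():
            _ts, ip, user, result = line.split()
            yield ip, user, result == "OK"

def analyze(log_text, min_attempts=5, min_fail_ratio=0.8):
    """Label source IPs whose failed-login pattern looks like credential stuffing
    (a different username on almost every attempt, mostly failing) or single-account
    brute force (one username guessed repeatedly). Thresholds are illustrative."""
    attempts, failures, users = defaultdict(int), defaultdict(int), defaultdict(set)
    for ip, user, ok in parse(log_text):
        attempts[ip] += 1
        users[ip].add(user)
        if not ok:
            failures[ip] += 1
    findings = {}
    for ip, n in attempts.items():
        if n < min_attempts or failures[ip] / n < min_fail_ratio:
            continue  # too few attempts, or mostly successful: ordinary traffic
        distinct = len(users[ip])
        if distinct >= 0.8 * n:
            findings[ip] = "credential-stuffing"  # breached username/password pairs replayed
        elif distinct == 1:
            findings[ip] = "brute-force"  # many password guesses against one account
        else:
            findings[ip] = "suspicious"
    return findings
```

Volume-based rules like this catch noisy attacks from a single source; distributed, low-and-slow attempts are what the behavioral profiling described later in the article is meant to address.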
These practices work quite well, and their use will continue – primarily for two reasons.
First, passwords can no longer be relied upon to keep a user’s account secure. Second, traditional fraud prevention systems that primarily use rules-based systems to analyze payment and personally identifiable information (PII) do not have the ability to determine whether the user accessing an account is in fact the real owner of that account.
Financial institutions can’t afford the consequences of failing to stop fraudulent transactions. While rules-based systems are still relevant in terms of apprehending other forms of fraud and some instances of account takeover fraud, they can only examine payment and some device information, not the user’s behavior at the time of login.
In addition to the growth and popularity of account takeover, new account fraud is also on the rise. In most cases, the information obtained is enough to apply for new financial accounts, many times without the victims being aware for months.
These days, fraudsters don’t sit at the keyboard all day, typing in new account information. Instead, hackers write scripts that can be run by bots en masse to attack systems using that data. Scripted attacks can be tricky to detect, as the perpetrators have studied the account creation and login pages of their target company to ensure that each field is completed correctly and appears legitimate. Standalone fraud prevention systems are merely looking at the information provided in the order or application, not the behavior displayed when logging in to or creating an account.
As businesses begin to feel the economic pain of these fraud methods, an expensive side effect develops; companies apply excess caution when reviewing orders, sometimes mistaking good orders for bad. When this occurs, the merchant is not only losing the immediate sale, but also in most cases the lifetime value of that customer. In fact, transactions denied because of suspected fraud have cost businesses more than 10 times what they’ve lost to actual ecommerce fraud. Merchants need a better way to save these legitimate sales while still preventing the potential dollar loss due to sophisticated fraud tactics.
Recognizing the Good
Losses of this kind cannot be sustained; new detection methods must be found. With many traditional fraud prevention tools, only the data entered into a shopping cart or account creation form is analyzed. Some also look at the device or connection, but both can be spoofed. With the data available from recent data breaches, all these details can match the genuine consumer perfectly and still be fraudulent and/or spoofed. Additionally, these tools only act once the order or application form has been submitted, by which point payment authorizations and fraud and/or credit reviews have already been triggered and their cost incurred.
In contrast, another detection method is gaining prominence: observable behavioral biometrics. In this case, users accessing an account or application are continually evaluated from the moment they begin interacting with an online property. The amount of time it takes to log in, place an item in a cart or get to the application page is all captured. Device information, such as whether a mobile, PC or tablet is being used, along with device identification information, browser language, screen size, location and whether the IP or geo-location has been faked, is compared to an existing user profile. The way a user interacts with a website is also analyzed, including the way a person types, how they hold their mobile phone, etc. By absorbing all of these characteristics and aggregating the data, behavioral biometrics create a unique profile for each user.
Sometimes, the best way to spot a fake is to have an expert grasp of what the original looks like. That’s the case with behavioral biometrics. By passively identifying the good users, the anomalous or bad users become obvious in comparison. This enables the program to easily highlight when a different person or bot is attempting account takeover and also allows businesses to prevent bots and systems from running scripts to access or create new accounts. Because the collected data is unique to each user, aggregating and applying all of it creates a full 360-degree view of that user.
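To make the comparison concrete, here is an added Python illustration (not code from the article or from NuData) of scoring a session against a per-user behavioral baseline. The baseline values, the three constructed sessions, the weights and the z-score threshold are all assumptions chosen for the example.

```python
# Constructed baseline for one user (not from the article): (mean, std) per behavioral
# measurement from past sessions, plus device attributes previously seen for that user.
PROFILE = {
    "metrics": {
        "login_seconds": (14.0, 4.0),      # page load to submit
        "key_interval_ms": (180.0, 40.0),  # average pause between keystrokes
        "mouse_moves": (35.0, 10.0),       # pointer events before submit
    },
    "known_devices": {("PC", "en-US", "1920x1080")},
}

# Constructed sessions: the genuine user, a scripted bot, and a human on the real user's device.
GENUINE = {"login_seconds": 12, "key_interval_ms": 170, "mouse_moves": 30,
           "device": "PC", "language": "en-US", "screen": "1920x1080", "geo_spoofed": False}
BOT = {"login_seconds": 0.4, "key_interval_ms": 0, "mouse_moves": 0,
       "device": "PC", "language": "ru-RU", "screen": "1024x768", "geo_spoofed": True}
IMPOSTER = {"login_seconds": 40, "key_interval_ms": 400, "mouse_moves": 60,
            "device": "PC", "language": "en-US", "screen": "1920x1080", "geo_spoofed": False}

def zscore(value, mean, std):
    """Distance from the baseline in standard deviations (std assumed > 0)."""
    return abs(value - mean) / std

def score_session(profile, session, z_limit=3.0):
    """Each metric more than z_limit standard deviations from baseline adds 1 point,
    an unseen device adds 1, a spoofed geolocation adds 2. Returns (score, reasons)."""
    reasons = []
    for name, (mean, std) in profile["metrics"].items():
        if zscore(session[name], mean, std) > z_limit:
            reasons.append(f"{name} out of range")
    if (session["device"], session["language"], session["screen"]) not in profile["known_devices"]:
        reasons.append("unknown device")
    if session["geo_spoofed"]:
        reasons.append("geolocation mismatch")
    score = len(reasons) + ("geolocation mismatch" in reasons)
    return score, reasons

def decide(score):
    """Risk tiers: no anomalies pass, a few trigger step-up authentication, many are blocked."""
    return "allow" if score == 0 else "step-up" if score < 3 else "block"

if __name__ == "__main__":
    for label, s in (("genuine", GENUINE), ("bot", BOT), ("imposter", IMPOSTER)):
        score, reasons = score_session(PROFILE, s)
        print(label, decide(score), reasons)
```

The bot is caught by its near-instant, keystroke-free form fill even though every field it submits is correct; the imposter on the real user's device is caught by typing and timing rhythm alone.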
Fighting Bad Behavior with Good
Fraud detection is a tricky proposition, no matter how you look at it. As quickly as the industry can come up with a solution to a fraud tactic, cyber criminals come up with a new tactic. But they can’t fake or otherwise overcome good users’ or their own unconscious behaviors. Identifying and blocking fraud attempts, while also protecting the customer experience, is the order of the day. Using data gleaned from a user’s device, including behavioral biometrics throughout an account’s lifespan, puts an end to the fraud cat-and-mouse game.
About Ryan Wilk
Ryan Wilk is the vice president of customer success for NuData Security. Previously, he was manager of Trust and Safety at StubHub and spent eight years with Universal Parks & Resorts in various e-commerce roles.
NuData Security predicts and prevents online fraud, protecting businesses from brand damage and financial loss caused by fraudulent or malicious attacks. NuData Security analyzes and scores billions of users per year and services some of the largest ecommerce and Web properties around the globe.