Data indicating a sharp rise in e-commerce fraud attacks since the first EMV installations at the point of sale in the U.S. is not yet available, but fraud's shift to the digital landscape and its favorite targets is apparent.
E-commerce merchants selling digital goods or high-ticket items like jewelry are facing the most serious threats, with attempted attacks increasing 254% on digital goods and 108% on luxury goods in the first three quarters of 2015, according to new research from Forter.
Tel Aviv-based fraud prevention provider Forter monitored fraud attacks on its network to compile its quarterly Global Fraud Index and compared this data to overall e-commerce sales to determine the percentage of sales ratings for the fraud environment.
Overall, total fraud attempts increased 163% in that 2015 time span, and that figure is expected to rise once fourth-quarter numbers are tallied. The liability shift for EMV chip cards took place in October 2015, but some large retailers had already begun accepting EMV cards before that date.
"The frequency of attacks is up significantly in the digital goods section, because it is quickly done with a download and then the item is stolen," said Bill Zielke, chief marketing officer for Forter, which has a marketing and sales office in San Francisco.
It is difficult for Forter or a merchant client to determine if the danger in digital goods sales results from fraudsters using stolen card credentials to make purchases, or if the fraudsters are using botnets to steal payment credentials from online shoppers. "It's probably a little bit of both," Zielke said.
As for the spike in luxury items, it is a matter of return on the investment for fraudsters. "The overall dollar value of an attack has gone down, but the benefit certainly remains higher," Zielke added.
Zielke emphasizes that the data reflects fraud attempts, rather than successful breaches. But the potential danger is there even if the attempts are blocked.
Suspected botnet use hit a high point as 2015 progressed, sitting at 33% of all attacks in the first quarter and rising to 80% by the third quarter. Other industry researchers have noticed the same trend in botnet attacks, or those coordinated through a network of computers.
"It smells to me like the level of sophistication to be able to recruit other computers and enact the algorithm needed to create fraud has gone up," Zielke said. "That's a pretty sophisticated fraud ring that represents a surprising element and something to keep an eye on."
Many expected e-commerce fraud to rise as EMV security blocked more fraud attempts at the point of sale, and the fraud numbers in 2015 indicate that process has already begun.
"We continue to cite other research out there that post-EMV fraud in e-commerce is going to increase 55% by at least 2018, and this data indicates we are moving in that direction," Zielke said.
In the U.S. overall, fraud attempts grew in the first three quarters of 2015 from 0.8% of sales transactions to 2.1% of all transactions, the report said. The bottom line cost of fraud as a percentage of sales doubled from the first quarter to third at 3.5%.
Forter promotes full fraud detection networks, real-time alerts and risk-based technology to spot attacks before they cause damage or to minimize the damage of those that break through.
Despite the mounting attacks and sophisticated fraud rings, the payments industry is becoming more mindful of the problems and embracing technology to thwart it, Zielke said.
"With the types of technology with cloud computing, machine learning and interconnected signals in a network, I feel we are definitely moving to a better place" in fraud prevention, Zielke said.
The card brands continue to push an improved version of 3D Secure as an e-commerce defense layer, but 3D Secure still carries some stigma from its first iteration, which required consumers to complete extra steps and type an extra password at merchants that supported it.
"An improved 3D Secure is a step in the right direction, but the challenge remains the introduction of too much friction," Zielke said. "E-commerce should all be one-click and free shipping, and we haven't gotten there yet with 3D Secure."