For most retailers heading into this year’s holiday-season sales crunch, the epic Equifax data breach was only the latest in a series of escalating threats that are having a profound effect on the way they handle payments.
The scope of the September Equifax event may be vast, but it’s not the first time many of the millions of consumer files have been compromised, sold and resold on the “dark web,” forcing merchants to accept the reality that fraud is an ongoing and evolving risk that calls for customized solutions.
Specific risks to retailers online and in stores this holiday season will come from criminals using troves of stolen consumer account data to spoof identities for in-store purchases and create synthetic identities for fraudulent accounts plus applying stolen data to machine-driven account-takeover fraud, with all categories of fraud on track to rise this year, according to data from Auriemma Consulting.
What's in store
Many retailers that sell higher-ticket merchandise already are bolstering authentication methods this holiday season, in anticipation of increased fraud threats after data breaches and malware attacks and the surging growth of e-commerce through mobile channels, and they will need to closely track trends and tighten controls if they see fraud begin to spike when holiday sales surge after Thanksgiving.
“With the continued adoption of EMV at the POS, especially those merchants that criminals traditionally like to patronize selling electronics and high-end consumers goods, e-commerce merchants will be the targets of choice this holiday season,” said Al Pascual, a senior analyst with Javelin Strategy & Research.
The drawback in heavying up authentication, however, is the possibility that false positives will turn away good customers, he noted.
“With all the online traffic retailers will see this year, it will be harder than ever to separate good customers from bad without stronger controls in place,” Pascual said.
Retailers that are succeeding at streamlining sales while ferreting out fraud have found the best approach is to use a combination of technology, tools and processes customized for their specific niche and risk levels.
Online fraud is a constant threat for Closet Candy, a women’s apparel company based in Indianapolis, and attempted theft intensifies each year around the holidays, said founder and president Christina Smith.
After launching in 2012 on Shopify’s hosting platform, sales quickly soared to more than $6 million annually, but the operation is not large enough to sustain many losses, according to Smith, who personally investigates most fraud incidents.
“Over the last couple of years we’ve dialed our chargebacks down to one or none per month, because I analyze the heck out of every fraud case to avoid any repeats,” she said.
The first line of defense is filters built into the Shopify’s system that signal when an order has risky characteristics.
A common sign of attempted fraud is when the customer requests shipment to a destination different than the billing address, or when orders are placed from a computer IP address that’s more than 50 miles away from the shipping address, according to Smith.
Other red flags include unusually large gift card purchases and orders of multiple sizes of the same item shipped to a single address, presumably for resale.
“We look at a range of data to validate orders, including the path the shopper followed to reach the site,” Smith said, noting that customers who arrived directly from an online or social media promotion tend to be legitimate customers who regularly shop the site.
Whenever an order has an odd combination of characteristics, employees run a series of quick tests to verify that it’s legitimate. If they can’t resolve the case, they bump it up to senior management for further investigation.
“We’ll explore publicly available information of consumers’ addresses, and fraudsters usually have a lot of discrepancies that are easy to spot. For example, if you’ve got a $400 order going to what Google Maps indicates is a shack, chances are high you’ve got a problem,” Smith said.
Closet Candy relies heavily on social media to promote its wares, which Smith said helps to spot fraudsters.
“We get a lot of repeat business, so there’s a consistency to the mix of merchandise and price points we see from legitimate customers, and anything that’s way out of the ordinary catches our attention for further scrutiny,” she said.
The big picture
Personally vetting each suspicious sale may work for Closet Candy, but e-commerce operators with higher volume often rely on third-party services to help in fraud detection.
Huckberry, a large and growing menswear website launched six years ago in San Francisco, hired Kount, of Boise, Idaho, to assist in fraud protection through its fraud-filtering platform and consulting services, said Lisa Eugene, a fraud analyst for the retailer.
Kount, which has worked with Huckberry for several years, maintains a broad set of transaction data from numerous e-commerce merchants and automatically compares that information against prospective transactions to determine whether customers are legitimate.
“Today’s fraudsters aren’t just random individuals in a basement somewhere—these are people using information available on the ‘dark web’ and even on Reddit who leverage sophisticated knowledge about fraud and technology to probe e-commerce systems,” said Melayna Gabiou, Kount’s senior marketing manager.
Expert e-commerce fraudsters create IP proxies, engineer remote desktop logins and emulate mobile devices, and they know how to spoof device-identification systems, she said.
“A multilayered fraud detection system will send fraudsters elsewhere,” Gabiou said, noting that the central weapon Kount provides is a vast storehouse of information from e-commerce sites that’s constantly refreshed.
Whitepages Pro is one of the data providers Kount works with to speedily validate customers. Using a network of 5 billion consumer records, Whitepages Pro’s Identity Graph establishes linkages between five key customer attributes including email, phone number, person, address and business, according to Sam Hartung, Whitepages Pro’s risk partnership manager.
“When a customer sends us these attributes, we key off of all five at once, to see whether the e-commerce site’s consumers are who they say they are,” Hartung said.
Armed with Kount’s data filters, Huckberry prepares for fraud each holiday season by devising new policies to combat fraud based on recent trends of legitimate transactions and attempted fraud, Eugene said.
“The data not only points out potential fraud scenarios, but isolates the risky-signal combinations we want to confirm before approving a transaction. For example, earlier this year we compared recent transaction data with previous years, and used the data points on certain signals to help us build new rules to reduce false positives,” Eugene said.
Huckberry typically hires additional personnel to process orders during the holiday season and teaches them how to handle manual reviews on questionable transactions, escalating trickier cases to more experienced agents, she said.
Each order also goes through an automated assessment of how the customer navigated to the site, which can provide valuable clues to investigating potentially fraudulent orders, Eugene said.
Rise of the machines
Criminals increasingly are turning to machine learning and bots to commit online fraud, which pose a special challenge in industries selling high-ticket goods, such as the travel industry.
The Canadian travel agency RedTag.ca sees a surge of all types of fraud attempts during the holiday season when travel volume surges, said Roberto Gennaro, chief digital officer at RedTag.ca.
“Fraud attempts escalate right before the holidays for flights within a few days of the bookings, with fraudsters using stolen cards from travelers,” Gennaro said.
One of the insidious side effects of criminals deploying bots is that they often fraudulently reserve blocks of seats on flights, causing the price of the remaining unsold seats to increase dramatically, throwing off sales, he said.
“Threats from bots are always changing, and as they get better at mimicking human behavior while browsing our travel sites, they make it look like they’re legitimately shopping by adding items to their cart and proceeding to a checkout page,” Gennaro said.
RedTag.ca has been able to thwart many bot attacks this year with help from Distil Networks, which weeds out bad bots from humans before the checkout process begins, he said.
While the good guys are deploying new tools of their own, to block fraud without impeding legitimate sales, industry organizations are working to find a replacement for flimsy passwords, and retailers are recognizing the need to use multiple tools and filters — along with developing their own unique solutions based on their mix of merchandise, customer base and business models, experts say.
“EMV payment tokenization has been around for a while and it’s helping to protect certain payment methods, but the recent publication of EMVCo.’s updated tokenization framework has benefits that can be extended to all transactions, including mobile NFC, e-commerce and in-app transactions,” said David Worthington vice president of business development at Rambus, which provides a range payments technology including mobile payments and token services.
In addition to confronting these threats, more retailers are adopting omnichannel strategies to sell goods online, through mobile devices and inside stores and kiosks, expanding their overall exposure to risk.
“As retailers move towards an omnichannel approach to deliver an enhanced experience for consumers, vulnerabilities are emerging that can be exploited by sophisticated fraudsters armed with significant amounts of personal information obtained by data breaches,” Worthington said.
“The POS systems at retailers’ branch offices can be a prime target for determined hackers, who may find weak security and enter to connect to a merchant’s remote data center, giving the attacker the ability to move laterally through the network, compromising the breadth of a retailer’s payment systems,” said Matt Hur, director of product management for public key infrastructure at Entrust Datacard, which provides software and hardware support to authenticate consumers in bank and retail environments.
But the payments industry isn’t resting idly while threats rise, experts say.
The industry is working to develop more secure customer authentication methods based on biometrics and multifactor protocols, including a new approach with advocates at the FIDO Alliance, which designs and develops strong authentication methods that experts say show immediate promise for improving payments security.
While working to spot fraud, merchants also are welcoming many new customers online and in stores during the holidays—and fraudsters know it. Criminals can strike at any hour, but they often concentrate their attacks during heavy sales periods on weekends, late in the day and just before stores close, experts say.
When fraudsters slip past retailers' bulwarks, there's still a chance to block the transaction at the processing level using machine-learning technology, said Karim Ahmad, head of global product and innovation at TSYS, a major payments processor based in Columbus, Ga.
TSYS partnered with U.K.-based Featurespace last year for a bank service that applies adaptive behavioral analytics to spot uncharacteristic customer patterns that might be fraudulent, according to Ahmad.
“Featurespace creates a profile of what normal behavior looks like for a specific consumer, and then every transaction on the account gets compared against that profile,” Ahmad said, noting at least two TSYS bank customers will be using the service, called Foresight Score, for the first time this holiday season.
There is no single solution to combat fraud in all environments, but the payments industry is embarking on broad efforts to upgrade authentication processes across the board, a painstaking effort that requires cross-industry cooperation to adopt standards, said Brett McDowell, executive director of the FIDO Alliance.
The approach FIDO recently began to recommend, called high-assurance strong authentication, leverages two or more factors to verify the customer, with one of those utilizing public key cryptography. This method can be directly adopted by retailers within 30 days and shows significant promise for broadly reducing fraud, McDowell said.
“The largest payments and e-commerce sites can support live transactions using a vendor-assisted FIDO implementation in days, enabling operators to secure web, mobile and kiosk channels and provide the consumer the choice of using biometrics built into their device such as face/voice/fingerprint, a personal token or a simple PIN mechanism secured by FIDO standards,” McDowell said.