Unfortunately, as fraud prevention technology advances, so do fraudsters’ tactics. Think of the cat and the mouse. As merchants and financial institutions become better at thwarting traditional fraud techniques, criminals are forced to adapt. The onus is now on the financial institutions and merchants to stay ahead.
More than 700 million consumer records were exposed to fraudsters in 2015 alone, according to the Gemalto Data Breach Level Index. While credit card details may have been the most wanted information in past years, 2015 was the year when data from leading healthcare companies, government agencies and similar firms became the hottest commodity on the Dark Web.
Data stolen in these breaches is typically used in fraudulent attacks on banking and e-commerce organizations. A 2015 study by Javelin Strategy & Research on the impact of data breaches on consumers found that account takeover and new account fraud will increase by 60 percent in the next three years. That makes for an estimated $5 billion lost last year to $8 billion in 2018.
Financial institutions and merchants must implement solutions that identify and prevent fraud attempts, while also protecting the customer experience. The way to do this is by combining data obtained from device and observable behavioral biometrics from the time of login or account creation and throughout the user’s account lifespan.
Beating breaches means understanding the different types of attacks. Account takeover (ATO) fraud occurs when a fraudster accesses an existing user’s credentials (personally identifiable information) that allow consumers to log onto online banks, retailers, gaming sites or social media. Using an existing consumer’s account allows a criminal to masquerade as a genuine customer to transfer funds, use the payment method on file to make a high-value purchase or simply mask fraudulent transactions. Accessing these accounts has become easy through one of three common practices:
• Attempting combinations of usernames and/or passwords obtained through data breaches, both large and small
• Cycling through easily remembered passwords, like “Password123,” or words like their child’s name, street name, birth dates or other data socially engineered from public profiles
• Using brute force automated attacks for account takeover, which are systematic assaults (also referred to as “bots”) that use a script to continually “guess” a user’s password
Account takeover attempts will continue to grow for two main reasons. First, passwords can no longer be relied upon to keep a user’s account secure. Second, traditional fraud prevention systems that primarily use rules-based systems to analyze payment and personal identification information (PII) do not have the ability to determine if a user accessing an account is in fact the real user of that account.
The economic ramifications of failing to prevent orders or bank transfers at any point can be immense. While these systems are still relevant in terms of apprehending other forms of fraud and some instances of account takeover fraud, they can only examine payment and some device information, not the user’s behavior at the time of login.
New account fraud is also growing. According to a 2016 report by Javelin Strategy & Research titled “2016 Identity Fraud: Fraud Hits an Inflection Point,” there has been a 113% increase in incidence of new account fraud, which now accounts for 20% of all fraud losses. In most cases, the information obtained is enough to apply for new financial accounts, many times without the victims being aware for months.
Neither of these methods is typically attempted by a human. Hackers write scripts that can be run by bots en masse to attack systems using that data. Scripted attacks can be tricky to detect, as the perpetrators have studied the account creation and login pages of their target company to ensure that each field is completed correctly and appears legitimate. Standalone fraud prevention systems are merely looking at the information provided in the order or application, not the behavior displayed when logging in to or creating an account.
Whenever these new fraud methods start to become costly for businesses, an expensive side effect develops; companies apply excess caution when reviewing orders, sometimes mistaking good orders for bad. When this occurs, the merchant is not only losing the immediate sale, but also in most cases the lifetime value of that customer. Javelin Strategy & Research evaluated this issue in a sponsored study entitled “Overcoming False Positives.” Roughly 33 million -- or 15% -- of cardholders had a transaction denied because of suspected fraud in the past year. That’s resulted in a nearly $118 billion loss. In contrast, actual ecommerce fraud in the U.S. only reached $9 billion. Merchants need a better way to save these legitimate sales while still preventing the potential dollar loss due to sophisticated fraud tactics.
With these fraud attacks growing at a rate of 60% over three years, it is high time that financial institutions and online companies consider new detection methods. With many traditional fraud prevention tools, only the data entered into a shopping cart or account creation form is analyzed. Some will look at device or connection, which can be spoofable. With the data available from recent data breaches, all these details can match perfectly with the genuine consumer yet still be fraudulent and/or spoofed. Additionally, once the order and application form is completed, it initiates fraud decision-related resources via payment authorizations and fraud and/or credit reviews.
With observable behavioral biometrics, users accessing an account or application are continually evaluated from the moment they begin interacting with an online property. The amount of time it takes to log in, place an item in a cart or get to the application page is all captured. Device information such as whether a mobile, PC or tablet is being used, along with device identification information, browser language, screen size, location and whether the IP or geo-location has been faked are all compared to an existing user profile. The way a user interacts with a website is also analyzed, including the way a person types, how they hold their mobile phone, etc. By absorbing all of these characteristics and aggregating the data, behavioral biometrics create a unique profile for each user.
By passively identifying the good users, the anomalous or bad users become obvious in comparison. This enables the program to easily highlight when a different person or bot is attempting account takeover and also allows businesses to prevent bots and systems from running scripts to access or create new accounts. The uniqueness of the data gathered and the aggregation and application of all collected data creates a full 360-degree view of each user.
Ryan Wilk is the vice president of customer success for NuData Security.