Cyber criminals also change billing addresses to thwart detection.
Paul Demery , Managing Editor, B2B E-commerce
As cyber criminals look for new ways to commit online fraud, one method that has become more common of late is changing addresses in hacked credit card accounts, providing a way for thieves to receive delivery of goods purchased with a stolen payment card account, says Julie Conroy, an analyst at financial services research and advisory firm Aite Group.
“Account takeover is sharply on the rise for e-commerce merchants, thanks to the waves of database breaches in which online credentials have been compromised,” she says. “A key indicator of account takeover is a change to the shipping address.”
To make matters worse, Conroy adds, cyber criminals are also increasingly changing billing addresses in stolen accounts. Merchants often flag for manual review online payment accounts that have different billing and shipping addresses because it can increase the likelihood that a shipment is headed to a criminal’s address. By providing matching addresses for both billing and shipping, a criminal may make it less like that a retailer notices a risky transaction, experts say.
Conroy bases her findings on interviews over the past six months with 20 e-commerce merchants, each with more than $500 million in annual online transaction volume. “The vast majority indicated that account takeover is a significant and growing issue,” she says.
One method that can be effective at guarding against such fraud, without blocking many legitimate transactions, is to use transaction-scoring software available from ID Analytics, a provider of risk management technology, Conroy says.
ID Analytics provides an eCommerce software suite that alerts online merchants to potentially fraudulent transactions based on modified account information or attributes, such as IP addresses and account numbers, that have been associated with prior online fraud. The company relies on online payment transaction data, including shipping and billing addresses and other account information, compiled in its ID Network. The network maintains databases with information from more than 250 client companies, and has compiled more than two billion consumer transactions, says director of e-commerce Aaron Kline. He adds that the ID Network gathers more than 50 million new identity data elements, such as shipping and billing addresses, every day. It also associates identity elements with known incidents of fraud.
Conroy of Aite Group notes that the combination of ID Analytics’ data network and risk management tools provides an effective way for merchants to separate good from bad transactions. “Given its consortium view of people’s identities, ID Analytics can help weed out which address changes are false positives vs. those that may be truly suspicious,” she says. “It does this behind the scenes, which means good customers won’t feel any additional friction.”