E-commerce grew 20% for Costco in fiscal 2015—20 times faster than store sales.
Criminals are making big bucks defrauding online retailers, and using their ill-gotten gains to become even more technically sophisticated and dangerous. Fraud-prevention specialists are keeping the pace with advances of their own.
Criminals are continually coming up with new ways to defraud online retailers, and fraud-prevention companies are responding by constantly developing new fraud-fighting tools. For online retailers, it's essential to be aware of the new threats, and the new techniques for thwarting the bad guys.
There's no secret why criminals are drawn to e-commerce: From the anonymity they gain by not having to be physically present at the time of purchase to the quick-strike capability of computer programs that allows them to simultaneously make purchases from multiple merchants, criminals can make money fast with little fear of getting caught.
The lucrative profits enable fraud rings to invest in sophisticated technology, which makes them better able to disguise their identities and skirt retailer's fraud-fighting systems. The most technically savvy fraud rings can now hide their IP addresses. They also have access to underground online chat rooms where they can meet sellers of CVV codes and expiration dates, payment card data that merchants rely on to confirm the person making the purchase is in physical possession of the card.
Factor in the explosive growth of transactions initiated with mobile phones, which criminals can fraudulently obtain and dispose of after a few transactions, making it harder to track their purchasing patterns, and it's no wonder retailers are struggling to stay ahead of the latest fraud trends.
"There is a lot of money for criminals to make by defrauding e-commerce merchants, and fraudsters' growing level of technical sophistication is emboldening them when it comes to perpetrating fraud online," says Carl Clump, CEO of Retail Decisions Ltd., which specializes in fraud detection. "Criminals are constantly finding new loopholes to beat the system and will always attack the weakest link in the chain, which means e-retailers need to constantly evolve their fraud-prevention practices and solutions."
Staying one step ahead of organized fraud rings requires deployment of the most up-to-date fraud-prevention technologies such as device fingerprinting and tokenization. With device fingerprinting online merchants can trace the transaction history of the device being used to initiate the transaction. Device fingerprinting can recognize criminals even if they change their identity through the use of proxies and stolen credit cards or account information as long as they use the same device, because it can show merchants the device that is used for the transaction has a known bad track record or is suspect. Device fingerprinting can be used for mobile devices as well.
Tokenization is an encryption technology preventing criminals from accessing credit and debit card numbers that they can use for fraudulent purchases.
The emergence of device fingerprinting, tokenization and other proven fraud-prevention technologies like IP geolocation, blacklists and velocity checks gives merchants a leg up in spotting and rejecting suspect transactions.
"Fraud rings are becoming more organized and globalÑthat means retailers need to be adding new tools to help them detect fraud and protect sensitive customer account data," says Koen Vanpraet, chief commercial officer for payment services provider GlobalCollect.
Retailers can also fight fraud by adding alternative payment options that are popular locally and inherently have a lower fraud risk. These include real-time bank transfers from a shopper's bank account. Such bank transfers are a popular payment method outside the United States.
"The idea is to create a customized multi-layer approach to fraud prevention, instead of relying on just one tool or strategy," says Vanpraet. "The more layers there are to complement each other, the harder it is for fraudulent transactions to slip through the cracksÑbut one size does not fit all"
Who do you call?
For many retailers the cost of implementing new fraud-fighting technologies on their own is an expensive proposition. That's why many retailers are turning to companies that specialize in fraud prevention. These specialist firms can often provide sophisticated antifraud technologies at more affordable prices than a retailer can get on its own because they can spread the cost of technology over a large merchant portfolio.
These providers also spare retailers the technological nightmare of having to cobble together fraud-detection applications, a process that can create a complex maze of software to maintain. Considering that small and mid-sized e-retailers typically do not have large information technology staffs or budgets, it often makes sense to outsource fraud prevention.
"In a lot of cases merchants are looking for a silver bullet when it comes to fraud prevention and detection, and adding the latest bells and whistles to a home-grown operating platform does not always result in a seamless integration, which can be costly for the merchant," says Steve Rouse, chief operating officer of Kount Inc., a provider of turnkey fraud and risk-management solutions.
A major advantage of using a fraud-prevention technology provider is that retailers are assured of regular upgrades, which means they can keep up with the latest criminal schemes. "Fraud-prevention systems that are not regularly upgraded can become static and fall behind the latest fraud trends," says Rouse. "Regular upgrades assure merchants of a comprehensive fraud-management solution that keeps pace with, and ahead of, changing fraud techniques and makes merchants better equipped to fight fraud in the long run."
Staying a step ahead of criminals is a full-time job as they continually find new ways to defraud merchants. One method to watch out for is criminals using a proxy server, which makes it appear they are coming to a retail site from a reputable organization, such as a corporation, public Internet service provider, university or hospital, or hides the fact they are coming from countries associated with online fraud.
Criminals will obtain the addresses of known proxy servers and probe them to see if they can pierce a server's defenses to create the appearance they are logged onto the server when communicating with the retailer's web site. Use of proxy servers enables criminals to hide their geographic location by leaving a convoluted trail of clues about how they came to the retailer's web site.