As criminals roll out an array of new, increasingly sophisticated schemes, retailers can turn to vendors to help them fight back.
When it comes to protecting their web sites from hackers and data thieves, e-retailers have their hands full. They can't rest because criminals regularly turn to increasingly sophisticated schemes to defeat retailers' security systems.
For proof, consider one of the latest plots being used by fraud rings. The fraud ring first poses as an affiliate site that funnels transactions made with stolen credit cards to the retailer. It then pockets the affiliate commissions retailers pay for the new traffic. Meanwhile, other criminals are launching denial-of-service attacks seeking a profit. They bombard a retailer's site with traffic to render the site inaccessible to legitimate consumers, then demand money from retailers to stop, or use the attack to distract a retailer's information technology department while they plant a worm on the retailer's server. Once the worm has been planted, it captures customer data at checkout that can later be used to steal consumers' identities.
What's more, e-retailers may soon have to contend with a new wave of fraud as banks in the United States convert to issuing credit and debit cards with chips in them. The consumer must enter a PIN, which the card's chip recognizes, making these so-called EMV cards less vulnerable to fraud at store checkout counters. In Europe and other regions where banks have migrated to chip cards criminals—effectively prevented from committing fraud by copying the magnetic stripes of payment cards—have shifted their focus to defrauding online retailers. That's why experts predict criminals currently targeting bricks-and-mortar retailers will move their business online in droves in coming years as this transition takes place in the United States.
While there are threats galore, there are also safeguards that online retailers can put in place to avoid criminal attacks and minimize fraud. Implementing these technologies can also boost sales and customer satisfaction by reducing the number of good transactions flagged as suspect, the frequency of successful frauds that force consumers to complain and banks to issue chargebacks, and by generally making customers feel more secure when transacting online.
Understanding the symptoms
"Retailers may have the resources needed to tackle fraud and secure their sites, but their expertise does not lie in these areas," says Don Bush, vice president of marketing for Kount Inc., a provider of fraud and risk-management solutions. "In the case of fraud, there are a lot of symptoms that retailers don't recognize, such as high return rates despite low chargeback rates, that suggest there is a fraud problem."
For example, one scheme multichannel retailers may fail to catch is when a criminal purchases an item online with a stolen credit card, picks it up in a store and, within a day, returns it for a cash refund or gift card. He then can purchase another item that can quickly be sold for cash or sell the gift card itself.
"Fraud prevention is a management issue because it impacts sales and revenue, and retailers that approach it from that perspective are going to have a fuller understanding of how fraud impacts their business and what they can do to correct the problem," Bush says.
One of the biggest pain points for e-retailers when it comes to fraud prevention is manual reviews of suspect transactions. Surveys suggest e-retailers on average manually review about 25% of their total transactions. In some cases, however, that figure can exceed one-third of all transactions. Manually inspecting that many transactions for telltale signs of fraud requires an army of fraud analysts to decide within seconds whether to approve the transaction.
"More than half of a retailer's fraud budget is for fraud analysts that review transactions, which makes manual reviews a costly proposition," says Greg Wooten, chief executive officer for SecureBuy, a SignatureLink company and provider of dynamic fraud detection applications.
The cost of manual reviews extends beyond the salaries of the fraud analysts, he says. Each review produces risks. For instance, if a retailer places an impatient customer's legitimate order under review, he might abandon his shopping cart, or, if a retailer has stringent rules, its analysts might end up denying legitimate transactions.
To rectify the problem, Wooten recommends e-retailers ask a customer a validation question at checkout for high-risk transactions. SecureBuy makes this possible by linking e-retailers with credit card issuers through the Visa and MasterCard networks by way of a risk-based deployment of 3D Secure processing, an XML-based protocol that adds a layer of security for online credit and debit card transactions.
SecureBuy has reengineered the 3D Secure process to prompt high-risk shoppers with a security question, without creating a pop-up window. Instead, at checkout the security question appears in the shopping cart, typically below the cardholder's credit card information. When the correct answer is provided, the consumer continues the checkout process without the need for manual review. The entire process takes place in seconds, and the retailer also gets a discount on its interchange fees. For the 40% of issuing banks not using the 3D Secure protocol, approval is granted automatically by the card brand.
"As executive assistant director of the FBI, I saw mobile and e-commerce payment fraud skyrocket, costing the economy billions of dollars every year," says Shawn Henry, a member of SecureBuy's board of directors and president of security firm CrowdStrike Inc. "One of the key ways to substantially reduce fraud is the ability to identify the criminal and/or their actions before the crime is committed. Utilizing risk-based passive and active authentication, captured signatures, certified sales receipts, and true chain of custody, SecureBuy takes this concept to an unprecedented level. This is game-changing technology for securing online commerce."
Matching IP addresses
Retailers, however, should not limit themselves to just one form of fraud detection because criminals are adept at portraying themselves as legitimate customers.
Fraud rings often use proxy servers to hide the fact they are operating out of countries where online fraud gangs operate. Many have recently added a new twist to the scheme: matching IP addresses to the city or state where the stolen credit card was issued, rather than relying on a single IP address from a country that is not likely to raise a red flag.
"Fraud rings with a lot of stolen cards from a particular geographic area will rent space on a local IP server in that area to make the transaction look like it is being originated locally," says Rupert Young, head of product management for IP Intelligence at Neustar Inc., a provider of real-time information and data analysis solutions.
Retailers can detect such fraudulent transactions by reviewing the domain name associated with the IP address. They can also do so using a technique called proxy detection, which examines much more than the presented IP address of the shopper's computer to determine if a proxy server is being used and to establish the true geographic location of the shopper's IP address.
"Criminals are becoming more creative in how they disguise the IP address associated with an online transaction," Young says. "Proxy detection is a forensic approach to real-time fraud detection that helps further mitigate fraud risk by determining the legitimacy of the IP address the customer is using."
Fraudulent transactions are not the only threat to retailers. Data thieves also seek to penetrate a site's security defenses and skim customer account data. They can use that data to fraudulently open credit card accounts in the cardholder's name to make purchases, or sell the data to identity thieves.
Many retailers are not aware that each change to their web sites may open holes in their sites' security that hackers can exploit, experts say. It's common for a retailer to fail to thoroughly vet the code for new site elements to make sure they are bulletproof or to take the time to determine the impact the new code will have on a site's overall security. That may occur, for example, when a retailer adds a tracking code to its site to follow a consumer as she moves across the site to learn about her product preferences and make suggestions based on that information. And those failures may inadvertently open a backdoor to a hacker.
"A lot of retailers are in such a hurry to add new features to their sites they don't always make certain the new application is security hardened and that the rest of their sites remain secure once the new application is added," says Soumen Das, CEO for UniteU Technologies Inc., a provider of software-as-service e-commerce services.
That's particularly important when it comes to complying with the Payment Card Industry Data Security Council's standards for securing cardholder data. "PCI-compliance is all about data security and retailers need to realize that once they are compliant it is not a static badge of approval," Das says. "They must constantly evaluate the security of the customer data flowing through their web site." Major card networks like Visa, MasterCard and American Express created the PCI rules; retailers that fail to comply can be fined or lose their ability to accept payment cards.
Rather than spend the time to make sure a new application is secure and does not weaken the security of the retail site, UniteU Technologies protects new applications by loading them on its secure e-commerce platform and making them available to the retailer on demand.
"This way hackers can't hijack the application and write new Java scripts that instruct it to pick off customer data and route it to them," Das says. "There are different vectors of attacks criminals will use to infiltrate a web site and staying on top them requires a lot of due diligence."
Before retailers can effectively combat fraud, they first have to recognize its symptoms. Digging into its sales data, music e-retailer CD Baby, for example, discovered that it was being attacked by criminals on multiple fronts. Fraud rings were testing stolen credit cards by purchasing 99-cent music downloads. Others joined CD Baby pretending to be artists, creating albums using stolen music, then repeatedly buying the albums using stolen credit cards to earn artist royalties. Still others posed as affiliates and made purchases using stolen credit cards to collect fraudulent affiliate commissions.
The recurring fraud attacks drove chargebacks up to 2.6% of CD Baby's total transactions and in one month cost the retailer $26,000 in fraud losses.
To remedy the problem, CD Baby deployed the Kount Complete platform which includes several proprietary technologies and other well-known features, such as device fingerprinting and risk-scoring tools. The fraud-fighting technology helped CD Baby accurately identify which orders should be accepted, denied or manually reviewed. Chargebacks fell to less than 0.1% of total transactions. In addition, Kount's Order Linking tool, which identifies customers using stolen cards, significantly reduced the number of transactions the retailer has to manually review.
A constant battle
"Fraud schemes are not stagnant, which means the schemes criminals are using today could be different six months for now," Kount's Bush says. "The most effective fraud-fighting solutions use the latest technology and provide numerous hurdles for criminals to clear, such as velocity checks, proxy piercing and behavioral modeling." Velocity checks flag consumers making a large number of purchases in a short time period; behavioral modeling compares normal shopper patterns to a shopper's behavior as he moves through a retailer's site to detect abnormal behavioral patterns that may indicate fraud.
Security for mobile commerce represents a new challenge for retailers. Although criminals are not yet flocking to mobile commerce because the channel is still fairly new, fraud prevention experts expect that to change once purchases through smartphones and tablets becomes a bigger part of online retailing.
One issue that arises when it comes to mobile commerce is that it is harder to validate a mobile device's location than a computer's location. In e-commerce consumers typically use a fixed IP address in close proximity to their billing address, which can indicate they are who they claim to be. The same is true for mobile users connecting through a Wi-Fi network. But validating the location of mobile users via their IP address when they are connecting to a retailer's web site through a mobile gateway is trickier because the consumer's mobile carrier may route the connection through the first available gateway available to speed the connection. And the gateway may be hundreds of miles away from the customer's billing address.
An inconsistency in proximity between the shopper's mobile IP address and billing address raises the question whether the consumer is traveling or the transaction is fraudulent. The retailer must then make a snap decision whether to flag the mobile transaction for manual review, ask the customer to validate her identity in some way—which can be tough since the small screens on smartphones are not conducive for extensive typing—or deny the transaction.
While it's not easy to determine the exact location of a shopper connecting via 3G or 4G networks, there are some telltale signs that can be useful for screening mobile transactions for potential fraud. For instance, as mobile carriers add more local gateways to improve service, a smartphone user connecting to a retailer's web site via a regional mobile gateway, as opposed to gateways that route traffic from anywhere in the country, is likely to have an IP address originating from the same state or metro area as the one provided in their billing address or a nearby state.
"Knowing the kind of information to look for around an IP address associated with a mobile transaction can improve a retailer's ability to differentiate between legitimate and potentially fraudulent transactions," Neustar's Young says. "Ultimately connections through mobile gateways are not as reliable a reference point for the origin of an IP address as those coming from a fixed Wi-Fi network."
Concerns are also popping up about the security of retailer applications downloaded to mobile devices. While mobile apps allow consumers to connect to a retailer at the touch of a finger, they are less secure than connecting to a retailer's site via a web browser because they do not automatically update their protection from malware and viruses. That responsibility falls to the consumer, which may not be diligent about downloading updates. And in some cases, app updates may not include fixes to stop the latest security threats.
"Unlike web browsers, which are secured by code residing on the host server that is constantly updated to prevent security threats, the security features of mobile apps tend to be more static," UniteU Technologies' Das says. "In some cases, app developers don't always write code into the app to secure the data passing through it."
One way to secure mobile applications is to include code that automatically launches the mobile device's web browser when the consumer arrives at the retailer's checkout page. The checkout page is then displayed through the web browser, which secures the data entered by the customer at checkout. "Web browsers provide a more secure environment for entering account data, and it is not hard to create a hybrid mobile app that launches the web browser when needed for this purpose," Das says.
E-retailers should be careful not to put fraud prevention rules into place around mobile transactions that are too stringent, as doing so can deny as many legitimate transactions as illegitimate ones. For example, a retailer may place a ceiling on the amount of a transaction made with a mobile device that when exceeded, triggers an automatic denial.
Such rules can be counterproductive because they are so absolute. "These kinds of rules are along the lines of amputating someone's hand because they have a broken finger," Kount's Bush says. "They just don't consider the variances around the transaction data that can determine whether a transaction is fraudulent or legitimate."
Bush says some retailers are too closely scrutinizing mobile transactions based strictly on the dollar amount, regardless of the type of mobile device used. "A higher level of scrutiny for certain types of mobile transactions is fine but the retailer needs to know what it is they are looking for in the transaction data, rather than just examining the transaction for the sake of doing so," he says.
A gray, but nonetheless costly, area of fraud is so-called friendly fraud or "cybershoplifting," in which consumers keep an item without paying for it by either denying they made the purchase or claiming they never received the item. The latter only works if a signature is not required by the retailer upon delivery. These consumers complain to their card issuer, which reverses the payment made to the merchant, creating what's known as a chargeback.
Disputing chargebacks can be an expensive proposition for e-retailers. So much so that unless the retailer knows for certain it can win the dispute it may decide it is better off eating the cost of the transaction than incurring costs in a losing battle.
However, there are vendors that can help retailers combat friendly fraud. SecureBuy has developed a biometric signature-capture application as part of its SecureBuy 1.0 and 2.0 platforms that is compatible with mobile devices and computers and is essentially device agnostic. Consumers reaching a retailer's checkout page will see a pressure-sensitive signature-capture window that records their signature. Consumers shopping via a desktop or laptop computer can sign their name using a mouse. Mobile shoppers can sign their name by pressing their finger or a writing stylus to the screen on their mobile device. Shoppers do not need any plug-in peripheral devices to sign their name.
Once the consumer's signature is electronically captured, it appears on their receipt along with the retailer's terms and conditions. An electronic copy remains on file with the retailer that can be referenced in the event of a chargeback dispute. "About 20% of all fraud is friendly fraud or cybershoplifting and signature capture can reduce chargebacks by as much as 97%," SecureBuy's Wooten says. "Adding a signature to an online sales draft with terms and conditions creates a legally binding sales transaction that protects the retailer."
Retailers can also protect themselves by preparing for a denial-of-service attack. The goal of hackers launching such attacks is to overwhelm a web site with bad traffic, making it impossible for legitimate visitors to access the site, which essentially means the hackers are holding the site hostage. Once their objective is achieved, the criminals will demand a ransom before they stop the attack and allow the web site to resume normal functioning.
Lately, criminals have found a new objective for denial-of-service attacks, introducing malicious programs, onto the retailer's web server to skim customer account data. "Using denial-of-service attacks as a cover for a data security breach is a very real threat and retailers need to make sure their technology partners are able to not only respond quickly to the disruption caused by the denial of service, but are able to detect any potential security breach that goes along with it," UniteU Technologies' Das says.
More often than not, retailers opt to combat the threat of a distributed denial-of-service attack (DDoS) by completely shutting down their sites until they can fix the problem. While effective, it is a short-term solution to a problem that can potentially last for days or weeks, thus alienating repeat customers and new visitors who cannot access the site. And unscheduled downtime can drive customers to a competitor's site and erode their loyalty.
"Staying operational during a DDoS attack is something retailers need to plan for, because a complete shutdown in the event of an attack can harm their business," Neustar's Young says.
Neustar has developed a web site traffic filtering service that separates bad traffic resulting from a DDoS attack from good traffic so retailers can keep their sites operational and customers happy.
Because fraud is always evolving, retailers always have to be looking out for potential threats. In the near-term, the introduction of EMV cards to the United States is likely one big danger because criminals stopped at the physical point of sale by EMV's anti-fraud technology will likely move online.
"In every market around the world where EMV has been introduced online fraud has risen dramatically while in-store fraud has dropped just as dramatically," Wooten says. "Retailers need to be prepared." That's because there are two kinds of e-retailers, he says. "Those that have been hit by fraud and will be targeted again, and those that haven't been hit yet but will be."