Has the Same Technology That Is Used to Prevent Fraud Opened the Door to Increasingly Sophisticated and Pervasive Online Fraud

June 30, 2020
I recently switched from using Safari to Chrome. And while I made this move reluctantly and with a heavy heart, I'm really glad I did it. Not because I have any affinity for Google or a hidden love for Chrome, though it is growing on me. But because it reminded me about something many of us are too quick to take for granted when it comes to online retail fraud.

But to understand this, you have to understand more about my move from Safari to Chrome. By all accounts, this was pretty smooth and boring. No fireworks or fanfare here. There was no learning curve or real adjustment time. If I'm honest, the most challenging part was manually updating passwords because I'd relied on Safari's built-in password manager for so long. And then, I discovered the Password Checkup feature within Chrome's Password Manager.

A quick walkthrough revealed that I had 17 compromised passwords, 94 reused passwords, and 61 accounts using weak passwords. I was shocked. Who knew? See, the thing is, I'd always prided myself on being quite tech-savvy. I couldn't quite grasp the fact that I'd used weak passwords (plural), let alone that several of my passwords had been compromised. I quickly ran through Chrome's recommended steps to rectify this. And 20 minutes and several new passwords later, when I got the green light from Google, I felt calm once again. Order had been restored to my online kingdom. My passwords, private information and credit card details were safe yet again. But it's not quite as simple as that. It never is when it comes to online retail fraud.

Here's the thing. I'm embarrassed to admit it, but my passwords for Amazon and Etsy were among those that had been compromised! Who knows when. Who knows how. I certainly had no idea even though I use these sites on an almost daily basis. It terrified me to think that someone out there had my password and may have even logged into my account. It scared me even more to think what they may have done while logged in. Maybe they disabled notifications and then made a transaction? Maybe they made other changes to my account, like changing the shipping address? I had no idea. And while I have since changed my passwords and activated two-step verification, fraudsters are often 20 clicks ahead of us. It made me realize that technology may be giving us a false sense of security. It got me thinking: is the very technology that's meant to protect us putting us at even greater risk?

The more things change. The more they stay the same

We all know that online retail fraud is evolving at an alarming rate. And the stats to prove this abound. A recent report from Signal Sciences suggests that of this year's estimated $630 billion online retail sales, fraudsters will pocket $12 billion. And that's probably a conservative estimate. However, what's interesting is not how prolific online retail fraud has become, but rather the nature of this fraud.

What we're seeing is that fraud strategies and tools are becoming increasingly sophisticated and systematized. And while in many cases online retailers know of tools and technology to detect and prevent this fraud, many are reluctant to use them. The fear that this added friction to the customer journey would mean a dramatic spike in cart abandonment is not unfounded: research has found that an estimated 1 in 5 shoppers abandon their carts because the checkout process was too long or complicated. Forter reported that most shoppers will abandon a cart if it takes more than 3 steps to complete a transaction! See, the thing is that any security hurdle will add some friction to the customer journey, and that is something online retailers desperately want to avoid at all costs. And so they do, giving fraudsters an opportunity to do what they do best.

What we're noticing is that as the technology evolves, so too do the attack strategies. It is almost as if there's no stopping these fraudsters. This begs the question: Is there a link? Is it possible that advances in technology present an opportunity for fraudsters, making fraud ever more sophisticated, pervasive, and harder to detect? It's a terrifying thought, but is it possible that fraudsters are using the very technology that is meant to keep retailers safe against us?

Technology to the Rescue? Not Likely.

In some cases, it’s technology that fails when it comes to effective fraud detection and prevention. Many legacy fraud detection systems end up erroneously flagging legitimate shoppers if their shopping behavior deviates from a typical behavior or pattern. This results in unnecessary transaction declines and has also been linked to an increase in cart abandonment and, consequently, lower transaction rates.

Many fraud detection and protection solutions also fail to detect suspicious activity that takes place before the payment stage. This could include things like changing a shipping address or disabling notifications. The reality is that many of today's technological solutions simply don't go far enough. But is it more than that? It's not just that fraud detection and prevention technology is letting us down; it's that fraudsters are paying close attention to the solutions being used to prevent fraud. Is it possible that fraudsters are using the same tech that's supposed to protect us against us?
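To make the pre-payment blind spot concrete, here is an added example (not code from this article or from any fraud-prevention product) that flags purchases preceded by the account changes named above. The event names, the one-hour look-back window and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Account changes the article names as pre-payment warning signs.
SENSITIVE = {"shipping_address_changed", "notifications_disabled"}

# Constructed sample events: (account, ISO timestamp, event type, known device?).
SAMPLE_EVENTS = [
    ("alice", "2020-06-01T10:00:00", "login", True),
    ("alice", "2020-06-01T10:05:00", "purchase", True),
    ("bob",   "2020-06-01T11:00:00", "login", False),
    ("bob",   "2020-06-01T11:02:00", "notifications_disabled", False),
    ("bob",   "2020-06-01T11:03:00", "shipping_address_changed", False),
    ("bob",   "2020-06-01T11:10:00", "purchase", False),
    ("carol", "2020-06-01T09:00:00", "shipping_address_changed", True),
    ("carol", "2020-06-03T09:00:00", "purchase", True),
]

def flag_risky_purchases(events, window=timedelta(hours=1)):
    """Return purchases preceded, within `window`, by sensitive account changes.

    Each result is (account, purchase_time, sorted signal list). A purchase
    from an unrecognised device adds a 'new_device' signal, but only sensitive
    changes inside the window cause a purchase to be flagged at all.
    """
    by_account = defaultdict(list)
    for account, ts, kind, known in events:
        by_account[account].append((datetime.fromisoformat(ts), kind, known))

    flagged = []
    for account, rows in by_account.items():
        rows.sort(key=lambda r: r[0])
        for when, kind, known in rows:
            if kind != "purchase":
                continue
            # Sensitive changes that happened shortly before this purchase.
            signals = {k for t, k, _ in rows
                       if k in SENSITIVE and when - window <= t < when}
            if not signals:
                continue
            if not known:
                signals.add("new_device")
            flagged.append((account, when.isoformat(), sorted(signals)))
    return sorted(flagged)

if __name__ == "__main__":
    for hit in flag_risky_purchases(SAMPLE_EVENTS):
        print(hit)
```

A payment-stage check alone would see three ordinary purchases here; only the account history separates bob's order from alice's and carol's.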

We all have (fraud) blind spots

In the fight against online retail fraud, it's what you don't know that matters. And yet, most retailers spend so much time focusing on what they know. Like focusing solely on the payment stage. And yet, we're starting to see how in many cases, fraud is committed before this stage. We’ve seen cases where fraudsters go beyond the digital journey and take advantage of customer service. A fraudster might call customer support after a transaction fails and the customer rep, whose main goal is to keep customers happy, will approve it.

The latest version of reCAPTCHA, v3, is an invisible reCAPTCHA which works in the background, using a host of factors such as cookies, browser attributes, and user behavior to determine whether or not you're human. Sounds like a foolproof approach to online fraud prevention, right? Wrong! In fact, bots that forge their browser fingerprint can easily bypass this reCAPTCHA. Researchers from the University of Monstair were also able to hack reCAPTCHA v3 using Reinforcement Learning. Their approach had a 97.4% success rate.

Say hello to smart fraud

There's no denying it - online retail fraud is evolving and becoming increasingly sophisticated all the time. But the real question is, are fraudsters really using the technology that's supposed to protect us against us? Two interesting things are happening.

First, more and more fraudsters are responding and adjusting their approach in an attempt to outsmart fraud detection and prevention technology. This includes things like bots that mimic human behaviors and interactions. We also see this at the device level, where fraudsters are starting to use emulators with increasing frequency. Fraudsters take advantage of the combined benefits of bots and emulators, making it easy to commit large scale attacks almost undetected.

Emulators are flexible, easy-to-use and virtual, exactly why fraudsters are attracted to them

There are also examples of fraudsters abusing fraud prevention technology. And while this may sound futuristic and may occur less often, it does happen. This happened in the form of a voice-spoofing attack in March 2019 when the CEO of a UK-based energy company thought he was speaking to his boss on the phone. In fact, it was a fraudster using AI technology to impersonate this executive's voice and demanding that €220,000 ($243,000) be transferred immediately.

The best is yet to come

What we know and are seeing with increasing frequency is that fraudsters are adapting their techniques as technology evolves. We are also seeing how fraudsters are tweaking their approach to online retail fraud in response to fraud prevention technology. So are fraudsters using the same technology that's meant to protect us against us? Not necessarily.

Current online retail fraud trends suggest that fraudsters are always on the lookout for ways to use new technology so they can be more efficient and effective. We're also seeing that as fraud prevention becomes more sophisticated, so too do fraudsters. But perhaps the biggest takeaway is that a close look at the technology being used by fraudsters hints at what's next and where online retail fraud is headed. It's a brave new world out there, and those that fail to keep up will be left behind.
