Between financial loss and impact on reputation, transaction fraud is a serious threat to eCommerce. This is old news, of course, but it is mostly being dealt with by ineffective technologies that fraudsters are increasingly managing to circumvent.
Transaction fraud includes any unauthorized or illegal transaction by a fraudster, and its primary purpose is to obtain goods without paying or via the unauthorized use of funds. As of 2018, transaction fraud soared to impact 82% of businesses and continues to be a persistent problem. While many eCommerce retailers employ somewhat effective transaction analysis tools to catch it, detection is usually too late and also disruptive to the buyer’s journey.
When Venmo experienced significant losses attributed to payments fraud, they added more checks to their strategy. Although this did reduce fraud numbers, it was already too late and they had to swallow the cost of the losses. There were also the added repercussions of this decision: angry customers and an overwhelmed customer service team when many legitimate transactions were declined. While the cause of the losses is still not clear, it seems that account takeover and new account fraud were certainly at play.
This is just one example of how payments fraud continues to be an issue. By taking a closer look at the popular transaction analysis approaches, we can shine a light on where fraud strategies can be strengthened and become more reliable.
Transaction Analysis: Too Little Too Late
We have established that transaction analysis tools are not effective enough. But the question is why? The fact of the matter is that transaction analysis takes place once, at the checkout. Even when the user is authenticated at login, a large gap exists between that point and the payment stage, leaving fraudsters plenty of opportunity. And as they become more cunning, the approach to stopping them has been to add more protection layers at the exact same stage. Standard methods of payment verification are ineffective: by the time any suspicious activity is flagged, it is too late, and it affects more than just your fraud numbers. Let’s take a closer look at these layers:
AVS & CVV
One of the oldest tricks in the toolbox and one of the first to combat CNP fraud, these services are provided by credit card processors to merchants. Credit card and/or account data input by the user is compared with the cardholder’s billing address (AVS) or the 3-4 security digits on the back of the card (CVV).
Many issues have surfaced regarding the reliability of these methods. They are known to produce a high number of false positives and have proven to be poor indicators of real fraud. AVS in particular does not account for normal, legitimate circumstances in which addresses vary: account holders might forget to update addresses, they may be sending gifts, or they may have multiple addresses, including international ones that the system cannot support. CVV was designed to confirm that the cardholder actually has the card on hand. Unfortunately, if a fraudster has managed to get hold of a customer’s credit card details or legitimate user credentials, it is almost certain that they also have access to at least one, if not both, of the data sets needed to bypass this check (it is now popular to save payment details in user accounts). This is made more obvious by the connection to increasing numbers of sophisticated attacks like account takeover and new account fraud.
In addition to fraud, the weaknesses contribute to issues with user experience. Apart from the more obvious facts that stolen customer credit card details often come with the information needed to beat the barriers, the standards set are rigid and do not adapt to today’s global marketplace. The false positives mentioned not only cause customer frustration, they also affect manual reviews. AVS & CVV are not available internationally, so using this system can limit your potential customer pool. Lastly, in the event of a false negative or a chargeback, merchants can still be held liable.
3D Secure
First launched in 2001, 3D Secure is another early layer developed to fight payment fraud and involves a redirect to the cardholder's issuing bank website during the checkout process. Originally developed by Visa, it was quickly adopted by other credit card networks. The system uses a verification process, requiring an SMS or email based OTP to complete this stage.
This approach is regarded as somewhat more comprehensive than AVS & CVV. By working together, credit card networks offer more comprehensive security, as the shared data pool gives access to more up-to-date information about rejected credit cards that the issuers are able to provide. Additionally, the networks have worked together to provide many integrations that allow merchants to adopt this protocol. With the adoption of 3D Secure came the chargeback liability shift: in the event that an approved transaction is disputed, merchants are no longer liable for this expense.
Despite having a good reputation, as with any ‘old’ technology, it no longer solves the problem it originally set out to fix. The technology is more than 10 years old and is susceptible to the same static, rule-related weaknesses as AVS & CVV. As an added ‘bonus’, in order to mitigate the failures of AVS/CVV, it is common for merchants to layer them with 3D Secure, leading to more friction without necessarily reducing fraud losses.
Blacklisting
The basic principles of this method are self-explanatory and can be used for many different purposes in digital security. In the context of transaction analysis, a list of features regarded as fraudulent are grouped together and used to identify fraudulent transactions. At the point of payment, contextual data is compared with data derived from one or a combination of lists. The sources of this data can vary between service providers and are often shared. However, not all blacklists are created equal: some may be 90% accurate and some may be closer to 55% accurate, making them difficult to manage. Popular categories for blacklists include:
- IP Reputation
- Email Domain Reputation
- Device Fingerprinting
- Device Analysis
Tools using this method can block interactions from IPs that are considered potentially risky (for example, previous transactions from this address were fraudulent or subject to an unusual number of chargeback requests) or that are located in a high-risk geographical location, like Russia. Fraudsters have become experts at beating these barriers: they disguise their IPs by bouncing them through different relays, or use anonymizers to defeat email validation. Earlier this year, fraudsters accessed legitimate domains by exploiting a weakness in GoDaddy’s authentication protocols to unleash a campaign with significant inbox delivery numbers. Links shared in the email campaign were traced to IP addresses known to sell stolen credit card data.
Moreover, when it comes to advanced fraud attacks like account takeover or new account fraud, this protection layer proves to be ineffective. Fraudsters always seem to be one step ahead, and blacklists are not dynamic enough to deal with the ever-evolving face of these attacks. Legitimate email addresses are used for account takeover attacks, bots can be used to execute a new account fraud attack where no historical data is necessary, emulators can be used to beat device-based features, and much more.
As with the methods detailed above, blacklisting is subject to similar trade-offs: the choice to add fraud detection layers contributes to more false positives, late detection, manual reviews and user frustration.
A Risky Business
While some merchants may choose to implement a standard multi-layered authentication model for transaction approvals, another more dynamic and customizable option has become a popular choice. Risk-based authentication (AKA step-up authentication) can reduce the friction introduced into the customer journey. Any of the above methods can be combined in this context. When already established user accounts are in play, these methods can be partnered with a protection layer at the login. A trust score is used to determine the potential risk of the transaction in question. If the contextual data is considered low-risk, customers are not required to validate the payment (or themselves) again.
At the risk of being repetitive, this approach is still static by nature and also cannot face up to today’s advanced attack methods and global market trends. With so much customer information continuing to be stolen, it is simply not enough to use this siloed approach that ignores a gap to catch fraud earlier in the customer journey without hindering the user experience.
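As an added illustration (not code from the original post or from any vendor it mentions), the following sketch shows a step-up decision of the kind described above: AVS/CVV results, blacklist hits weighted by each list's assumed accuracy, and device/login context are folded into one risk score that decides between a frictionless approval, a step-up challenge, or manual review. All weights, thresholds, IP addresses and domains are hypothetical.

```python
from dataclasses import dataclass

# Constructed blacklists mapping an indicator to the assumed accuracy of the list it
# came from (the post notes lists range roughly from 55% to 90% accurate); a hit is
# weighted by that accuracy, so a low-quality list alone should not block a customer.
IP_BLACKLIST = {"198.51.100.7": 0.90, "203.0.113.44": 0.55}   # ip -> list accuracy
EMAIL_DOMAIN_BLACKLIST = {"throwaway.example": 0.80}           # domain -> list accuracy

@dataclass
class Checkout:
    ip: str
    email: str
    avs_match: bool      # billing address matched the issuer's record
    cvv_match: bool      # security code matched
    device_known: bool   # device fingerprint seen on this account before
    login_fresh: bool    # user authenticated in this session, not via a long-lived cookie

def risk_score(c: Checkout) -> float:
    """Return a risk score in [0, 1]; higher means more likely fraudulent."""
    score = 0.0
    if not c.avs_match:
        score += 0.15    # weak signal on its own: legitimate address variation is common
    if not c.cvv_match:
        score += 0.30
    score += 0.35 * IP_BLACKLIST.get(c.ip, 0.0)
    domain = c.email.rsplit("@", 1)[-1].lower()
    score += 0.25 * EMAIL_DOMAIN_BLACKLIST.get(domain, 0.0)
    if not c.device_known:
        score += 0.20
    if not c.login_fresh:
        score += 0.10
    return min(score, 1.0)

def decide(c: Checkout, step_up_at: float = 0.30, review_at: float = 0.70) -> str:
    """Map the score to an action: 'approve', 'step_up' (e.g. OTP or 3DS) or 'review'."""
    s = risk_score(c)
    if s >= review_at:
        return "review"
    if s >= step_up_at:
        return "step_up"
    return "approve"
```

Note that a hit on the 55%-accurate IP list by itself stays below the step-up threshold, while a CVV mismatch from a high-confidence bad IP on an unknown device is routed to review.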
What’s In a Gap
While any type of fraud prevention is better than no protection at all, the interrupted user experience will often outweigh the benefits, especially for eCommerce companies where the customer is key. Waiting until the payment stage is not good enough and relying on one-time authentication at the login is made redundant by the extent of data breaches that are taking place. Combined or not, these approaches leave a significant gap - both for fraudsters AND fraud-fighters.
This is what has led to the development of a technology that supports a seamless and continuous fraud detection solution. Behavioral biometrics analyzes hundreds of human-to-device interactions, account activities and device intelligence to open up a whole new point of view on user intent, allowing online merchants to detect potentially fraudulent activities before it’s too late. It works invisibly, providing a holistic solution from the initial user login stage (new or existing) to close the gap and support pre-transaction fraud detection.
The Behavioral Biometric Difference
With this in mind, eCommerce businesses should no longer require a host of different siloed solutions that fail to catch advanced fraud attacks - manual or automated - such as new account fraud, account takeover, and checkout fraud.
With Behavioral Biometrics, businesses have a much-needed comprehensive solution at their fingertips. It is an innovative approach that is moving the needle on fraud protection solutions and smashing the belief that it is impossible to improve security without harming the user experience. The machine learning foundation means that undetected fraud is no longer undetectable, as the system can adapt to new attack vectors. There is no more need to rely on rigid, rule-based technologies.
Instead of a one-time process that can be easily bypassed by fraudsters, Behavioral Biometrics drastically reduces fraud numbers and related costs while also contributing to a safe and seamless customer experience.