Roberto Valerio, CEO of Risk Ident, a German software engineering company specialising in online fraud prevention, explains one of the fastest growing retail fraud problems today.
Latest figures released by the UK's Office for National Statistics (ONS) reveal that online sales were up 18.5% in August this year, compared to August 2015.
But while ecommerce continues to grow, it becomes an increasingly attractive target for fraudsters. ID fraud typically attracts the widest attention, yet the problem of account takeover fraud has been rising incredibly fast over recent years, remaining relatively hidden, like the fraudsters who perpetrate it.
Between June 2015 and June 2016, at Risk Ident we saw a staggering increase of up to 300% in account takeover attempts on our ecommerce customers.
An account takeover happens when an illegitimate user logs into a genuine customer account, buying goods and services without the cardholder's authorisation. There are numerous ways in which fraudsters can obtain login details to genuine customer accounts: they can be bought on the black market online, result from poor password security (such as repeating passwords across accounts, or using simple words like 'password'), or via phishing or malware attacks – which have a success rate of 45% in securing victims' usernames and passwords according to Google.
The big problem for retailers is that once a fraudster gains access to their legitimate account, they can benefit from the customer's good history and trustworthiness to help mask their actions. It is difficult for both the account user and the retailer to realise what's happening in time, and once they do, the damage is often already done.
However, there are signs of account takeover that merchants and advanced fraud prevention tools can look out for:
- Logins via a proxy server, VPN or already known suspicious device IDs
- Login attempts from different devices and places, or suspicious device configurations that try to hide the "customer's" whereabouts
- Conspicuous behaviour during the login process, such as an unusual number of failed attempts
- A password change followed by unusual customer behaviour
- A change of address immediately before ordering
- Deviating behaviour such as purchasing an unusually expensive or high volume of merchandise
- Change of operating software and/or switching to an older browser version
Another problem for retailers is that fraudsters are constantly changing, adapting and evolving their strategies, using new methods to try to remain undetected.
Rule-based anti-fraud systems can be set up to watch for these suspicious trigger points, but they can too often cause costly false positives for retailers, damaging the customer experience and threatening to destroy the merchant's reputation.
Machine learning technology, based on developing computer programs, recognises patterns and regularities in datasets, and is then able to learn from each transaction and a wealth of historical data. In this way it can continually create new models and constantly evolving algorithms that help retailers stay a step ahead of the fraudsters.