Breaking the Fraud Chain

Retailers’ biggest worry is increasing e-commerce fraud — including data breaches, targeted attacks, and card-not-present fraud — according to a report from the Federal Reserve Bank of Minneapolis.

Online fraud is one of the biggest challenges facing retailers, with card-not-present (CNP) fraud being one of their top worries.

CNP fraud will hit US$71 billion over the next five years, Juniper Research has forecast, as it is an easy way for cybercriminals to access money, products, and services.

There has been a 100 percent increase in purchase attempts with flagged — suspicious — credit cards, according to NuData Security.

With these numbers, it’s no surprise that merchants have allocated most resources toward securing CNP transactions.

Retailers also have been getting hit from point-of-sale systems — the physical machines that take card payments. Some retailers have discovered that their devices have been infected with malware that records the payer’s card information. POS hacking has a low barrier to entry, as cybercriminals just need to connect a $25 Raspberry Pi to upload malicious code that can penetrate the network.

Those are not the only threats. Third-party suppliers that retailers subcontract can become another target for fraud. Third-party vendors, in turn, hire other companies, creating a long list of providers that handle sensitive data. It is within these relationships that cybercriminals target the weakest link to steal personal data, such as credit card information.

Reviewing the Fraud Chain Link by Link

Retailers and merchants can close the loop on point-of-sale systems through continuous monitoring of POS devices and regular installation of security patches. It’s crucial to apply new patches to all devices to prevent attacks like the recent one on Forever 21: The company had installed the latest security patches in all its POS devices except for just a few — and those were the ones attacked.

Identifying all your third, fourth, and even twentieth-party providers is the first step toward establishing a risk management strategy.

Bad actors use any chance to steal payment data that will then trickle down to the CNP channel, where merchants can’t differentiate between legitimate customers and impostors.

Breaking the Chain

The most effective weapon against CNP fraud is to devalue the stolen data. The options to steal sensitive information have been evolving constantly, but if the stolen data is not useful to make a profit, fraudsters will lose interest in it.

Following this approach, many companies have been implementing multilayered solutions applied to the CNP transactions that evaluate users by several key points:

  • what they have — device type, for instance; and
  • what they are — physical biometrics that can include facial, retinal, or fingerprint scans.

There is an underlying layer that helps with identification by looking at a user’s passive biometrics. Passive biometrics can analyze the user’s inherent online behavior. If suspicions are raised, the company can trigger an additional verification request based on what the user has or is.

This security approach, based on passive biometrics and behavioral analytics, secures a card from illegal online transactions without relying on data that could be stolen, such as usernames and passwords.

Passive biometrics and behavioral analytics can recognize customers through hundreds of identifiers, such as how they type — their input speed and keystroke deviation — or how they hold a device. These are powerful indicators of human versus nonhuman interaction, and they can help to ensure that the right person gains access to an account.

Letting Go of the Chains That Bind

Passive biometrics and behavioral analytics give retailers context for digital transactions and the ability to stop anomalous transactions before they happen. Users benefit from a seamless experience, while organizations gain the additional assurance of authentication.

Retailers and e-commerce organizations that use multilayered security strategies with passive biometrics and behavioral analytics effectively can confirm legitimate users with pinpoint accuracy without relying on credentials that might have been stolen. User patterns and behaviors cannot be replicated by cybercriminals using stolen credentials or card details, which devalues stolen data and breaks the fraud chain.

Robert Capps

Robert Capps is vice president and authentication strategist for NuData Security, a Mastercard company. He is a recognized technologist, thought leader, and advisor with more than 20 years of experience in the design, management and protection of complex information systems -- leveraging people, processes and technology to counter cyber risks.


  • Great article!

    I believe that e-commerce payment systems are the most vulnerable when it comes to online fraud.

    Given this, I’d like to add a few recommendations for all those willing to keep their security level high.

    Since I’m working in fintech industry, I’d like to recommend users how to choose a payment service provider properly:

    1. As security is the key, a a payment gateway provided by a reliable PSP should be PCI DSS compliant.

    2. PSP’s terms and conditions should have no hidden fees / obscene cancellation fees.

    3. In the times of growing competition, it’s better to use the services of a PSP providing many integration options & currency processing opportunities.

    Hope this information will be helpful!

  • Inactive biometrics and social investigation give retailers setting for computerized exchanges and the capacity to stop strange exchanges previously they happen. Clients advantage from a consistent ordeal, while associations pick up the extra affirmation of verification.

    Retailers and online business associations that utilization multilayered security procedures with inactive biometrics and social investigation adequately can affirm honest to goodness clients with pinpoint precision, without depending on certifications that may have been stolen. Client examples and practices can’t be repeated by cybercriminals utilizing stolen certifications or card subtle elements, which degrades stolen information and breaks the misrepresentation chain

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

E-Commerce Times Channels